Episode Overview
In this episode, Michael Watson, Chief Information Officer of the Commonwealth, Virginia Information Technologies Agency and Glenn Schmitz, Chief Information Security Officer, Virginia State Corporation Commission deliver a lively, audience-driven conversation on post-quantum cryptography—what it is, why it matters, and why waiting for certainty is a risk in itself. Using relatable analogies (from Y2K to an oncoming train), they explain the concept of “Q-Day”: the moment quantum computers become powerful enough to break today’s widely used encryption, and why that date is unknown—but the impact is predictable.
Michael and Glenn make the case that public sector teams don’t need to be quantum experts to act now. The priority is practical preparedness: knowing where cryptography lives across systems, understanding which data has a long “shelf life,” and starting a realistic transition plan that accounts for legacy tech debt, third-party risk, cost, and organisational change.
Key Themes
A central theme is uncertainty with urgency: unlike Y2K (where the deadline was known), quantum risk arrives on an unknown timeline—yet organisations still need to prepare before it’s too late. The speakers also highlight the “harvest now, decrypt later” threat, where adversaries collect encrypted data today and wait to decrypt it when quantum capability arrives, making long-life data (financial, health, sensitive government information) especially exposed.
Another major theme is pragmatism: the path forward is less about physics and more about fundamentals—asset management, inventory, prioritisation, and crypto agility. The episode also explores the ripple effects across vendors, hybrid environments, and user trust signals, reinforcing that post-quantum readiness is a whole-of-organisation change effort, not a niche security project.
What You’ll Learn
1) What “Q-Day” Means (and Why It’s Not Like Y2K)
Why quantum risk has a similar “deadline” feel to Y2K, but with the added challenge that no one knows the exact date.
2) The “Harvest Now, Decrypt Later” Problem
How adversaries can steal encrypted data today and decrypt it in the future—without you knowing when it happens.
3) Why Long-Life Data Is the Real Target
Why financial, healthcare, national security, and strategic decision-making data are at higher risk because they remain valuable years later.
4) How Quantum + AI Changes the Threat Landscape
Why quantum decryption combined with AI analysis could turn stolen communications into a readable, searchable “operating manual” for an organisation.
5) Where to Start: Build a Crypto Bill of Materials (CBOM)
Why the first step is understanding where your cryptography is (data at rest, data in transit, certificates, key usage, algorithms) and treating it as an inventory/asset management problem.
6) Standards and Timelines: What to Watch
How emerging standards (including NIST-aligned approaches) shape planning—and why predictions differ on when quantum breaking capability may arrive.
7) Crypto Agility: Designing for Change, Not a One-Time Fix
Why switching algorithms once won’t be enough, and how “swap-in/swap-out” cryptography becomes essential as standards evolve and future algorithms are challenged.
8) Third-Party and Supply Chain Readiness
Why you need to start asking vendors now: “Is post-quantum cryptography on your roadmap—and when?” especially wherever your most important data travels.
9) The Organisational Change Layer (Not Just Tech)
Why cost, timelines, legacy constraints, and user education (what “safe” looks like) must be part of the readiness plan.
Key Takeaways
- Quantum risk is coming, but the timeline is uncertain - preparation can’t wait for a date
- “Harvest now, decrypt later” means encrypted data stolen today may be exposed years from now
- The starting point is practical: build a crypto inventory / crypto bill of materials
- Prioritise: focus first on the most critical systems and most sensitive, long-life data
- Legacy tech debt will be one of the biggest blockers—even for well-resourced organisations
- Crypto agility is essential: post-quantum migration is not a one-and-done change
- Vendor and partner readiness matters - your data’s path defines your risk surface
Why You Should Listen
This episode is for public sector cybersecurity leaders, risk and compliance teams, architects, infrastructure leaders, and executives who need a clear, practical understanding of what post-quantum cryptography means and what actions can start now. It’s an accessible, no-math conversation that helps translate a complex topic into a real-world plan for prioritisation, migration, and resilience across large hybrid environments.
Memorable Line of Thinking
The “Q-Day train” has already left the station—your choice is to be caught on the tracks, or be ready on the platform when it arrives.
Published by
Help your peers
Share what you've learned with fellow public servants