Your First 90 Days of Quantum Strategy

The newly appointed Chief Risk Officer at a Nordic insurance group received a board memo in March 2025 that mentioned quantum computing as an “emerging risk to monitor.” She had read enough to know that “monitor” was a euphemism for “do nothing,” and she suspected doing nothing was a mistake. But she also knew that announcing a quantum computing initiative without a concrete plan would produce exactly the kind of empty pilot project described in Chapter 1.

So she did something unusual: she treated quantum computing not as a technology to adopt but as a risk to quantify and an opportunity to scope. In 90 days, without hiring a single quantum physicist or purchasing any quantum hardware, her team had a complete picture of the organization’s cryptographic exposure, a shortlist of three business problems where quantum approaches could add measurable value, and a pilot design with clear success criteria.

Total cost: four staff members working part-time and a two-week engagement with a post-quantum cryptography assessor. Roughly $120,000 in fully loaded costs. The output was a document the board could actually act on.

This chapter describes what she did. Not a framework. Not a maturity model. A work plan with specific tasks, specific outputs, and specific milestones.

The Two-Track Approach

Your 90-day plan runs two workstreams in parallel:

Track A (Defensive): Cryptographic Exposure Audit. This is the urgent track. Its output is a prioritized list of systems that need post-quantum migration, ordered by exposure severity.

Track B (Offensive): Quantum Opportunity Scoping. This is the strategic track. Its output is a shortlist of business problems where quantum computing could create measurable value, with rough estimates of that value and the timeline for realization.

Track A has a clear mandate: known risk, established standards, specific technical actions. Track B requires more judgment and is more likely to produce ambiguous results. Both are necessary. Running only Track A protects you from the quantum threat but misses the competitive opportunity. Running only Track B positions you for future advantage but leaves your current infrastructure exposed.

Days 1-30: Inventory and Landscape

Track A: Cryptographic Discovery

Task A1: Appoint a Post-Quantum Migration Lead (Day 1-3)

This person should be a senior security engineer or architect, not an executive. They need enough organizational authority to request information from every IT team and enough technical depth to understand cryptographic implementations.

If you do not have someone with both qualifications, the security architect handles the organizational access and you bring in an external PQC specialist for technical assessment.

Output: Named lead with a mandate letter signed by CISO or CTO.

Task A2: Automated Cryptographic Scanning (Days 3-14)

Run automated scans across your network to identify every TLS connection, certificate, VPN endpoint, and SSH configuration. Tools for this exist and are mature. The scan will identify which cryptographic algorithms are in active use across your infrastructure.

Focus on:

• All external-facing TLS configurations (web servers, APIs, partner connections)
• Internal certificate authority and certificate chain configurations
• VPN concentrators and their key exchange algorithms
• Email encryption (S/MIME, PGP) configurations
• Code signing infrastructure
• Hardware security modules and their supported algorithms

Output: A spreadsheet listing every identified cryptographic endpoint, the algorithms in use, and the system owner.

Task A3: Data Classification Overlay (Days 14-21)

Take the cryptographic inventory from A2 and overlay your data classification. For each system or data flow, determine: what data does this protect, and how long must that data remain confidential?

This step transforms a technical inventory into a risk assessment. A TLS connection protecting public marketing content has zero exposure. The same TLS configuration protecting 20-year patient records has severe exposure.

Output: The same spreadsheet from A2, enriched with data sensitivity classification and required confidentiality period.

Task A4: Exposure Calculation (Days 21-28)

For each system, calculate S + M > Q (as described in Chapter 3). S is the required secrecy period from your data classification. M is your estimated migration time for that system type. Q is your organization’s planning assumption for when a cryptographically relevant quantum computer will exist.

For M, use these defaults if you do not have better estimates:

• Cloud-managed services (AWS, Azure, GCP TLS): 6-12 months (dependent on provider timeline)
• Self-managed web servers and APIs: 12-24 months
• VPN infrastructure: 12-18 months
• Certificate authority re-issuance: 18-36 months
• Hardware security modules: 24-48 months
• Embedded systems and IoT: 36-60 months
• Partner and vendor connections: dependent on partner, assume 24-48 months

For Q, use 2033 as a baseline planning assumption. This is conservative enough to avoid panic and aggressive enough to drive action. Adjust based on your threat model. If your adversary model includes state-level actors with major quantum programs, use 2030-2031.

Output: A risk-ranked list of all cryptographic systems, sorted by exposure severity.

Task A5: Top-10 Priority Report (Days 28-30)

From the ranked list, extract the 10 systems with the highest exposure and write a one-page report for each: what it is, what data it protects, how exposed it is, and what migration looks like. This becomes the input for your post-quantum migration plan.

Output: Top-10 Priority Cryptographic Migration Report. This is the Track A deliverable for the first 30 days.

Track B: Problem Identification

Task B1: Computational Bottleneck Survey (Days 3-21)

Interview the leaders of each major business function (operations, finance, risk, R&D, supply chain, marketing/pricing) and ask three questions:

1. Where do you accept suboptimal answers because computing the best answer takes too long?
2. Where do you spend money on physical testing because simulation is not accurate enough?
3. Where do you make decisions based on simplified models because the full model is too computationally expensive?

Most leaders will not frame their challenges in these terms. You will need to translate. When the head of operations says “our scheduling system takes 16 hours to run and we still need to fix things manually,” that is question 1. When the head of R&D says “we test 200 formulations in the lab when theoretically there are 50,000 candidates,” that is question 2.

Output: A list of 15-30 computational bottlenecks, described in business terms with estimated business impact.

Task B2: Quantum Suitability Screen (Days 21-28)

Take the bottleneck list and screen each one against the four quantum problem types from Chapter 4:

• Is this constrained optimization?
• Is this molecular or materials simulation?
• Is this high-dimensional pattern recognition?
• Is this a cryptographic application?

For each bottleneck that maps to a quantum problem type, assess: how large is the problem instance? Does it require fault-tolerant hardware, or could a hybrid approach work on near-term systems?

If you do not have internal expertise for this screen, bring in external support. This is a one-to-two-week engagement, not a six-month consulting project.

Output: A shortlist of 3-5 business problems with quantum potential, each with a problem-type classification, estimated business value, and hardware timeline requirement.

Task B3: Competitive Intelligence Scan (Days 14-30)

Research what your direct competitors and industry peers are doing with quantum computing. Look for:

• Published partnerships with quantum hardware or software vendors
• Patent filings that reference quantum algorithms or quantum-safe technology
• Participation in quantum industry consortia
• Job postings that mention quantum computing
• Public statements or presentations about quantum strategy

This is open-source intelligence gathering, not espionage. Most of this information is publicly available through patent databases, LinkedIn, press releases, and conference proceedings.

Output: A competitive landscape memo showing who in your industry is moving, what they are doing, and where the gaps are.

Days 31-60: Literacy and Pilot Design

Internal Literacy Building

Task C1: Executive Briefing (Day 31-35)

Present your Track A and Track B findings to the executive team. This is a 45-minute meeting with three sections:

1. The risk picture (15 min): Cryptographic exposure, top-10 priority systems, recommended migration timeline. Ask for authorization to begin migration planning for the top-3 systems.

2. The opportunity picture (15 min): The shortlisted quantum-suitable problems, estimated value, and timeline dependencies. Ask for authorization to design one pilot.

3. The competitive picture (10 min): What peers are doing. Where you are ahead or behind.

This briefing converts quantum computing from an abstract technology trend into a set of concrete risks and opportunities with estimated values. Executives can act on risks and opportunities. They cannot act on technology trends.

Output: Executive authorization for migration planning and pilot design.

Task C2: Quantum Literacy Program (Days 35-50)

Identify 10-15 people across the organization who will be involved in quantum-related decisions over the next three years: security architects, data scientists, optimization engineers, R&D leaders, procurement leads.

Provide them with curated learning resources. Not a vendor’s marketing course. Not a university physics course. Business-relevant material that covers:

• What quantum computing does and does not do (Chapter 2 of this guide)
• The cryptographic threat and migration requirements (Chapter 3)
• How to evaluate quantum claims (Chapter 5)
• Your organization’s specific quantum-relevant problems (from Task B2)

This takes two to three weeks of part-time study. The goal is not expertise. It is fluency: the ability to participate in quantum-related conversations, evaluate vendor proposals, and contribute to strategic decisions.

Output: A cohort of 10-15 quantum-literate professionals who can support decision-making across the organization.

Task C3: Vendor Landscape Map (Days 40-55)

Based on your shortlisted problems (Task B2), identify the quantum vendors whose capabilities are most relevant. For each:

• What modality do they use?
• What is their roadmap?
• Do they have customers in your industry?
• What does engagement look like (cloud access, professional services, partnership)?
• What does it cost?

Use the evaluation framework from Chapter 5. Do not commit to any vendor at this stage. You are mapping options, not choosing.

Output: A vendor landscape map with 5-8 relevant vendors, evaluated on your specific criteria.

Pilot Design

Task D1: Select Pilot Problem (Days 45-50)

From your shortlist of quantum-suitable problems, select one for a pilot. Selection criteria:

1. Business value is clear and quantifiable. You can measure whether the quantum approach improved the outcome.
2. The problem can be scaled down. You can test on a smaller instance before committing to full-scale deployment.
3. Classical benchmark exists. You have a current classical solution whose performance you can measure and compare against.
4. Data is available. You have the data needed to formulate and run the problem.
5. Near-term feasibility. The problem can be approached with hybrid quantum-classical methods on current or near-current hardware, rather than requiring fault-tolerant hardware that is years away.

The ideal pilot is a constrained optimization problem where you already have a classical solver, you can measure solution quality, and you have enough data to formulate the problem at a meaningful scale.

Output: Selected pilot problem with written justification against selection criteria.

Task D2: Define Success Criteria (Days 50-55)

Before engaging any vendor or starting any technical work, write down what success looks like. Be specific:

• “The quantum-hybrid approach finds a solution within 5% of the classical solver’s quality in less than 50% of the time.” This is measurable.
• “The quantum approach demonstrates potential.” This is not measurable.

Define three tiers:

• Minimum success: We learned something concrete about the problem’s quantum suitability that informs future investment decisions.
• Target success: The quantum approach matched or exceeded the classical solution on at least one meaningful metric.
• Stretch success: The quantum approach clearly outperformed the classical solution, suggesting business value at production scale.

Output: Success criteria document with measurable thresholds for each tier.

Task D3: Pilot Budget and Timeline (Days 55-60)

Scope the pilot. A well-designed first quantum pilot should:

• Run for 8-12 weeks
• Cost $75,000-$200,000 (primarily vendor engagement and internal staff time)
• Produce a clear, data-backed assessment of the problem’s quantum potential
• Not require quantum hardware purchases

The pilot is a learning exercise, not a deployment. Its primary output is knowledge: does this problem have genuine quantum potential, and if so, what would it take to realize it?

Output: Pilot proposal with timeline, budget, resource requirements, vendor shortlist, and success criteria.

Days 61-90: Partnership and Planning

Task E1: Vendor Selection for Pilot (Days 61-70)

From your vendor landscape map, select 1-2 vendors to engage for the pilot. Use the questions from Chapter 5 in your evaluation conversations. Prioritize vendors who:

• Have experience with your problem type
• Offer cloud-based access (no hardware purchase needed)
• Agree to your success criteria before starting
• Provide technical support at the right level (algorithm expertise, not just API access)
• Are willing to share their methodology and code

Negotiate the engagement. A reasonable structure: fixed-fee engagement with defined deliverables at 4-week and 8-week checkpoints. Include a clause that allows termination if minimum success criteria are clearly unachievable at the first checkpoint.

Output: Signed engagement with selected vendor(s), with milestones and success criteria embedded in the contract.

Task E2: Post-Quantum Migration Planning (Days 65-80)

Using your Top-10 Priority Report from Task A5, develop a detailed migration plan for the three highest-priority systems. For each system:

• Identify the target post-quantum algorithm (ML-KEM for key exchange, ML-DSA for signatures)
• Determine whether hybrid mode (classical + post-quantum simultaneously) is feasible as an interim step
• Identify dependencies (partner readiness, HSM compatibility, protocol support)
• Estimate migration cost and timeline
• Define testing and validation approach

Output: Detailed migration plan for top-3 priority systems, with cost estimates and timelines.

Task E3: Board-Ready Strategy Document (Days 80-90)

Consolidate everything into a strategy document for board approval. Structure:

1. Executive Summary (1 page): The two-sentence version of your quantum risk and opportunity position.
2. Cryptographic Risk and Migration Plan (2-3 pages): What is at risk, what migration looks like, what it costs, what timeline you recommend.
3. Quantum Opportunity Assessment (2-3 pages): Which business problems have quantum potential, estimated value, and when hardware timelines make that value accessible.
4. Pilot Plan (1-2 pages): What you are testing, with whom, at what cost, and what you will learn.
5. Competitive Position (1 page): Where you stand relative to industry peers.
6. Resource Request (1 page): What you need for the next 12 months. Typically: budget for migration of top-priority systems, budget for pilot execution, and authorization for 1-2 hires (PQC specialist and quantum-literate analyst).

Output: Board-ready quantum strategy document.

The 90-Day Checklist

Day	Track	Task	Output
1-3	A	Appoint PQC migration lead	Named lead with mandate
3-14	A	Automated cryptographic scanning	Cryptographic endpoint inventory
3-21	B	Computational bottleneck survey	Bottleneck list with business impact
14-21	A	Data classification overlay	Enriched inventory with sensitivity
14-30	B	Competitive intelligence scan	Competitive landscape memo
21-28	A	Exposure calculation	Risk-ranked system list
21-28	B	Quantum suitability screen	Shortlist of 3-5 problems
28-30	A	Top-10 priority report	Priority migration report
31-35	Both	Executive briefing	Authorization to proceed
35-50	Both	Quantum literacy program	10-15 literate professionals
40-55	B	Vendor landscape map	5-8 evaluated vendors
45-55	B	Pilot problem selection and success criteria	Selected problem with criteria
55-60	B	Pilot budget and timeline	Pilot proposal
61-70	B	Vendor selection	Signed pilot engagement
65-80	A	Post-quantum migration planning	Top-3 migration plan
80-90	Both	Board strategy document	Board-ready quantum strategy

What Comes After 90 Days

This plan gives you a foundation. What happens next depends on what you learn.

If the cryptographic audit reveals severe exposure: you enter an accelerated migration program. The migration plan from Task E2 becomes your immediate priority. This is not quantum strategy. This is cybersecurity risk management, and it should be treated with the same urgency.

If the pilot shows promise: you expand the pilot, increase investment, and begin building the internal capability to operationalize quantum optimization when hardware matures. You are not deploying quantum computing. You are preparing to deploy it at the right moment.

If the pilot shows no advantage: you have learned something valuable for a modest cost. You understand the specific technical limitations. You can revisit in 12-18 months when hardware has advanced, and you will know exactly what metrics to track.

In all three scenarios, you have moved from “quantum computing is something we should probably look into” to a specific, evidence-based position. That position may be “our cryptography needs urgent attention,” or “we have a high-value use case waiting for hardware maturity,” or “quantum is not strategically relevant for us in the medium term.” Any of these answers is useful. The only useless answer is the one most organizations have today: “We don’t know.”