INSIGHT

The Cyber Brief | Q-Day: why quantum readiness can't wait, with Vikram Sharma, QuintessenceLabs

Boards & NEDS Corporate Governance Cyber Data & Privacy Disputes & Investigations General Counsel Risk & Compliance Technology, Media & Telecommunications

What advances mean for cyber risk management

Within just a few years, quantum computers could render today's encryption obsolete, exposing sensitive data and disrupting critical systems. In this episode, Valeska and co-host David Rountree are joined by Dr Vikram Sharma, Founder and CEO of QuintessenceLabs, to unpack what these advances mean for cyber risk management. Vikram explains why post-quantum transition timeframes are accelerating, what boards and executives should be doing to prepare, and why the transition will be more complex than a simple technology upgrade. Valeska, David and Vikram also discuss 'harvest now, decrypt later' attacks, why post-quantum readiness is—at its core—a governance issue, and the need to build crypto agility into future systems. 

The Cyber Brief is a podcast for decision-makers in cyber. Through candid conversations with the industry's best, The Cyber Brief delivers executive-level insights on cyber risk, best-practice governance and emerging threats. Leaders in the field share practical insights, real-world stories and actionable advice for boards, executives and cyber professionals.

Episode nine: Q-day: why quantum readiness can't wait, with Vikram Sharma, QuintessenceLabs 

 

Read the full conversation

Valeska: Welcome to The Cyber Brief, the podcast for decision-makers in cyber. Through candid conversations with the industry's best, we bring you executive-level insights on cyber risk, best practice governance and emerging threats. We've advised on some of the world's most complex cyber incidents, and we know what it's like in the trenches. We're asking the experts for their unfiltered truths and best advice on what executives, boards and cyber professionals should be doing now to stay ahead.

Within just a few years, quantum computers could render today's encryption obsolete, exposing sensitive data and disrupting critical systems. And while the technology is not yet operating at scale, regulators, intelligence agencies and insurers are already sounding the alarm. The Australian Signals Directorate has set a clear timetable to respond: post-quantum encryption transition plans in place by the end of this year, transition underway by the end of 2028, and completion by 2030.

I'm Valeska Bloch, head of cyber at Allens, and in this episode, my co-host, quantum enthusiast David Rountree, and I speak with Dr Vikram Sharma, founder and CEO of QuintessenceLabs, recipient of Australia's 2025 Prime Minister's Prize for Innovation, and a member of the World Economic Forum's Global Future Council on Cyber Security. Vikram explains what quantum computing means for your organisation's security posture in terms even I can understand, and the practical steps executives and boards can take now. He also tolerates David's quantum jokes, which, like qubits, somehow manage to be both funny and not funny at the same time. Let's get into it.

So, let's start with the fundamentals. Could you please explain to us in really simple terms, for me, especially, how quantum computers will break the encryption that protects our data today.

Vikram: Yeah, absolutely. Well, quantum computers really rely on a very different mechanism to conduct their computations, so, as opposed to conventional computers, where you have very familiar bits, and a bit can be a one and a zero at any point in time, in a quantum computer, somewhat bizarrely relying on the effects of quantum mechanics, they have something called a qubit, which is a fundamental unit of operation, and a qubit can be a zero and a one and various combinations of zeros and one at the same time. So it kind of defines everyday logic and everyday experience at the human scale, but when you get down to the quantum level, you find that these, these effects in this particular one's called superposition manifests themselves. But as a result of this, for certain types of problems, a quantum computer can solve them much faster than our best supercomputers can today. Indeed, many, many orders of magnitude faster, so billions or more times faster than today's best supercomputers. Encryption today relies on, for, in the main, on the mathematical complexity of certain types of operations, so that they're easy to do one way, but difficult to reverse. Our best supercomputers find it quite difficult to reverse that in any reasonable amount of time. However, quantum computers, for all the amazing benefits that they'll bring us, are able to actually reverse these mathematical operations very rapidly, putting much of our digital infrastructure at risk once we have a quantum computer at the right scale.

David: Thanks, Vikram. That's, um, that's crystal clear for me. Are we talking just sci-fi at this stage, you know? Are we talking about something that is a real risk today? What are we looking at in terms of the current kind of suite of cyber risks that people have faced? Is this really on the agenda?

Vikram: Yeah, a great question, David. Certainly, there's been research that's been happening in quantum computing over many, many years. Indeed, when the concept was first sort of proposed about 40-odd years ago, since then we've had steady progress, and as with any fundamentally deep technology, it's taken time to mature the physics that underlies it, and then actually translate that physics into computers that actually will be functional. As of the last seven, eight years, you start to see some of the leaders in this space have now produced quantum computers at small scale, and you look at leaders like IBM, Google, PsiQuantum, of course, which is well known in Australia, you have Silicon Quantum Computing, Diraq, even companies like Quantum Brilliance. So there's a mad race on at the moment, you could call it a sort of a global arms race of sorts, to really harness this technology at scale. Because once we get to scale, an incredible array of very valuable mathematical problems, which will have immediate beneficial consequences for our societies, will be able to be unlocked with the optimisation of various kinds of things. So, to your question, David, we are very much on the cusp, where in the next few years, if you look at the roadmaps of IBM and the many other players in the space, they suggest they'll have what they call the utility-scale quantum computer by '29, so that's a mere two or three years away now. And those utility-scale quantum computers will solve certain types of problems better than any of our best supercomputers can. So, I think we've really moved past the point originally of science fiction, where we can see really well-defined roadmaps that will achieve these quantum computers in the coming years,

Valeska: You say we're on the cusp, and obviously there's been a debate around timing going on for quite a few years now, but it certainly does feel as though things have changed, and you've obviously been working with Quintessence in this space since 2008. What is it about the past 12 months, or the time we're in right now, that makes you feel like that there is a realistic assessment for Q-Day in the next few years?

Vikram: I think it's the convergence of two factors. One is that you're seeing quantum computers, as we were just discussing, really making significant progress towards the realisation of real quantum computers at scale, so you see this uplift of quantum computing capability. At the same time, there have been major advances in quantum algorithms, so on the software side. So we've been sort of tracking this for a while, Valeska, and we saw back in somewhere around about 2014–2015, the estimate of the number of qubits, you know, the qubits that we talked about to break a particular kind of encryption we use today, called RSA-2048 bit, so a lot of our e-commerce is premised on the correct operation of that algorithm. That it was estimated back in 2014–15 to be about a billion qubits to break 2048 bit RSA in one or two days. That has progressively been coming down as brighter and brighter algorithm scientists have been working on this to the point where a few years ago it dropped to the hundreds of millions, down to the 10s of millions, and as of late last year, the sort of estimate was that it would be a million qubits. However, there was a paper that was published out of Caltech in the United States by a highly credible group of people that now suggests the number of qubits required for that 2048 bit RSA break is 100,000. So what you've seen is, as we said, you know, the number of qubits is going up and the number of qubits required to break RSA is coming down. Guidance that's coming out from many regulators around the world is increasingly suggesting that the risk profile beyond round about 2030 is going to be one that you would probably not want to carry. And therefore quite strong advisories, guidance, and in some cases regulation, that are requiring particularly sectors dealing with sensitive information to be quantum safe, quantum resilient by about 2030. Although, on the back of this announcement from Caltech that we were just talking about, Google felt that this was so significant, they previously had their timeline set to 2030 for the whole of Google to be quantum safe. They've actually pulled that in by a year to 2029. So, certainly I think we're seeing organisations around the world starting to recognise that the risk of cryptographically relevant quantum computer, as it's called, now starts to cross a threshold of tolerance, or which they consider appropriate somewhere around about that 2030 timeframe.

David:  Does that mean we can just wait until 2029 and, you know, everything that happens until that we're kind of good, and then Q-Day comes, and, you know, then we need to panic. Is it Y2K coming for RSA tokens near you?

Vikram: Yeah, a great question. So, given that you've mentioned Y2K, really interesting. There's a quote from a German called Steve Suarez, who's a senior advisor to McKinsey, and he said that this advent of quantum computing is going to trigger the biggest cryptographic transition in history, and in fact he specifically called out that this would be far larger than Y2K. So this is going to be a huge effort, and coming back to your first part of the question, you know, can we just wait till that day arrives and then, you know, snap our fingers and, hey, we're good, well, not quite that simple. Cryptography is embedded right into the bowels of our cybersecurity infrastructure globally, and it's buried very deeply, sometimes into code bases, which have millions of lines of code. And in that code, in many instances, it might say something like, if this field is a credit card number, use this encryption cipher to protect it, and so we have to go through all of these code bases, find where those encryptions are used, and then upgrade them to these new ciphers, new cryptographic mechanisms that are believed to be quantum resilient. So this effort is going to be a very significant one. For most large enterprises, the general estimate is that this transition process is a three- to-five year timeline that will be required for it. So should we choose to sit on our hands and just say, well, you know, I will deal with it when the time arrives, more than likely, that's not a good strategy, and exposing that organisation to extreme risk, if you're dealing with sensitive data. And in some cases, if we don't move in time, it indeed could be existential risk for some of those organisations.

David: I actually want to pick up on something you just said there, which I found was fascinating, which was you said that algorithms that are believed to be quantum-encryption resilient, are we confident that the quantum-resilient algorithms now will stay that way, or is it going to be a static once-off change, or is it going to be a change where you actually need to contemplate change in the future?

Vikram: This is not going to be a static once-off effort. Indeed, the National Institute of Standards in the United States has been running a competition since 2016 to find new kinds of mathematics that we believe will not be susceptible to quantum attack. About 18 months ago, they announced the first three standards of these quantum-resilient algorithms, and they rely on a type of mathematics that we believe to be resilient to quantum attack, but it is not provably so. In the advent of new quantum algorithms being developed, in the advent of quantum computers building more capability, there is that risk that these algorithms may not continue to be quantum safe. However, the National Institute of Standards is continuing its quest to develop, search for and standardise other algorithms, and they're optimised for different things. So, in that process, it's expected that over the next 10 years, something like 40 new standards will be announced. And if you average that out, it's one a quarter for a decade. So very much not every one of these new algorithms will apply to every organisation, but some will. So it's really critical that we, as we build out this new cybersecurity infrastructure, we build a new set of technologies, which have this characteristic called crypto agility, where you can support legacy ciphers, you can support extant ciphers today. These new ciphers are called PQC, post-quantum cryptography. But at the same time, recognising that it's not a one-shot game, more than likely in a few years' time we'll need to change them again. So we need to be agile to be able to ingest these new ciphers easily.

Valeska: So in addition to the mapping exercise that organisations need to be doing around their assets, and then how they are encrypted, and whether they have crypto agility, what are the other steps that organisations should be taking to manage this risk, both into the future, but also to address the issue around the harvest now, decrypt later issue, which is currently a risk for organisations,

Vikram: So the first is many organisations, particularly large ones, don't have a complete understanding of all the data sets they hold. So you should start with a mapping-out, exactly as you were saying, of all the data that you hold. Where does it reside? Who has access to it? What level of sensitivity  applies to that data. That's quite a non-trivial exercise for many organisations, particularly larger ones with geographically dispersed locations over which they might run their businesses. The second step is to understand what cryptographic mechanisms are current, if any are currently in place; so how's that data protected? Who has access to the encryption keys that protect that data? What security controls or policies have you enforced over the top of that? So, once you have those two data sets, it enables you to do a bit of a gap analysis. Okay, this is what I've got out of everything that I've got in my data holdings, this piece of it is the set of data that has some level of sensitivity, and there may be varying levels of sensitivity. Now, how is that protected today and where have I got gaps? That should give you a quite well-informed strategy about what you need to do to remediate those gaps. And, knowing that, then what we sort of suggested to a number of organisations, which they have been following this advice, is to start early stage, maybe even parallel with the discovery process, experimentation with quantum-safe technologies. Because often it's not just a case of taking a bit of software or a piece of hardware, dropping an infrastructure, and we're good. There's typically quite a lot of integration that's required, and as you experiment with these, often you'll find issues which on the surface don't appear so readily. Conducting those pilots or POC projects often is a great learning exercise. First of all, just to understand the complexity, but also to inform you of the resource requirements required to transition your entire enterprise. Doing that, this whole process, as we've said, it takes some time and resources, so we need to ensure that we've got the right budgetary allocations to be able to undertake this transition. And given that cybersecurity teams across almost every large enterprise have such a velocity of threats that are hitting them just every day, and trying to keep up to those with those, there's very little bandwidth to look at anything that's anywhere beyond the immediate. Therefore, the only way you can address this risk is by allocating additional budget and creating, in some sense, a dedicated team to be able to take this forward. So those are some of the early steps, that then gives you ability to make a roadmap, and then implementation. Hence, as we were saying earlier on, if you think about all these steps, you can see why it might take three-plus years for a large organisation to implement this successfully. To come back to your harvest-now decrypt-later question, so these are attacks where we have adversaries who are listening in to sensitive communications that are protected with today's encryption technologies. They're then taking those communications and storage is cheap, cents in the gigabyte or terabyte, even, and storing them away with the expectation that they will have quantum or even conventional compute capabilities that can break the encryptions protecting the data that they've captured. For data that's ephemeral, it doesn't matter, that will not be of value, but data which has some longevity associated with it, and there's many data sets, you know, which have 5, 10, 15, and more years of sensitivity. Those types of data are at risk today, because this activity, Booz Allen Hamilton, for example, put out a report a few years ago, highlighting that this was actively occurring today. So just closing the loop on that, you know, that those are data sets that are particularly at risk already today, even though we don't have a quantum computer, and organisations should really move post haste to protect those particular types of data.

Valeska: What you said before about how stretched cyber teams are, really, really resonates because they're dealing with previous threats, where perhaps, as you say, encrypted data has already been taken, and it's just a matter of time. The current threats, the AI-accelerated cyber threat, the quantum threat. And of course, the ASD in Australia has been putting out various reports and has said that organisations should have a comprehensive post-quantum transition plan by the end of this year. I'm really curious to hear how realistic you think that is, whether it's a sensible time frame, how likely it is that Australian industry will actually meet that time frame. Where is the maturity at, at the moment?

Vikram: So, a number of regulators, and I think ASD, in particular, has been quite prescient, and they were one of the earliest regulators that set what at that time seemed like a very aggressive timeline of 2030 to be quantum resilient. But as things have been playing out, I think they've been proven to really have been quite forward thinking and potentially having very good foresight, because as I was just sharing before, even Google, who has tremendous visibility, tremendous resources, have now moved their own timeline to 2029. So, again, if you look at it through a risk lens, that period, as we were discussing a little earlier, around about somewhere around 2030, you would feel that the risk for many organisations crosses a threshold of comfort. You don't know exactly when Q-Day will occur. It relies on scientific and engineering improvements, and indeed, in certain geographies, there's a tremendous amount of work that's going on behind the curtain that we are unaware of. So, in order not to be exposed to potential risk, I strongly agree with ASD's position, and increasingly other regulators around the world are concurring, or in some cases following suit, to suggest this date. In terms of the preparedness of our large organisations in Australia, I think that still is a challenge. As you said, there's only, you know, end of this year we should have our quantum transition plans. To do them properly is a non-trivial process, particularly as we suggested that they would be better informed in terms of building those plans, having conducted some pilot programs and POCs. And some, from what we're seeing, is that it's still work in progress and not clear that by the end of this year the types of organisations, particularly those operating under the critical infrastructure sector, which covers everything from supermarkets to banks to utilities, will have plans that are meaningful by that time frame. So I think the message we've been trying to take out, and ASD actually have been, as you said, quite active in raising this awareness, this year is the year of cyber awareness. And so ASD continues to do a great job in looking to educate organisations and trying to emphasise the need to develop these plans rapidly. So I guess I would just concur and double down on their guidance that boards of directors, C-suite, need to take ownership of this issue, support their cyber teams, resource them properly, so that they can complement all the valuable work that they're doing day to day with building something that will be required over the near to medium term.

David: Vikram, what you've described is obviously a pretty complex technology, you know, change program. It's not a, not a lift and shift, not a click or switch one day. And you've also kind of highlighted the challenges that cyber teams face, just with a sheer resourcing and capacity. How do organisations with legacy-type infrastructure and legacy systems, you know, manage where you've got a, particularly across areas where you may have a hodgepodge of different types of systems. Does the existence of legacy technology infrastructure kind of exacerbate some of those challenges?

Vikram: It does make it more complex. But this is where, David, you know, we were talking about crypto agility, that becomes critical, so that ability to support all the legacy systems, of which, of course, there, you know, if you think about the banking sector, we got records that go back many, many decades, which still need to be kept secure. Similarly, across healthcare and many, many other sectors as well. However, if we can implement systems that can concurrently support the historical, the today, and the future encryption technologies, that certainly eases the pathway. Still, it's going to be a very big transition, but by doing so, we can ease the way to be able to support the multitude of systems that we have support, and keep ourselves flexible enough to adopt the new ciphers as they, as they get announced. So that is an absolutely critical element of new infrastructure, cybersecurity infrastructure that's implemented. And certainly at QuintessenceLabs, that's one of the key value propositions with our technologies that we look to offer our stakeholders.

Valeska: There'll be a number of executives and directors who might be hearing about post-quantum cryptography for the first time, and others that have been brought sort of further along the journey. But what are the actions that you'd recommend they take over the next six to 12 months to oversee these sorts of risks adequately. And also I'd be interested to hear your views on how organisations should be framing these risks to make sure that they're getting the adequate investment and resource allocation that is required to do all of the things that you've been talking about.

Vikram: The good news is that we have solutions today already that can mitigate against this risk. And if you look at it in terms of cost of implementing these protective measures, in the scheme of the hundreds of millions of billions of dollars that are spent on cybersecurity by large corporations, they're actually not material. You can achieve this in quite a reasonably, reasonable budgetary allocation if the right resources are made available. So I guess the first bit would be just, just for boards of directors, familiarise themselves with the risk, and perhaps then put a lens in terms of how that risk plays out in terms of their organisations that they have stewardship for. Second would be, is to bring in the appropriate executives from their teams, and perhaps work with them to understand what strategies are being developed or being thought of, or planned even, to mitigate against this risk. And then, importantly, as we were discussing earlier, is to ensure that the right budgetary allocation is made to enable those teams then to be able to execute, because if we're going to try and scrape resources from what are already stretched teams, I think we'll just find that the adequate attention is not given to this very important transition. And we might find ourselves at some point so close to Q-Day that we actually don't have enough time to transition, and thereafter we've actually exposed our organisations to unacceptable risk, which actually probably comes back to your second question there is how we frame this. And we think a risk-based argument is the one that makes the most sense, because for many organisations, you know, as we're increasingly digital citizens, as most of our businesses become ones that leverage information, much more so than physical assets, the value of the organisations lies in that knowledge, and indeed in those data sets. So, as boards of directors sort of think that through, of, you know, what is the core set of assets that drive value in their organisations, I think they'll often find it's the data that's held there, and indeed intellectual property that's owned by those organisations. And then, if we think about, well, if, if any subsets of those, even, let alone the entirety, are compromised, what does that mean in terms of the business reputationally, or what does it mean commercially, and what would it take to remediate? I think once you start to ask those questions, very rapidly it becomes apparent that we should address this risk. We've got the technology to do so, it can be done so at a cost, which is really almost a rounding error on cybersecurity budgets, but it does need to be incremental, it's not zero. I think if we think about it that way, perhaps we'll start to see the right level of attention and urgency turned to this issue.

David: Many of those organisations will have regulatory frameworks that are ultimately kind of brought back to risk-based decisions and assessments about what are the threats facing them from an operational perspective, so if you're looking at critical infrastructure, if you're looking at financial services and prudently regulated organisations, you know, all of those sit within existing risk-based frameworks for managing the operational risks, and the kind of risk and threat you've just described is a foreseeable one, and that kind of does start playing directly into not only their risk-based frameworks, but their legal obligations, and how they must execute and operate on those legal obligations.

Valeska: And now that it's the subject of ASD guidance, organisations, I think, are well and truly on notice as well, especially when you look at how much the regulators are pointing to the ASD guidance.

Vikram: Absolutely. You know, this really falls in that category of known known. I think the only variability is exactly when, but I think if once you start thinking about it in risk terms, as more and more regulators around the world are suggesting, be ready by 2030. You know, it may occur a few years later, but the point is, it's asymmetric. If you're too late, you've really got a problem. If you're early, well, it's just good cyber hygiene, and you're better protected against harvest now, decrypt later attacks, for example.

David: Vikram, I'm wondering, do you know, with the work you've done with Quintessence, started to see any changes in the way insurance is assessing, you know, because you were looking at this from the realm of boards and, and the realm of C-suite, but often people can be motivated highly by how insurance, and how those risks are managed from an insurance perspective.

Vikram: So it's quite interesting you asked that question. I was two weeks ago at the World Economic Forum annual meeting on cybersecurity. So this is a gathering of well over 100 of the chief information security officers of some of the world's largest corporations, but there were insurers there as well, and certainly much as AI surfaces as a very large topic, the quantum risk increasingly was brought up, including by some of the folks in the insurance world. So it's early days, but it has certainly started to surface on their radars, and I think people are just starting to now turn their attention to how they would start to think about this risk, quantify it, and then ultimately, I imagine, insure against it.

Valeska: Vikram, looking ahead 5,10 years once post-quantum cryptography is widely deployed. Do you think we'll ever achieve genuine quantum resilience, or will there just be another thing?

Vikram: It's a really interesting question. As managers of risk, I think you generally find there's few things that you can reduce the risk to absolutely zero, and I would imagine the same applies here, as we said, with these PQCs. The idea is that we believe that they are resilient, and into the foreseeable future, even with people that are sort of looking at what the future developments could be with quantum computers. But of course that doesn't rule out all of a sudden some incredible new algorithm being found or some dramatic engineering development in quantum computing, so therefore you can never quite bring it down to zero. But I think you can take prudent steps to bring it to the level that way it would make sense, where you can put your hand on your heart and say we have done our best that we can to protect the organisation. But I guess I would note that there is a complementary technology that's also being developed, which at the moment is more perhaps being supported in places like Japan, Singapore, India, China, and EU, to some extent, called quantum key distribution. So while in particularly the Five Eyes countries, at the moment we prefer the PQC, the software-based approach, this approach of quantum key distribution gives you an alternative way to think about it, and where you're actually relying on the laws of physics, not mathematics, to transport encryption keys between two points. So some countries are considering implementing both technologies to give you, I guess, additional element of security.

David: Perhaps you might entangle the two options together. It sounds like forever quantum vigilant we'll have to be, I think. Thanks, Vikram. If we could leave the audience with one actual takeaway about quantum threats and preparedness, what would it be?

Vikram: I think that it's of ensuring that those custodians of the medium-term value of our organisation, so C-suite and the boards of directors, understand this risk and take ownership of it, and then develop plans, which, for their particular organisation, are reasonable and responsible, so they fulfil their duties to their stakeholders.

Valeska: One final question we always ask before we wrap up is, whether you've got a favorite cyber film TV show, podcast?

David: Or quantum physics.

Vikram: Looking at the quantum realm, I've always sort of found the books from, I don't know, if you know the science writer Yuval Harari, and who has actually done, you know, puts a fantastic historical lens into some deep research. And he's, over a number of his books, started to explore from several years ago, the impact of quantum technologies both broadly on our lives and indeed from a cryptographic perspective, so I'd always sort of enjoyed reading those. And then, as I said, interestingly, now it seems to be entering everyday conversation, where even, for example, CNN carried, as we said, a piece on it yesterday, and I guess a few years ago I had a bit of fun in doing a TED Talk on this area as well. So I guess those are a few thoughts on where you could find a bit more information about this, what we've been talking about.

Valeska: Fantastic. Well, thanks very much for joining us today. This has been great.

Vikram: Well, thanks for having me. Really enjoyed the conversation.

David: Thanks, Vikram.

Valeska: Dave, I'm surprised we only had one quantum joke from you.

David: All of my quantum jokes are currently not being observed, and so once they're being observed, then they'll be able to be captured as a podcast recording.

Valeska: Jokes aside, I thought that was great. He's got such a wonderful ability to explain these really technical concepts in very simple terms, and I think what really struck me was the urgency around all of this, despite the fact that cyber teams have so much on their plate already, that the fact that this planning exercise needs to start now, because the transition invariably takes several years, and frankly, organisations are already on notice because of the ASD guidance, not to mention other guidance that is already out there.

David: Yeah, I think particularly striking that the view that even probably some of the most well-resourced companies in Australia are still going to struggle to meet the first part of that hurdle and get through the first gate, which is even to have planning in place, and that, you know, that there is probably a way to go, and that, yes, it is on the agenda for some companies, but the need to be able to have a flexible implementation approach really struck me.

Valeska: And as with managing any kind of cyber risk, it really comes back to the fundamentals of data mapping, understanding your assets, where they are, how sensitive they are, and how they're protected, in order to then take the steps needed to mitigate some of these risks.

David: Yeah, that's right. And then the tech transformation and the transformation roadmap, I think the Y2K analogy is really powerful, and perhaps, you know, even more, you know, prescient than the kind of global panic that was happening. Well, let's not pretend I was practising then, but, you know, at that point in time, the idea that you don't want to find yourself in a position where you're suddenly scrambling in 2028 to try and work out where all your assets are and what your cryptography assets and how they're going to be done, because the work is going to take a while, and it's going to be one that needs to kind of proceed at a pace that's appropriate to manage that risk, but will need to be done cautiously and effectively over that time period.

Valeska: That's for everyone to do.

David: Yeah, I'll put myself in superposition now.

Valeska: Thanks for listening to this episode of The Cyber Brief. Check the show notes for resources from this episode, or visit allens.com.au/cyber for our latest thinking. Don't forget to follow to keep up to date on what's ahead for cyber risk, governance, and emerging threats as we interview some of the most respected voices in the industry.

Follow our podcast

In our new podcast series we will continue to unpack the key issues business leaders are facing and provide some real world examples and tips. Don't miss an episode, you can listen or watch on our website or follow us wherever you find your podcasts.