Mirela Ciobanu
02 Jul 2026 / 5 Min Read
Why are leaders ignoring a certain cybersecurity disaster? Bryant D. Nielson (Quantum Core Institute) details how to address quantum risk before standard encryption fails.
Your name is closely tied to Bitcoin treasury strategy and professional credentialing, but the Quantum Core Institute confronts a risk most organisations are only beginning to take seriously: the threat quantum computing poses to the cryptography that underpins modern finance.
I started the Quantum Core Institute because I kept watching smart organisations treat quantum risk as a science-fiction problem they could deal with after lunch, indefinitely. The security and compliance world is very good at the threats it can see this quarter. It's much worse at a threat that is certain to matter and inconvenient to schedule.
Post-quantum cryptography falls straight into that gap. Everyone agrees it's real, nobody wants to own it, and it keeps getting filed under ‘someday’.
The gap I wanted to fill wasn't technical. The math is being handled by people far smarter than me. The gap was governance: who is accountable, what gets inventoried, on what timeline, and how a board proves it actually did something other than nod along to a slide.
That's an organisational problem, and organisational problems are where I'm useful.
The phrase ‘harvest now, decrypt later’ comes up often in quantum-risk conversations.
It's a wonderfully cynical idea, which is why it works. An attacker doesn't need a quantum computer today to hurt you today. They copy your encrypted data now, sit on it, and decrypt it the moment the hardware catches up. Patience is free.
So, the real question isn't ‘when do quantum computers arrive’, it's ‘how long does this data need to stay secret’. If the answer is ten or fifteen years, and for a lot of financial and legal records it is, then the clock already started and you missed the start gun. That's why a CFO or chief risk officer should care now instead of later. ‘Later’ is precisely the assumption the attack is built to exploit. The uncomfortable part is there's no alarm when it happens. You simply find out, eventually, that the secret wasn't one.
QCI-QS1 is a governance standard, not a product you install. It asks an organisation to do the unglamorous work first: find every place cryptography is actually used, which is always more places than anyone expects, then rank those uses by how long each one has to stay secure and how painful migrating it would be. From there it sets ownership, timelines, and a way to show progress to a board or a regulator.
The reason it isn't a one-time IT upgrade is that there is no single ‘quantum patch’ to apply.
Your cryptography is buried in hardware, vendor contracts, certificates, protocols, and systems nobody has touched in years and is quietly afraid of. Migrating that is a multi-year program with dependencies, not a weekend.
Treating it as a checkbox is how you discover, three years in, that you never actually started.
The most dangerous blind spot is the cryptography you don't control directly.
Banks and payment networks obsess over their own systems, which is fine, but most of their real exposure lives in vendors, legacy middleware, and the long tail of integrations that quietly run the business.
You can be quantum-ready on paper and completely exposed through a settlement partner who isn't.
Digital-asset holders have their own version of this. The signatures protecting most wallets are exactly the kind quantum computers target, and ‘not your keys, not your coins’ takes on a darker meaning when the keys themselves age out.
As for who's furthest behind, it's rarely the largest institutions. It's the mid-sized firms with real obligations, thin security teams, and a comfortable belief that someone else, somewhere, is handling it.
Nobody is handling it for you. That's sort of the entire point.
Honestly? Boring reasons, not technical ones. No clear owner, no budget line, and a quiet hope that the deadline will slip. It won't.
NIST finalised the first standards in 2024, and mandates like NSA's CNSA 2.0 are already pointing at 2027, which in enterprise-program time is roughly tomorrow. What leaders should do in the next twelve months is unglamorous and entirely doable. Build an inventory of where cryptography lives and what it protects. Rank it by how long it needs to survive.
Start asking vendors and partners for their post-quantum roadmaps in writing, because their timeline just became your timeline. And put one accountable person in charge instead of spreading the responsibility so thin that it evaporates.
None of that requires a quantum computer or a genius. It requires deciding to start before it's an emergency, which is the one thing organisations are reliably bad at.
This interview was made possible following our meeting with Bryant at KuppingerCole Analysts' European Identity and Cloud Conference, held in Berlin in May.
About author

Bryant D. Nielson is a serial entrepreneur and educator focused on Bitcoin, blockchain, and quantum-era risk. He founded the Quantum Core Institute and the Satoshi Institute and chairs the Web3 Certification Board. He hosts the Bitcoin Alchemy podcast, wrote ‘The Bitcoin Treasury Playbook’, and advises corporate and public-sector leaders on digital assets, treasury strategy, and post-quantum cryptography readiness. He speaks internationally on emerging technology and enterprise risk.
About Quantum Core Institute (QCI)

The Quantum Core Institute helps organisations prepare for the day quantum computing breaks the cryptography they depend on today. It develops governance standards, executive briefings, and education around post-quantum cryptography readiness, including the QCI-QS1 Quantum Readiness Governance Standard. Its work turns an abstract future threat into a planned migration: helping enterprises, financial institutions, and public-sector bodies inventory their exposure and move to quantum-resistant systems before doing so becomes an emergency.