From Quantum Risk Awareness to Quantum Resilience

Quantum resilience is not about waiting for quantum computers to break today’s security—it is about building the organizational capability to see, adapt, and transform before tomorrow’s threats arrive.

Sanchez P.

7/17/202643 min read

Abstract

The emergence of quantum computing represents a fundamental challenge to the cryptographic foundations that underpin modern digital trust. Public-key cryptographic systems, including RSA and elliptic curve cryptography (ECC), support essential cybersecurity functions such as confidentiality, authentication, digital identity, secure communication, and software integrity. Although large-scale quantum computers capable of compromising these systems do not yet exist, advances in quantum algorithms and the potential for “harvest now, decrypt later” attacks create a strategic requirement for organizations to begin preparing for the transition towards quantum-safe security.

This paper examines quantum resilience as an organizational capability and explores the strategic, technological, and governance capabilities required for enterprises to successfully navigate the transition towards post-quantum cybersecurity. Drawing upon research in post-quantum cryptography, cybersecurity governance, enterprise risk management, digital resilience, and dynamic capabilities theory, the paper argues that quantum resilience extends beyond the deployment of quantum-resistant cryptographic algorithms. Instead, successful transition requires organizations to develop the ability to identify cryptographic dependencies, assess future exposure, govern migration activities, and maintain adaptability as cryptographic technologies and threat environments evolve.

The paper develops a conceptual framework consisting of four interconnected dimensions of quantum resilience: cryptographic visibility, risk-based prioritization, governance capability, and crypto-agility. Cryptographic visibility enables organizations to understand where cryptographic mechanisms exist across applications, infrastructure, cloud environments, and third-party dependencies. Risk-based prioritization supports informed decision-making by enabling organizations to allocate resources according to business criticality, data sensitivity, regulatory requirements, and migration complexity. Governance capability provides the structures, accountability mechanisms, and strategic alignment required to coordinate enterprise-wide transformation. Crypto-agility enables organizations to continuously adapt cryptographic architectures as standards, technologies, and security requirements change.

The analysis demonstrates that quantum resilience represents a socio-technical transformation challenge rather than a narrowly defined cybersecurity upgrade. Organizations that delay preparation may face increased migration complexity, operational disruption, and future security exposure. Conversely, organizations that develop proactive governance structures, comprehensive cryptographic visibility, risk-based migration strategies, and adaptive security architectures will be better positioned to preserve digital trust and operational resilience in the post-quantum era.

This paper contributes to cybersecurity management literature by positioning quantum resilience as a strategic organizational capability and highlighting the importance of governance, adaptability, and continuous transformation in managing emerging technological disruption.

Keywords: Quantum resilience; post-quantum cryptography; cybersecurity governance; cryptographic agility; digital resilience; enterprise risk management; dynamic capabilities; cybersecurity strategy

1. Introduction

1.1 Background and Research Context

Cryptography represents one of the most fundamental enabling technologies underpinning modern digital society. The security and reliability of contemporary information systems depend upon cryptographic mechanisms that provide confidentiality, integrity, authentication, and non-repudiation across increasingly interconnected digital environments. Financial transactions, electronic commerce, cloud computing, digital identity systems, healthcare platforms, software distribution, government services, and critical infrastructure all rely on cryptographic controls to establish trust between users, organizations, and technology platforms (Katz and Lindell, 2020).

As organizations have undergone accelerated digital transformation, cryptography has evolved from being a technical security mechanism into a strategic organizational dependency. The availability and reliability of cryptographic services directly influence operational continuity, regulatory compliance, customer confidence, and business competitiveness. Consequently, any disruption to the assumptions underpinning modern cryptographic systems represents not only a cybersecurity concern but also a strategic enterprise risk.

For several decades, organizations have relied heavily on asymmetric cryptographic algorithms, particularly RSA and elliptic curve cryptography (ECC), to support secure digital communication and authentication. These algorithms derive their security from mathematical problems that are considered computationally infeasible for classical computers, including integer factorization and discrete logarithms. This assumption has enabled widespread adoption of public-key cryptography across global information infrastructures.

However, the emergence of quantum computing challenges the long-term validity of these assumptions. Quantum computing represents a fundamentally different computational paradigm that exploits quantum mechanical phenomena, such as superposition and entanglement, to solve certain classes of problems more efficiently than classical computers (Nielsen and Chuang, 2010). While current quantum computers remain limited in scale and error correction capability, advances in quantum research indicate the possibility that future quantum systems may achieve the computational capability required to compromise widely deployed cryptographic algorithms.

The theoretical foundation for this concern was established by Shor (1994), who demonstrated that a sufficiently powerful quantum computer could efficiently solve integer factorization and discrete logarithm problems. This discovery showed that cryptographic algorithms such as RSA and ECC, which currently protect a significant proportion of global digital infrastructure, may become vulnerable in a future quantum computing environment.

The significance of this threat extends beyond the technical weakness of individual algorithms. Cryptography is deeply embedded throughout enterprise technology ecosystems, meaning that quantum disruption has implications across applications, infrastructure, identity systems, communication networks, software development processes, cloud services, and third-party technology dependencies. Therefore, the quantum challenge represents a systemic risk to digital trust rather than an isolated vulnerability affecting specific technologies.

1.2 The Strategic Nature of Quantum Risk

A defining characteristic of quantum risk is that it requires organizations to act before the threat becomes operationally immediate. Traditional cybersecurity management generally focuses on identifying and responding to existing vulnerabilities, active attacks, and observable threats. Quantum computing introduces a different category of strategic uncertainty: organizations must prepare for a future technological capability whose timing remains uncertain but whose consequences could be significant.

This creates a difficult risk management dilemma. Organizations must determine:

  • when quantum computing capabilities will become sufficient to threaten existing cryptography;

  • how quickly post-quantum alternatives will mature;

  • how long enterprise migration will require;

  • which information assets require protection against future decryption.

The challenge is intensified by the long lifespan of many sensitive information assets. Data protected today may require confidentiality for decades, meaning that future cryptographic compromise could expose information collected long before quantum computers become operationally capable.

One of the most significant manifestations of this risk is the emergence of “harvest now, decrypt later” (HNDL) attacks. Under this scenario, adversaries collect encrypted information today with the intention of decrypting it once sufficiently powerful quantum computers become available. This creates particular concern for information requiring long-term confidentiality, including government records, defence information, healthcare data, financial records, intellectual property, and strategic commercial information (Mosca, 2015).

Mosca (2015) argues that organizations should evaluate quantum risk according to three interacting factors:

  1. the estimated timeframe until quantum computers can compromise current cryptographic systems;

  2. the period for which sensitive information must remain confidential;

  3. the time required to complete migration to quantum-resistant alternatives.

This creates a migration urgency problem. Even if cryptographically relevant quantum computers are not currently available, organizations that delay preparation may discover that migration timelines exceed the available preparation window.

Therefore, quantum risk cannot be managed solely through reactive cybersecurity approaches. Instead, organizations require proactive capabilities that enable them to anticipate technological disruption and adapt before existing security assumptions become invalid.

1.3 The Emergence of Post-Quantum Cryptography

The potential threat posed by quantum computing has stimulated significant research into post-quantum cryptography (PQC): cryptographic algorithms designed to remain secure against both classical and quantum computing attacks.

Unlike traditional public-key cryptographic approaches, which depend upon mathematical problems vulnerable to quantum algorithms, PQC algorithms are based on alternative mathematical structures believed to resist quantum attacks. These include lattice-based cryptography, hash-based cryptography, code-based cryptography, and multivariate cryptographic systems (Bernstein, Buchmann and Dahmen, 2009).

The development of practical PQC standards has become a major international cybersecurity priority. The National Institute of Standards and Technology (NIST) initiated its Post-Quantum Cryptography Standardization programme to identify and standardize cryptographic algorithms suitable for widespread deployment (Alagic et al., 2020). This represents an essential step towards enabling organizations to transition away from vulnerable cryptographic mechanisms.

However, the availability of PQC algorithms does not automatically solve the enterprise quantum challenge. The assumption that quantum migration is simply a matter of replacing existing algorithms underestimates the complexity of modern technology environments.

Enterprise cryptographic dependencies are frequently distributed across:

  • applications;

  • operating systems;

  • network protocols;

  • certificates;

  • authentication systems;

  • cloud services;

  • embedded devices;

  • third-party platforms;

  • operational technology environments.

Many organizations lack complete visibility into where cryptography is deployed and how critical business processes depend upon cryptographic functions. As a result, the transition towards PQC requires substantial organizational coordination, planning, governance, and architectural change.

Therefore, the post-quantum challenge should not be understood merely as a cryptographic engineering problem. It represents a broader socio-technical transformation challenge requiring organizations to develop new capabilities for managing technological uncertainty.

1.4 From Quantum Readiness to Quantum Resilience

Existing discussions of quantum preparation frequently use concepts such as quantum readiness or quantum migration. While these concepts are valuable, they often emphasize technical implementation rather than the organizational capabilities required to sustain long-term adaptation.

This paper introduces the concept of quantum resilience as a broader organizational capability.

Quantum resilience is defined as:

The ability of an organization to anticipate quantum-related cryptographic risks, understand its cryptographic dependencies, govern migration activities effectively, and continuously adapt security architectures as technological conditions evolve.

This definition builds upon established research in cybersecurity resilience and organizational capability theory.

Cyber resilience research emphasizes that effective security requires organizations not only to prevent disruption but also to anticipate, adapt, recover, and transform in response to changing environments (Linkov et al., 2013; Duchek, 2020).

Similarly, cybersecurity research increasingly recognizes that security is not solely a technical function but a strategic organizational responsibility involving governance, risk management, and business alignment (von Solms and van Niekerk, 2013).

Quantum resilience therefore extends traditional cybersecurity thinking by emphasizing proactive adaptation. Organizations must not only protect against current threats but also develop the capability to manage future technological disruption.

1.5 Theoretical Foundation: Dynamic Capabilities Perspective

This paper adopts dynamic capabilities theory as its primary theoretical lens. Dynamic capability theory explains how organizations adapt, renew, and transform their resources in response to changing environmental conditions (Teece, Pisano and Shuen, 1997).

Teece (2007) identifies three central dimensions of dynamic capability:

  • Sensing emerging threats and opportunities;

  • Seizing appropriate strategic responses;

  • Transforming organizational resources and processes.

This framework is particularly relevant to quantum resilience.

Organizations must first sense the emerging quantum threat by understanding technological developments, cryptographic vulnerabilities, and regulatory expectations.

They must then seize opportunities to respond by establishing governance structures, allocating resources, and developing migration strategies.

Finally, they must transform their security architectures by adopting quantum-resistant cryptography and developing crypto-agile capabilities.

Through this perspective, quantum resilience becomes an example of organizational adaptation under technological uncertainty.

The key strategic question is therefore not simply:

"When will quantum computers break existing encryption?"

but rather:

"Does the organization possess the capabilities required to identify, manage, and adapt to cryptographic disruption before it creates unacceptable risk?"

1.6 Research Gap

Although research into quantum computing and post-quantum cryptography has expanded significantly, existing literature remains predominantly focused on technical challenges.

Current research has provided substantial contributions regarding:

  • quantum algorithms;

  • cryptographic vulnerability;

  • PQC mathematical foundations;

  • algorithm standardization.

However, comparatively limited attention has been directed towards the organizational capabilities required to execute enterprise-scale quantum migration.

This represents an important research gap because organizations will not experience quantum disruption at the level of individual algorithms. They will experience it through complex socio-technical systems involving technology dependencies, governance challenges, operational constraints, regulatory expectations, and strategic investment decisions.

Understanding quantum resilience therefore requires integrating insights from cryptography, cybersecurity governance, organizational resilience, and strategic management.

1.7 Research Question and Objectives

This paper addresses the following research question:

How can organizations develop the strategic capabilities required to transition from traditional cryptographic security models towards quantum-resilient cybersecurity architectures?

To address this question, the paper pursues four objectives:

  1. Examine the emerging quantum threat to modern cryptographic systems.

  2. Analyse post-quantum migration as an organizational transformation challenge.

  3. Develop a conceptual framework for quantum resilience as an organizational capability.

  4. Identify governance and strategic practices that support enterprise transition towards quantum-safe security.

1.8 Contribution of the Research

This paper contributes to cybersecurity management literature in three ways.

First, it extends discussions of post-quantum migration beyond technical algorithm replacement by positioning quantum resilience as an organizational capability.

Second, it integrates dynamic capability theory with cybersecurity resilience research to explain how organizations can prepare for uncertain technological disruption.

Third, it proposes a four-dimensional quantum resilience framework consisting of:

  1. Cryptographic visibility — understanding where cryptographic dependencies exist;

  2. Risk-based prioritization — allocating resources according to business impact;

  3. Governance capability — coordinating enterprise-wide transformation;

  4. Crypto-agility — enabling continuous adaptation.

Through this framework, the paper argues that organizations most capable of navigating the post-quantum era will not necessarily be those that adopt quantum-resistant technologies first, but those that develop the organizational capabilities required to continuously manage cryptographic change.

2. Literature Review

2.1 Introduction

The emergence of quantum computing represents a disruptive technological development with significant implications for cybersecurity, digital trust, and organizational resilience. While considerable research has focused on the technical development of quantum-resistant cryptographic algorithms, the broader organizational challenge of preparing enterprises for quantum disruption remains comparatively underexplored.

Existing research on post-quantum security has largely concentrated on three technical questions:

  1. Which cryptographic systems are vulnerable to quantum attack?

  2. Which mathematical approaches can provide quantum-resistant alternatives?

  3. How should post-quantum cryptographic algorithms be standardized and implemented?

These questions are essential; however, they represent only one dimension of the broader transition challenge. Enterprise adoption of post-quantum cryptography will require organizations to identify existing cryptographic dependencies, prioritize migration activities, coordinate stakeholders, manage operational disruption, and establish long-term adaptability. Therefore, quantum resilience represents not only a cryptographic challenge but also an organizational capability challenge.

This literature review examines the theoretical foundations necessary to understand quantum resilience as an enterprise capability. It explores four interconnected research areas:

  1. The quantum threat to modern cryptographic infrastructure;

  2. The development and limitations of post-quantum cryptography;

  3. Quantum migration as an organizational transformation challenge;

  4. Cyber resilience, governance, and dynamic capabilities as foundations for quantum resilience.

The review concludes by identifying a research gap: although technical research on quantum-resistant cryptography is extensive, limited academic attention has been given to the organizational capabilities required to successfully manage quantum transition.

2.2 Quantum Computing and the Disruption of Cryptographic Assumptions
2.2.1 The Classical Cryptographic Security Model

Modern digital security depends heavily on cryptographic systems that enable secure communication, authentication, and information protection. Cryptography provides the foundation for digital trust by allowing organizations to verify identities, protect sensitive information, and establish secure interactions across distributed networks (Katz and Lindell, 2020).

Public-key cryptography, introduced through the work of Diffie and Hellman (1976), transformed digital security by enabling secure communication without requiring previously shared secret keys. Systems such as RSA and elliptic curve cryptography became fundamental components of internet security because their underlying mathematical problems were considered computationally infeasible for classical computers.

RSA security depends primarily on the difficulty of factoring large integers, while elliptic curve cryptography relies on the difficulty of solving discrete logarithm problems. These mathematical assumptions have supported decades of secure digital infrastructure.

However, these assumptions are not universally secure. They depend on limitations in classical computing capability. The emergence of quantum computing challenges these foundations by introducing computational methods capable of solving certain mathematical problems substantially more efficiently.

2.2.2 Quantum Computing as a Cryptographic Disruption

The relationship between quantum computing and cryptography changed fundamentally following Shor’s (1994) development of a quantum algorithm capable of efficiently solving integer factorization and discrete logarithm problems.

Shor’s algorithm demonstrated that sufficiently powerful quantum computers could compromise many widely deployed public-key cryptographic systems, including RSA and elliptic curve cryptography. This discovery created a fundamental security challenge because these algorithms underpin many critical digital services, including secure web communications, digital signatures, identity systems, and software authentication mechanisms.

The impact of quantum computing therefore extends beyond individual cryptographic algorithms. Cryptography operates as a foundational trust infrastructure embedded throughout modern digital ecosystems. A failure of cryptographic assumptions would have implications across governments, financial institutions, healthcare providers, technology companies, and critical infrastructure operators.

However, quantum risk differs from traditional cybersecurity threats because exploitation depends on future technological capability rather than current attacker capability. This creates a unique strategic uncertainty.

Mosca (2015) argues that organizations must consider not only the future availability of quantum computers but also the confidentiality lifetime of protected information and the duration required for migration. This creates a temporal risk problem: information encrypted today may require protection beyond the point where quantum attacks become feasible.

2.3 Harvest Now, Decrypt Later and the Problem of Long-Term Data Protection

A major concern associated with quantum computing is the possibility of harvest now, decrypt later (HNDL) attacks.

Unlike conventional cyberattacks, where adversaries exploit existing vulnerabilities immediately, HNDL attacks involve collecting encrypted information today and storing it until future quantum capabilities allow decryption.

This creates a particularly significant concern for information assets with extended confidentiality requirements, including:

  • government intelligence;

  • defence information;

  • healthcare records;

  • financial data;

  • intellectual property;

  • scientific research.

The strategic implication is that organizations cannot measure quantum risk solely by considering when quantum computers become available. Instead, they must evaluate whether the information they protect remains valuable beyond the expected migration period.

Mosca (2015) suggests that this creates a “cryptographic migration window” problem, where organizations must begin transition activities before quantum computers become a practical threat.

This represents a departure from traditional cybersecurity approaches, which generally prioritize current vulnerabilities. Quantum resilience requires organizations to adopt anticipatory risk management practices.

2.4 Post-Quantum Cryptography: Technical Solution and Organizational Challenge
2.4.1 Development of Quantum-Resistant Algorithms

Post-quantum cryptography (PQC) has emerged as the primary technical response to the quantum threat. PQC aims to develop cryptographic algorithms capable of resisting attacks from both classical and quantum computers.

Research has focused on several mathematical approaches, including:

  • lattice-based cryptography;

  • hash-based cryptography;

  • code-based cryptography;

  • multivariate cryptography.

Lattice-based approaches have received significant attention due to their combination of security properties and practical implementation potential (Bernstein, Buchmann and Dahmen, 2009).

The development of standardized PQC algorithms has been accelerated through NIST’s Post-Quantum Cryptography Standardization project, which seeks to establish cryptographic standards suitable for global deployment (Alagic et al., 2020).

This represents an important milestone because standardization provides organizations with greater confidence regarding future cryptographic adoption.

However, standardization does not eliminate the organizational complexity of migration.

2.4.2 The Limitations of Algorithm-Centric Approaches

A significant limitation in existing discussions of quantum preparedness is the assumption that the primary challenge is selecting appropriate replacement algorithms.

In practice, enterprise cryptographic migration is significantly more complex.

Organizations operate environments where cryptographic mechanisms may exist within:

  • application code;

  • operating systems;

  • hardware security modules;

  • communication protocols;

  • certificates;

  • cloud services;

  • vendor-managed platforms;

  • embedded technologies.

Many organizations do not possess complete visibility into their cryptographic dependencies. Consequently, they may be unable to determine:

  • which systems require migration;

  • which algorithms are currently deployed;

  • which applications depend on vulnerable cryptographic components;

  • which business processes could be affected.

This suggests that the primary barrier to quantum resilience is not necessarily cryptographic availability but organizational capability.

The existence of PQC algorithms provides a technical solution; however, organizations require governance, visibility, and transformation capabilities to implement that solution effectively.

2.5 Quantum Migration as an Organizational Transformation Challenge
2.5.1 Technology Transformation and Organizational Capability

Research in information systems demonstrates that successful technology transformation depends on more than technical implementation. Organizations must align technology adoption with processes, governance structures, skills, and strategic objectives (Bharadwaj et al., 2013).

Quantum migration reflects this challenge because cryptographic systems are deeply embedded within organizational processes.

Replacing cryptographic mechanisms may require:

  • application redesign;

  • infrastructure modification;

  • supplier coordination;

  • regulatory assessment;

  • workforce capability development;

  • operational testing.

Therefore, quantum migration represents a socio-technical transformation rather than a conventional cybersecurity upgrade.

2.5.2 Dynamic Capabilities and Quantum Adaptation

Dynamic capabilities theory provides a useful framework for understanding how organizations respond to technological uncertainty.

Teece, Pisano and Shuen (1997) argue that organizations achieve sustained adaptability through their ability to integrate, build, and reconfigure resources in changing environments.

Teece (2007) further develops this perspective through three capabilities:

Sensing

Organizations must identify emerging quantum risks and understand their potential implications.

Seizing

Organizations must mobilize resources, establish governance, and implement strategic responses.

Transforming

Organizations must redesign systems and processes to maintain long-term adaptability.

Applied to quantum resilience, dynamic capability theory suggests that organizations should not wait until quantum threats become operationally immediate. Instead, they should develop capabilities that allow continuous adaptation.

2.6 Cyber Resilience and the Evolution of Security Thinking

Traditional cybersecurity approaches have historically emphasized prevention and protection through technical controls. However, increasing complexity and uncertainty have encouraged a shift towards cyber resilience.

Cyber resilience emphasizes an organization’s ability to anticipate, withstand, recover from, and adapt to disruptive events (Linkov et al., 2013).

This perspective is particularly relevant to quantum resilience because organizations cannot eliminate uncertainty regarding quantum development timelines. Instead, they must develop adaptive capabilities that allow them to respond effectively as conditions evolve.

Duchek (2020) conceptualizes organizational resilience as a capability consisting of:

  1. Anticipation;

  2. Coping;

  3. Adaptation.

These dimensions closely align with quantum resilience requirements.

Organizations must anticipate quantum threats.

They must cope with migration complexity.

They must adapt cryptographic architectures continuously.

Therefore, quantum resilience can be viewed as a specific manifestation of broader organizational resilience theory.

2.7 Cybersecurity Governance and Enterprise Responsibility

Cybersecurity research increasingly recognizes that security is not solely a technical responsibility but an organizational governance challenge.

Von Solms and van Niekerk (2013) argue that cybersecurity represents an evolution from information security towards a broader discipline involving governance, risk management, and organizational accountability.

This perspective is highly relevant to quantum resilience because responsibility for cryptographic migration extends beyond cybersecurity teams.

Quantum transition affects:

  • executive leadership;

  • enterprise architecture;

  • software development;

  • procurement;

  • compliance;

  • legal functions;

  • operational teams.

IT governance research emphasizes the importance of clearly defined decision rights and accountability structures in managing complex technology initiatives (Weill and Ross, 2004).

Therefore, effective quantum resilience requires governance mechanisms capable of coordinating enterprise-wide transformation.

2.8 Crypto-Agility as a Long-Term Resilience Capability

One of the most significant lessons from quantum computing is that cryptographic assumptions cannot be considered permanent.

Historically, organizations have often deployed cryptographic mechanisms as long-lived infrastructure components. However, future advances in cryptanalysis, regulation, and technology may create additional requirements for cryptographic change.

Crypto-agility refers to the ability of organizations to replace and adapt cryptographic mechanisms efficiently when required.

A crypto-agile organization possesses:

  • modular security architectures;

  • standardized cryptographic interfaces;

  • effective key management processes;

  • cryptographic lifecycle governance;

  • continuous monitoring capabilities.

Crypto-agility therefore represents more than technical flexibility. It represents an organizational capability supporting continuous adaptation.

2.9 Literature Review Summary and Research Gap

The literature demonstrates that quantum resilience represents a multidimensional challenge requiring integration between cryptographic technology, organizational governance, and strategic capability development.

Several conclusions emerge.

First, quantum computing threatens fundamental assumptions underlying widely deployed cryptographic systems. Although practical quantum attacks remain uncertain, long-term confidentiality requirements create pressure for early preparation.

Second, post-quantum cryptography provides essential technical solutions but does not independently resolve enterprise migration challenges.

Third, successful quantum transition requires organizational capabilities including visibility, governance, prioritization, and adaptability.

Despite increasing research into PQC, existing academic literature has focused primarily on technical cryptographic development rather than organizational readiness.

This creates a significant research gap:

How can organizations develop the capabilities required to manage quantum-driven cryptographic transformation effectively?

This paper addresses this gap by conceptualizing quantum resilience as an organizational capability composed of four dimensions:

  1. Cryptographic visibility;

  2. Risk-based prioritization;

  3. Governance capability;

  4. Crypto-agility.

This framework provides the foundation for analysing how organizations can move beyond quantum awareness towards sustainable post-quantum resilience.

3. Quantum Resilience as an Organizational Capability

3.1 Introduction: From Technical Preparedness to Organizational Capability

The transition towards quantum-resilient cybersecurity requires a conceptual shift away from viewing quantum computing as solely a cryptographic problem and towards understanding it as a broader organizational transformation challenge. Although post-quantum cryptography (PQC) provides the technical foundation required to mitigate future quantum-enabled attacks, the successful implementation of PQC across complex enterprise environments depends upon organizational capabilities that extend beyond algorithm selection and cryptographic engineering.

Existing research on cybersecurity increasingly demonstrates that effective security outcomes are shaped by the interaction between technological controls, organizational processes, governance structures, and strategic decision-making capabilities (von Solms and van Niekerk, 2013; Craigen, Diakun and Verner, 2014). This perspective is particularly relevant to quantum resilience because organizations must prepare for a future technological disruption while facing uncertainty regarding its timing, severity, and operational implications.

This chapter argues that quantum resilience should be conceptualized as a dynamic organizational capability: the ability of an organization to anticipate quantum-related cryptographic risks, develop visibility into cryptographic dependencies, govern migration activities, and continuously adapt security architectures as technological and threat environments evolve.

This conceptualization extends existing discussions of quantum readiness. Much of the existing literature on post-quantum security focuses on cryptographic algorithm development, mathematical security assumptions, and standardization efforts (Bernstein, Buchmann and Dahmen, 2009; Alagic et al., 2020). While these contributions are essential, they provide limited insight into how organizations should practically manage the socio-technical complexity of transitioning thousands of interconnected systems from existing cryptographic mechanisms towards quantum-resistant alternatives.

The organizational challenge is therefore not simply:

"Can quantum-resistant algorithms be developed?"

but rather:

"Can organizations develop the capabilities required to identify, govern, implement, and continuously evolve cryptographic security mechanisms in response to technological disruption?"

Addressing this question requires applying theories of organizational adaptation and resilience.

3.2 Theoretical Foundation: Dynamic Capabilities and Quantum Resilience

Dynamic capabilities theory provides a suitable theoretical lens for understanding how organizations prepare for disruptive technological change. Originally developed from the resource-based view of the firm, dynamic capability theory explains how organizations maintain competitiveness by adapting, integrating, and reconfiguring resources in changing environments (Teece, Pisano and Shuen, 1997).

Unlike traditional capability perspectives, which emphasize possessing valuable resources, dynamic capabilities focus on an organization's ability to modify those resources as environmental conditions change. This distinction is critical for quantum resilience because the primary challenge is not simply acquiring post-quantum cryptographic technology but developing the ability to repeatedly adapt cryptographic practices over time.

Teece (2007) identifies three fundamental components of dynamic capability:

  1. Sensing — identifying emerging technological threats and opportunities;

  2. Seizing — mobilizing resources and implementing strategic responses;

  3. Transforming — continuously reconfiguring organizational assets and processes.

These three dimensions provide a useful framework for understanding enterprise quantum resilience.

3.2.1 Sensing Quantum Cryptographic Disruption

The sensing capability represents an organization's ability to recognize emerging risks before they become immediate operational problems. In traditional cybersecurity management, organizations often respond to known vulnerabilities, active attacks, or regulatory requirements. Quantum risk differs because organizations must act before the threat becomes practically exploitable.

Effective sensing requires organizations to develop awareness of:

  • developments in quantum computing capability;

  • cryptographic vulnerabilities;

  • emerging regulatory expectations;

  • industry migration timelines;

  • the confidentiality requirements of organizational data.

This aligns with broader cybersecurity risk management research, which emphasizes that resilient organizations require the ability to anticipate future threats rather than merely respond to current incidents (Linkov et al., 2013).

Mosca (2015) argues that quantum risk management requires organizations to consider three variables:

  1. the time until quantum computers become capable of breaking current cryptographic systems;

  2. the required confidentiality lifetime of protected information;

  3. the time required to migrate enterprise systems.

This relationship creates a strategic planning challenge. Even if cryptographically relevant quantum computers remain years away, organizations may already face risk because migration itself may require substantial preparation, testing, and implementation time.

Therefore, sensing capability requires organizations to recognize quantum computing not as a distant technological possibility but as a strategic risk requiring proactive assessment.

3.2.2 Seizing Quantum Resilience Opportunities

The second component of dynamic capability theory involves transforming awareness into strategic action. For quantum resilience, this involves establishing governance structures, allocating resources, prioritizing migration activities, and developing organizational expertise.

A significant challenge is that cybersecurity investment decisions are often influenced by immediate operational risks. Organizations frequently prioritize vulnerabilities that present current exploitation opportunities rather than emerging future threats. However, delaying quantum preparation may create significant future costs because cryptographic migration is likely to become increasingly complex as organizations accumulate additional technology dependencies.

This challenge reflects a broader principle within enterprise risk management: uncertainty does not eliminate the need for strategic preparation. Rather, uncertainty often increases the importance of developing flexible capabilities capable of responding to multiple future scenarios (Kaplan and Mikes, 2012).

Seizing capability therefore requires organizations to:

  • establish executive ownership of quantum resilience;

  • integrate quantum risk into enterprise risk frameworks;

  • allocate resources for cryptographic discovery and migration;

  • develop partnerships with vendors and technology providers;

  • establish migration priorities based on business impact.

Without these capabilities, organizations may possess awareness of quantum risk but lack the ability to convert awareness into effective action.

3.2.3 Transforming Enterprise Security Architecture

The final component of dynamic capability theory concerns transformation: the ability of organizations to modify existing structures, processes, and technologies.

Quantum resilience requires transformation because existing cryptographic infrastructures were not designed for rapid cryptographic replacement. Many organizations operate environments where cryptographic functions are embedded within legacy applications, proprietary platforms, hardware devices, and third-party services.

Consequently, transformation requires more than deploying new algorithms. It requires organizations to redesign security architectures, modernize legacy systems, establish cryptographic governance processes, and embed adaptability into future technology decisions.

This aligns with research on digital transformation, which emphasizes that successful technological change depends upon organizational restructuring and capability development rather than technology adoption alone (Bharadwaj et al., 2013; Warner and Wäger, 2019).

From this perspective, quantum resilience represents a form of strategic digital transformation: organizations must redesign foundational security capabilities to remain effective within a changing technological environment.

3.3 A Four-Dimensional Model of Quantum Resilience

Based on the theoretical foundations discussed above, this paper proposes that quantum resilience consists of four interconnected organizational capabilities:

  1. Cryptographic visibility;

  2. Risk-based prioritization;

  3. Governance capability;

  4. Crypto-agility.

These capabilities represent the organizational mechanisms through which enterprises can move from quantum awareness towards sustainable resilience.

3.3.1 Cryptographic Visibility

Cryptographic visibility represents the organization's ability to identify, classify, and understand cryptographic mechanisms deployed throughout its digital ecosystem.

This capability is foundational because organizations cannot effectively manage quantum exposure without understanding where vulnerable cryptographic mechanisms exist. Unlike traditional IT assets, cryptographic dependencies are frequently hidden within software applications, libraries, communication protocols, certificates, cloud services, and embedded technologies.

Research in cybersecurity resilience emphasizes that effective protection depends upon understanding critical assets, dependencies, and vulnerabilities (Bodeau and Graubart, 2017). However, many organizations possess limited visibility into cryptographic usage because cryptography is often implemented as an underlying technical function rather than managed as an enterprise asset.

This creates several challenges:

  • unknown exposure to quantum-vulnerable algorithms;

  • inability to prioritize migration activities;

  • increased operational risk during transition;

  • difficulty demonstrating regulatory readiness.

A mature cryptographic visibility capability requires organizations to establish cryptographic inventories that document:

  • cryptographic algorithms currently deployed;

  • systems relying on vulnerable mechanisms;

  • certificate dependencies;

  • encryption requirements;

  • third-party cryptographic relationships.

This capability is analogous to software asset management and software bills of materials (SBOMs), where transparency into dependencies enables improved security management (CISA, 2023). However, cryptographic visibility extends this concept by focusing specifically on the security mechanisms protecting enterprise information.

Therefore, cryptographic visibility represents the foundation upon which all other quantum resilience capabilities depend.

3.3.2 Risk-Based Prioritization

The second capability involves determining which cryptographic dependencies require the earliest migration attention.

A simplistic approach to quantum migration would suggest replacing all vulnerable algorithms immediately. However, enterprise environments contain thousands of systems with different levels of sensitivity, criticality, and migration complexity.

Risk-based prioritization recognizes that quantum exposure is influenced by multiple variables:

  • confidentiality requirements;

  • data retention periods;

  • regulatory obligations;

  • operational importance;

  • technical complexity;

  • third-party dependencies.

This approach aligns with established enterprise risk management principles, which emphasize prioritizing resources according to potential business impact rather than technical vulnerability alone (Kaplan and Mikes, 2012).

For example, encrypted intellectual property requiring decades of confidentiality may require earlier migration than transactional systems where information loses value quickly. Similarly, critical infrastructure systems may require extended planning periods because changes must be carefully tested to avoid operational disruption.

Therefore, quantum resilience requires organizations to move beyond a binary question:

"Is this system vulnerable?"

towards a more strategic question:

"What is the organizational consequence if this cryptographic dependency becomes vulnerable?"

This shift represents a transition from vulnerability management towards strategic risk management.

3.3.3 Governance Capability

Governance capability refers to the organizational structures and decision-making mechanisms required to coordinate quantum migration.

Cryptographic decisions have historically been distributed across multiple technology teams, application owners, suppliers, and infrastructure providers. While this decentralized approach may have been acceptable when cryptographic technologies changed slowly, quantum migration introduces the need for enterprise-wide coordination.

IT governance research demonstrates that successful technology initiatives require clearly defined decision rights, accountability structures, and alignment between technology investments and organizational objectives (Weill and Ross, 2004).

Quantum governance therefore requires:

  • executive sponsorship;

  • defined ownership of cryptographic risk;

  • enterprise cryptographic policies;

  • cross-functional migration teams;

  • supplier governance mechanisms;

  • reporting structures.

The governance challenge is significant because quantum resilience crosses traditional organizational boundaries.

Cybersecurity teams manage security requirements.

Enterprise architects manage technical dependencies.

Application teams implement changes.

Procurement manages supplier relationships.

Legal and compliance teams evaluate obligations.

Business leaders determine strategic priorities.

Without governance capability, quantum migration risks becoming fragmented and inconsistent.

3.3.4 Crypto-Agility

The final capability is crypto-agility: the ability of organizations to modify cryptographic mechanisms efficiently as technologies, vulnerabilities, and standards evolve.

Historically, cryptographic systems have often been treated as stable infrastructure components with long operational lifecycles. However, the quantum challenge demonstrates that cryptographic assumptions can change significantly over time.

Crypto-agility requires organizations to develop architectures and processes that enable:

  • algorithm replacement;

  • automated cryptographic management;

  • flexible security architectures;

  • continuous monitoring;

  • rapid response to cryptographic vulnerabilities.

The importance of crypto-agility extends beyond quantum computing. Future developments in cryptanalysis, regulatory requirements, and technological innovation are likely to create additional cryptographic challenges.

Therefore, crypto-agility represents the long-term sustainability mechanism of quantum resilience.

From a dynamic capabilities perspective, crypto-agility represents an organization's ability to repeatedly transform its security capabilities in response to environmental change (Teece, 2007).

3.4 Discussion: Quantum Resilience as Strategic Capability

The four-dimensional model demonstrates that quantum resilience represents a higher-order organizational capability composed of interconnected technological and managerial capabilities.

Cryptographic visibility enables organizations to understand their environment.

Risk-based prioritization enables informed resource allocation.

Governance capability enables coordinated transformation.

Crypto-agility enables continuous adaptation.

Together, these capabilities transform quantum resilience from a reactive cybersecurity initiative into a strategic organizational capability.

This perspective contributes to cybersecurity management literature by extending existing discussions of post-quantum migration beyond cryptographic engineering. While technical innovation remains essential, organizational success depends upon the ability to manage complexity, coordinate transformation, and sustain adaptability.

This argument is consistent with broader research on organizational resilience, which suggests that resilient organizations are distinguished not merely by their ability to withstand disruption but by their capacity to continuously evolve in response to changing conditions (Duchek, 2020).

Quantum computing therefore represents not only a cryptographic challenge but also a test of organizational adaptability.

3.5 Chapter Summary

This chapter has developed the theoretical foundation for understanding quantum resilience as an organizational capability.

Drawing upon dynamic capabilities theory, cybersecurity governance research, and resilience literature, the chapter argues that quantum resilience requires four complementary capabilities:

  1. Cryptographic visibility — understanding where cryptographic dependencies exist;

  2. Risk-based prioritization — directing resources towards the most significant exposures;

  3. Governance capability — coordinating enterprise-wide transformation;

  4. Crypto-agility — enabling continuous adaptation as cryptographic environments evolve.

The development of these capabilities allows organizations to move beyond reactive security approaches and establish a proactive strategic posture for the post-quantum era.

The following chapter examines the governance and leadership implications of quantum resilience, focusing on executive responsibility, organizational decision-making, enterprise risk integration, and the strategic role of leadership in managing cryptographic transformation.

4. Governance and Leadership Implications

4.1 Introduction

The transition towards quantum-resilient cybersecurity represents a fundamental governance challenge as much as a technological one. While post-quantum cryptography provides the technical mechanisms required to address quantum-enabled threats, successful implementation depends upon organizational structures capable of coordinating complex, long-term transformation.

Unlike conventional cybersecurity initiatives, which often focus on addressing existing vulnerabilities or improving defensive controls, quantum resilience requires organizations to make strategic decisions under conditions of uncertainty. The absence of immediately exploitable quantum threats creates a challenge for leadership because investment decisions must be justified based on future risk rather than current operational impact.

This uncertainty creates the possibility that quantum preparedness may be deprioritized in favour of more immediate cybersecurity concerns. However, delaying action introduces significant strategic exposure because enterprise-wide cryptographic migration is likely to require substantial time, resources, and coordination. Consequently, governance mechanisms are required to ensure that quantum resilience becomes integrated into enterprise risk management rather than treated as a specialist technical concern.

This chapter argues that effective quantum resilience requires a shift from technology-focused security management towards enterprise-level governance. Leadership must establish accountability, align investment decisions with organizational risk priorities, and create the conditions required for continuous cryptographic adaptation.

4.2 Quantum Resilience as an Enterprise Governance Challenge

Traditional approaches to information security governance have often focused on controlling access, protecting information assets, and ensuring compliance with security requirements. However, contemporary cybersecurity challenges increasingly demonstrate that effective security requires broader organizational coordination involving strategy, governance, risk ownership, and business alignment (von Solms and van Niekerk, 2013).

Quantum resilience extends this challenge because cryptographic dependencies exist throughout the enterprise rather than within isolated security systems.

Cryptographic technologies support:

  • customer-facing applications;

  • authentication and identity management;

  • financial transactions;

  • software signing;

  • cloud services;

  • operational technology;

  • third-party integrations.

Therefore, responsibility for quantum transition cannot reside exclusively within cybersecurity departments. A successful migration requires participation from multiple organizational stakeholders, including:

  • executive leadership;

  • chief information security officers;

  • enterprise architects;

  • technology leaders;

  • application owners;

  • procurement teams;

  • legal and compliance functions;

  • business units.

This distributed dependency creates a governance challenge: organizations require mechanisms that establish ownership and coordinate decision-making across diverse stakeholders.

IT governance research highlights that complex technology environments require clearly defined decision rights, accountability structures, and strategic alignment between technology investments and organizational objectives (Weill and Ross, 2004).

Applied to quantum resilience, governance must answer fundamental questions:

  • Who owns cryptographic risk?

  • Who is responsible for maintaining cryptographic inventories?

  • Who determines migration priorities?

  • How are quantum risks incorporated into enterprise risk assessments?

  • How are third-party dependencies managed?

Without clear governance ownership, organizations risk fragmented responses, inconsistent implementation, and inefficient resource allocation.

4.3 Executive Leadership and Strategic Risk Ownership

Executive leadership plays a critical role in transforming quantum resilience from a technical initiative into an organizational priority.

Cybersecurity research increasingly recognizes that senior leadership involvement is a significant factor influencing security effectiveness. Security failures often result not from the absence of technical controls but from inadequate governance, unclear responsibility, and insufficient strategic attention (Bulgurcu, Cavusoglu and Benbasat, 2010).

Quantum resilience presents a particularly important leadership challenge because the benefits of preparation are primarily preventative. Unlike investments addressing active vulnerabilities, quantum migration produces value by reducing future uncertainty and avoiding potential disruption.

This creates a strategic communication challenge. Leaders must understand that the absence of immediate quantum attacks does not indicate the absence of risk.

A mature leadership approach requires viewing quantum resilience through the principles of enterprise risk management. The relevant question is not:

"Is quantum computing currently breaking our encryption?"

but rather:

"Will our organization be able to protect critical information and maintain digital trust when cryptographic assumptions change?"

This shift requires executives to incorporate quantum considerations into broader strategic planning processes, including:

  • technology roadmaps;

  • cybersecurity strategies;

  • digital transformation initiatives;

  • supplier management;

  • regulatory planning.

4.4 Integrating Quantum Risk into Enterprise Risk Management

Enterprise risk management (ERM) provides a framework for identifying, assessing, and responding to organizational risks across strategic, operational, financial, and compliance domains.

The Committee of Sponsoring Organizations (COSO) argues that effective risk management requires organizations to integrate risk considerations into strategy formulation and decision-making rather than treating risk as an isolated compliance activity (COSO, 2017).

Quantum risk aligns closely with this perspective because its consequences extend beyond cybersecurity.

Potential impacts include:

Operational risk

Cryptographic migration may disrupt critical applications, services, and business processes if poorly managed.

Regulatory risk

Future regulations may require organizations to demonstrate appropriate preparation for cryptographic transition.

Financial risk

Emergency migration activities may create significant unplanned costs if organizations delay preparation.

Strategic risk

Loss of digital trust caused by cryptographic compromise could negatively affect reputation and competitive position.

Therefore, quantum resilience should be incorporated into enterprise risk frameworks alongside other emerging technology risks.

A mature governance approach would include:

  • quantum risk assessment within cybersecurity risk processes;

  • executive reporting mechanisms;

  • defined risk ownership;

  • investment planning;

  • migration accountability.

4.5 Governance Structures for Quantum Migration

Effective quantum transition requires formal governance structures capable of coordinating long-term transformation.

A potential governance model could include a cross-functional quantum resilience steering committee involving representatives from:

  • cybersecurity;

  • enterprise architecture;

  • infrastructure;

  • software engineering;

  • compliance;

  • procurement;

  • business operations.

Such a structure provides several benefits.

First, it creates organizational visibility of quantum-related risks.

Second, it enables coordinated prioritization of migration activities.

Third, it ensures that business requirements are considered alongside technical requirements.

Fourth, it improves communication between technical and executive stakeholders.

This approach reflects broader research on cybersecurity governance, which suggests that security effectiveness depends on organizational integration rather than isolated technical expertise (von Solms and van Niekerk, 2013).

However, governance structures must avoid becoming purely administrative mechanisms. Effective governance requires decision-making authority, measurable objectives, and accountability.

For example, organizations may establish governance metrics including:

  • percentage of cryptographic assets inventoried;

  • number of critical systems assessed;

  • migration progress against roadmap milestones;

  • third-party quantum readiness status;

  • percentage of systems supporting crypto-agility.

These measures transform quantum resilience from an abstract objective into a measurable organizational capability.

4.6 The Role of Governance in Developing Cryptographic Visibility

One of the most significant governance challenges associated with quantum migration is establishing cryptographic visibility.

Many organizations maintain detailed inventories of hardware, applications, and infrastructure assets; however, cryptographic dependencies are often poorly documented.

This creates a governance problem because organizations cannot effectively manage risks they cannot identify.

Cryptographic visibility requires coordinated ownership of:

  • algorithm inventories;

  • certificate management;

  • encryption dependencies;

  • cryptographic libraries;

  • third-party integrations.

Responsibility for this information cannot remain fragmented across individual technology teams.

Instead, organizations require enterprise-wide governance processes that establish:

  • common cryptographic standards;

  • reporting requirements;

  • lifecycle management processes;

  • ownership responsibilities.

This demonstrates the relationship between governance capability and technical resilience: governance provides the organizational mechanisms required to create visibility and enable informed decision-making.

4.7 Leadership, Dynamic Capabilities, and Organizational Transformation

Dynamic capability theory provides a useful perspective for understanding leadership’s role in quantum resilience.

Teece (2007) argues that organizations operating in uncertain environments must develop capabilities to:

  1. Sense emerging changes;

  2. Seize opportunities for adaptation;

  3. Transform organizational resources.

Leadership is central to each of these activities.

Sensing

Executives must recognize quantum computing as a strategic technology development rather than a distant technical possibility.

Seizing

Leaders must allocate resources, establish governance structures, and initiate migration planning.

Transforming

Leaders must support architectural modernization and cultural change required for long-term cryptographic adaptability.

From this perspective, leadership responsibility is not simply approving cybersecurity investments. It is enabling organizational transformation.

Organizations with strong leadership capability will be better positioned to manage uncertainty because they can mobilize resources before external pressure forces action.

4.8 Governance as a Foundation for Crypto-Agility

Crypto-agility requires not only flexible technology architectures but also governance processes that support continuous change.

Without governance, organizations may repeatedly encounter the same challenge: cryptographic technologies become deeply embedded, making future replacement expensive and disruptive.

Governance enables crypto-agility through:

  • standardized cryptographic policies;

  • lifecycle management processes;

  • technology architecture principles;

  • approved cryptographic frameworks;

  • continuous monitoring.

Therefore, crypto-agility should be understood as both a technical and organizational capability.

A technically flexible architecture without governance may still result in fragmented decision-making.

Conversely, governance without architectural flexibility may create policies that cannot be practically implemented.

Quantum resilience therefore requires alignment between governance capability and technological capability.

4.9 Chapter Summary

The transition towards quantum resilience requires organizations to reconsider how cybersecurity decisions are governed. Quantum migration cannot be managed effectively as a narrow technical project because cryptographic dependencies extend across enterprise systems, business processes, and stakeholder relationships.

This chapter has demonstrated that governance and leadership are foundational components of quantum resilience.

Effective governance requires:

  • enterprise ownership of cryptographic risk;

  • integration with enterprise risk management;

  • cross-functional coordination;

  • measurable accountability;

  • executive sponsorship.

Leadership plays a critical role by transforming quantum resilience from a future technical concern into a strategic organizational capability.

Through the lens of dynamic capabilities theory, effective leadership enables organizations to sense emerging quantum risks, mobilize resources, and transform security architectures before disruption occurs.

Ultimately, organizations that establish strong governance foundations will be better positioned to navigate the post-quantum transition. Quantum resilience is therefore not achieved solely through adopting new cryptographic algorithms; it depends upon the ability of organizations to govern, adapt, and continuously evolve their approach to digital trust.

5. Migration Strategy: From Awareness to Implementation

5.1 Introduction

The transition towards quantum-resilient cybersecurity requires organizations to move beyond recognizing quantum risk and develop structured capabilities for managing cryptographic transformation. Although post-quantum cryptographic (PQC) standards provide the technical foundation required to address future quantum threats, successful migration depends upon organizational readiness, strategic planning, governance maturity, and the ability to manage complex technological dependencies.

Unlike conventional cybersecurity improvement initiatives, quantum migration cannot be approached as a simple technology replacement exercise. Modern enterprises rely on cryptography throughout highly interconnected technology ecosystems, including applications, networks, identity platforms, cloud environments, operational technologies, and third-party services. Consequently, replacing vulnerable cryptographic mechanisms requires organizations to understand their current state, evaluate exposure, prioritize investment, and implement change without compromising operational continuity.

This challenge reflects a broader principle within digital transformation research: technology adoption creates value only when supported by complementary organizational capabilities, processes, and governance mechanisms (Bharadwaj et al., 2013).

Therefore, quantum migration should be understood as a long-term enterprise transformation programme rather than a discrete cybersecurity project.

This chapter proposes a five-stage migration strategy:

  1. Awareness and education;

  2. Cryptographic discovery and visibility;

  3. Risk assessment and prioritization;

  4. Migration planning and implementation;

  5. Development of crypto-agility.

These stages represent a capability-building journey through which organizations progress from understanding quantum risk towards achieving sustainable quantum resilience.

5.2 Stage One: Awareness and Education
5.2.1 Establishing Organizational Understanding

The first requirement for quantum resilience is the development of organizational awareness. Before organizations can implement technical solutions, stakeholders must understand why quantum risk represents a strategic cybersecurity challenge.

Unlike traditional vulnerabilities, quantum risk does not present as an immediate technical failure requiring urgent remediation. Instead, it represents a future disruption requiring proactive preparation. This creates a communication challenge because investment decisions must be justified before the threat becomes visible.

Research on cybersecurity governance demonstrates that security effectiveness depends significantly on organizational awareness, leadership commitment, and employee understanding of security objectives (Bulgurcu, Cavusoglu and Benbasat, 2010).

Quantum awareness therefore must extend beyond cybersecurity specialists.

Relevant stakeholders include:

  • executive leadership;

  • security teams;

  • enterprise architects;

  • software developers;

  • infrastructure teams;

  • procurement functions;

  • compliance professionals;

  • business owners.

Each stakeholder group requires different levels of understanding.

Executives require awareness of strategic risk, investment requirements, and business impact.

Technical teams require understanding of cryptographic dependencies, PQC technologies, and migration requirements.

Procurement and supplier management teams require awareness of third-party cryptographic dependencies.

5.2.2 Building the Business Case for Quantum Resilience

A major challenge associated with emerging technology risks is gaining organizational commitment before measurable impacts occur.

Quantum resilience requires a shift from reactive cybersecurity investment towards anticipatory risk management.

The business case should therefore focus on:

  • protecting long-term confidentiality;

  • reducing future migration disruption;

  • maintaining regulatory readiness;

  • preserving stakeholder trust;

  • strengthening overall cybersecurity maturity.

Rather than presenting quantum migration solely as a defensive cybersecurity expense, organizations should position it as an investment in long-term digital resilience.

This approach aligns with dynamic capability theory, which suggests that organizations create strategic advantage by developing capabilities before environmental disruption occurs (Teece, 2007).

5.3 Stage Two: Cryptographic Discovery and Asset Visibility
5.3.1 Establishing Cryptographic Awareness

The second stage involves creating visibility into the organization’s existing cryptographic environment.

This represents one of the most significant challenges in quantum migration because cryptographic dependencies are often poorly documented.

While organizations commonly maintain inventories of:

  • hardware assets;

  • applications;

  • users;

  • networks;

they frequently lack comprehensive knowledge of:

  • cryptographic algorithms in use;

  • encryption dependencies;

  • certificate lifecycles;

  • cryptographic libraries;

  • embedded security functions.

Without this visibility, organizations cannot accurately determine quantum exposure.

5.3.2 Developing a Cryptographic Inventory

A cryptographic inventory should identify where cryptography exists across the enterprise.

Relevant areas include:

Applications

Organizations must identify applications using vulnerable algorithms, encryption libraries, and authentication mechanisms.

Infrastructure

Network devices, servers, storage platforms, and security appliances may contain embedded cryptographic dependencies.

Identity Systems

Authentication mechanisms, certificates, and digital signatures require assessment because they often depend on public-key cryptography.

Cloud Services

Cloud platforms introduce additional complexity because organizations may rely on provider-managed cryptographic services.

Third Parties

Supplier systems, software vendors, and managed services may represent hidden cryptographic dependencies.

This process transforms cryptographic visibility from a technical activity into a governance capability.

As Bodeau and Graubart (2017) argue, cyber resilience requires organizations to understand critical assets, dependencies, and relationships within complex technology environments.

5.3.3 Challenges of Cryptographic Discovery

Cryptographic discovery is difficult because cryptography is frequently invisible to business users and application owners.

Several challenges exist:

  • undocumented legacy systems;

  • outdated software libraries;

  • third-party dependencies;

  • decentralized technology ownership;

  • insufficient cryptographic lifecycle management.

These challenges demonstrate why quantum resilience requires organizational coordination rather than isolated technical assessment.

5.4 Stage Three: Risk Assessment and Prioritization
5.4.1 Moving from Visibility to Decision-Making

Once organizations understand their cryptographic environment, they must determine where migration effort should be focused.

A common mistake is to assume that all cryptographic systems require equal urgency. In practice, migration priorities should be determined through risk-based analysis.

This aligns with enterprise risk management principles, which emphasize allocating resources according to organizational impact rather than treating all risks equally (COSO, 2017).

5.4.2 Risk Prioritization Criteria

A mature quantum risk assessment should consider several dimensions.

Data Sensitivity and Confidentiality Lifetime

Information requiring long-term confidentiality should receive priority because it may be vulnerable to harvest now, decrypt later attacks.

Examples include:

  • intellectual property;

  • healthcare information;

  • financial records;

  • government information.

Business Criticality

Systems supporting essential business operations should be prioritized because disruption during migration could significantly affect organizational performance.

Regulatory Requirements

Organizations operating in regulated sectors may face increasing expectations regarding cryptographic preparedness.

Technical Complexity

Legacy systems and highly integrated platforms may require longer migration timelines and therefore should be assessed early.

Third-Party Dependency

External suppliers may introduce additional risk where organizations lack direct control over cryptographic implementation.

5.4.3 Creating a Migration Roadmap

Risk assessment enables organizations to develop practical migration sequencing.

Rather than attempting immediate enterprise-wide replacement, organizations should establish phased approaches based on:

  • business impact;

  • technical feasibility;

  • regulatory expectations;

  • resource availability.

This reduces operational disruption and enables continuous learning throughout the transition.

5.5 Stage Four: Migration Planning and Implementation
5.5.1 Developing a Structured Migration Approach

Following assessment and prioritization, organizations can begin implementation planning.

However, migration must recognize that cryptographic replacement may affect system compatibility, performance, availability, and operational processes.

A successful migration strategy should incorporate:

  • architectural planning;

  • testing environments;

  • stakeholder coordination;

  • supplier engagement;

  • phased deployment.

5.5.2 Hybrid Cryptographic Approaches

During transition periods, organizations may adopt hybrid cryptographic approaches that combine existing algorithms with post-quantum alternatives.

Hybrid approaches provide several advantages:

  • reduced transition risk;

  • improved interoperability;

  • additional security assurance;

  • gradual adoption.

However, hybrid approaches also introduce complexity because organizations must manage multiple cryptographic mechanisms simultaneously.

Therefore, hybrid deployment should be supported by strong governance and lifecycle management processes.

5.5.3 Supplier and Ecosystem Coordination

Modern enterprises rarely operate entirely independent technology environments.

Cloud providers, software vendors, hardware manufacturers, and managed service providers all influence cryptographic readiness.

Consequently, quantum migration requires ecosystem-level coordination.

Organizations should evaluate:

  • supplier PQC roadmaps;

  • contractual requirements;

  • technology dependencies;

  • service provider readiness.

This reinforces the argument that quantum resilience is an enterprise capability rather than an internal cybersecurity initiative.

5.6 Stage Five: Developing Crypto-Agility
5.6.1 Beyond One-Time Migration

The final stage of quantum resilience involves developing crypto-agility.

Crypto-agility represents the ability of an organization to replace cryptographic technologies efficiently as requirements evolve.

This capability is increasingly important because quantum computing is unlikely to represent the final disruption to cryptographic security.

Future challenges may emerge from:

  • new cryptanalytic techniques;

  • regulatory changes;

  • technological evolution;

  • emerging vulnerabilities.

Therefore, organizations must avoid recreating the same problem by implementing PQC in rigid architectures.

5.6.2 Characteristics of Crypto-Agile Organizations

A crypto-agile organization typically demonstrates:

Modular Architecture

Cryptographic components can be replaced without extensive system redesign.

Lifecycle Management

Cryptographic assets are continuously monitored and updated.

Standardized Processes

Organizations maintain consistent approaches to cryptographic implementation.

Continuous Governance

Cryptographic decisions remain subject to ongoing oversight.

Crypto-agility therefore represents the practical expression of dynamic capability theory within cybersecurity.

Organizations develop resilience by continuously sensing change and transforming their security architecture accordingly (Teece, 2007).

5.7 Summary of the Migration Strategy

The transition towards quantum resilience requires organizations to progress through a structured capability-development process.

The five-stage migration approach demonstrates that successful preparation involves more than adopting quantum-resistant algorithms.

The five-stage migration approach represents a progressive capability-development journey through which organizations move from initial awareness of quantum risk towards long-term quantum resilience. The first stage, awareness and education, establishes organizational understanding by ensuring that key stakeholders recognize the strategic implications of quantum computing and the potential impact on existing cryptographic systems. Without sufficient awareness, quantum resilience initiatives may remain isolated within technical teams and fail to achieve the executive support and organizational alignment required for successful implementation.

The second stage, cryptographic discovery, develops enterprise visibility by enabling organizations to identify where cryptographic mechanisms exist, understand their dependencies, and determine which systems may be affected by future quantum threats. This visibility provides the foundation for informed decision-making because organizations cannot effectively manage cryptographic risk without first understanding their current environment.

The third stage, risk assessment, enables strategic prioritization by allowing organizations to evaluate cryptographic exposure according to factors such as data sensitivity, business criticality, regulatory requirements, and migration complexity. Rather than attempting immediate replacement of all cryptographic systems, organizations can use risk-based approaches to allocate resources effectively and focus efforts on the areas of greatest potential impact.

The fourth stage, migration implementation, supports controlled transformation by enabling organizations to transition towards quantum-resistant cryptographic solutions through structured planning, testing, and phased deployment. This approach reduces operational disruption while ensuring that security improvements remain aligned with business requirements and technology dependencies.

The final stage, crypto-agility, establishes continuous adaptation by ensuring that organizations can modify and evolve cryptographic mechanisms as technologies, standards, and threat environments change. Rather than viewing quantum migration as a one-time project, crypto-agility enables organizations to maintain long-term resilience through ongoing monitoring, governance, and architectural flexibility.

Together, these capabilities enable organizations to move beyond reactive cybersecurity practices focused on responding to existing threats and towards proactive resilience models based on anticipation, adaptation, and continuous transformation. Quantum resilience therefore represents not simply the implementation of new cryptographic technologies, but the development of organizational capabilities that allow enterprises to manage future cybersecurity disruption effectively.

Stage

Primary Capability Developed

The central argument of this chapter is that quantum migration should be viewed as an organizational transformation programme supported by technology, governance, and adaptive capability.

Organizations that begin developing these capabilities early will have greater control over migration timelines, reduced operational disruption, and stronger ability to preserve digital trust in the post-quantum era.

6. Discussion

6.1 Introduction

The emergence of quantum computing represents a significant strategic challenge for cybersecurity because it questions the long-term assumptions upon which modern digital trust has been constructed. Although cryptographically relevant quantum computers capable of compromising widely deployed public-key cryptographic systems do not currently exist, the potential consequences of such capabilities require organizations to begin preparing before the threat becomes operationally immediate.

This paper has argued that quantum resilience should not be conceptualized as a narrow technical problem concerned solely with replacing vulnerable cryptographic algorithms. Instead, it should be understood as a broader organizational capability involving technological preparedness, governance maturity, risk management, and continuous adaptation.

The findings developed throughout this research suggest that successful preparation for the post-quantum era depends on an organization’s ability to develop four interconnected capabilities: cryptographic visibility, risk-based prioritization, governance capability, and crypto-agility. Together, these capabilities enable organizations to transition from reactive security management towards proactive resilience.

This discussion examines the implications of this argument by considering quantum resilience through the perspectives of cybersecurity strategy, organizational capability development, and enterprise transformation.

6.2 Quantum Resilience as a Strategic Cybersecurity Capability

A central contribution of this paper is the positioning of quantum resilience as an organizational capability rather than a technology implementation activity.

Traditional cybersecurity approaches have historically emphasized protection against current and observable threats, including malware, vulnerabilities, unauthorized access, and active cyberattacks. While these approaches remain essential, quantum risk introduces a different strategic challenge because organizations must prepare for a future technological capability whose timing remains uncertain.

This creates a fundamental difference between traditional cybersecurity management and quantum resilience.

Traditional security practices often follow a reactive model:

  1. identify vulnerability;

  2. implement mitigation;

  3. restore security posture.

Quantum resilience requires a proactive model:

  1. anticipate future disruption;

  2. understand organizational exposure;

  3. develop adaptive capabilities before disruption occurs.

This distinction aligns with the concept of dynamic capabilities proposed by Teece (2007), where organizations achieve resilience by developing the ability to sense environmental changes, seize opportunities for adaptation, and transform existing resources and processes.

Applied to quantum resilience, organizations must first sense the emerging cryptographic disruption by understanding quantum developments and assessing potential exposure. They must then seize opportunities for adaptation through investment, governance, and migration planning. Finally, they must transform their security architectures by developing flexible and crypto-agile environments.

Therefore, the strategic value of quantum resilience lies not only in reducing future quantum risk but also in strengthening the organization’s broader capacity to respond to technological change.

6.3 The Importance of Cryptographic Visibility as a Foundation Capability

One of the most significant findings of this research is that cryptographic visibility represents a foundational capability for quantum resilience.

Although organizations typically maintain extensive inventories of applications, infrastructure, and information assets, cryptographic dependencies often remain poorly understood. This creates a significant management challenge because organizations cannot effectively assess or reduce risks that they cannot identify.

The complexity of modern digital environments increases this challenge. Cryptographic mechanisms may exist across:

  • applications;

  • databases;

  • cloud services;

  • identity platforms;

  • network protocols;

  • third-party technologies;

  • embedded systems.

Consequently, quantum migration cannot begin effectively without establishing a comprehensive understanding of the cryptographic environment.

This finding reinforces broader cybersecurity resilience research, which emphasizes the importance of asset visibility and dependency management in managing complex technology ecosystems (Bodeau and Graubart, 2017).

However, cryptographic discovery should not be interpreted merely as an operational inventory exercise. Instead, it represents a strategic governance capability because it enables organizations to make informed decisions regarding risk, investment, and migration sequencing.

The implication for organizations is significant: those without cryptographic visibility may struggle to respond effectively when quantum migration becomes a regulatory, operational, or security requirement.

6.4 Risk-Based Prioritization and the Management of Uncertainty

A key challenge associated with quantum resilience is determining how organizations should invest in preparation when the timeline for quantum threats remains uncertain.

The uncertainty surrounding quantum computing creates a strategic dilemma. Investing too early may involve significant expenditure before immediate security benefits are visible. However, delaying preparation may expose organizations to greater costs, reduced flexibility, and accelerated migration pressures in the future.

This challenge reflects broader principles within enterprise risk management, where organizations must evaluate not only the probability of an event occurring but also the potential consequences and preparation requirements associated with that event (COSO, 2017).

Quantum risk is particularly complex because impact depends on multiple factors:

  • when cryptographically relevant quantum computers become available;

  • how long sensitive data requires protection;

  • how quickly organizations can migrate;

  • how rapidly standards and regulations evolve.

Therefore, a purely probability-based approach to quantum risk is insufficient.

Instead, organizations should consider the relationship between:

time to potential quantum capability
and
time required for enterprise migration.

If migration requires several years, then waiting until quantum capabilities emerge may already represent a strategic failure.

This supports the argument that quantum resilience requires forward-looking risk management rather than conventional vulnerability management.

6.5 Governance Capability as a Critical Success Factor

The analysis demonstrates that governance capability is essential because quantum migration affects the entire enterprise rather than a single technology function.

Cryptographic decisions have historically been distributed across different teams, resulting in fragmented ownership and inconsistent practices. While this approach may have been acceptable when cryptographic technologies changed slowly, the emergence of quantum risk requires greater coordination.

Effective governance requires:

  • executive ownership;

  • clear accountability;

  • cross-functional collaboration;

  • integration with enterprise risk management;

  • measurable migration objectives.

This supports the argument of von Solms and van Niekerk (2013), who suggest that cybersecurity has evolved beyond technical information security into a broader governance discipline involving organizational strategy and decision-making.

A key implication is that organizations should avoid treating quantum resilience as the responsibility of cybersecurity teams alone. Security specialists may provide technical expertise, but enterprise leadership must establish the strategic direction, investment priorities, and organizational structures required for successful transformation.

Without governance maturity, even technically strong PQC implementations may fail because organizations lack the coordination required to deploy and maintain them effectively.

6.6 Crypto-Agility and the Future of Cybersecurity Resilience

A further contribution of this research is the emphasis on crypto-agility as a long-term resilience capability.

The historical challenge with cryptographic systems is that once deployed, they often become deeply embedded within technology environments. This creates operational dependency and makes future replacement costly and disruptive.

Quantum computing demonstrates the limitations of this approach. Cryptographic assumptions that remain secure today may become inadequate as technological capabilities evolve.

Therefore, organizations must move towards security architectures that support continuous cryptographic adaptation.

Crypto-agility provides several strategic benefits:

  • reduced migration complexity;

  • faster response to cryptographic vulnerabilities;

  • improved compliance readiness;

  • lower long-term security costs.

However, crypto-agility should not be understood solely as a technical architecture characteristic. It also requires organizational processes, governance structures, and lifecycle management capabilities.

In this sense, crypto-agility represents the practical application of dynamic capability theory within cybersecurity. Organizations demonstrate resilience when they can continuously modify their security capabilities in response to environmental change (Teece, 2007).

6.7 Quantum Resilience as a Socio-Technical Transformation

The findings of this paper suggest that quantum resilience represents a socio-technical transformation challenge.

Technology alone cannot deliver resilience. Post-quantum algorithms, although essential, do not solve broader organizational challenges such as:

  • identifying cryptographic dependencies;

  • coordinating migration activities;

  • managing supplier relationships;

  • allocating resources;

  • maintaining operational continuity.

Successful transition requires alignment between:

  • technology capabilities;

  • governance structures;

  • organizational processes;

  • leadership commitment.

This perspective aligns with research in digital transformation, which emphasizes that technology-driven change requires complementary organizational capabilities rather than isolated technological adoption (Bharadwaj et al., 2013).

Therefore, quantum resilience should be viewed as part of a broader evolution in cybersecurity management, where organizations increasingly compete on their ability to anticipate, adapt, and transform.

6.8 Implications for Cybersecurity Leadership

For cybersecurity leaders, the findings create several practical implications.

First, quantum resilience should be incorporated into strategic cybersecurity planning rather than treated as a future technical concern.

Second, organizations should prioritize cryptographic discovery because visibility represents the foundation upon which all migration decisions depend.

Third, leadership should establish governance mechanisms that create accountability across technology and business functions.

Fourth, organizations should invest in crypto-agile architectures that reduce future dependence on rigid cryptographic implementations.

These actions represent a shift from traditional cybersecurity thinking towards resilience-oriented security management.

The organizations best positioned for the post-quantum era will not necessarily be those that adopt quantum-resistant algorithms first. Instead, they will be those that develop the organizational capabilities required to manage continuous cryptographic evolution.

6.9 Chapter Summary

This chapter has demonstrated that quantum resilience represents a strategic organizational capability rather than a purely technical cybersecurity initiative.

The discussion has shown that successful preparation depends on four interconnected capabilities:

  • Cryptographic visibility, which enables organizations to understand their current exposure;

  • Risk-based prioritization, which supports effective allocation of resources;

  • Governance capability, which provides strategic coordination and accountability;

  • Crypto-agility, which enables continuous adaptation.

Together, these capabilities allow organizations to move from reactive cybersecurity practices towards proactive resilience models.

The significance of quantum resilience extends beyond preparing for quantum computing. The broader lesson is that organizations operating in environments of technological uncertainty must develop the ability to anticipate disruption, adapt capabilities, and continuously transform their security approaches.

Quantum computing therefore represents not only a challenge to cryptographic systems but also a test of organizational adaptability. Enterprises that develop strong governance, visibility, and adaptive capabilities will be better positioned to preserve digital trust and operational resilience in the post-quantum era.

7. Conclusion

The emergence of quantum computing represents one of the most significant future challenges to the foundations of modern digital security. Contemporary digital ecosystems rely extensively on cryptographic mechanisms to establish trust, protect sensitive information, authenticate identities, and secure communications. However, advances in quantum computing challenge the mathematical assumptions underlying widely deployed public-key cryptographic systems, creating the possibility that current security mechanisms may become vulnerable in the future.

Although the timeline for achieving cryptographically relevant quantum computing capabilities remains uncertain, organizations cannot evaluate quantum risk solely according to the current state of quantum technology. The long confidentiality requirements of sensitive information, combined with the possibility of “harvest now, decrypt later” attacks, mean that migration planning must begin before quantum threats become operationally immediate. The complexity and scale of enterprise cryptographic dependencies further reinforce the need for proactive preparation.

This paper has argued that quantum resilience should not be understood as a technical exercise focused exclusively on replacing vulnerable cryptographic algorithms with post-quantum alternatives. While post-quantum cryptography represents an essential component of future security architectures, successful transition requires broader organizational capabilities that enable enterprises to understand, govern, and continuously adapt their cryptographic environments.

The research developed a conceptual framework consisting of four interconnected dimensions of quantum resilience.

First, cryptographic visibility provides the foundation for effective preparation by enabling organizations to identify where cryptographic mechanisms exist and understand their relationship with critical business processes. Without accurate visibility into cryptographic dependencies, organizations cannot effectively evaluate exposure, establish migration priorities, or coordinate enterprise-wide transformation.

Second, risk-based prioritization enables organizations to manage uncertainty by directing resources towards systems and information assets requiring the greatest level of protection. Because migration across complex technology environments will require significant time, investment, and coordination, organizations must adopt structured approaches that consider factors including data sensitivity, business criticality, regulatory expectations, technical complexity, and third-party dependencies.

Third, governance capability ensures that quantum resilience is managed as an enterprise strategic initiative rather than an isolated cybersecurity activity. Effective governance establishes accountability, enables cross-functional coordination, integrates quantum risk into enterprise risk management processes, and ensures that migration activities remain aligned with organizational objectives.

Fourth, crypto-agility represents the long-term capability required to manage continuous cryptographic change. The quantum transition demonstrates that cryptographic assumptions cannot be considered permanent. Organizations must therefore develop flexible architectures, lifecycle management processes, and governance mechanisms that allow security technologies to evolve as new threats, standards, and technological developments emerge.

The findings reinforce broader cybersecurity and strategic management research concerning the importance of adaptive organizational capabilities in uncertain environments. Through the lens of dynamic capabilities theory, quantum resilience illustrates how organizations must develop the ability to sense emerging technological disruption, mobilize resources effectively, and transform existing capabilities before disruption occurs (Teece, 2007).

The strategic implication for organizations is that quantum preparation should be integrated into cybersecurity strategy, enterprise risk management, and digital transformation planning. Organizations that begin developing quantum resilience capabilities early will benefit from greater control over migration timelines, reduced operational disruption, improved regulatory readiness, and stronger stakeholder confidence. In contrast, organizations that delay preparation may experience accelerated migration pressures, increased costs, and reduced ability to manage future cryptographic change.

Ultimately, the post-quantum transition represents more than a challenge to cryptographic technology; it represents a test of organizational adaptability. The organizations most likely to succeed in the post-quantum era will not simply be those that deploy quantum-resistant algorithms, but those that develop the governance structures, visibility capabilities, and adaptive architectures required to continuously manage cybersecurity transformation.

Quantum resilience is therefore not a single implementation milestone but an ongoing organizational capability. By developing the capacity to anticipate, govern, and adapt to cryptographic change, enterprises can preserve digital trust, strengthen operational resilience, and remain secure in an era of accelerating technological disruption.

References

Alagic, G. et al. (2020) Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process. Gaithersburg: National Institute of Standards and Technology.

Bernstein, D.J., Buchmann, J. and Dahmen, E. (2009) Post-Quantum Cryptography. Berlin: Springer.

Bharadwaj, A., El Sawy, O.A., Pavlou, P.A. and Venkatraman, N. (2013) ‘Digital business strategy: toward a next generation of insights’, MIS Quarterly, 37(2), pp.471–482.

Bodeau, D. and Graubart, R. (2017) Cyber Resiliency Design Principles: Selecting and Applying Cyber Resiliency Design Principles. Bedford, MA: MITRE.

COSO (2017) Enterprise Risk Management: Integrating with Strategy and Performance. New York: Committee of Sponsoring Organizations of the Treadway Commission.

Craigen, D., Diakun, B. and Verner, J. (2014) ‘Defining Cybersecurity

Diffie, W. and Hellman, M.E. (1976) ‘New directions in cryptography’, IEEE Transactions on Information Theory, 22(6), pp.644–654.

Duchek, S. (2020) ‘Organizational resilience: a capability-based conceptualization’, Business Research, 13, pp.215–246.

Kaplan, R.S. and Mikes, A. (2012) ‘Managing risks: a new framework’, Harvard Business Review, 90(6), pp.48–60.

Katz, J. and Lindell, Y. (2020) Introduction to Modern Cryptography. 3rd edn. Boca Raton: CRC Press.

Linkov, I. et al. (2013) ‘Changing the resilience paradigm’, Nature Climate Change, 4, pp.407–409.

Mosca, M. (2015) ‘Cybersecurity in an era with quantum computers: will we be ready?’, IEEE Security & Privacy, 16(5), pp.38–41.

Nielsen, M.A. and Chuang, I.L. (2010) Quantum Computation and Quantum Information. Cambridge: Cambridge University Press.

NIST (2024) Post-Quantum Cryptography Standardization. Gaithersburg, MD: National Institute of Standards and Technology.

Shor, P.W. (1994) ‘Algorithms for quantum computation: discrete logarithms and factoring’, in Proceedings 35th Annual Symposium on Foundations of Computer Science. IEEE, pp.124–134.

Teece, D.J., Pisano, G. and Shuen, A. (1997) ‘Dynamic capabilities and strategic management’, Strategic Management Journal, 18(7), pp.509–533.

Teece, D.J. (2007) ‘Explicating dynamic capabilities: The nature and microfoundations of (sustainable) enterprise performance’, Strategic Management Journal, 28(13), pp.1319–1350.

von Solms, R. and van Niekerk, J. (2013) ‘From information security to cyber security’, Computers & Security, 38, pp.97–102.

Warner, K.S.R. and Wäger, M. (2019) ‘Building dynamic capabilities for digital transformation’, Long Range Planning, 52(3), pp.326–349.

Weill, P. and Ross, J.W. (2004) IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School Press.

Contact

Reach out via email for inquiries.

Email

Subscribe to newsletter

info@grcadvisory.ch

© 2025. All rights reserved.