Quantum readiness remains far behind the level of concern. ISACA’s 2025 poll of more than 2,600 digital trust professionals found that 95% of organizations lacked a quantum-computing roadmap. Among European respondents, only 4% said their organization had a defined strategy, despite 67% expecting quantum computing to increase or alter cybersecurity risks over the next decade.

The UK’s National Cyber Security Centre has set three migration milestones: organizations should complete discovery and initial planning by 2028, move their highest-priority services by 2031 and finish migrating systems, services and products to post-quantum cryptography by 2035. The NCSC estimates that large organizations may need two to three years for discovery, assessment and initial planning alone.

Helping organizations make sense of that transition is Moona Ederveen-Schneider, a cybersecurity expert with more than 20 years of experience across financial services, risk and cyber resilience. She has held senior roles at Deutsche Bank, JPMorgan Chase, UBS, Nomura and ABN Amro, and is the founder of Resilia Connect and author of the Practical Post-Quantum Transition Framework.

In this exclusive interview with the Champions Speakers Agency, Moona explains why encrypted data is already being targeted, how quickly organizations need to prepare and where businesses commonly go wrong when beginning a post-quantum migration.

Question 1: What makes the quantum threat an immediate data-security concern rather than a distant technological risk?

Moona Ederveen-Schneider: “Quantum computing is not simply a future threat. Adversaries are already harvesting encrypted data with the intention of decrypting it once quantum computers become powerful enough.

“Most organizations have not yet started preparing for that transition.

“I developed a practical post-quantum transition framework to explain the issue clearly, cut through market hype and vendor noise, and make the process manageable for organizations and their teams.

“I also run tabletop exercises that teach organizations how to become crypto-agile. I poll participants at the beginning and again at the end of these sessions. The shift in the room is remarkable.

“People often arrive feeling that the challenge is unmanageable. They leave with greater confidence and a clear understanding of what they need to do next.”

Question 2: What do current migration deadlines reveal about the pace at which organizations must prepare for post-quantum security?

Moona Ederveen-Schneider: “The UK National Cyber Security Centre says organizations should complete detailed planning by 2028 and be fully migrated by 2035.

“Google has set its own internal migration deadline of 2029, citing faster-than-expected advances in quantum computing. That reflects the wider sentiment I am seeing and the increasingly strong guidance being issued by governments globally.

“Google is one of the organizations building these machines, so its decision deserves serious attention.

“Large organizations typically need at least five years to complete a full cryptographic overhaul, while some may need twice that long. A 2035 deadline is therefore not generous. Organizations need to begin acting now.

“My practical post-quantum transition framework is designed to deliver security improvements from the first day. It provides a clear starting point and a route through the process without overwhelming teams or budgets.

“Organizations are also not preparing for a future threat in isolation. They are building more resilient architectures that can improve protection against current threats, including ransomware, AI-enabled attacks and supply chain compromise.”

Question 3: Where should organizations begin their post-quantum transition, and why is a cryptographic inventory alone insufficient?

Moona Ederveen-Schneider: “The first common mistake is treating post-quantum cryptography migration as a technology project and handing responsibility solely to the security team.

“It is a whole organizational transformation.

“The data that needs protecting sits across HR, legal and finance, not only within what DORA defines as critical business processes.

“The second common mistake is beginning with the cryptographic inventory.

“Contrary to the approach commonly repeated across the industry, I advise organizations to strengthen their data security posture first.

“They must answer a fundamental business question: what are we protecting, and how long does it need to remain secret?

“My practical post-quantum transition framework begins with that question and is designed to deliver security improvements immediately. It can be adapted for organizations and teams of any size.”

This exclusive interview with Moona Ederveen-Schneider was conducted by Tabish Ali of the Motivational Speakers Agency.