Quantum Readiness: The Risk No One Owns with Louise Davey

Show Notes

In this episode of Entropy, Francis Gorman speaks with Louise Davey, executive leader, transformation architect, and author of Quantum How, about why quantum readiness has to move beyond the technology function and into the boardroom.

Louise argues that post-quantum cryptography is no longer just a cryptography, standards, or cybersecurity discussion. It is an enterprise governance and transformation challenge that affects digital trust, operational resilience, fiduciary duty, regulatory exposure, insurance, systemic financial risk, and long-term business viability.

The conversation explores why boards and executive leaders often struggle to act on quantum risk, not because the threat is unclear, but because it is poorly communicated. Louise explains how quantum risk breaks traditional risk models: it is time-shifted, has unclear ownership, spans the entire digital infrastructure layer, and reaches far beyond any single technology team.

The episode also covers the real-world consequences of unreadiness, from harvest-now-decrypt-later exposure to operational technology, financial services, elevators, pacemakers, insurance risk, liquidity impact, and corporate survival. But the conversation is not only about risk. Louise also makes the case that quantum readiness can be used as a once-in-a-generation transformation opportunity to reduce technical debt, strengthen governance, improve enterprise intelligence, and create lasting organisational value.

Takeaways:

1. Quantum readiness is now a boardroom issue.
Louise makes the case that post-quantum security has moved beyond the technical layer. It now belongs in enterprise governance, risk management, transformation strategy, and board oversight.

2. The communication gap is one of the biggest blockers.
The people who understand the quantum threat are often technologists, while the people who control funding, risk appetite, and enterprise priorities are boards and executives. The challenge is translating the issue into language decision-makers can act on.

3. Traditional risk models do not handle quantum risk well.
Quantum risk does not fit neatly into standard operational risk taxonomies. It is time-shifted, systemic, infrastructure-level, and difficult to assign to a single owner.

4. Digital trust may be the real asset at risk.
The episode repeatedly comes back to trust. Cryptography underpins authentication, authorisation, privacy, financial transactions, customer confidence, and the resilience of modern digital business.

5. Harvest-now-decrypt-later is already a live issue.
Louise stresses that quantum risk is not purely future-facing. Sensitive data may already be exposed if adversaries are collecting encrypted information today to decrypt later.

6. Boards need to understand their fiduciary exposure.
If boards are made aware of the scale of the risk and still fail to act, the issue becomes one of governance failure and fiduciary responsibility.

7. This is bigger than IT and cybersecurity.
Quantum risk affects financial services, insurance, operational technology, manufacturing, logistics, public safety, and the physical systems connected to digital infrastructure.

and many more....

SoundBytes:

“The people who understand the problem often are not the people who own the decision.”

“Quantum risk challenges the way organisations think about ownership, accountability, and authority.”

“Digital trust does not belong to one function. It belongs to the organisation as a whole.”

“The board is the only place high enough to own a risk of this scale.”

“This is not just about avoiding risk. Done properly, quantum readiness can create long-term enterprise value.”

Transcript

Francis Gorman (00:05.209)
Hi, everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today, I'm joined by Louise Davie, an executive leader and transformation architect whose work sits at the intersection of technology, organisational risk, governance and systems dynamics. Louise works with large institutions to translate deep technical

distribution into resilient operating models, effective governance and measurable business outcomes. A former partner, CTO and COO in financial services and IT consulting firms, brings over 30 years of transformation experience within large complex organizations. As founder and president of LDIQ, Louise advises boards, regulators and executive teams on quantum readiness and the transition to post quantum cryptography, with particular emphasis on execution excellence and enduring long term value creation.

Louise is the author of Quantum How, a guide for boards and executives to lead into the quantum era. Louise also holds a master's in physics from McGill University and is based in Canada. Louise, it's my pleasure to have you with me here today.

Louise Davey (01:18.286)
Thank you, Frances. It's really, it's a thrill to be here.

Francis Gorman (01:22.081)
I've been looking forward to this Louise because we're kind of on the board, non-executive director trend at the moment in the quantum space. I think it's a really important area that hasn't been given the level of attention. Obviously you've wrote a book about it, so you've recognized that gap. And I think if you don't get your boards and your non-executives and your chief risk officers and the people who control the revenue flow to the project streams in your organization on board with

the need for quantum readiness, cryptographic resilience, you you don't get funded. So this is a conversation that I kind of want to have with that lens attached for those individuals that they can kind of pick this podcast up, have a listen and kind of come away informed. So with that in mind and in terms of how we're framing the conversation, I suppose, I think what I'd like to ask is why should non-technical leaders care about quantum now?

Louise Davey (02:21.93)
Yeah, okay. Well, I guess I'd start it with why we have to get this beyond the technical leaders, right? I would sort of turn that question around. Why is this actually not a technology discussion? And because I think that that's where we're getting stuck. I believe that there's...

for very good reasons. This has been a technology-driven discussion for a very long time. It's been a cryptographic, it's been a quantum computing discussion, it's been a standards discussion. And I think that there's a risk is that we're kind of trapped in that specific paradigm right now. And we can't do much good just by convincing ourselves that this work needs to be done, that these are critical risks that are being generated.

Because as you correctly point out, it's really that funding has to come from the executive layer of the organization. And guess what? They don't care about technology, right? The last thing they want to talk to you about is technology. And if you try to engage with your board or your senior executives other than your CTO or your CIO on technology, they're just going to shut you out. So one of the things that I've been promoting

and I'm not alone in this, but one of the things that I've been promoting is that really PQC is no longer, post quantum security is no longer a technology conversation. It is no longer a standards conversation. This is really an enterprise governance and transformation conversation that needs to be taking place. And problematically is that many of the people who master the content

of the post quantum imperatives, these are technology people. And so there's this gap between the people who understand what the problem is and the people who actually own and need to act on the problem. So the senior executive and board layer where there's very little technical knowledge and actually very little interest in increasing that technical knowledge. And at the technology and the practitioner level,

Louise Davey (04:40.15)
where there's this gap of just the inability to communicate and to resonate with that group. And that is the biggest problem that we have today. Yeah.

Francis Gorman (04:52.76)
It makes a lot of sense. I suppose in that regard, when you kind of bring that piece to life, when does quantum unreadiness become a fiduciary issue?

Louise Davey (05:03.246)
Yeah, well, it is today. It is because if you think about it as a risk, the quantum readiness risk is quite unique. The risk taxonomy and enterprise risk management practices and so on, these are concepts that were largely established, I'm going to say, like the late 90s and 2000s for operational risk. And it's evolved slowly, but mostly through like

small evolutions and incremental changes. What I have been seeing as originally being an IT risk expert and a data risk expert and then moving into the AI space and now quantum is that the dynamics of modern day digital operations fundamentally challenge that standard taxonomy and risk management practices. And so they have not evolved

effectively to meet them. There's so many problems and gaps in the risk manage the operational risk management model today because it just it was designed for static assets. It was designed for very clear and cut incremental ownership paradigms where the dynamics of data, which is, you know, this kind of free flowing

digital asset and where the dynamics of the risk that quantum is bringing into place, they don't fit the model anymore. Right. And so from a fiduciary responsibility, this is this is really critical because the quantum risk is different in many ways. And I'm going to say the first the first element of it, there's really no other risk that's like this, is that it's time shifted.

so that the owner of the risk and the decisions required to mitigate it today is not going to be the owner or unlikely to be the owner of the consequences of that risk in the future. Right. So we have this time shifted thing. And if you think about the standard executive package, like, you know, compensation doesn't go get much more. It doesn't go much further than the next quarter and so on. So why would a senior executive, you know, champion this

Louise Davey (07:23.298)
you know, massive, difficult initiative that won't show any recognition or payoff for, you know, another, well, it's down now down to like three, four, five, six years, but it used to be 10, 15 years out. So that's, that's one of reasons we haven't gotten traction is that time shiftedness. The everything is ownership. So quantum is challenging the ownership notion of the risk management model where, you know, ownership could be tied to a physical asset. Ownership could be tied to a specific process.

the risks related to that asset, the risks related to that process or activity. Now, the quantum risk is a risk at the infrastructure layer, the digital infrastructure layer, which permeates the entire organization and beyond the organization out into the ecosystem. And so there's no clear owner for that risk within the organization. Sure, IT...

and IT and the security officer, they operationalize and monitor the risk, but they don't own it. They don't own it. For governance to be effective, you need to be able to align accountability and authority. And they cannot be accountable because they don't have the authority to make the organization move on this risk. So that's another place where it...

it challenges the risk model. The scale of this is like nothing else we've ever seen, right? This is by and large the largest technological migration, and I'll call it transformation because as you know, we need to bring in all sorts of new business capabilities that we've ever seen, right? So here we have this risk with no owner, with no champion that doesn't fit the model that is off scale for the organization. So.

there's only one owner for this type of risk, right? Digital trust doesn't belong to any individual function within the organization. It belongs to the organization as a whole. And so the only one owner, possible owner for this is the board of directors because you cannot go higher than that in terms of the ownership of the oversight. So that's where it becomes a fiduciary duty. Now the board is accountable for making sure that the organization

Louise Davey (09:46.11)
acts on this, right, because nobody within the organization can act on it alone. The board is accountable that the organization acts on this. And it becomes an issue of fiduciary duty if they do not act on it. So that's where we're at. And the problem is, that to get them to act on it, we have to be able to explain it and articulate it in terms

that they can understand and in terms that they can make decisions on and act on. And I think that's where the failure is. It's that the failure is in the communication. Because if you communicate effectively to a board, if you actually make them aware of this, what's at stake, then they will act.

And if they do not, then they really are at fault. And hey, I'd be looking for another job personally if my board was made effectively aware of the scale of this risk and decided not to act on it. But I don't think that's the case. I think that what I'm seeing is a lot of kind of failure to effectively engage the board and explain to the board in terms that they can act on it.

Francis Gorman (10:59.118)
I'm really happy that you've brought up the risk problem because nobody talks about the risk problem. And what I see across multiple institutions and organizations, we don't know how to record the risk, the risk. Where does the risk sit? Who owns the risk? Why is the risk so god damn complicated that it doesn't fit the model that we have in place for risk management? You know, that is so real. that, that is that is really the tip of the iceberg here, because if you can't

Louise Davey (11:12.076)
Yeah. Yeah.

Louise Davey (11:27.576)
Yeah.

Francis Gorman (11:28.472)
You can't record issues and underpin them to risks. How do you enact change in a governing manner? And I think it's really important to bring that up Louise. And I think you're probably the first one who's really kind of pulling that thread and brought it to the, brought it to the fore. The second thing is, and this is what I'm looking forward to. You talked about the importance of communication to the board. How do you explain the quantum risk to a board? What is your secret sauce for?

getting them to understand and bring this to life.

Louise Davey (11:59.478)
Yeah, sure. So let me address the first one about the risk and how it doesn't fit. I gave you a couple of reasons why it doesn't fit. And also the fact that there's many things that don't fit. We have been pretending that data fits the existing risk model. We have been assigning ownership.

to data and trying to assign risk owners to data. That's just so fundamentally wrong. That's why data governance doesn't work, has never worked. That's why it gives it such a bad reputation. Similarly, we've had lots of practice runs. Similarly with AI, AI is still being, in many organizations, slated as an IT responsibility and an IT risk.

And that is absolutely not the case, right? IT does not oversee autonomous decision-making, right? That is much more, it's strangely much more in the area of HR than it is in IT, right? So we've constantly been trying to force all of these new paradigms into the existing model. And it has been quietly failing for a little bit of time.

And then the quantum one really challenges it for the reasons that I already shared. So how do I explain this to the board? Like what's the tactic? So I do publish a lot about this on my LinkedIn account. I try and share everything that I learn, I try to share as much as possible because truthfully there's not that much time and there's a...

huge amount of work to get done and a huge amount of people to convince. so, you know, if I can, if I can help move that forward in any way, I do. So how do I talk to boards? Well, I think it's important you have to really understand who's on the board. And I don't mean that like as individuals, but I mean the kind of the nature of the people who sit on boards. I think when you're doing communications, you have to understand that

Louise Davey (14:07.414)
If you're a CISO or a CIO and you're communicating to the board, you're not communicating to another CISO or CIO, right? You're communicating to a very different beast. And so I actually do, you know, these kind of personas where I describe, do like workshops and I publish on what's the typical board member like. So think about the typical board member. They're towards the, generally towards the end of their career. They've generally had a very illustrious career. They're generally very credible individuals.

In most cases, I'm gonna say they're also very curious people and they're looking to engage, they're looking to help the organization, really that's what they want to do. And they're also looking to protect their butts, right? Because, know, especially in the US, right? We're entering these increasingly litigious kind of periods.

And so I think you want to kind of engage with them at that level, right? So that they're an extremely credible person. They're curious. They want to know and understand. They need to exercise their fiduciary duty. They need to be very conscious of that. And then the last thing is they're there to make decisions, OK? They are not there to approve a project.

They are there to make decisions that you put in front of them. And those decisions are generally related to what's the priority of this. And yeah, and this is strategically the direction that we want to go in. So those are the buckets that you need. None of those involve explaining technology. That's number one. So let's start at the credibility. So credibility is none of them want to end up on the front page.

None of them want to ever be challenged in terms of their integrity and their quality of their leadership and decision making. So you have to present things to them in a way that allows them to act in a high integrity manner. So that's one piece. The second one is curiosity. So I never go to a board and just walk in and...

Louise Davey (16:35.106)
go all doom and gloom and just explain that the floor is about to fall out because of quantum risks and threats. I always start, well, I'm a physicist in my early background, so I'll start with a very short explanation of the technology, but mostly what the technology can do and all of the strategic value and how this is gonna transform many industries and so on. I always, always, when I go into pitch,

an assessment, it's always an opportunity and risk assessment. So that's that's the other thing. Then when it comes to then when it comes to their fiduciary duty, I make that very clear. Okay, so I show fiduciary duty, what does that mean? And I'd actually like to give a plug here for Darren Bender, who I think has done some really great work on this fiduciary duty, what that means is that I have acted with I can't say it as well as he does.

I have acted with in a way that any high integrity individual would act with the information that has been made available to them. I've made decisions that are sensible in that context. So what do I need to do? I need to give them the information that makes it impossible for them not to move. And there is so much of that information out there. Like the G7.

cyber group issuing warnings to the financial sector, FS Isaac publishing roadmaps. And I really like a call from the heart or crida car as we say in French, you know, for the financial sector to get organized, all of the different security agencies, government security agencies publishing, like it is impossible now. If I were to put that information in front of a board and say this is happening.

Right? Your own government here in Canada in April of this year, every government function has to publish its PQC migration roadmap and start reporting. Right? So it's impossible for me to say your government is moving on this. They are protecting citizens data and make you aware of this. And for you to say, know, that's not important. It's impossible. So, so I show them that, you know, fiduciary duty must be acted on.

Louise Davey (18:56.554)
Lastly, I make the decision easy for them. First of all, I tell them I need them to make a decision, right? Often people go into the board and they're presenting and they go in and they just kind of present information. No, no, you have to go in specifically with the objective of engaging with the board on a specific topic and wanting a decision or an outcome from it, right? So what I do is I make that decision so easy for them that

really, it's just like a walk down the garden path for them to listen to me, to get engaged, to get curious, to realize the fiduciary duty. And the decision is so obvious, right, that they have to make it. so to do that, I give them all of the information that they need, right? I give them a high level risk assessment. I have some very scary slides. I have some very scary slides where I, you know, I compare, I make a comparison between

Y2K in 2008, the financial crisis, right? What's this going to look like? What is this going to look like, right? Is it going to look like Y2K? Are we all going to wake up on New Year's Day and have a nice champagne brunch? Or is this going to look like 2008 where, you know, the entire banking sector, financial sector was on edge for, you know, well over a year where it was just daily crisis, VUCA conditions, know, volatile uncertainty.

complexity and ambiguity. And that's what it's going to be. if you do not make this decision, if you do not approve this, then you are looking at a multi-year VUCA type situation where you're doing cybersecurity crisis management, where you'll be lucky if you can keep your company up if you don't get directly attacked.

And I explain that to them and then I fill in the blanks. This will cost approximately. This will protect X billions of dollars of revenue. This will take approximately this length. This is how I'm going to communicate progress to you. This is why the regulator is going to be happy with us. This is how you're not gonna go to jail, right? So I give them all of this information so that, yeah, like you just leave with the answer you want.

Francis Gorman (21:19.707)
I think that's really key. And I like the way you've kind of tied all of those pieces together because I don't think that a lot of organizations realize that this could be a company killer. Like you are talking about trust. And if you get rid of the layer that provides trust, specifically in financial services and industries that absolutely rely on the trust layer.

you're in significant trouble. I also love the mention to Darren. Darren's one of my biggest listeners and I'm going to have to get him on the show now after this because he's been on to me a few times. So Darren, you're coming on soon. And the guys in Pro Check are doing great stuff at the moment. So it's a great shout out. Louise, when you go through that with the board and I think I'm always careful with the Y2K analogy because I think a lot of people go

Louise Davey (21:50.285)
Yeah.

Louise Davey (21:53.89)
Yeah.

Louise Davey (21:58.211)
Yeah.

Francis Gorman (22:09.893)
Yeah, but nothing happened. was like, yeah, but nothing happened because so much work was done in preparation up to the day. What risks are boards exposed to now that they may not realize?

Louise Davey (22:13.859)
Yeah.

Louise Davey (22:22.86)
Well, I mean, the obvious one is the harvest now decrypt later, right? Because of that risk, and it's more than a risk, it's actually materialized, so it's currently an issue, right? So because of that, your organization is likely already not compliant with most privacy laws, right? That there's a failure to recognize that there's this kind of thing like, is something that's going to affect us in the future. No, no, no.

No, no, this is happening today. So there's that. There's the risk, as you mentioned, to organizational viability, right? Resilience, basic resilience, the ability to stay operational in the future. There's, particularly in the financial sector, there's the systemic nature of the risk, right? Because the banking sector is just so incredibly intertwined, right? That ecosystem is...

is just so tight and that's one of the reasons why the 2008 repercussions were so violent. You know, even in Europe where, you you didn't have that type of predatory lending yet, you still suffered the effects of, you know, what was going on in the US. So those risks are there. But then there's also, there's also, you know, strategic competitive risks. So again, in the banking sector, there's so many opportunities to leverage quantum computing capabilities.

that if your organization is not looking at this, you may well be shut out, right? First movers in this area, and there are many of them, are currently out there, you know, securing the physical resources that they need, securing the expertise that they need, and already piloting and testing algorithms that will give them huge advantages in financial sectors, things like, you know, portfolio management.

is really an obvious one, but then also, you know, anybody in logistics or transportation, right, routing and scheduling. And I mean, these are these are huge multinational organizations or banks with, you know, billions and billions of dollars, where if they can incrementally improve performance by 1 % or a fraction of percent, that's that's hundreds of millions, if not billions of dollars right there. Right. So

Louise Davey (24:43.53)
If you are not exploring those opportunities, you are at risk of being being shut out by the competition. And then I think the big one, this is this is really the big one that I don't think people are really looking at enough is insurability. Right. And the risk to the insurance industry. So they're not quite as connected as the banking industry, but they are connected in the sense that they share a loan. They share they share policies together. But yeah.

like because the risks to organization, the risk to insurance companies is that unless they have specifically built in policies that protect them against the quantum threat, they may be liable for policies for damages that organizations suffer for failure to prepare. Right? So, you know, that's definitely, those are definitely some of the risks that not necessarily everybody is thinking about might not be on the radar.

Francis Gorman (25:43.781)
And you're triggering me now Louise, because when you start talking about these kind of peripheral risks, there's one that keeps coming into the back of my mind that I haven't vocalized quite quite well just yet that I see on the outskirts, which is liquidity within large financial institutes as well, because these programs are not going to cost hundreds of thousands. They're going to cost potentially hundreds of millions, depending on the complexity of the environment. But you're also going to have downstream all of your

Louise Davey (25:46.414)
you

Louise Davey (26:01.902)
Of

Francis Gorman (26:13.2)
business customers that may need to uplift their technology, they need to amend their credit lines, etc. So that becomes a very keen business interest in terms of one, we potentially have an exposure on the balance sheet that we may not fully understand. But two, we also have an opportunity for all of these downstream organizations to uplift. But if they don't uplift their cryptography, do they become liabilities on our balance sheet?

as well because their business model becomes unsustainable. This is how deep the complexity gets in these conversations. It can get a little bit overwhelming sometimes when you're trying to consider all the different levels of it.

Louise Davey (26:56.686)
Absolutely. Yeah, absolutely. And we touched on it at beginning, right? The scale of this is like nothing we've ever seen before, right? The scale of it, the systemic nature of it. Yeah, I think we're still nasal gazing, I think we're still navel gazing a lot. And I think that, again, the conversation is still being driven by cryptographers, by cybersecurity people who are

really focusing on their scope and what they know and control. And yet, as you mentioned correctly, the reverberations are, they're going to go out for, know, the ripple effect will be huge. Yeah. This is, you know, this is a global scale systemic risk, right? To the digital economy, the digital infrastructure.

very few people who are going to be spared from this, unless you have a farm and some goats, which a friend of mine is thinking of buying. you're totally off grid. And we haven't even talked about Francis. Right now we're talking about the digital economy and the digital processes in the world, but there's the physical world. There's the whole physical world, the whole...

built economy that is also going to be impacted by this, right? All of the manufacturers and all of the, you know, the factory lines and all of the operational technology that is employed there. I'm giving a conference coming up soon with Bruno Cuiar, who I think you probably know also. And it's called, well, we're playing with different terms, but it's

you know, it's concrete steel and cryptography or concrete machinery and cryptography, like one of these layers is going to give and it's going to take down the rest, right? There's issues of public safety, right? There's so many aspects of our life that are digitally controlled and simple things like your home security office, your home security setup, your...

Louise Davey (29:19.086)
Bruno points out pacemaker, that's because he's of a certain age, as we say. My big scare is elevators in a high tower complex. So, I mean, all of these things need to be upgraded, right? And the operational technology side, it's even, the timelines are even longer and scarier because most of that equipment was never designed to be upgraded.

Whereas, you know, we know from an IT perspective that upgrades happen every two or three years and we kind of roll with it. But in the operational technology side, you know, the firmware side of things, generally the lifetimes when these products are deployed is like at least 10 or 20 years. And they may not be able to even accept the upgrade of their cryptographic systems. Yeah.

So yeah, so it's big, it's huge. It's gonna really touch, people haven't woken up to this yet. It's really gonna touch every aspect of our digital and many aspects of our physical lives.

Francis Gorman (30:25.306)
Yes, so that's a bit terrifying, Louise. When you said elevators, got this this, you know, those dreams where you fall asleep, you're falling and there's no there's no one to catch it. I get a free fall moment there for a couple of seconds. I think I feel a bit queasy after it. But I think that brings it to life in real terms. know, the cryptography not only protects the trust elements, but also a lot of the authentication and authorization components that are heavily embedded into OT and

Louise Davey (30:27.822)
I'm sorry about that. Yeah. Yeah, yeah, yeah. I'm so sorry. I'm so sorry.

Yeah.

Yeah.

Louise Davey (30:52.686)
All

Francis Gorman (30:54.904)
system. that is, yeah, no, that's probably the best analogy I've heard so far. My elevator pitches, we could be in free fall if we don't upgrade the hardware.

Louise Davey (31:01.902)
Yeah, I think that's good. Yeah, I want to say like I have I have gone through my dark phase on both AI and and this like, you know, I have spent nights like in the fetal position on the floor, like, my god, right? This is this is actually coming. And I remember one day I actually walked home and I went to the house to my husband, I said, sell everything, just sell everything. We're going to like buy a farm or something.

But then I pull myself out of that and know the world will go on, know all of this must continue, we must have resilience and there's so much good work happening and humankind is proving itself over and over again to be able to navigate these situations, not necessarily elegantly, but we have demonstrated that we can pull our...

pull ourselves through. But honestly, we really need to get it together though. We really do need to get it together. Yeah, the same way we did with Y2K. And I always start by framing Y2K as, know, we derived that situation, but really we should applaud that. That is just really an incredible example of a coordinated global initiative that saved the day.

Francis Gorman (32:32.189)
I think that gets lost a lot, but it is very true. The amount of spend and work that went in to making sure Y2K didn't happen was astronomical when you read back on it in terms of the effort. Louise, I want to ask you a bit about enduring long term value creation. know, I suppose we talk a lot of boards about the risk and the position and within an organization, but there's a value edge here. Can you talk to me about about that also, please?

Louise Davey (32:49.39)
you

Louise Davey (32:58.306)
Yeah, absolutely. So there's the first one which I spoke to already, which is really the strategic opportunities to leverage this new computing capability. So that's obviously one, that's a really, that's a little hanging fruit that's easy to jump on. And most organizations don't realize that the barrier to get into that is actually very low. Like there's many quantum computing companies that offer, you know, deals, you know, packaged use cases to come in and get started and test that.

So that's the first thing I want to put out there. The second one is there's so much work that needs to be done, right? And we have a choice, which is to do it smartly or to just stumble along and create a lot of havoc as we do it. And my position, and so when I speak to the point of execution excellence and value creation is...

It goes back to, I think it's the Chicago School of Business is famous for its line, like never let any good crisis go unexploited. And so here's a great case, right? Here's a crisis. Here's where we are forced to move. We are forced to react. We can do it smartly or we can do it in a really kind of grotesque, clumsy way. And if we do it smartly, our organizations will come out of this way better.

than they were going in, right? Like all of the errors of the past, all of the stale legacy technology that we've left hanging around that has caused us, that is creating some of the greatest risks here. All of the organizational inertia, all of the problems with the existing governance models, all of the things that are like slowly dragging our organizations down. Well, here's an opportunity because cryptography sits at the root.

of the infrastructure. You can't go deeper than that, right? And so we have to go all the way down to the root and we have to make changes and we have to understand all of the effects and impacts of those changes. We actually have to understand our organizations in a way with a level of granularity and a level of sophistication that we've never really had to before. So

Louise Davey (35:12.17)
We should really be designing, and this is where my transformation architecture background comes in, we should really be designing our transformation architecture for two things. One is that we generate the most value possible, is that we get the most done for the least cost. We move as smartly as possible by always making sure that we hit the highest value and the lowest effort fixes and going on.

this will introduce so much intelligence into our business, much more than we've ever had. And if we capitalize and capture that, and we build our capabilities, like basically my philosophy is an organization should be in a constant transformation, right? You should be in constant, constant transformation. And you need to be fueling that transformation with information and intelligence and really crystal clear decision making and rigorous

rigorous reporting and accountabilities and so on. So I would, this is like the ultimate stress test and I would fully leverage this opportunity so that the organization that goes in and delivers smartly will come out in a much better posture than when it went in and we'll be able to capitalize on that for years, years to come, much more enterprise level agility, much less technical debt. Yeah. Yeah.

Francis Gorman (36:39.599)
sounds like great stuff and I think bringing this to the fore is really important right now and hopefully the people listening start to take a few notes and that kind leads me into my next and final question, you'll be happy to know Louise, is what should leaders listening to this do in their next 90 days? What does the next three months look like for Quantum Safe?

Louise Davey (37:01.646)
Yeah, so I have a few. I like to do is, so when I speak to boards, again, this is also part of my shtick, is you don't go in and tell them everything, right? What I do is when I meet with boards is I equip them with questions that they should be asking management.

So I don't, you know, I don't go and I don't take the place of management. I actually work with management when I go in. Management is aware of the questions that I'm going to be giving to the board so that they can start preparing to answer them. But yeah, I equip them with questions and there's just these very slightly, you know, depending on how well I remember them. But the first question that needs to be asked is, is the board sufficiently educated and aware to oversee this risk?

Right. And generally the answer to that is no, they're not. They're not. Right. So my, my first point is make sure that you secure effective board training. And then the next question is, we have the expertise within the organization to actually meet this risk and challenge at the level that we need to meet it? And I'm going to say that with the exception of some of the larger

you know, more mature organizations, the answer to that is probably no. Even though your organization may have like a top end CISO and so on, no one has faced this challenge before. They have unlikely to have faced this challenge before and they're unlikely to have mastered all of the concepts that I've been exposing here today, like the risk, know, the risk taxonomy and the...

ownership and all of this these are things that are beyond the CISOs scope and so on. So I generally recommend to the board and to management that they be accompanied right by somebody who has been thinking about this for a lot longer than they have who has experience with this scale or similar scale of transformation and so on. So I have that. The next question is who is accountable or I'm sorry.

Louise Davey (39:14.734)
Who is responsible for leading this initiative at the enterprise level? Because you need somebody. You need somebody to have ownership of this. You need a champion. You need somebody to be running with it. This is a full-time job. You need somebody to have ownership of this. And this could be, I'm not recommending that it's the, whoops.

Louise Davey (39:37.986)
You know, this could be in some organizations, it could be the CISO, it could be the CIO, but it doesn't have to be. It could be, you know, somebody from the business, could be somebody from strategy, as long as they're properly accompanied and supported. But who is the one person who is going to bed every night and waking up every morning? And this is their number one priority. So you need to know that. So who is it? And then the next question is, what does that person need from us today as a board?

And then my last, and this the scary question is, what's our plan if Q-Day comes early and we are left exposed, right? So what does that look like? Those are the questions.

Francis Gorman (40:27.189)
I like your mic drop last question as you walk out there. have a vision. I have a vision of the Obama moment where the microphone just hits the ground and just turns and walks out. Yeah, because you don't want to be answering that last question. That is that is no, that is brilliant. Louise Louise. think this has been really insightful. I've got a lot of value out of myself. I think I'm going to sharpen my CV. It sounds like that. could be a good job to go for in the future.

Louise Davey (40:29.868)
Hahaha

Yeah, yeah.

Louise Davey (40:40.738)
No.

Louise Davey (40:52.812)
you

Francis Gorman (40:55.559)
But I really do appreciate you having you on and for sharing your lessons learned and your experiences to date. It's so useful to the community to get those back. And hopefully anyone listening has got something from this and they can they can leave us a comment on LinkedIn or YouTube or wherever they wherever they wherever they listen or watch this from. So really appreciate you having you on. And thanks for joining me today.

Louise Davey (41:18.466)
Yeah, that's great. Thank you. Thank you so much, Frances. I really appreciate the opportunity. I'm actively looking to grow my network and my reach. you know, I invite all of your listeners to follow me on LinkedIn. I promise to bring lots of original content.
So I would also invite all of your listeners to download my book called Quantum How, also available in French, command contact. And this is available for free off of my website, which is LDIQ.ca. Feedback has been very positive today. I'll be honest, it's a bit of a page turner. yeah, so make sure that you have some maybe an hour or two ahead of you because you might not want to put it down.

Francis Gorman (42:45.693)
I will I will commit to that as I read it going through London Airport, Heathrow Airport. Not so long ago, Louise, after you sent me the link. And what I'll do is I'll stick the link into the description for anyone who who wants to find it directly from your phone or laptop, et cetera. But Louise, it's been great having you on and thanks for spending time with me today.

Louise Davey (43:07.352)
Thank you so much, Frances, and thank you for the good work that you're doing and helping to get the message out and with the communications around this.

Francis Gorman (43:16.349)
Thank you.