PQC ROI the Honest Way

Introduction

Many organizations are hesitating to invest in post-quantum cryptography (PQC) because the return on investment (ROI) is not immediately obvious.

Security projects are already hard to justify, but when we try we traditionally do it by reductions in current risk exposure or reduction in security cost, but PQC addresses a seemingly future threat – the day a cryptographically relevant quantum computer (CRQC) arrives – adding a whole other layer of complexity and ambiguity. This uncertainty leads executives to delay action, waiting for a more tangible “business case.”

Unfortunately, traditional Total Cost of Ownership (TCO) models don’t capture the unique risk of harvest-now, decrypt-later (HNDL) attacks. In an HNDL scenario, adversaries steal encrypted data today and simply hold onto it, waiting until a future quantum computer can decrypt it. This means the risk is already present – sensitive data in transit or at rest could be intercepted now and exposed later, even if no quantum computer exists yet. Classic TCO calculations focus on immediate costs and benefits, often ignoring this ticking time-bomb of liability. As a result, organizations that rely on naive cost models may drastically underestimate the risk of doing nothing, leading to a false sense of “no ROI” in the short term.

I’ll try and provide CISOs and security architects with a clear, modular approach to evaluate PQC ROI honestly – factoring in both risk reduction (especially HNDL risk) and the total costs of a quantum-safe transition.

The Risk Reduction Side

Harvest-Now, Decrypt-Later (HNDL) Risk

The crux of PQC’s value is in risk reduction, particularly mitigating HNDL threats. In simple terms, any data encrypted with today’s standard algorithms (RSA, ECC, etc.) is vulnerable to future decryption. An attacker can record your VPN traffic, steal encrypted files, or tap into TLS communications now, and store that ciphertext. When quantum cracking capabilities arrive, that data could be decrypted, revealing secrets that were meant to stay confidential.

Crucially, this creates current exposure: even though the “break” happens later, the compromise happens today when the data is harvested. Every organization has some data with a long useful life, whether it’s personal customer information, intellectual property, or state secrets.

Confidentiality Lifetimes and Asset Urgency

A key factor in gauging quantum risk is the confidentiality lifetime of your assets. Not all data is equally sensitive over time. For example, a quarterly financial report loses sensitivity after disclosure, but a trade secret or military secret might need to remain confidential for 10, 20, or even 50 years. If the data’s confidentiality requirement extends beyond the plausible arrival of quantum decryption, that data is in the quantum danger zone.

Organizations should classify assets by how long they must stay secure. This shelf-life of sensitive information directly impacts PQC urgency – data with long-lived sensitivity demands earlier quantum-safe protection. In fact, industry guidelines suggest that if your data needs to remain secure for a decade or more, you must assume adversaries are harvesting it now.

A practical example: think of encrypted health records or identity data that could expose individuals to harm even years down the road. If such data were stolen today and decrypted in 10 years, the damage could be just as severe as an immediate breach.

Quantifying Risk in Dollar Terms

To make ROI concrete, CISOs can model the value of risk reduction in financial terms. Essentially, ask: What losses would we expect if our sensitive data gets decrypted by an adversary in the future? While it’s tricky to put a price on hypothetical future breaches, you can estimate impact in several categories:

• Intellectual Property Loss: If proprietary designs, algorithms, or trade secrets are decrypted by a competitor or rogue nation, the company could lose its competitive edge. For instance, the stolen IP from today’s R&D could enable competitors to catch up or undercut your business in a few years, translating to tens or hundreds of millions in lost future earnings.
• Reputational Damage: A delayed breach (data leaked in the future that was stolen now) will still erode customer and stakeholder trust.
• Regulatory Penalties and Litigation: If decrypted data includes personal information or regulated data (think GDPR, HIPAA, PCI, etc.), the organization could face hefty fines and legal costs once the breach comes to light. Regulations don’t care how a breach happened, whether through classical hacking or post-quantum decryption, the result is a data exposure. Under GDPR, fines can reach up to 4% of global annual turnover.
• Lost Business and Incident Response Costs: Just like any breach, a future quantum-related data compromise would incur incident response expenses: forensic investigations, notification costs, offering credit monitoring, etc. There is also the potential loss of business during the incident.

By assigning dollar values or ranges to these impact areas for each class of asset, security leaders can estimate an “expected loss” associated with quantum-vulnerable data. For example, you might determine that if a certain trove of archived customer data were decrypted, the regulatory fines, lawsuit settlements, and customer attrition would cost the company $50 million. That figure represents the risk side of the ROI equation that PQC migration can potentially eliminate or reduce.

In summary, the risk reduction benefit of going quantum-safe is essentially the avoidance of future breach costs, which can be massive.

The Cost Side

On the other side of the equation, we need to honestly assess the total cost of ownership for migrating to post-quantum cryptography. PQC transition is a multi-year program with many moving parts. Below are the major cost components an organization can expect:

• Cryptographic Inventory and Assessment: The very first step is discovery – figuring out everywhere your organization uses cryptography. This crypto inventory entails mapping all applications, systems, and data stores to identify what algorithms and key sizes are in use. This phase can be labor-intensive and may involve new tooling or consulting services. While the inventory itself is a one-time project, maintaining it for crypto-agility (see below) is an ongoing cost.
• Migration of Infrastructure and Applications: Once you know your crypto landscape, there will be extensive work to migrate or upgrade those components to quantum-safe equivalents. This includes:
  • Reissuing certificates and keys using PQC algorithms.
  • Updating or patching software libraries to support PQC.
  • Upgrading hardware or firmware: Some legacy network devices, Hardware Security Modules (HSMs), or IoT gadgets might lack the performance or memory to handle the larger key sizes and computational load of PQC. These may need hardware upgrades or complete replacement.
  • Vendor dependency management: You will likely rely on vendors for parts of this migration. Operating systems, cloud providers, database vendors, and others must offer PQC-enabled versions. Coordinating upgrades or waiting for vendor roadmaps can introduce delays and costs.
• Development and Testing Effort: Simply swapping algorithms is rarely “drop-in.” PQC integration can require substantial code revisions in applications, especially where cryptography is deeply embedded. Your development teams (or external engineers) will spend time refactoring code to use new APIs or data structures. After development, rigorous testing is needed: performance testing, security testing, and interoperability testing with partners. That often means consulting fees or hiring crypto engineers, which can be expensive. In short, the engineering cost can be significant, especially for large enterprises with many custom applications. (On the positive side, this effort can surface long-neglected technical debt and spur modernization that has ancillary benefits, but it will consume budget upfront.)
• Training and Personnel Costs: A PQC transition isn’t just a technology swap; it’s also about people and processes. Your security architects, developers, and IT staff will need education and training on the new cryptographic standards. This might involve formal training sessions, obtaining resources or labs for practice, and time spent learning new tools or libraries.
• Governance and Crypto-Agility Frameworks: A huge lesson from this PQC effort is that cryptographic change is continuous. The transition we undertake now is not a one-and-done fix; rather, the goal is to embed crypto-agility into the organization’s DNA. Crypto-agility means having the processes and systems in place to swap out cryptographic algorithms and keys rapidly as threats evolve. To this end, there will be costs in establishing new governance structures and frameworks:
  • Policy updates: Security policies and technical standards need updating to specify PQC-approved algorithms and deprecate old ones.
  • Governance bodies: Some organizations set up a Post-Quantum Steering Committee or working group that oversees the migration and ongoing crypto-agility.
  • Tooling for automation: Investing in crypto-agility management tools can greatly streamline future operations. Solutions like certificate lifecycle managers or automated crypto inventory systems come with license costs, but they support ongoing tracking of where cryptography is used and help enforce updates.
  • Documentation and compliance: Ensuring your PQC transition meets any emerging compliance guidelines might involve external audits or certifications in the future.

In summary, the “Cost Side” of PQC includes not just the obvious technical work of upgrading algorithms, but also the soft costs of organizational change and future-proofing. It encompasses one-time expenses like initial inventory and code refactoring, as well as ongoing costs to maintain an agile crypto posture. All these should be tallied when calculating the denominator of the ROI equation. Yes, it will be a significant investment, but keep in mind the alternative: playing catch-up amid a crisis later (with regulators, customers, and attackers all in the mix) will likely cost far more.

The ROI Equation

After outlining the risk reduction and the costs, we can bring them together in a simplified ROI model. At its core, ROI = (Expected Risk Reduction from quantum-safe migration) / (Cost of implementing PQC). This formula provides a ratio that helps justify the investment. For instance, an ROI > 1 (or > 100%) would mean the benefits outweigh the costs in quantifiable terms (e.g., avoiding an expected $100M in breach losses at a cost of $50M yields ROI = 2, a 200% return in risk averted). However, calculating this in practice requires breaking the problem into manageable pieces. Different parts of your IT environment will have different risk profiles and different costs to migrate. A practical approach is to calculate ROI by domain or use-case, then prioritize those with the highest payoff or urgency. Below I break down the ROI equation across a few key domains:

TLS and Network Encryption

This includes HTTPS traffic, VPN tunnels, and any other data-in-transit protection (like inter-service APIs).

Risk Reduction: High, if the data being transported is sensitive. For example, imagine an HTTPS connection carrying customers’ personal or financial data – if an adversary is eavesdropping and recording that traffic today, a future quantum computer could decrypt it and expose thousands of records. The expected loss (per the risk discussion) could be millions in fines and reputation damage. Implementing PQC for TLS (e.g., using a hybrid classical+PQC key exchange) greatly reduces this HNDL risk, essentially preserving the confidentiality of those sessions even against future quantum adversaries.

Cost: Moderate. Many modern TLS endpoints (browsers, servers) are starting to support PQC cipher suites, especially after NIST’s standards. The cost involves upgrading servers, possibly enabling new protocols or installing new certificates, and ensuring clients are compatible. There might be performance impacts (larger key exchange messages) but for most web infrastructure, these are manageable with tuning.

ROI Analysis: Protecting customer data in transit is often mandated by compliance, so the qualitative ROI is unquestionable. Quantitatively, you can estimate how many records could be exposed via intercepted traffic and assign a breach cost to that. If that expected cost far exceeds the upgrade expenditures (which might be, say, new load balancers or certificate costs), then ROI is high. In practice, because TLS is so ubiquitous, organizations often start here; it provides a broad risk reduction for a relatively contained cost (updating configurations and certificates). In fact, deploying PQC key exchanges in TLS is considered the “urgent priority” by experts since it protects long-lived data now being collected by adversaries.

Secure Email and Data-at-Rest Encryption

This domain covers encrypted email (e.g., S/MIME or PGP), as well as files and databases that are encrypted for confidentiality.

Risk Reduction: Potentially high, depending on the content. Consider email: Executives might be emailing strategy documents or legal might be emailing contracts – if those are encrypted (even just by TLS in transit or via end-to-end encryption), an attacker harvesting them now could leak them in a few years, causing financial or reputational damage. Similarly, encrypted archives or backups (think of years’ worth of customer data or confidential recordings) are at risk if stolen. Quantify the worst-case: could the decrypted emails result in a major PR scandal or legal liability? Could decrypted database backups expose all your users’ data? If yes, that’s a huge dollar risk.

Cost: Varies. Upgrading email encryption to PQC might involve deploying new tools or plug-ins (if using end-to-end encryption) or ensuring your email servers support PQC TLS. For stored data, you’d need to re-encrypt archives with quantum-resistant algorithms (or store them in quantum-safe storage systems). This can be labor-intensive if data is spread out. Also, usability is a factor, for instance, larger PQC ciphertexts might bloat storage or slow down retrieval.

ROI Analysis: Break it down by data category. Perhaps your most sensitive 5% of data (by value) constitutes 80% of the risk. It might be worth migrating that to PQC encryption first (high ROI), while less sensitive archives can follow later. Organizations may find that certain data (like long-term secrets) justify the immediate cost of re-encryption because the harvest-now risk is acute. On the other hand, if some data will be obsolete in 2 years, the ROI of re-encrypting it with PQC is low (the data will expire before a quantum computer can threaten it). So, this domain really tests your asset classification – high-confidentiality-lifetime data yields high ROI for PQC.

Code Signing and Software Integrity

This domain includes code signing certificates, software update signatures, and digital signatures used for integrity and authentication (e.g., documents, contracts).

Risk Reduction: Different from encryption, here the threat is a future attacker forging your digital signatures once quantum computers break current signature algorithms. For example, an attacker in 2030 might use a quantum computer to fake your code-signing certificate and push out malware as if it’s a legitimate software update. The impact is potentially catastrophic (mass compromise of customer systems, loss of trust, etc.) However, note that this is not a harvest-now scenario in the same way – an attacker cannot “store” a future opportunity to forge a signature; they have to do it when quantum computing is available. That means the urgency for signatures is slightly lower than for encryption. Indeed, upgrading digital signatures can follow a more measured, risk-based timeline since the threat (forgery) becomes possible only once the quantum capability exists and typically in an active attack scenario.

Cost: Rotating code signing keys and certificates to PQC algorithms will involve updates to your build and release processes, firmware update systems, and possibly hardware (if you use hardware signing devices or modules, those may need updates to support PQC signature algorithms). There’s also an ecosystem aspect: clients (operating systems, browsers, etc.) need to recognize and trust PQC-based signatures. The cost here might also involve coordinating with partners or customers to ensure they accept your new PQC-based signatures.

ROI Analysis: In terms of ROI, one could argue the risk (massive supply chain compromise) is so high that, even if somewhat less urgent, it justifies significant investment. But because it can be phased in, many organizations will handle this domain methodically over a longer timeline. The ROI can be demonstrated by comparing the expected impact of a code signing compromise (which for a big software vendor could be hundreds of millions in losses and liability) against the cost of overhauling the code signing infrastructure. Often, the cost is smaller, e.g., replacing a signing appliance and updating software might be a known expense, whereas the risk of not doing so is essentially an existential threat for a software company. Thus, ROI is still high, but the timeline to realize the “return” may be longer-term. In practice, you might prioritize PQC for code signing of critical updates or devices (say, updates to a medical device software) sooner, and less critical signatures later.

IoT and Embedded Systems

Many organizations have a fleet of IoT or embedded devices either in their products or in their operations (think smart sensors, industrial control systems, medical devices, connected vehicles, etc.)

Risk Reduction: IoT devices are particularly susceptible to quantum threats because of their long lifecycles. Devices deployed today may remain in use for 10-20 years (consider a car or an MRI machine), well within the timeframe of the quantum threat. If an IoT device’s communications (telemetry, firmware updates) are encrypted with vulnerable algorithms, an adversary could harvest that data now or later exploit it. Worse, if the device’s authentication mechanism (like a digital signature on firmware) is broken in the future, attackers can potentially load malicious firmware or impersonate devices, leading to safety risks. The impact here can be physical harm, massive recalls, or critical infrastructure sabotage – truly hard to put a price tag on, but obviously very high for certain industries.

Cost: Upgrading IoT to PQC is challenging. Many IoT devices have constraints in CPU, memory, and connectivity. Some cannot be updated remotely at all. The cost might involve redesigning hardware modules to include PQC-capable crypto chips for new product lines, and creating a plan to update or replace existing devices in the field. This may include costly recall or field service operations for devices that aren’t remotely updatable. On top of that, manufacturers need to work PQC into their product security lifecycle now, testing PQC algorithms on constrained devices, which sometimes means waiting for optimized implementations or even helping develop them.

ROI Analysis: For devices with long service lives, the ROI of adding PQC from the start is high: the incremental cost of stronger crypto now is far less than retrofitting or replacing devices later. Manufacturers of long-lived devices should deploy PQC algorithms today, because devices deployed now will likely face quantum threats within their lifetime. In business terms, investing in PQC for IoT avoids the future scenario of emergency product fixes or liability if a device is compromised. If you imagine, say, an automotive company avoiding a future recall of 1 million cars by spending a fraction of that cost now on PQC chips and software, that’s a clear ROI win. The calculation can be domain-specific, e.g., what is the expected cost if our smart meters are all compromised in 2030 vs. the cost to update them over the next 5 years? In critical infrastructure, even more than money, the ROI is measured in resilience and lives (for healthcare devices, etc.), but one can still frame it as avoiding extremely high impact events at a moderate cost today. The key is that the longer the device lifespan, the higher the ROI of immediate PQC implementation, because the probability of facing a quantum-capable adversary during that lifespan approaches 1.

Across all these domains, the formula remains Benefit (risk avoided) / Cost (of migration). By calculating this for each area, you can identify “quick wins” (high ROI domains where risk reduction is large and costs are relatively low) and also acknowledge the tougher areas (maybe some niche system is very costly to upgrade and the data isn’t as critical, that might be a lower ROI, perhaps schedule it later). This modular approach prevents analysis paralysis.

Rather than seeking a single binary ROI for “PQC migration” as a whole, you model it as a series of investments with individual returns. In aggregate, these form the organization’s ROI for becoming quantum-safe. And importantly, this exercise shifts the conversation from “Do we have to do this?” (yes, it’s inevitable) to “In what order do we do this for maximum payoff?”.

Workbook Framework

To operationalize the ROI calculation and get all stakeholders on the same page, it’s helpful to create a PQC ROI/TCO workbook. Think of this as a customized spreadsheet or calculator that your team can use to plug in values and immediately see the impact. Such a workbook would include at least the following components:

• Asset Categories with Confidentiality Windows: List the categories of assets or data (e.g., “Customer PII Database,” “Product Design Files,” “VPN Network Traffic,” “IoT Sensor Telemetry,” “Code Signing Keys”, etc.) For each category, record its confidentiality window – how long it needs to remain secret. This could be in years (for instance, “10+ years” for intellectual property, or “1 year” for transactional data). This helps prioritize which assets fall into the harvest-now threat window (long-lived secrets) versus those that might expire before quantum arrives.
• Estimated Impact Value if Decrypted: For each asset category, assign a dollar value (or a range) to the impact if that asset’s data were compromised via a quantum attack. This can combine all the risk factors we discussed: regulatory fines, loss of revenue, legal costs, etc. For example, you might estimate that the customer PII database exposure would cost $X million (based on number of records and cost per record from breach studies), whereas the trade secrets exposure might cost $Y million in lost future profits. It’s fine if these are rough estimates, the goal is to have a tangible value at risk to weigh against mitigation cost.
• Current vs. Post-Migration Crypto Posture: In this section of the workbook, detail the status quo and the post-PQC scenario for each asset. For example, “Current: VPN uses RSA-3072; Post-migration: VPN uses hybrid Classical+Kyber PQC.” Or “Current: Code signing uses ECDSA P-256; Post: use Dilithium2 for signatures.” You can also include qualitative risk levels (e.g., “High risk – vulnerable to HNDL” vs. “Quantum-safe after migration”). This part essentially documents how the risk profile changes after implementing PQC. It’s useful for communicating to non-technical stakeholders that there is a plan: “Right now this data could be cracked by a quantum adversary, but after we migrate, that risk is mitigated.”
• Reissuance and Migration Costs per Domain: This is the heart of the cost calculation. Break down the expected costs by domain (as we did in the ROI section). For each domain or asset category, list the specific migration tasks and their costs. For example:
  • TLS/Network: Number of certificates to replace, cost per certificate (including any platform or CA fees), labor cost for configuration changes, potential hardware upgrade costs for SSL/TLS terminators.Application Updates: Developer hours needed to update and test applications (you might estimate hours and multiply by a loaded rate), cost of external consultants if needed, cost of new software libraries or tools.PKI/Certificates: If you run your own PKI, cost of updating the CA software to support PQC, issuing new intermediate CAs or CRLs, etc. If you use a public CA, maybe any new contracts for PQC cert issuance.IoT Devices: R&D cost for new cryptographic modules, per-device cost increase (if any) for including PQC support, and the big one – field upgrade costs (if you have to recall or send technicians to update devices, estimate that per device).Training & Governance: Allocate a budget for training (e.g., $50k for staff training sessions or certifications), and time for governance (maybe X hours of risk committee meetings, etc., which you can cost out as part of people’s salaries).
  Each of these line items can sum up to a total cost per domain. This granular view helps in two ways: it makes the cost estimation more accurate (you won’t forget hidden tasks), and it allows targeted optimization (maybe you find a particular cost is very high and seek a cheaper approach or phase it later).
• Timeline and Rollout Plan: The workbook should incorporate a timeline – for example, a column for Year 1, Year 2, Year 3 – showing when costs will be incurred and when risk reduction is achieved for each asset category. This effectively creates a roadmap with milestones. It’s important to capture that PQC migration is incremental. You might plan to tackle TLS in Year 1, internal application encryption in Year 2, and IoT devices over Years 2-4, for instance. By laying this out, you can also compute how the aggregate risk drops over time (perhaps use a rough metric like “% of total data volume that is quantum-safe” or a weighted risk score). This timeline helps articulate the strategy: immediate wins vs. longer-term projects.

The beauty of a well-constructed workbook is that it becomes a communication tool. CISOs can use it to brief the CIO, CFO, and other executives by showing a rational, number-backed plan: “Here’s the dollar risk we mitigate each quarter, and here are the costs to get there.” It also allows easy scenario tweaking, for example, you can adjust the assumed “Q-Day” (quantum break day) year to see how it affects urgency, or plug in new cost info from vendors. Ultimately, the workbook approach turns the abstract PQC dilemma into a concrete set of projects with budgets and returns, which is exactly how businesses like to make decisions.

Conclusion

The transition to post-quantum cryptography is often portrayed as a daunting, expensive journey with no immediate payoff. It’s true that PQC doesn’t bring new revenue or flashy capabilities; its benefits are in risk avoidance, which can be harder to visualize than, say, a new product launch.

However, as we’ve outlined, the ROI can and should be calculated – and when done honestly, it becomes clear that waiting for a “mythical” break-even point is a strategic error. Every organization has domains where the incremental ROI is already justified today, whether by the sensitivity and lifespan of data or by emerging regulatory expectations. By modeling ROI on a per-domain or per-asset basis, you can start chipping away at the problem in a prioritized manner. In fact, incremental adoption is the smart way: you address the highest-risk areas first, demonstrating progress and reducing exposure, while lower-risk areas can be scheduled in a roadmap. This beats waiting until some future alarm bells force a hasty, organization-wide scramble.

Remember that postponing the inevitable often makes it more expensive.