top of page


NIST: CSF2.0
NIST CSF 2.0 may be one of the most important Quantum Readiness frameworks available today. Not because it contains a section on quantum computing. It doesn't. Not because it tells organisations which algorithms to deploy. It doesn't do that either. What CSF 2.0 does provide is something far more important. Governance. The 2024 update elevated governance to a core function, recognising that cybersecurity is no longer solely a technology challenge. It is a board, executive and
Brian Couzens
Jun 252 min read


𝐃𝐞𝐩𝐥𝐨𝐲𝐦𝐞𝐧𝐭 𝐦𝐞𝐚𝐬𝐮𝐫𝐞𝐬 𝐚𝐜𝐭𝐢𝐯𝐢𝐭𝐲. 𝐄𝐥𝐢𝐦𝐢𝐧𝐚𝐭𝐢𝐨𝐧 𝐦𝐞𝐚𝐬𝐮𝐫𝐞𝐬 𝐩𝐫𝐨𝐠𝐫𝐞𝐬𝐬.
This week I read the best description of how to measure success against quantum risk. It comes from a recent Department of War (DoW) strategy document, and it is a breath of fresh air. 𝐈 𝐪𝐮𝐨𝐭𝐞: "Quantum resistance is not achieved when PQC is rolled out, but when quantum-vulnerable solutions are deprecated." Let's dissect what that means because it cuts straight through the marketing theatre dominating cybersecurity right now. 𝐃𝐞𝐟𝐢𝐧𝐞:"Quantum-Vulnerable" Any algor
Brian Couzens
Jun 252 min read


The Human Cost of Quantum Risk: Why Cryptographic Failure Becomes a Societal Event
We built a digital society on a promise we never had the means to keep. Quantum computing is not the threat. The breach of that promise is. --- For two decades, boards have governed cryptographic risk as though it were an accounting category. If the balance sheet survives, the regulator is satisfied, and the insurance renewal clears, the assumption is that the risk has been managed. Quantum computing destroys that assumption. Not because it introduces a new cost line, but bec
Brian Couzens
Jun 256 min read
The Department of War’s Post-Quantum Cryptography Strategy landed just a day or so ago, but it deserves far more attention than it’s getting.
The DoW just gave us a document worth promoting - my favourite line is 𝐐𝐮𝐚𝐧𝐭𝐮𝐦 𝐫𝐞𝐬𝐢𝐬𝐭𝐚𝐧𝐜𝐞 𝐢𝐬 𝐧𝐨𝐭 𝐚𝐜𝐡𝐢𝐞𝐯𝐞𝐝 𝐰𝐡𝐞𝐧 𝐏𝐐𝐂 𝐢𝐬 𝐫𝐨𝐥𝐥𝐞𝐝 𝐨𝐮𝐭, 𝐛𝐮𝐭 𝐰𝐡𝐞𝐧 𝐪𝐮𝐚𝐧𝐭𝐮𝐦-𝐯𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐥𝐞 𝐬𝐨𝐥𝐮𝐭𝐢𝐨𝐧𝐬 𝐚𝐫𝐞 𝐝𝐞𝐩𝐫𝐞𝐜𝐚𝐭𝐞𝐝. The Department of War’s Post-Quantum Cryptography Strategy landed just a day or so ago, but it deserves far more attention than it’s getting. In my view, it is much more relevant and operationally impor
Brian Couzens
Jun 251 min read


The #EO14409 isn’t a genesis point - it is a compliance hammer.
The #EO isn’t a genesis point - it is a compliance hammer. There is an immense amount of noise surrounding the newly issued Executive Order 14409, "Securing the Nation Against Advanced Cryptographic Attacks." Many commentators treat it as a sudden wake-up call that magically creates a post-quantum cryptography (PQC) migration strategy out of thin air. Before making that claim, look at what already existed. Federal policy did not start on 22 June 2026. Agencies have been opera
Brian Couzens
Jun 242 min read


🌐 Quantum Weekly - The Global Signals That Actually Mattered (15–21 June 2026)
Brian C Founder & CEO, SITG-Consulting | Forensic Strategist | Cyber Resilience, Quantum Risk & Governance | Transformation, ERM & Independent Validation | Writer | White Paper Author | Evidence-Based Decision Making June 23, 2026 The week of 15–21 June 2026 was defined by the simultaneous arrival of sovereign standards architecture, capital deployment, legislative governance, and market formation across four continents. No single country dominated; the signals ran in paralle
Brian Couzens
Jun 2320 min read


THE DEADLINE JUST MOVED. AGAIN.
That should concern every board, regulator, CISO and risk committee still treating post-quantum cryptography as a distant technology problem. The United States has issued a new Executive Order accelerating PQC migration requirements. Notably: • PQC key establishment for High Value Assets by 31 December 2030 • PQC digital signatures for High Value Assets by 31 December 2031 This is the second major shift in federal timing expectations. That matters. Governments do not compress
Brian Couzens
Jun 231 min read


ISO/IEC 18033-2:2006/Amd 2:2026 has published.
𝐈𝐍𝐓𝐄𝐋𝐋𝐈𝐆𝐄𝐍𝐂𝐄 𝐁𝐑𝐈𝐄𝐅 ISO/IEC 18033-2:2006/Amd 2:2026 has published. Three post-quantum KEMs now sit inside one of the principal international standards for asymmetric encryption: ML-KEM, Classic McEliece and FrodoKEM. Read that again. Not one algorithm. Three. From three different mathematical families. Why this matters before the detail. A standards body had a choice. It could have ratified the market's preferred answer, ML-KEM, and closed the question. It did
Brian Couzens
Jun 232 min read


Special Forces
Is it just me, or has the World become one giant credential parade? I am going to try and make this a regular feature. The working title is: **The Sunday Slop** *Another week. Another guru.* Former Navy SEAL. Former Secret Service. Former MI6. Former Commando. Former Special Operations. Former Intelligence Officer. Former Special Agent. Former Operator. Former Tactical Something. Former Strategic Something Else. At this point I am beginning to wonder whether LinkedIn has a mi
Brian Couzens
Jun 212 min read


The Fortinet 73,932 Breach Wasn't a VPN Failure. It Was a Cryptographic Governance Failure.
The disclosure of 73,932 compromised Fortinet firewall URLs is not just another VPN incident. It is a cryptographic governance failure at global scale and a perfect illustration of why organisations must treat HNDL (Harvest Now, Decrypt Later) and HNFL (Harvest Now, Forge Later) as present-tense operational risks rather than abstract quantum-era hypotheticals. The incident was empirically documented by Volodymyr "Bob" Diachenko, who discovered the attacker-controlled server c
Brian Couzens
Jun 212 min read


The Origin of SITG-Consulting
People often ask what SITG stands for. Today, the answer is Strategy. Intelligence. Technology. Governance. What many do not know is that the final letter was not always Governance. When the company was founded, the G stood for Growth. At the time, that made sense. The world was focused on expansion, transformation, technology adoption and business acceleration. Organisations were investing heavily in digital programmes, data initiatives, regulatory transformation and operati
Brian Couzens
Jun 203 min read


The Psychology of Post-Quantum Risk
Why the human mind is the primary vulnerability in cryptographic transformation The standard framing of post-quantum risk is a race between two technical trajectories: the development of a cryptographically relevant quantum computer, and the deployment of quantum-resistant cryptography. The organisation that completes its migration before the former arrives has won. It is presented as an engineering problem, a procurement problem, a programme delivery problem. This framing is
Brian Couzens
Jun 209 min read


Moodys aligns with SITG-Position on PQC Risk
#Moody's may have delivered one of the most important post-quantum signals of 2026. Not because of a breakthrough in quantum computing. Not because of a new cryptographic standard. Because a global credit rating agency has started discussing Post-Quantum Cryptography (PQC) as a budgetary, governance and enterprise risk issue. For many years, this has been the position of SITG-Consulting. Our Quantum Risk White Paper, first published in 2024, revised in December 2025 and again
Brian Couzens
Jun 192 min read


The PQC Transition: Testing is the Only Control Surface That Protects Your Organisation -
Harvest-now-decrypt-later attacks are no longer theoretical. Data is being collected today with the explicit intent of decryption once quantum capability matures. Organisations are still treating the Post-Quantum Cryptography (PQC) transition like a standard cipher upgrade. They are wrong. Procurement and implementation dominate the conversation. But implementation is a vanity metric. It proves deployment, not security. The real challenge is the testing burden. PQC does not s
Brian Couzens
Jun 195 min read


The Data Is Already Gone: The Quantum-Era Crisis Nobody Is Preparing For
THE QUANTUM RISK AND RESILIENCE – SPECIAL EDITION From Harvest to Consequence: Why HNDL Is a Governance Problem, Not a Cryptography Problem Why This Matters Discussion around post-quantum cryptography has centred on future resilience. That framing is incomplete. The material risk sits in the past. Encrypted data has already been intercepted, copied, and stored. Financial messaging, healthcare records, diplomatic traffic, corporate communications. Once copied, it is no longer
Brian Couzens
Jun 194 min read


PQC Discovery Does Not Start With Infrastructure. It Starts With Data.
Last week I challenged a post that framed PQC discovery as a choice between infrastructure and code. The responses confirmed what I already suspected. The industry is still anchoring discovery to observation methods rather than exposure analysis. That is backwards, and it is why most discovery programmes either stall or produce inventory without insight. Cryptographic discovery is a risk discipline. It is not an asset count. The question is not where your cryptography is. It
Brian Couzens
Jun 1912 min read


Hybrid Cryptography: A Special Exposé
Bridge, Mitigation, Quantum‑Washing, and Where It Fits in Transformation Hybrid cryptography is often presented as the bridge between classical cryptography and post‑quantum security. That description is broadly correct-but it is also incomplete. Hybrid is not: a replacement for classical cryptography, a finished post‑quantum architecture, or a permanent end‑state. It is a transitional mitigation model designed to reduce cryptographic exposure during a period where: quantum‑r
Brian Couzens
Jun 1911 min read


THE GLOBAL CRYPTOGRAPHY FAILURE
Forty Years of Warnings the Digital World Never Fully Operationalised For more than forty years, cryptographers, standards bodies, protocol designers, and national cybersecurity agencies repeatedly warned that digital infrastructure needed to evolve. Cryptography was never supposed to be static. Algorithms were expected to age. Protocols were expected to change. Entropy systems were expected to be monitored. Certificate ecosystems were expected to become agile. Hardware secur
Brian Couzens
Jun 199 min read


The Article That Permanently Changes How Crypto Agility Is Understood
Crypto Agility Is Not About Algorithms It is about whether digital trust can survive continuous change. Globally. Under pressure. Without a return to the conditions that caused this exposure in the first place. For more than two decades, cryptography was treated as a technical control. A component. A configuration. A compliance line item. That framing has now expired. The defining question of the next twenty years is not whether algorithms are strong. It is whether the global
Brian Couzens
Jun 1910 min read


Interoperability in Post Quantum Cryptography
The Operational Fault Line of the Quantum Transition Post quantum cryptography is often discussed as if the challenge is primarily mathematical. Organisations focus on algorithms, key sizes, cryptanalytic resistance and future quantum capability. Vendors announce support for ML-KEM, ML-DSA and hybrid TLS as though algorithm availability alone represents readiness. It does not. The real challenge begins after the standards are published. The operational challenge is whether th
Brian Couzens
Jun 1915 min read
bottom of page