top of page


Post-Quantum Cryptography and the End of Algorithmic Permanence
Brian Couzens, CEO, SITG-Consulting Peter Shor published his quantum factoring algorithm in 1994. Thirty-two years later, the global cryptographic community is still responding to the consequences. That response has been substantial. NIST finalised its first three post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). In March 2025, NIST selected HQC as a fifth standard, a lattice-independent backup to ML-KEM (N
Brian Couzens
Jun 199 min read


When Quantum Capability Becomes Infrastructure
Beyond Encryption: How Quantum Capability Is Creating New Forms of Systemic Risk Somewhere along the way, quantum risk became shorthand for broken encryption. Mention quantum in a boardroom, regulatory meeting or security programme and the conversation quickly turns to cryptography, harvest now decrypt later attacks and migration plans. Those concerns are real. They are also only part of the story. A much larger shift is underway. Quantum technologies are beginning to move fr
Brian Couzens
Jun 199 min read


The Baker's Dirty Dozen
Thirteen Trust Failures That Changed Cybersecurity Forever Cybersecurity has spent decades strengthening cryptographic mathematics. At the same time, the discipline of understanding, measuring, governing, and assuring trust systems has received far less attention than its importance warrants. The result is visible throughout the history of cybersecurity. Many of the industry's largest and most expensive failures were not failures of cryptography. They were failures of impleme
Brian Couzens
Jun 196 min read


Myths v Facts: Quantum Computing, PQC, Q-Day & Bitcoin
I am increasingly seeing across LinkedIn, GitHub, arXiv, Zenodo and so many other repositories a flurry of poorly written nonsense on these subjects. Let’s be entirely clear, the empirical and governance realities do not match the hype. These are the global facts: 𝐓𝐡𝐞 𝐏𝐐𝐂 𝐒𝐢𝐥𝐯𝐞𝐫 𝐁𝐮𝐥𝐥𝐞𝐭 Myth: "PQC is the definitive solution." Truth: Post-Quantum Cryptography (PQC) is one component within a full cryptographic transformation. Global authorities, including CISA,
Brian Couzens
Jun 192 min read


Crypto-Agility Is Not the Goal. Why Crypto-Agility Requires All Three Legs
Crypto-Agility Is Not a Product The post-quantum conversation has a vocabulary problem, and the vocabulary problem is producing a strategy problem. For two years the industry has rallied around "crypto-agility" as the answer to the quantum threat. Vendors sell it. Boards ask for it. Migration roadmaps are built around it. The implicit promise is seductive: build the capability to swap algorithms quickly, and you are protected against whatever cryptanalysis (quantum or classic
Brian Couzens
Jun 1915 min read


🌐 Quantum Weekly - The Global Signals That Actually Mattered (8-14 June 2026)
Founder & CEO, SITG-Consulting | Forensic Strategist | Cyber Resilience, Quantum Risk & Governance | Transformation, ERM & Independent Validation | Writer | White Paper Author | Evidence-Based Decision Making June 15, 2026 Will this be a week to remember or not ? This week marked a critical inflection in quantum governance, cryptographic standardisation and sovereign quantum infrastructure. Capital deployed across infrastructure (Australia, Canada), cryptographic migration at
Brian Couzens
Jun 199 min read
BIS and Stablecoin
The #BIS has published a paper that challenges a common assumption in stablecoin analysis. A stablecoin transfer is often treated as a payment. The BIS examined 141 million #Ethereum transactions and 241 million #stablecoin transfer events and found that nearly 60% of transfer events occur within more complex transaction structures. These structures combine activities such as trading, lending, collateral management, liquidity provision and settlement into a single atomic tran
Brian Couzens
Jun 191 min read


🔴 I Wonder What Came Before Digital Trust?
Long before: • PKI • Certificates • Digital Signatures • Identity Providers • Zero Trust • Encryption People still had the same problem. How do I know this is genuine? How do I know it hasn't been altered? How do I know who sent it? How do I know who touched it? How do I know I can trust it? The solutions may look familiar: Certificate Authority → King's Seal Digital Signature → Wax Seal Authentication → Signet Ring Ident
Brian Couzens
Jun 191 min read
The Lexicon
Does the Postman always Deliver? Well SITG-Consulting do. Always. Over the past few days, we have built something that started as a simple idea and evolved into a genuinely useful resource. The result is a searchable reference library containing 1,540 terms covering: • Governance • Risk • Resilience • Transformation • Cyber Security • Cloud Security • Identity & Access Management • Cryptography • Post-Quantum Cryptography • Quantum Computing • AI Security • Standards & Regula
Brian Couzens
Jun 191 min read
Plain English Translator
Ain't No Mountain High Enough. Ain't No Valley Low Enough. Ain't No River Wide Enough. Yet somehow, translating technical language into something a board can understand often feels impossible. Quantum Risk. Quantum Readiness. Quantum Security. Post-Quantum Cryptography. Cryptographic Agility. Harvest Now Decrypt Later. The definitions exist. The challenge is that they are often written for specialists rather than decision-makers. So we built something different. The SITG-Cons
Brian Couzens
Jun 191 min read


Independent Validation and Pre-Implementation Review
Somewhere in your organisation, a cryptographic transformation programme is on a desk waiting for board approval. It is a multi-year, eight-figure commitment. It will reshape the cryptographic estate, the regulatory posture, and the operational risk profile of the firm. The decision to fund it is fiduciary. It will sit in the board minutes alongside the names of the directors who signed off. Once approved, it cannot be unwound without consuming a second budget on top of the f
Brian Couzens
Jun 198 min read


THE DEFINITIVE CBOM OPERATING MODEL
From "Dark Matter" Liability to Defensible Fiduciary Asset 1. Executive Summary: The Fiduciary Imperative In a $100T digital economy, cryptography is the invisible keel holding the ship of state and commerce upright. It secures identity, privacy, and value transfer. Yet 95% of enterprises operate with near-zero visibility into where this cryptography lives, how it behaves, or whether it remains fit for purpose (NIST). This hidden exposure has evolved into Cryptographic Dark M
Brian Couzens
Jun 198 min read
𝐅𝐨𝐮𝐧𝐝𝐞𝐫 𝐏𝐫𝐨𝐝𝐮𝐜𝐭 𝐑𝐞𝐯𝐢𝐞𝐰 𝐚𝐧𝐝 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧™
For many years, SITG Consulting has delivered independent product assurance, validation and challenge as part of our broader Assurance and Validation services. What has changed is demand. Every week we receive enquiries from founders, technology companies, investors and advisory firms seeking independent assessment of products, platforms, governance frameworks and strategic claims. Many of those conversations begin in the same way. "We have built something." "Can we prove it?
Brian Couzens
Jun 192 min read


ISO/IEC 18033-2:2006/Amd 2:2026 has published.
Three post-quantum KEMs now sit inside one of the principal international standards for asymmetric encryption: ML-KEM, Classic McEliece and FrodoKEM. Read that again. Not one algorithm. Three. From three different mathematical families. Why this matters before the detail. A standards body had a choice. It could have ratified the market's preferred answer, ML-KEM, and closed the question. It did not. It standardised a structured lattice scheme, an unstructured lattice scheme a
Brian Couzens
Jun 162 min read


The Merkle Tree Comeback
Merkle trees are having a moment, not because they are new, but because post-quantum cryptography makes scale matter more than novelty. This week, Let's Encrypt confirmed that Merkle Tree Certificates will form part of its roadmap for post-quantum web PKI. At first glance this seems unusual. Merkle Trees were proposed by Ralph Merkle almost 50 years ago and have long been regarded as a mature cryptographic construct. Yet one of the most significant challenges in post-quantu
Brian Couzens
Jun 102 min read


Global #PQC Sector Readiness: A Map of Structural Unpreparedness
This heatmap is not a prediction and it’s not a narrative. It’s an empirical synthesis of the global regulatory landscape, industry spending patterns, and cryptographic‑standards adoption as of early 2026. Classification is based on observable regulatory mandates, sector migration programmes, and real‑world cryptographic infrastructure dependencies. How the RAG status is determined 🔹 Mandates - Is there a legal or regulatory requirement to migrate to PQC? 🔹 Interoperability
Brian Couzens
May 232 min read


𝐓𝐡𝐞 𝐏𝐐𝐂 𝐇𝐞𝐚𝐭 𝐈𝐬 𝐎𝐧 𝐢𝐧 𝐉𝐚𝐩𝐚𝐧
Japan just moved cybersecurity from guidance to gatekeeping. Over 1,000 government contractors are reportedly being pulled into stricter cybersecurity requirements aligned to internationally recognised standards such as NIST SP 800-171. This is not incremental. Japan is no longer treating cybersecurity as an internal technical issue. It is treating it as a condition of participation. For years, these controls were: best practice, maturity targets, aspirational governance. Now
Brian Couzens
May 222 min read


QBOM or CBOM
Why organisations are suddenly asking about #QBOM and what it may actually mean Over the past 48 hours we have seen a surge of calls from Indian organisations and global vendors operating in India. The question has been: “What is a QBOM, and do we need to produce one?” The confusion comes from India’s National Quantum Mission report. It references QBOM in the glossary, but does not define it, scope it, mandate it, attach a schema, or link it to procurement or certification. S
Brian Couzens
May 222 min read


THE NINE THAT SURVIVED: Special Edition
NIST’S NEW SIGNATURE PORTFOLIO AND THE DAWN OF ADAPTIVE TRUST ARCHITECTURE By SITG-Consulting - Quantum Risk & Resilience Special Edition Executive Strategic Thesis IR 8610 marks the transition from static cryptography to adaptive trust architecture. For three decades, the digital economy operated on a foundational assumption: cryptographic trust could remain relatively stable across generations of infrastructure. That era is ending. The future trust estate is unlikely to be
Brian Couzens
May 2210 min read


Regulatory Compliance Strategies for Cryptographic Governance
In the rapidly evolving landscape of digital finance and technology, regulatory compliance has become a cornerstone for organizations leveraging cryptographic governance. As cryptocurrencies and blockchain technologies gain traction, the need for robust compliance strategies is more pressing than ever. This blog post will explore effective strategies for ensuring regulatory compliance in cryptographic governance, providing practical insights and examples to help organizations
Brian Couzens
May 214 min read
bottom of page