Quantum Risk Puts Encryption Strategy At The Center Of Data Governance
Jon Murphy, SVP and CISO at American Campus Communities, explains why quantum risk demands data classification before decryption arrives.

Quantum risk has moved from a security side conversation to a board-level problem because encryption no longer guarantees time-proof protection. Attackers don’t need quantum computers in hand to create exposure; they can steal encrypted data now, hold it, and wait until decryption capabilities catch up. That makes today’s historical files, proprietary records, and long-life customer data tomorrow’s liability, pushing C-suites to treat post-quantum readiness as an operational resilience issue rather than a distant cryptography debate.
We spoke with Jon Murphy, SVP and CISO at American Campus Communities, to explore how he handles long-horizon cyber risk. Murphy has more than two decades of security and risk leadership experience, previously directing organizational resilience at Expedia and co-leading the development of the United States' first National Special Security Event plan for Super Bowl XXXIX.
For many teams pursuing strategic hardening and enterprise resilience, the conversation around frontier technology is shifting away from individual tools toward a convergence of risks that were once treated separately. "Attackers don't need quantum computers today. They can simply gather your information and decrypt it when they get it. That risk is real and already present," Murphy says.
The expiration date on encryption
Security teams often rely heavily on encryption, assuming a stolen device or exposed database is permanently protected. But as post-quantum cryptography becomes a tangible concern, that baseline assumption leaves organizations with less protection than they expect.
The realization that standard encryption will become obsolete is prompting leaders to consider a post-quantum security landscape. "It used to be in the good old days, like last week, if a laptop was stolen, you could say, 'No big deal. It had BitLocker on it.' Well, not anymore," Murphy says. "You can't just throw that worry away because it was encrypted. If they got it, they could, in an undetermined amount of time, get the keys to the kingdom."
Attackers now pull data without needing to decrypt it right away, which compounds the issue. Any cybersecurity breach or incident where data could be exfiltrated could result in exposure down range, regardless of whether the records were encrypted at the time of theft.
Machine-speed vulnerability discovery
The data retention issue sits alongside an operational hurdle unfolding in modern SOCs. While some adversaries harvest data for eventual quantum decryption, frontier models are simultaneously unearthing decades of legacy code debt through AI-driven vulnerability discovery. Murphy notes that AI will continue operating at machine speed to find existing flaws and surface entirely new classes of vulnerabilities. Worse, these models can take lower-severity vulnerabilities that organizations typically defer and daisy-chain them into entirely new attack vectors.
Pairing long-lived data exposure with accelerated vulnerability discovery exposes the danger of relying on vendor assurances. The natural consequence of aggressive innovation cycles is that competitive pressures incentivize providers to ship features first and patch later. Security teams must treat that pattern as an operational baseline. "There is this misperception that Anthropic or Google or OpenAI or Microsoft would never release a product that's unsafe," Murphy says. "They're trying to monopolize and monetize the latest, greatest, cutting-edge feature, security, privacy, and compliance. And they're still doing it."
Continuous patching as the new baseline
Because security leaders no longer assume vendor-supplied safety nets will catch every issue, the industry is pivoting. Traditional periodic patching alone cannot keep up. Instead, SOC teams are moving toward continuous patching and modernizing security operations, leveraging proactive defensive tooling and human-AI defensive collaboration to match machine-speed development with machine-speed defense.
For many teams, tackling these intertwined threats starts with governance. Murphy notes that before any technical migration, organizations generally need to identify their long-life sensitive data: intellectual property, formulas, differentiated processes, or customer records that will still matter a decade from now. A lack of clear ownership in the C-suite often acts as a barrier to that inventory. Executing this discovery phase requires the CISO to act as a translator. Rather than kicking off with formal presentations, Murphy prefers informal conversations that frame the issue in business terms, asking leaders how long they could operate without particular datasets. "I would strongly suggest they follow the money," he says. "So in their organization, she or he should figure out which department, which entity makes the most or spends the most. That's the most mission-critical to that organization."
Once that valuable data is identified, the next step is to quantify the associated risk in financial terms. Murphy likens this to a Business Impact Analysis and points to frameworks such as the FAIR methodology as one way to put hard numbers on graduated risk tolerance. An organization might accept a certain level of loss related to older, less sensitive data but set a zero-tolerance threshold for current proprietary information. Those trade-offs need to be set by top-level executives and supported by a CISO, Chief Risk Officer, or emerging roles such as a Digital Risk Officer.
Converged risk and the end of the ostrich strategy
In many boardrooms, the historical separation between cyber, compliance, and operational risk appears to be breaking down. Failing to implement a unified governance model to handle this convergence changes how accountability is viewed. Because insurance carriers already struggle to cover standard cyber incidents, this converged risk is hard to untangle and insure against. As a result, executives face greater direct financial and legal exposure, especially if courts conclude they had ample notice of the evolving landscape, prompting discussions about executive cyber liability. "I suspect that courts are going to get much more stringent about all this combined risk, much like they're doing around privacy," Murphy says. "They're going to say that executives should have known better. You decided to play ostrich. There's going to be accountability there."
Murphy frames the path forward as a shared obligation across the business, not a problem any single function can solve in isolation. "This is not just the CISO's problem or the CIO's problem. It's not just a technology problem. It is an all-of-business effort," he says. "Both parties have to come to the table as partners and work on a solution together, or else it's not going to be pretty."






