The lightbulb moment for Antti Ropponen happened in 2019 during a risk assessment for a South European bank. While many were still viewing quantum threats as a distant theoretical concern, the complexity of that early project revealed a different reality. The challenge was not purely mathematical. It was an architectural and organizational puzzle that required a transformation-level effort.
Antti explains that the current state of quantum safe migration mirrors the early days of cloud adoption. Back in 2016 and 2017, organizations were obsessed with “lift and shift” strategies, moving workloads without rethinking the underlying architecture. We see a similar trend today where teams want to simply swap an algorithm and call it a day. This approach ignores the need for crypto agility and redesigned frameworks that can adapt as standards evolve.
Getting Past the Inventory Paralysis Trap
One of the primary roadblocks today is what Antti calls inventory paralysis. Large organizations are not dealing with hundreds of systems but tens of thousands of interconnected dependencies. Waiting for a perfect, 100% accurate inventory is a recipe for stagnation because the data changes faster than it can be scanned. “It seems to be that the data is never complete,” Antti observes. “Two weeks later, it’s showing different data.” Instead of waiting for perfection, leaders should use a risk-based approach to double-click on the areas that matter most.
Ownership Outside the CISO Organization
The ownership of these programs is also shifting. An IBM study found that only 11% of quantum safe programs are owned by the CISO. More than half now sit within the CTO office or with heads of technology transformation. This change reflects the magnitude of the task. Transitioning an entire enterprise requires coordinating hundreds of application and platform teams. It is a cultural and behavioral transformation that must move beyond the security silo to be successful.
Showing Quantified Metrics That Display Risk Reduction Over Time
Building a business case for a multi-year journey remains a challenge. Antti suggests moving away from abstract counts of “bad things” toward quantified metrics of risk reduction. He also advocates for identifying technical debt.
By integrating quantum-safe standards into existing IT refresh cycles, organizations can avoid the future cost of reworking projects that are currently in flight. “You want to get funding for something small now, which avoids the future rework cost,” Antti notes. If a three-year project continues without quantum-safe guidelines, it essentially creates “net new” legacy debt.
No Longer a Future Problem But a Very Much Present Transformation
The strategy for a bank might look very different from a pharmaceutical company. For a financial institution, the priority is often maintaining operational trust flows and ensuring mortgages and payments remain uninterrupted. In contrast, a pharmaceutical company might prioritize the confidentiality of clinical trial data that must be secured for decades. Both require a focus on what matters most from a threat perspective, whether that is “harvest now, decrypt later” or risks to long-term authentication.
The biggest misconception remains the idea that this is a future problem. Antti encourages organizations to stop labeling this as a specialized “quantum” project and start treating it as business-as-usual engineering transformation. By updating engineering practices and technology development today, the transition becomes a natural evolution rather than a frantic race against a future date.
About Antti Ropponen
Antti Ropponen is the Global Quantum Safe Transformation Leader at IBM Consulting. He works with global organizations to scale quantum-safe programs, focusing on moving from theoretical risk to operational migration. His work emphasizes architectural planning, crypto agility, and enterprise-wide governance.