Episode 244 – Post-Quantum Cryptography: Leading Projects When Technology Shifts

Run Time: 45 Minutes

About This Episode

Forward-looking organizations aren’t waiting for quantum disruption to arrive—they’re preparing now, and post-quantum cryptography (PQC) is central to that strategy. Information security management professional, Chris Basener, joins us to discuss quantum computing and PQC, including the looming “Harvest Now, Decrypt Later” risk, where data encrypted today could be exposed in the future once powerful quantum computers emerge.

Chris explains how PQC algorithms differ from current encryption standards and where they are already being tested and implemented. Learn about the practical impact on VPNs, password managers, and sensitive data protection, along with guidance for project managers on continuously reassessing exposure and strengthening governance, risk, and compliance practices. Additionally, we discuss delivery of PQC initiatives using a hybrid mindset, how to communicate cyber risk to executives, and how to “quantum-proof” your career for emerging quantum-era risks and opportunities.

Chris Basener brings more than 20 years of experience in consulting and project leadership, specializing in aligning cybersecurity strategy with business objectives. His work focuses on governance, risk, and compliance (GRC), enterprise risk assessment, and building risk-aware cultures through training and maturity programs. More recently, he has focused on quantum-safe security, completing MIT xPRO’s Quantum Computing: Strategy and Impact program and earning QSECDEF’s Introduction to Quantum Cybersecurity certification and ISACA’s AAISM credential. He is a former Director of Security for PMINYC. Whether you’re leading IT projects or responsible for safeguarding organizational data, Chris shares practical guidance for preparing your organization, and your career, for the quantum era.


Favorite Quotes from Episode

“But if everyone starts to do their part now and learn and make progress, I think they’re going to be fine or have a better chance of doing well. But it’s the people that blow it off, ‘Oh, that’s futuristic, that’s Star Trek, that’s not going to happen to me.’ The Titanic thought it wouldn’t sink, and guess where it is now.”

Chris Basener

“…no one knows, even the really smart minds regarding quantum computing and post-quantum cryptography. No one knows exactly. And that’s what makes these migration projects different is just the high level of risk involved, and the rapidly changing environment. This is not building a road that’s been done for thousands of years. This is blazing a new path.”

Chris Basener

“…we think of post-quantum cryptography as cryptography that’s safe from known attacks from both classical computers, and also cryptography that’s expected to be safe from attacks from quantum computers.”

Chris Basener

Quantum computing is speeding up, and organizations are racing to protect long‑lived data. Security expert Chris Basener joins us to talk about post‑quantum cryptography, the rising “Harvest Now, Decrypt Later” threat, and how PQC is already being tested. We ask what project managers can do now to assess risk, strengthen governance, and prepare their careers for a quantum future.

Chapters

00:00 … Intro
01:38 … About Post-Quantum Cryptography
03:42 … What is a Quantum Computer
05:25 … The Upside of Quantum Computers
06:54 … The Workings of Current Encryption
08:19 … A Question of Timing
11:02 … Impact on VPN and Password Managers
14:35 … Defining Post-Quantum Cryptography
16:12 … PQC In Use Today
17:32 … How Can I Protect Myself
20:08 … A Continuous Risk Review Mindset
22:20 … Ren Love’s Projects from the Past
25:08 … Limitations to Post-Quantum Cryptography
26:35 … Governance Risk & Compliance
28:08 … Hybrid in Emerging Complexity
30:13 … Translating Technical Risk Clearly
32:00 … Tactical Empathy
34:36 … Quantum-Proof Your Career
38:27 … Advice for PMs
40:03 … Getting the Word Out
43:05 … Find Out More
45:19 … Closing

Intro

CHRIS BASENER:  But if everyone starts to do their part now and learn and make progress, I think they’re going to be fine, or have a better chance of doing well.  But it’s the people that blow it off, “Oh, that’s futuristic, that’s ‘Star Trek,’ that’s not going to happen to me.”  The Titanic thought it wouldn’t sink, and guess where it is now.

WENDY GROUNDS:  Hello, and welcome to Manage This, the podcast by project managers for project managers, and we’re thrilled to have you with us.

If you’re enjoying the show, we’d love to hear from you.  Whether it’s on our website Velociteach.com, social media, or your favorite podcast app, your feedback helps us keep inspiring and supporting project managers just like you.  And if you’ve got questions about our podcast or about project management certifications, we’re here to help.

BILL YATES:  The PMP Exam is changing this July, 2026. If certification is on your radar, now is the time to act. When major exam updates roll out, new content and question formats typically follow — and early transitions can be a bit bumpy and unpredictable. Right now, the exam is stable, it’s well-defined, and is fully supported by proven study materials.

At Velociteach, we’ve helped project managers earn their PMP certification for over 20 years. Our boot camps and OnDemand training are built around the same methodology behind the #1 PMP exam prep book, with more than 250,000 copies sold worldwide.

If you’re serious about getting certified, do it before the exam changes. Visit velociteach.com to learn more.

About Post-Quantum Cryptography

So today we’re exploring a topic that may sound like science fiction, but it is very real and increasingly important to our digital future:  post-quantum cryptography, or PQC.  We’ll talk about quantum computing, why it could disrupt today’s encryption methods, and what organizations can do now to prepare.

Joining us is Chris Basener, an information security management professional with over 20 years of experience in consulting and project leadership.  Chris specializes in aligning cybersecurity strategy with business objectives, mitigating enterprise legal and reputational risk while supporting profitability. 

More recently, Chris has expanded his focus to quantum-safe security.  Completing MIT xPRO’s Quantum Computing: Strategy and Impact program, he’s a former Director of Security for PMI NYC, and today he’ll help us cut through the noise, explain what PQC really means for project leaders, and share how organizations can start preparing before the risk becomes reality.

BILL YATES:  This is going to be a great conversation, Wendy.  Let me boil it down.  We as project managers have to focus on security and securing data quite frequently.  Really, it’s a constant concern, and something that’s always on the risk register.  So, one of the key questions here for this conversation is how can project managers protect sensitive data? 

I saw an analogy about post-quantum cryptography that was helpful for my third-grade brain.  It says, okay, post-quantum cryptography is like changing the locks on your house today because you know in the future someone will invent a master key that breaks the old ones.  We’ve got great locks in place today, but we don’t know how long they’re going to be viable, how long they’ll last.  So, we’re going to get into this topic and talk about securing our data.

WENDY GROUNDS:  Hi, Chris.  Welcome to Manage This.  Thank you so much for joining us today.

CHRIS BASENER:  Thank you so much for having me.  It’s really an honor to be on this podcast.  Congratulations on your 10 years plus.

What is a Quantum Computer

WENDY GROUNDS:  Thank you.  Thank you so much.  I really appreciate that.  And we are intrigued by this topic.  I think it’s something very new, and we love to bring new stuff to our audience.  So, we really appreciate you reaching out to us. First of all, let’s start at the basics and talk about quantum computing.  We hear a lot about it, but we don’t really know exactly what a quantum computer is and how it’s different from the computers that we’re using today.  So, could you just give us a little bit of a background into that?

CHRIS BASENER:  Absolutely.  First, just a quick bit on what it’s not because there are a lot of misconceptions.  And as with any nascent technology or emerging technology, there’s hype, there’s truth, and sometimes there’s something in between.

So, the basics of a classical computer are a bit; right?  Data can be a zero or one.  It’s binary.  It’s one or the other.  It’s like a light switch, a standard old-fashioned light switch, on or off; right?  There’s no dimmer button.  So, with quantum computers, the basis is a qubit.  So, if anyone has had quantum mechanics, it’s very different.  It’s not just, oh, this is a little different.  It’s a completely different way of looking at things. A qubit can be in what’s called a “superposition.”  It can be zero; it can be one; it can be both.

Think of it like a coin spinning on the top of the table, heads, tails, and you don’t know where it’s at until you measure it.  So, quantum computers are not just going to be everything faster.  There are use cases for quantum computers.  There are things quantum computers will be able to do faster than a classical computer.  But some of that’s still being developed.  A lot of it’s still being developed.  So that’s a great question to start off.

The Upside of Quantum Computers

BILL YATES:  Following up with that, some people worry that quantum computers are going to be dangerous.  If there’s potential for harm, why are we even creating these things?  You know, what’s the upside here?

CHRIS BASENER:  Absolutely.  Well, the upside has several use cases.  It’s anticipated that quantum computers will help speed up developing new drugs for pharmaceutical companies.  They’re anticipated to help with security.  And it’s also anticipated that quantum computers will help group optimization problems, for example, with logistics in other similar cases. 

So, there are many use cases.  It’s like any other tool; right?  I can use a steak knife to cut my steak.  Not I, but a criminal could use that to harm someone.  Same thing with a car.  I use a car to go to work or to travel.  Some people drink and drive, and a car is used to kill someone.

So, although those analogies maybe aren’t the closest to computing, it’s like any tool; right?  It’s in the hands of the user to use it for good or not for good.  And my goal is to help spread the word on how to use them for good.  So, thanks again for getting the word out.

BILL YATES:  Chris, when I was researching this, one of the quotes that I came across that I just thought was the funniest was, “What’s the need for quantum computing?”  And the quote was, “The most famous use of quantum computers is ruining IT security.”  I’m like, “Okay, that gets right to it.”  So, we’ll talk more about that.

The Workings of Current Encryption

WENDY GROUNDS:  Chris, can you explain how current encryption works, and how a quantum computer can break it?

CHRIS BASENER:  Well, cryptography, as I’m sure many of your listeners know, has been around for a long time; right?  We have Caesar’s cipher.  We have many examples, even back to antiquity.  So, cryptography is not new.  Think of asymmetric cryptography; right?  RSA.  Think of it as basically the computer will take two large prime numbers and multiply them, something for a classical computer that’s very easy to do.  But the reverse for a classical computer is very difficult. 

So, the risk is that quantum computers using Shor’s algorithm, something developed by MIT’s Peter Shor around 1994, it’s expected that that will break that because of the superpositioning of the qubit.

It’s not like a classical computer where things are done sequentially, one and then another.  So, for a classical computer to break RSA 2048, it could take years and years and years, like well beyond our lifetime.  But with quantum computers being able to put qubits in superposition, it’s like trying them all at once, many at once.  So, it’s expected to happen pretty quickly. Back to a common misconception, using post-quantum cryptography, it’s not a simple software upgrade.  It’s not like going from Windows 9 to 10 or 10 to 11.  It’s a very different way of looking at things and thinking.

A Question of Timing

BILL YATES:  Along the topic of timing, how long do you think it is?  What are the estimates until quantum computers can realistically break current encryption methods?

CHRIS BASENER:  That’s a good question.  That reminds me of when people were asked about Bitcoin; right?  Some people say Bitcoin’s going to zero.  Some people say it’s going to a million.  Depends on who you ask.  I think there are credible estimates that a quantum computer will be able to break RSA 2048 around the year 2030.  And it’s a fair question; right?  It matters when it’s coming in terms of a risk analysis.

But there’s actually a deeper question behind that.  You mentioned earlier a quote on quantum computing.  The favorite one that I’ve found yet is actually by Ian Kahn from “The Futurist.”  And he said, “The quantum future isn’t coming.  It’s already here. I’ve seen organizations with perfect quantum migration plans on paper struggle with execution because they lack the specialized expertise to navigate the transition.”

So, because of threats like Harvest Now, Decrypt Later – and there are others, too.  That’s probably the one that gets the most press.  But what’s happening now is criminals are stealing data now that they can’t decrypt; right?  And once there’s a cryptographically relevant quantum computer, meaning a quantum computer that can break asymmetric key encryption, they’ll be able to harvest the data; right?  I mean, I call it “Steal Now, Decrypt Later.”  But in the literature, it’s called “Harvest Now, Decrypt Later.”  It has other names, but basically that’s what’s happening.

So, there’s already data that’s at risk.  The idea is, going to Mosca’s theorem, you look at how long do you need to keep your data safe?  Because if you have data that once there’s a cryptographically relevant quantum computer, it doesn’t matter, then who cares?  But if you have, let’s say, trade secrets.  Let’s take, for example, an insurance company.  You have algorithms, you have data that you need safe forever, as long as the company’s going to be in business.  Well, the transition to post-quantum cryptography for large enterprises is expected to be years; right?  So, if those companies aren’t starting the transition now, they’re already behind the 8-ball.

BILL YATES:  Yeah.  I’m so glad you brought that up.  I had that in my notes, too, that mantra of Harvest Now and Decrypt Later.   Again, it’s like, yeah, this is a future problem, but it comes back to right now; right?  If we have data exposed today that someone can access, even if they can’t decrypt it, even if they can’t break it down and get into it, in the future they may have that capability.  This is a relevant conversation, yes, for the future, but also for now.  So, I’m really glad you brought that up.

Impact on VPN and Password Managers

You know, when I think about project managers and some of the approaches they use for securing the data that they have related to their projects, one strategy is VPN. Most companies, you know, have a very standard practice and protocol for doing that.  Another is maybe a little more personal, as well, but we all use password managers.

And certainly, you know, for data that’s important within our projects, we should have access passwords, passwords for our customers, for different data sets that we have access to, that kind of thing.  Those should be really hard passwords, and many of us use password manager software to do that.  You know, some popular ones are like – Google has some, Apple, LastPass, Bitwarden, things like that.  So, are there practical concerns for looking at the impact this may have on VPN, and then also on password managers.

CHRIS BASENER:  Great question, yes.  Well, it goes back to what we’re taught to do as project managers in terms of managing third-party vendor risks; right?  And beyond third-party, the third-party is relying on fourth-party, and so on down the line as today’s tech stack goes.  So, it’s a great question.  It’s definitely something to keep on the horizon.  VPNs definitely could be impacted. 

But again, this isn’t cause for worry.  The goal here is not to scare anyone to buy anything.  The goal is to raise awareness because the risks are already in play with the Harvest Now, Decrypt Later.  But it’s definitely something to ask your third-party vendors.  I know the large companies like Google, this is already on their radar.

And I really saw a trend this past year that enterprises and people were going from what is quantum computing and what is post-quantum cryptography to, okay, we really have to do something now.  And I think part of that was the federal government coming up to speed and really trying to lead the ship in the right direction in this regard.  Again, not getting into politics, just saying the federal government is laying out some standards for post-quantum cryptography. 

And in that regard, it really comes also to a national security issue, back to your question earlier on why develop this, because other nations are going, and in a way, whoever develops that quantum advantage first really is going to gain an advantage.  And the world that we live in involves global politics, whether we like it or not.

Back to some misconceptions too, I think some people think of Q Day, the day when there’s a cryptographically relevant quantum computer, as it’s going to be apocalyptic; right?  Well, I guess that’s possible that it’s been said that history repeats itself.  It’s also been said that history rhymes.  And like superpositioning, both can be true.  But if we think back to World War II with Enigma used by the Germans, they didn’t know it was cracked; right? 

So, it’s easy to think, oh, let’s say a major nation state gets a quantum computer before the U.S.  They’ll wreak havoc and take all the money they can, destroy infrastructure, et cetera.  Maybe, or maybe they’ll be a little more clandestine about it.

So, none of us knows.  I mean, the point in relating back to the Bitcoin analogy earlier is that no one knows, even the really smart minds regarding quantum computing and post-quantum cryptography.  No one knows exactly.  And that’s what makes these migration projects different is just the high level of risk involved, and the rapidly changing environment.  This is not building a road that’s been done for thousands of years.  This is blazing a new path.

Defining Post-Quantum Cryptography

WENDY GROUNDS:  So, let’s just get down to a little bit of basics about post-quantum cryptography.  Can you basically give us a definition of what it is and how the algorithms for PQC, I think you call it, how that works and how they’re different to the encryption that we use today?

CHRIS BASENER:  Absolutely.  So post-quantum cryptography is also referred to as quantum-safe cryptography.  There are other names.  But the idea of it kind of goes back to Peter Shor’s algorithm.  That’s really what put fuel on the fire to develop it.  However, before that, in the late ’70s, there were a couple of researchers that started what we can call the precursors of post-quantum cryptography.  But it wasn’t really until the 2000s that the term post-quantum cryptography was formally used.

So how is it different?  Well, as I mentioned earlier, let’s say RSA, asymmetric cryptography.  It takes large prime numbers, multiplies them together, which is easy for a classical computer to reverse engineer, not hard for a quantum computer.

By contrast, post-quantum cryptography, one of the methods, it’s called lattice-based; right?  So, think of it as a grid with multi-dimensions, and the grid going in multiple directions.  It’s just much more complex.  It’s something that a classical computer just couldn’t figure out.  And it’s also something that’s expected that even a quantum computer couldn’t reverse engineer. 

So, to come back full circle to the definition, we think of post-quantum cryptography as cryptography that’s safe from known attacks from both classical computers, and also cryptography that’s expected to be safe from attacks from quantum computers.

PQC In Use Today

WENDY GROUNDS:  How’s it being used today?  Do you have examples of where it’s actually been used?

CHRIS BASENER:  That’s a great question.  So yes, it’s currently being used in the financial services sector.  The large financial institutions are assembling their own teams.  JPMorgan Chase has been very vocal about leading the charge on this.  I know there are other companies, as well.  They’re not the only ones, but they’re definitely leading the charge.  There are insurance companies, as well, looking to transition.

And just to put some context around this, the transition to post-quantum cryptography is really meant to be a hybrid transition; right?  When we think about a full-scale migration, where is cryptography? Well, the answer is “everywhere.”  It’s in hardware; it’s in software; it’s in communication channels.  It’s everywhere.  And it’s been said there’s not enough money in the world to change all of it over, especially all of it at once. 

So, in terms of using it, it’s software-based, and post-quantum cryptography is not quantum technology; right?  We’re not using qubits for that.  It’s software-based.  It will need to go into hardware eventually.  But in terms of transitioning the migration to post-quantum cryptography, there are companies today that are beginning to employ software solutions to begin to protect their environment.

How Can I Protect Myself

WENDY GROUNDS:  So, if we have people listening, and they’re thinking, “Oh, am I supposed to be doing something?  How can I protect myself?” what should they be doing today?

CHRIS BASENER:  That’s a great question.  Well, let’s think of this on an enterprise level; right?  So, if an enterprise is planning a migration, the first step really is to do an inventory.  And I think a lot of enterprises, as I think about lessons learned and talk to other people in the field, people are surprised at all the cryptography that they have; right? 

Enterprises today are sprawling.  People are working remotely.  These aren’t the old days where everyone shows up at a building; the environment is contained within the walls of the building, in the tech stack.  Everything has sprawled to such a degree that people are surprised at where they’re finding.  So, before anyone can really do anything, you have to take an inventory of, “Okay, what do we have?”  And to do that, it really requires a hybrid approach.

It’s important to have questionnaires.  It’s important to ask people.  But when people don’t know, sometimes they just answer.  They don’t come to you and say, “I don’t really understand what you mean.”  They just answer the question because they’re busy.  They have a million things to do, like you and I.  And you don’t get accurate information. 

But it’s still good to ask people.  However, there are also tools that you can scan the environment with; right?  And there are different ones that have different purposes and lead to different results.  But the best case, especially for national defense, the financial services sector, those high-impact sectors really need a tool that will give them an up-to-date cryptographic inventory in real-time.  And that’s not cheap to implement.

So, in terms of what should they do, first we have to figure out what cryptography do we have, and then we have to assess the risk.  What’s really at risk now?  What are the highest risk systems, business lines, et cetera?  And then how can we migrate, and then doing a test case; right?  You don’t want to break the system.  And start the transition.

Now, another thing that really sets post-quantum cryptography migrations apart from other projects is, think of it this way.  The end goal is not a product.  The end goal is not even really a thing.  It’s cryptographic agility because we don’t even know today what these quantum computers exactly will do with the cryptography.  We’re making our best educated guess.  We’re not throwing darts blindfolded.  But we don’t know for sure.  So, the end game is a state of cryptographic agility, meaning we can swap algorithms without shutting everything off, recoding everything, and getting back online in a week.

A Continuous Risk Review Mindset

BILL YATES:  Yeah, yeah, that’s good.  This is great practical advice, Chris, for our project and program managers, both at the project level and then higher up.  Start with an inventory; right?  Get a sense for, okay, what is the most sensitive data that we have in our project or in our portfolio of projects?  What would hurt us the most or hurt our customer the most if this data got out?  Financial data, all kinds of design specs and engineering documents, things like that.  So, thinking that through.

And then to your point, once I have that inventory, I want to look and see what third-party vendors do I have?  What other companies am I counting on to not be the weak link in this chain that we’re building of strength?  And then it’s funny, like even when I was researching things like password managers and the impact that this will have on that, the bottom line is it’s still all about how strong is your master password; right?  If you’re using Google, or if you’re using Bitwarden or whatever, how strong is your master password, and has that been compromised?  If so, go create another one.  And, you know, there’s some basic blocking and tackling that we can do to make sure that we’re in the best position we can be.

But I really like your use of the word “agility” and “flexibility.”  It’s like as we gather this data and make the inventory, and even in listing out those companies that we’re partnering with, okay, we’re using their software, we’re using their tools, it’s not a one-time shot; right?  It’s like you said, you have to continue to look at it and see. 

They may be like at a medium level of preparedness today.  In a month, they may have really shot up.  They may be pursuing this.  So, we’re in a better place.  We’re not as at-risk as we used to be. 

So, I like this advice.  Start with an inventory, start to look at what is most at risk to me and to my project team, my stakeholders, and then go from there.  And to your point, you have to continue to review it and take a look at it fresh from time to time.

CHRIS BASENER:  Absolutely.  And other good project management practices are making sure all of this is incorporated into SLAs and such, and contracts.  So, although some of this is new, some of it is using the great training and tools and techniques that we have as project managers.

Ren Love’s Projects of the Past

REN LOVE:  Ren Love here with a glimpse into Projects of the Past, where we take a look at historical projects through the modern lens. Today’s project feature takes us back to early colonial Australia and into one of the strangest public-private partnerships in history: the Rum Hospital, now known as the Sydney Hospital, in Sydney, Australia.

If you needed a hospital in New South Wales in the early 1800s, you’d be sent to a series of tents and temporary buildings that were overcrowded and in poor condition – this was a big issue in a penal colony that was plagued by disease, injuries, and lack of basic sanitation. In 1810, Governor Lachlan Macquarie arrived in the colony and decided that a real hospital was needed.

The goal was to construct a permanent hospital complex consisting of three buildings: a central hospital building flanked by two auxiliary wings that were built out of local sandstone and designed in a Georgian architectural style.  Construction began in 1811 and was completed in 1816. The workers were mainly convicts, overseen by colonial officials and the private contractors. While there were delays — mostly due to shortages of materials and some workmanship issues — the project was completed roughly within its expected timeframe.

The scope and the schedule weren’t particularly record-breaking or interesting. The most interesting part of the project is how it was funded. The British government did want a proper hospital built in the colony but, unsurprisingly, didn’t want to pay for it. The solution? Instead of cash, the contractors were granted a monopoly on importing and selling 45,000 gallons of rum to the colony — hence the nickname, “The Rum Hospital.”

At the time, this deal was worth an estimated £100,000. In today’s dollars, that would equate to over 10 million pounds (around 13 million USD). Critics of the deal argued that the colony ended up paying far more in social and economic damage from increased alcoholism than it would have if it had just paid for the hospital in cash.

Was the project a success? Technically, yes. The hospital did get built and it served members of the colony for decades until the central building was demolished in the late 1880s and then replaced with a new, higher quality building. So, this hospital, the Sydney Hospital, remains the oldest operational hospital in Australia.

Thank you for joining me for Projects of the Past, I’m Ren Love. See ya next time!

Limitations to Post-Quantum Cryptography

WENDY GROUNDS:  Chris, can you tell us if there are any drawbacks or if there are limitations to post-quantum cryptography?

CHRIS BASENER:  There are several.  One is just the skills gap; right?  There are estimates out there by large companies in terms of how big that skills gap is.  But one is just the skills gap.  We need people that understand this, that can help implement it.  So that’s definitely a drawback. 

Another one is just the compute power needed for this.  And that’s one thing that sets this type of project apart from others.  It’s not a simple software upgrade.  The compute power is different.  So, there are a lot of dependencies and impacts beyond maybe a standard IT project for post-quantum cryptography migrations.

And then some people think post-quantum cryptography is the silver bullet to protect everything.  It’s not.  Standard security principles are still important – defense in depth, making sure the network is segregated.  So, if someone gets in, they don’t get the keys to the kingdom right away.  It won’t protect everything from everyone. 

And there are certain post-quantum cryptography algorithms that are subject to side-channel attacks, which is, you know, the technical details are really beyond an initial broach of the subject.  But absolutely, there are definitely risks involved.  And then the other risks are the costs; right?  This is not a cheap thing to do.

Governance Risk & Compliance

And that’s where it’s important as good project managers to think that we don’t do security for the sake of security.  Security is there for the sake of achieving enterprise goals.  So, some of this boils down to good GRC; right?  And it’s very important for an enterprise to have the appropriate governance in place.  Think about change management.  If you have a large enterprise, and their change management process is like going to the Department of Motor Vehicles – and, you know, you’re laughing.  You know where this is going; right?

BILL YATES:  Mm-hmm.

CHRIS BASENER:  Then forget it.  Your project is doomed.  Or if you have, for example, when we look at how artificial intelligence has been implemented, it was such a shiny object for some companies that said use this, they didn’t really have good business cases, and they didn’t get an ROI.  It wasn’t AI’s fault.  It wasn’t the person’s fault.  It was a lack of good GRC, Governance Risk & Compliance.  So that’s another important factor with these projects, as well.

BILL YATES:  I think regarding Governance, Risk & Compliance, in the future you have anticipated there are going to be quite a few projects out there that people are going to be called on to lead that will be PQC projects.  They’re going to be Post-Quantum Cryptography-related projects, either replacing or updating systems that we’re using currently, just raising the security level, raising the risk level that our corporation has. 

So, I could see these as being very important, vital, internal projects that some of us are going to be tapped to lead. 

Hybrid in Emerging Complexity

But those, obviously those projects are going to be complex.  And to your point, there needs to be an attitude of, okay, this is not a waterfall project.  This is something we’re going to be learning, the knowledge will emerge as our project progresses. 

This is definitely one of those where the project team has to continue to look and see what developments are coming down in terms of breakthroughs, in terms of risks, in terms of solutions for those. 

So, what works?  I mean, do you use an agile approach?  Do you use a waterfall approach?  You know, it sounds to me like you need kind of a mixture, and you need to find something that works for this particular type of project.  So, what kind of advice can you give in that?

CHRIS BASENER:  Good question.  So definitely a hybrid approach.  There are some things that need to be planned out a little more in advance.  In terms of the end goal with the migration, you know, the hardware is not going to be available with an agile mindset; right?  That’s going to require longer term planning, for sure.  But in terms of the implementation, definitely it will require a hybrid approach, right, because we can’t plan everything out because we don’t even know.  I mean, just even think about the NIST standards, the FIPS 203, 204, and 205, the Federal Information Processing standards.  Those might change.

So, we’re not even at the target range, shooting at a stationary object necessarily.  So definitely a hybrid approach is necessary.  And also realize that the end goal is the cryptographic agility.  We might transition some teams, some systems to use a hybrid approach.  And hybrid doesn’t mean one or the other.  Hybrid means we’re using the classical encryption and the post-quantum cryptography together.  So, if one fails, it’s like a double-check system.

BILL YATES:  Yeah, you brought that up before, Chris, and I like that.  It’s not flipping a switch.  It’s more of a transition plan where you’re going to be using both, certainly both for a long period of time.  And then maybe, you know, depending on how things develop, then maybe we just go a PQC route in the future.  Yeah, that’s a good point.  So, it requires a flexible mindset from the project leader and the team to continue to assess the environment that they’re in.

Translating Technical Risk Clearly

Given how unique these PQC projects could be for one of us to lead, they’re highly technical.  They’re probably going to last a long time.  The project manager is still going to have stakeholders and executives they have to support.  But it’s going to be tricky; right?  I mean, how do I communicate something as nebulous, you know, the cyber side of this?  How do I communicate to my executive team, to those sponsors, as to the progress that we’re making and maybe future challenges that we see without scaring them to death?  So, give us some advice there as project leaders.

CHRIS BASENER:  That’s a good point.  I think there seems to be a tendency online for the doom and gloom to take over.  And it’s interesting, if we look at it from a psychological perspective, some people just tend to be wired to like, you know, the murder mysteries and the crime dramas.  And there’s something about that.  But it boils down to some good project management communication skills of communicating the strategic value.  And some people might be the first one in their enterprise to raise their hand or pound the table and say, “We really have to do something about this.”

So, in terms of communicating it, I think it’s good to start with a business case; right?  How can we be an early adopter to use this to our advantage?  I really think that JPMorgan & Chase is at some point going to have a strategic advantage for being so vocal about the work that they’re doing because, think about it.  Once more people become aware of this problem, they’re going to start to think, “Is my money safe in the bank?”  And if the quantum apocalypse happens, what are you going to do?  Okay, it’s backed by the full faith and credit of the U.S.  Most people probably haven’t even read what the FDIC insurance means.  In that situation, I wouldn’t be holding my breath.

BILL YATES:  Ha ha, yeah.

Tactical Empathy

CHRIS BASENER:  So, I think those are some keys, as well.  Plus, I love reading books, and I love learning more about project management.  I love learning more about security.  I also love learning about communicating.  In this past year, I read a book by Chris Voss called “Never Split the Difference.”

BILL YATES:  Yes, great book.  Yeah, yeah, yeah.

CHRIS BASENER:  It’s a fabulous book.  Not even a paid endorsement.  Just a great work.  He uses what’s called “tactical empathy.”  And so many times, and we’ve all had this experience where you see someone’s upset or they’re concerned about something, and we’re trying to reason with them; right?  And guess what?  It doesn’t work.  I mean, I’m not saying not to use reason.  I’m not saying that we shouldn’t speak logically.  But the point is, if you have a board of directors’ member who is totally opposed to this, strategic empathy.

So, it sounds like you’re concerned about gaining market value.  How can we do this with an emerging technology?  Asking questions, looking at it from their perspective.  You know, the board wants to know strategic decisions. 

And that’s one great thing about being a project manager is if you can learn to speak to the board the way that resonates with them, you’re going to drive project success.  If you talk to them like you’re talking to the person in charge of DevSecOps, it’s a different language; right?  We have to be multilingual.  That’s part of our jobs.  That’s part of the joy of being a project manager is to relate different things in different contexts to different people to drive project success.

BILL YATES:  Right.  That’s good.  Yeah.  That book was fantastic.  And one of those keys is – you’ve nailed it.  It’s like, okay, find out what’s most important to the person that’s on the other side of the table.  You want to know what’s most important to them?  I know what this risk looks like to our organization in terms of, you know, what we think we need to fix, but what’s the executive most worried about?  So yeah, you’re right.  It goes back to communication.

CHRIS BASENER:  Exactly.  And the flipside of the negative risk is positive risk; right?  Risk is unknown.  So how can we use this to create a strategic advantage?  And that was one of the takeaways from an MIT course that I took this past year because I had a moment of reflection.  I thought, where are things going in the financial services sector? 

And I thought, the future of the financial services sector in terms of security and project management is going to center around quantum computing, including post-quantum cryptography, which is not necessarily a quantum technology at this point, but certainly part of that genre of building a quantum advantage and also artificial intelligence.  So, it’s important to look at the upside, too, of creating a strategic advantage by creating a roadmap for an enterprise to adopt quantum technologies.

Quantum-Proof Your Career

WENDY GROUNDS:  Project managers who are listening to us, some of them maybe will be leading projects in something like PQC.  But then others might be thinking, well, how can I best forward my career, not necessarily leading these projects, but just being aware of quantum computing and post-quantum cryptography.  It’s such an emerging domain that how can project managers best be prepared for this?  How can they quantum-proof their careers?

CHRIS BASENER:  That’s a great question.  There are a lot of fabulous resources out there.  I can tell you about some of them that I’ve vetted myself and that I know about.  There’s an interesting book by a Ph.D.  I can spell the name.  Greg Skulmoski.  The last name is S-K-U-L-M-O-S-K-I.  He wrote a book called “Accelerated Quantum Technologies Change Management.”  Sounds pretty fancy; right? 

But he writes it in such a way that it’s very tactical.  And not only is it a great book, but he’s a great guy.  As an aside, one thing that I found in this community of quantum experts is quantum computing is really a humbling field.

And I’ve met some super smart people that were very talented, have been in the field of quantum computing for quite a long time.  Super smart, but also very humble.  Every Tuesday I’m on a call with an international group that really focuses on quantum.  And it’s a great touch point to hear about what’s new, what’s changing.  Because to your point, things are changing quickly.

And this is not a case where, you know, you read a book once.  It’s not a one and done.  It’s still emerging.  So that group is called QSecDef, Quantum Security Defense.  It’s based out of the UK.  But there are people all over the world.  We get on a call every Tuesday morning at 9:00.  Their lifetime membership is like $149.  It’s a tremendous value.  You can take courses, jump online, join the community, ask questions.  It’s really a great resource.  IBM also has some free courses one can take online.

There’s a fabulous blog.  It’s Postquantum.com.  Marin Ivezic is a great human being, and super, super knowledgeable about quantum computing and postquantum cryptography.  His company is dedicated just to that quantum space and that post-quantum cryptography space.  So, there are some great resources.  As I also mentioned, I took a course from MIT, Quantum Computing Strategy and Impact.  Great course.

The professors were fantastic.  They were able to take a very difficult-to-understand topic and make it understandable, and give you enough details to be able to use it without being a Ph.D. student, postdoc.

BILL YATES:  Chris, you know, I’m thinking too, if I were active right now in a company managing projects, I would, depending on the size of the organization, but I would try to see what my CTO or my CIO, see what they know about the topic and ask them do we have a statement yet?  Do we have guidelines corporately that I need to abide by?  Just to kind of raise that awareness.

So, you know, this is something that I see a lot of benefits to it.  You know, to Wendy’s point, this could help in terms of my opportunities in the future as a project manager.  You know, if I had some interest in this and some training, then I might get tapped or brought into really important projects in the future.  If I can kind of find out what’s important to the team, or what’s a little bit uncertain for them, then I think I become more of an ally for them and deepen that relationship.

CHRIS BASENER:  That’s a great point.  I think by cultivating that curious mindset, asking questions and delving in and doing some learning, even if it’s micro learning or learning informally, it’s a great opportunity to build that bridge, learn and really help the enterprise push forward together.

BILL YATES:  Mm-hmm.  Yep.  Good point.

WENDY GROUNDS:  Flexible, yeah.

Advice for PMs

BILL YATES:  Chris, obviously, we need to talk about this particular topic of PQC.  But I need to ask you, with all the experience you’ve had in IT and security, what advice do you have for project managers?

CHRIS BASENER:  That’s a good question.  I had a great time serving as the Director of Security for PMI NYC, and security is definitely very important, especially as almost everything we do is online.  So, I think it’s a case where probably the best advice I can give is continually learning.  I mean, not everyone has to be an ex-security expert, but security is all of our jobs.  We all have to think about what links we click or don’t click.  We all have to think about just the new threats that are out there. 

With artificial intelligence, it’s so easy to have criminals get a hold of data.  Criminals only need, like, three to five seconds of video to create a deep fake, and there have been so many examples where people wired money to the wrong person.  And it’s so easy to think, oh, how could they fall for that?  Any one of us could.

I’ve done phishing campaigns, and sometimes the people that click the links are the people you wouldn’t expect.  So, it’s just a case where it’s not good to be overwhelmed, but just continual learning, even if it’s micro learning, because security of the project, that’s everyone’s goal.  And if that’s compromised and the project fails, that’s a big ball drop, and not the kind that you want like on New Year’s Eve. 

So, I think it’s something that, because everything is digital now, it’s definitely our responsibility as project managers to learn our role in that.  And it doesn’t have to be another certification, but just simply learning.

BILL YATES:  Mm-hmm.

Getting the Word Out

WENDY GROUNDS:  Are there any exciting breakthroughs?  Is anything happening right now in post-quantum cryptography or quantum computing that would be interesting for our listeners to know about?

CHRIS BASENER:  I think probably the most interesting development is probably the ones we aren’t aware of; right?

BILL YATES:  Yeah.

CHRIS BASENER:  Well, I’m grateful that people like you are open to getting the word out, and I really think there’s been a concentrated effort to get the word out.  So, I think the fact that we’ve gone from, “What is this stuff?” to “Okay, we need to start moving in that direction,” not in a panicked, frantic way, but a thoughtful, planned manner, I think those are, for me, the most exciting developments. 

Because when you think about security and lessons learned, sometimes the lesson learned is the lesson wasn’t learned; right?  You look at security, and a lot of breaches still occur because someone did something they weren’t supposed to do.  And so, the thinking is not, gee, what are we going to do if we’re breached anymore.  Now really the thought is cyber resilience.  How are we going to respond when we’re breached?

Really, as project managers, thinking about business continuity, disaster recovery, project and organizational resilience, because gone are the days where, “Gee, what if we’re hacked?”  I mean, seriously, if the FBI is hacked, who are we to think as organizations that we’re above that?  So, the idea is to build in that resiliency.

And so, to come full circle, I think the greatest advances are that people are realizing now this is necessary.  We have to do something.  We’re going to start learning.  We’re going to start implementing.  We’re going to create a roadmap.  We’re going to make progress.  We’re going to push the ball forward.  We’re going to raise the bar.  And we’re going to do it together. 

So that’s another important piece to come full circle on what you talked about earlier, what can be done.  Yes, we build that cryptographic inventory.  Yes, we analyze our risk.  But we also need to upskill.  We need to train people.  For their role, what do they need to know?

So that differentiated learning is so important because what the board needs to know is very different from the tech team versus HR.  And part of the future success in terms of the fabric of the organization because I really think the organizations that say, “Oh, we don’t need this.  It’s down the road.  I’ll get to it later,” some of them aren’t going to exist because there’s going to come a point where quantum computers advance, people see the need more, there’s going to be a talent shortage.

And it’s like the parable of, you know, bringing the oil and running out of oil and asking people for oil.  Enterprises are going to get to a point where they haven’t done anything, and they’re going to ask, and it’s going to be too late because the people that know how to do this are going to be up to their ears busy and can’t take on one more thing, or it will compromise the success of everything.

But if everyone starts to do their part now and learn and make progress, I think they’re going to be fine, or have a better chance of doing well.  But it’s the people that blow it off, “Oh, that’s futuristic, that’s ‘Star Trek,’ that’s not going to happen to me.”  The Titanic thought it wouldn’t sink, and guess where it is now.

BILL YATES:  Right.

WENDY GROUNDS:  Right, right.

BILL YATES:  Mm-hmm, that’s true.

Find Out More

WENDY GROUNDS:  If folk want to find out more, if they want to get in touch with you, or they want to follow developments in post-quantum cryptography, where should they go?

CHRIS BASENER:  Sure, they can reach out to me on LinkedIn.  I also created a group on LinkedIn specifically for project managers to learn about post-quantum cryptography, and I’m happy to share that information.  I also developed a course because I realized there’s a gap in what we’re currently doing in the project management realm versus what’s going to be required on these post-quantum cryptography migration projects. 

So, if people are members of PMI, they can go to ProjectManagement.com and search under “webinars” for my name, and there’s a presentation on this topic scheduled for February.  I’ve done other presentations, “Cybersecurity for Project Managers” and some others, but there’s one specific to post-quantum cryptography that you can get PDUs for.

So, there are other great resources out there that I mentioned earlier.  But I’m happy to connect with people on LinkedIn, answer questions.  And it’s an exciting time.  It’s changing quickly so there’s a lot of stress in that sense.  There’s a lot at stake.  But it’s also a very exciting time.

WENDY GROUNDS:  Great.

BILL YATES:  Yeah, that’s fantastic.  Chris, this has been so helpful.  And you are a lifetime learner.  I can see that in you.  And this is a perfect application of that curiosity that you have because this is an area that we need to raise awareness in, both in our organization, within our project teams, and promote better practices and continue to just evaluate the environment that’s out there because it’s going to be changing.  There’s no doubt about it.  So, thank you for promoting this in our conversation today and just raising that awareness.  Really appreciate it.

CHRIS BASENER:  Well, you’re welcome, and thank you for having me on.  I really enjoy your podcast, and I can tell that you have that humble learning mindset of, hey, we can learn from anyone in a different area of project management.  And sometimes the most successful people will take ideas from seemingly disparate areas and combine them together in a new way.  It’s that creative aspect that sometimes really moves the ball forward.  So, it’s great to be a part of this group.  It’s really been an honor to be here, and I appreciate the great work you do.  And I really, really enjoyed this.  This was learning, inspirational, and fun all in one.  So many thanks to you.

Closing

WENDY GROUNDS:  Thank you for joining us on Manage This.  You can visit us at Velociteach.com, where you can subscribe to this podcast and see a complete transcript of the show.

To claim your free PDUs, go to Velociteach.com, choose Manage This Podcast from the top of the page.  Click the button that says Claim PDUs, and click through the steps.

Until next time, stay curious, stay inspired, and keep tuning in to Manage This.

PDUs:

0.75 Ways of Working
