PQC is not a quantum problem.
PQC is cryptographic debt wearing a deadline. Three independent surveys found the same thing: everyone knows it's coming, and almost nobody has started the inventory work.
Essays and field notes from the practical side of running, defending, and recovering complex systems.
Three independent industry surveys reach the same conclusion: the awareness exists, the planning does not, and the gap is widest in the middle of the market. The edge has moved. Most of the interior hasn't caught up.
PQC is a cryptographic debt, inventory, procurement, and governance problem. The quantum element is the deadline. Everything else is the work that should already have been done — and a disciplined Sense → Decide → Act → Learn loop is how operators close it without panic.
On building technology environments that survive disruption, vendor failures, and the messy edge cases that don't show up in best-practice diagrams.
On moving from reactive firefighting to measured, insurable resilience. IR 2.0 and the Calm Loop, in practice.
On vendor accountability, licensing fairness, and the risks of building critical systems on top of providers whose interests may not stay aligned with yours.
On clarity, attention, and information discipline as a leadership competency. Why staying clear-headed is now an operating skill.
PQC is cryptographic debt wearing a deadline. Three independent surveys found the same thing: everyone knows it's coming, and almost nobody has started the inventory work.
Underwriters can now see the gap between what a company spent on security and what it can actually recover from. This piece is about the four pillars and the operating loop that closes that gap.
The practice I built to stop the day's noise from spending my attention for me — five steps, applied as things arrive, treating attention as something you defend rather than hope holds.
Broadcom's VMware move is a case study in how a vendor can rewrite the deal after you've already built your infrastructure around it.
I was inside one of the affected environments the night of July 19. This is what that night taught me about the difference between having security tools and being able to recover.