Different inevitabilities.

A gradiant, not a binary

Quantum security vendors are losing the room — not because leaders are uninformed, but because the argument being made doesn’t match the way leaders evaluate risk. Urgency requires a shared definition of inevitable, and that definition varies more than the industry admits.

This piece introduces a simple distinction: some threats expand the attack surface and have no single solution. Others are instances of a vulnerability class that already exists. Harvest Now, Decrypt Later falls into the second category — quantum computers didn’t create the weakness in your cryptography, they just gave it a deadline.

The executive question isn’t whether to take the threat seriously. It’s whether you’re being sold a solution to one instance of a problem when what your organization actually needs is to address the class.

Not all inevitabilities are equal. Vendors pitching quantum risk treat HNDL as self-evident, but leaders aren’t wrong to be unconvinced — they’re responding to an argument that was never actually made. The case for urgency depends on which type of inevitable you’re talking about, and HNDL sits at the far end of that spectrum.

Inevitability is a spectrum, it’s not one thing, it’s a gradient. If I showed you a gradient between yellow and blue and asked where yellow ended, you’d probably point somewhere before green. But if I asked where blue started, likely you’d choose something on the other side. Other languages have a different subset of colors named, and that changes the perception of color.

Languages with more named colors see more colors in tests. What’s happening with Cybersecurity right now is that different people have named different types of inevitability. Some threats feel inevitable the moment you hear them. Others require a framework you don’t yet have.

Imagine a CEO of a small company. It’s big enough they don’t deal with engineering, but small enough to hear highlights about individuals. They have two Cybersecurity vendors on their schedule.

The first vendor talks about Claude Mythos and how the attack surface is impossible to secure now. The CEO thinks back to a few years ago when an engineer put an early small LLM on their laptop and it found a few minor, but previously unseen security issues.

The second vendor talks about how quantum computers will break encryption once they get big enough, and attackers are collecting or “harvesting” data now to decrypt later on.

The second vendor has a harder sell. They are referring to something that to the vendor, to researchers and likely to cybersecurity professionals is urgent and inevitable. But to most leaders, it isn’t.

This isn’t just a vendor issue. CISOs, CTOs and other leaders inside the organization may understand the threat clearly and still fail to move it simply because they’re speaking a different dialect of inevitable than the leaders they’re trying to convince.

Not all inevitabilities work the same way. AI expands the attack surface — there’s no single solution because the problem keeps growing. HNDL is different. It’s not a new class of vulnerability, it’s a named instance of one that already exists: any cryptography can be broken, by someone, eventually. Quantum computers just gave that timeline a shape. The executive question isn’t whether to take HNDL seriously. It’s whether you’re being asked to solve the instance when what you actually need is to address the class.