
After spending the past couple of years talking with boards, executives, and CISOs, from lunch-and-learns to national security workshops, I’ve learned something interesting about how people approach Post-Quantum Cryptography (PQC).
Everyone agrees it’s important. Everyone nods when you say “harvest now, decrypt later.” But the moment you start explaining how deep that problem really goes, someone inevitably says: “Can you make it simple? Explain it like I’m five.”
It’s always well-intentioned. Clarity matters. But after hearing that line (or “in layman’s terms,” or “so a non-technical person can get it,” take your pick) more times than I can count, I’ve realised something: with PQC, “explain it like I’m five” is the wrong goal.
I’ve even seen it among seasoned marketers. Every CMO I’ve interviewed – all smart, capable communicators – tried to find the “perfectly simple” story that would make a semi-interested audience both understand PQC and act on it. But every attempt ended up drifting into abstraction. The simpler the language got, the further the message moved from the real urgency.
Because PQC isn’t just another tech acronym to say in pure layman’s terms; it’s the invisible infrastructure shift that will decide whether today’s data stays secure ten years from now. And when we smooth away its complexity, we also smooth away the stakes.
The Reality Beneath “Keep It Simple”
Quantum computing isn’t just “a faster computer.” It’s a fundamentally different way of processing information, one that rewrites the rules our current encryption systems were built on. PQC isn’t a new feature or an upgrade; it’s a defensive rebuild of the world’s digital foundations, happening quietly in the background while most of the internet continues to run on algorithms that quantum machines will eventually break.
And that’s where the communication challenge begins. Quantum is inherently complex. Cryptography is inherently complex. And future-proofing is inherently abstract. Combine all three, and you get a collision of disciplines (physics, mathematics, and risk planning), each demanding precision to stay meaningful.
When we try to compress all of that into an oversimplified story, it starts to sound unserious. Ask ChatGPT to “explain quantum computers like I’m five,” and it’ll use the word “magic”. Even dressed up in corporate polish, that framing doesn’t survive a C-suite conversation. It makes the topic feel whimsical when what’s needed is strategic gravity.
There’s another cost to simplification: it distorts scope. Once PQC sounds easy, it stops sounding big. People stop recognising that PQC migration is a multi-year, enterprise-wide effort, one that touches infrastructure, procurement, compliance, and policy. When they believe it’s a small technical fix rather than a systemic rebuild, deferring it feels safe.
That’s the paradox of simplifying PQC: the easier we make it sound, the less it sounds like something worth acting on.
Two Kinds of Conversations
After dozens of workshops and board discussions, I’ve noticed that every conversation about PQC eventually splits into one of two paths.
The first is the “curious but detached”, the one filled with curiosity but little urgency. It’s the kind where someone says, “Quantum sounds fascinating, but it’s still years away, right?”, or sometimes even says something along the lines of “people should start actioning it now!” – until prompted to be the one to act. The discussion stays conceptual. People are interested, but not invested.
The second is the “aware and impacted”. These conversations are usually shorter, sharper, and more practical. They don’t require a lengthy simplification of the whole concept. These are the people who already understand that quantum computing doesn’t need to exist today to pose a threat today. They ask about the threat itself, migration timelines, integration steps, and how to audit cryptographic assets before the next mandate hits.
And the data backs it up: recent studies suggest fewer than 5% of CISOs currently view PQC as a high strategic priority. Most organisations are still in that first category, which perfectly mirrors what I see in the room.
What’s interesting is that this split doesn’t correlate with job titles or technical depth. I’ve seen CISOs, CMOs, and cybersecurity leads all start from the same point of uncertainty, because PQC sits at the intersection of fields that don’t usually overlap: mathematics, physics, and long-horizon risk management. The difference isn’t in background; it’s in mindset.
Once someone grasps that data encrypted today may be decrypted tomorrow, the true impact of that, and how close 2030 really is, the tone changes completely. It’s no longer about learning a new concept; it’s about protecting what already exists.
That’s why our communication and product strategy both focus on the “aware and impacted”. There’s already a wealth of accessible education for those still learning the basics, including resources we’ve contributed to ourselves. But we can’t keep teaching the alphabet of cryptography. At a certain point, continuing progress depends on shared responsibility – communicators to explain clearly, and leaders to stay engaged.
The Onus to Learn
There’s no shortage of educational material about PQC anymore. The standards are public. The mandates are published. Governments, vendors, and industry bodies have all sounded the same alarm, and the message is consistent: the transition has already begun. There are many sources that start from the very beginning, including articles and videos published by us and other vendors.
So when I still hear “I don’t really understand post-quantum cryptography”, and the speaker’s next step isn’t asking for resources to learn about it, it’s no longer just a statement of curiosity. By 2025, saying “I don’t understand PQC” isn’t just curiosity; it’s an indicator of organizational risk.
The truth is, PQC doesn’t lack explanations. It lacks engagement. Too often, people mistake “not understanding” for “not being able to understand.” But this field isn’t inaccessible, it’s just unfamiliar. The problem isn’t complexity; it’s distance.
Simplifying PQC to make it sound easy doesn’t bridge that distance; it widens it. It removes the sense of scale and consequence that make the topic worth understanding in the first place. We don’t make it clearer by sanding off its edges, we dilute it, and in doing so, we do the audience a disservice.
Executives in charge of security, compliance, or infrastructure already carry the expectation to stay informed on AI, IAM, and cloud. Crypto-agility deserves the same attention. Understanding it isn’t optional background reading, it’s part of protecting continuity and trust.
Ultimately, the barrier to understanding PQC isn’t a lack of plain language, it’s whether we’re willing to stay curious long enough to engage with it.
Curiosity Over Comfort
Some of the most meaningful conversations I’ve had about PQC weren’t with cryptographers or researchers, they were with executives who admitted, “I don’t get this yet, but I want to.” Those are the discussions that move the fastest. They start from curiosity instead of defensiveness.
That willingness to learn, to pause, to engage with something unfamiliar, is what separates leaders who adapt early from those who wait until adoption becomes an obligation and last-minute chaos.
Because PQC isn’t just a technical milestone; it’s a cultural one. It asks people who are already experts in their own domains to step briefly into another, to bridge security, mathematics, physics, and policy, and make sense of something that doesn’t fit neatly into a single discipline. That calls for humility more than mastery.
The leaders who make progress aren’t the ones who have the simplest explanations. They’re the ones who stay curious long enough to see past them and to power through the learning curve, just as they should for other technologies such as AI.
PQC isn’t about hype. It’s about stewardship of data, trust, and national resilience. And that demands curiosity far more than comfort.
Conclusion
There’s a recurring tension in every frontier technology between clarity and depth. The easier something sounds, the less seriously it’s taken, and PQC is no exception.
We can’t make it effortless without making it empty. And that’s okay. Some subjects are meant to stretch us a little, to remind us that protecting the future isn’t meant to be convenient.
Rather than ‘explaining it like you’re five,’ I aim to explain it clearly, honestly, and accessibly, trusting readers to meet the complexity halfway.
Because clarity matters, but so does curiosity.









