The commercial availability of quantum computers that are capable of compromising traditional asymmetric cryptography is still five to 10 years away. But security and risk (S&R) professionals must assess and prepare for the impact of quantum security. This report examines the governance, strategy, architecture, and impacts of quantum security in the short, medium, and long term.