
Shielded: The Last Line of Cyber Defense
Mapping the Supply Chain: A Faster Path to Organizational Resilience
Mar 19, 2026
38:33
Most conversations about post-quantum cryptography start with algorithms. Sarah McCarthy starts with people. As Quantum Readiness Program Lead at Citi, Sarah works in the realm of payments, compliance, and cryptographic change inside one of the world's most regulated and interconnected financial institutions. In this episode of Shielded: The Last Line of Cyber Defense, she brings that perspective to bear on what large-scale PQC migration actually looks like in practice.
Sarah's background spans research, vendor-side work, and enterprise security, giving her a view across the full cryptographic supply chain. That experience shapes how she thinks about readiness. At Citi, the quantum readiness program began in 2022, predating much of the current regulatory urgency. What started with foundational questions about data sensitivity and retention has expanded into a formal vendor survey, internal education efforts, and a growing set of no-regret technical actions already underway.
One of the clearest themes from the conversation is the gap between how organizations think about PQC migration and what it actually demands. The instinct is to frame it as an algorithm upgrade. In practice, it requires identifying which systems hold sensitive data, understanding how long that data needs to stay protected, coordinating across teams that may not yet see cryptography as their problem, and building internal champions who can translate technical risk into organizational action.
Sarah also addresses the vendor landscape directly. Citi's quantum readiness survey of suppliers is surfacing meaningful patterns about where the ecosystem stands and which vendors are genuinely prepared to engage with these questions. Unsurprisingly, the most capable responses are coming from key management providers and hardware security module vendors. Others are still catching up, not just technically but organizationally.
The episode also tackles the regulatory picture across payments. Standards bodies and working groups are moving, but interoperability across jurisdictions remains a live challenge. For organizations waiting on regulatory direction before acting, Sarah's message is clear: some steps make sense right now regardless of what regulators decide. Upgrading AES key sizes for data at rest, moving to TLS 1.3, and identifying crown-jewel data are all defensible moves that will not be undone by future guidance.
Sarah closes with what she expects from the next twelve months at Citi and with the framing that best captures her overall approach: quantum migration is an operational challenge before it is a technical one. The organizations that prepare well will find the actual algorithm switch far more manageable than they feared.
What you’ll learn:
- How Citi's quantum readiness program has evolved since launching in 2022
- What a vendor quantum readiness survey reveals about supply chain preparedness
- Why PQC migration is fundamentally a coordination problem, not just a technology upgrade
- What no-regret first steps any organization can take today, regardless of size or resources
- How to identify and prioritize crown-jewel data before full migration begins
- Why internal champions matter more than a large dedicated team
- What regulators and standards bodies in the payments space are signalling for 2026
- How to frame quantum readiness as an operational challenge to get organizational buy-in
- What Citi is focused on achieving over the next twelve months
- How the 80/20 rule applies to post-quantum migration: preparation is the hard part
Sarah McCarthy is the Quantum Readiness Program Lead at Citi, where she brings together a world of payments, compliance, and post-quantum cryptography. Her background spans academic research, vendor-side security work, and large-scale enterprise risk, giving her a rare cross-sectional view of the cryptographic supply chain. At Citi, she leads efforts to assess and reduce quantum risk across a globally interconnected payments environment, including the design and rollout of a quantum readiness vendor survey program. Her work focuses on translating complex cryptographic risk into practical organizational action across highly regulated, multi-jurisdictional systems.
Your roadmap to Quantum Resilience
[04:08] Step 1: The Groundwork Is the Migration
Sarah draws a direct line between show jumping and PQC. In show jumping, dressage, which is all the flat work done before any fence is in sight, is what makes the jump possible. Cutting corners does not save time; it causes failure at the moment that matters, and the same logic applies here. Most of the effort in post-quantum migration is not switching algorithms. It is everything that has to happen first: understanding what you are protecting, mapping dependencies, building internal relationships, and creating the conditions for change to land cleanly.
Key Question: Is your organisation building toward the jump, or assuming the jump will sort itself out?
[08:12] Step 2: Your Vendor Survey Is a Map of Your Migration Risk
Citi launched a formal quantum readiness survey for their supplier network, built around the NIST 8547 report and the algorithms slated for deprecation. It asks vendors what post-quantum algorithms they plan to support, what their timelines look like, and whether they have lab capacity for performance and interoperability testing. So far it has gone mainly to vendors already active in the quantum community. And even there, a pattern is clear. The most capable responses come from key management providers and hardware security module vendors. Others cannot yet identify who inside their organisation should be answering. That gap tells you exactly where your migration dependencies are most exposed and which vendor relationships need attention before they become blockers.
Key Question: If you surveyed your critical vendors today, do you know which ones could answer and which ones could not?
[15:30] Step 3: The First Step Has Nothing to Do With Post-Quantum Algorithms
When Sarah describes what Citi's quantum readiness program focused on first, the answer is deliberately unglamorous. Start with data at rest. Make sure AES key sizes are large enough. Then go to the teams responsible for databases, find out what upgrading actually requires, and make sure no data falls through the gaps. In an organisation the size of Citi, that means finding databases that have been running without anyone looking after them. None of this is post-quantum cryptography. But it is foundational, it will not be undone by future guidance, and it forces you to understand the two attack vectors that quantum actually creates: harvest now decrypt later, which targets long-life confidential data, and trust now forge later, which targets the integrity of long-term contracts and records. You cannot prioritise what you have not found.
Key Question: Do you know where your long-life sensitive data lives, and whether what is protecting it today is actually sufficient?
[22:15] Step 4: You Do Not Need a Big Team. You Need the Right Coalition.
Sarah's quantum readiness team at Citi is, by her own description, a negligible number of people. What makes the program work is not headcount but the coalition built around it. The team recruits champions from legal, compliance, risk, and emerging technology, each with their own stake in the outcome and their own routes into parts of the organisation the core team cannot reach alone. Compliance teams respond to the threat of future penalties. Risk teams have frameworks that absorb quantum threat modelling. Quantum opportunity work opens doors that a security briefing would not. A Hudson Institute study put the potential economic impact of a quantum attack on financial institutions at three to four trillion dollars. That number moves budget conversations. The message is the same for organisations without a formal centre of excellence: find the people who already have a reason to care, and give them what they need to carry it forward.
Key Question: Who across your organisation has a stake in this that they do not yet know about?
[29:50] Step 5: Use Cases First. Inventory Later.
There is a persistent assumption that full cryptographic asset discovery has to come before anything else can happen. Sarah challenges it directly. The Quantum Safe Financial Forum report Sarah contributed to builds a prioritisation matrix scored on migration cost, solution availability, number of dependencies, and geographic exposure. The point-of-sale terminal example makes the case concretely. Offline POS transactions use asymmetric cryptography and might look like an obvious target until you examine the use case and find that most of those transactions are negligible in value and can be handled by moving online and upgrading symmetric key sizes instead. Use-case analysis stops you from putting migration effort in the wrong places.
Key Question: Have you identified your highest-risk use cases, or are you waiting for a complete inventory before doing anything?
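As an added illustration, not code from the episode or from Citi, the Python sketch below combines the two quantum threat classes described in Step 3 (harvest now decrypt later, trust now forge later) and the no-regret key-size check with the matrix dimensions named in Step 5 (migration cost, solution availability, dependencies, geographic exposure), run over a constructed inventory. The ten-year horizon, the 256-bit target, the field names and the scoring formula are all assumptions.

```python
from dataclasses import dataclass
HORIZON_YEARS = 10  # assumed years until a relevant quantum computer; not a figure from the episode
MIN_AES_BITS = 256  # assumed target key size for the no-regret data-at-rest step (Step 3)

@dataclass
class UseCase:
    name: str
    crypto: str          # "symmetric", "asymmetric-confidentiality" or "asymmetric-signature"
    key_bits: int
    protect_years: int   # how long confidentiality or integrity must hold
    value: str           # "negligible" or "material", as in the POS argument (Step 5)
    migration_cost: int  # 1 (cheap) .. 5 (very expensive)
    solution_ready: int  # 1 (no PQC option from the vendor yet) .. 5 (supported today)
    dependencies: int    # external dependencies that must migrate alongside it
    geographies: int     # jurisdictions the use case spans

def classify(uc):
    """Key-size gap, harvest-now-decrypt-later, trust-now-forge-later, or None."""
    if uc.crypto == "symmetric":
        return "key-size" if uc.key_bits < MIN_AES_BITS else None
    if uc.protect_years <= HORIZON_YEARS:
        return None  # protection need expires before the assumed horizon
    if uc.crypto == "asymmetric-confidentiality":
        return "harvest-now-decrypt-later"
    return "trust-now-forge-later"  # asymmetric-signature

def recommend(uc):
    threat = classify(uc)
    if threat is None:
        return "defer: not exposed within the planning horizon"
    if threat == "key-size":
        return f"no-regret: upgrade symmetric key to {MIN_AES_BITS} bits"
    if uc.value == "negligible":
        return "redesign: move online and rely on upgraded symmetric keys"
    return f"PQC migration needed ({threat})"

def score(uc):
    if classify(uc) is None:
        return 0  # not exposed: stays out of the migration queue
    urgency = max(uc.protect_years - HORIZON_YEARS, 1)  # years the data outlives the horizon
    return urgency * (uc.dependencies + uc.geographies) * uc.solution_ready // uc.migration_cost

def prioritise(cases):
    return [c.name for c in sorted(cases, key=score, reverse=True) if score(c) > 0]

CASES = [  # constructed inventory for illustration only; not Citi data
    UseCase("offline POS transaction", "asymmetric-confidentiality", 2048, 12, "negligible", 4, 2, 3, 5),
    UseCase("customer records archive", "symmetric", 128, 25, "material", 2, 5, 1, 2),
    UseCase("long-term loan contract signing", "asymmetric-signature", 3072, 30, "material", 5, 3, 4, 3),
]
```

Running `prioritise(CASES)` puts the under-keyed archive first and the low-value POS flow last, with the POS recommendation being the redesign Sarah describes rather than a PQC migration.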
[42:56] Step 6: Migration Is a Coordination Problem, Not a Technology Problem
Sarah's closing reframe is the most important one in the episode. The instinct is to treat post-quantum migration as an algorithm upgrade. Hand it to the security team. Wait for a technical answer. But what it actually requires is getting legal, risk, compliance, procurement, software developers, and budget holders onto the same page and keeping them there. No team can do this in isolation. And the reason it has to be everyone's priority is not complicated. Financial institutions run on trust – from customers, vendors, and peers. Strong cryptography is what makes that trust possible. Once that framing lands, quantum readiness stops being a security problem and becomes an organisational one. The algorithm switch is the jump. Coordination is the dressage that makes it possible.
Key Question: Is your organisation treating this as a coordination challenge, or is it still waiting for one team to solve it?
Episode Resources
Want exclusive insights on quantum migration? Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.
Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so
