Shielded: The Last Line of Cyber Defense

As quantum computing accelerates, organizations can no longer treat cryptographic migration as a distant technical task. Dr Richard Searle of Fortanix explains how confidential computing and a software-first model enable enterprises to adopt post-quantum cryptography (PQC) rapidly while maintaining control, compliance, and agility. He describes how Fortanix integrates standardized PQC algorithms within trusted execution environments to protect data in use, at rest, and in motion, providing a verifiable layer of defense against quantum-era threats. Richard clarifies that crypto agility, not a one-off migration, is the real target, enabling algorithm rotation and policy enforcement as new standards evolve. He also outlines how global companies must account for regional algorithm preferences, such as those emerging in Europe and Asia, without fragmenting global operations. Through examples from finance and technology sectors, he highlights how auditability, attestation, and workload geolocation now define compliance readiness across DORA, GDPR, and CNSA 2.0 frameworks. The discussion reinforces that migration is as much about policy, inventory, and evidence as it is about cryptography itself. The lesson is direct: begin the transition now, build measurable posture, and design architectures that can adapt before regulators and attackers dictate the timeline.What You’ll Learn:How confidential computing underpins a secure execution base for PQC migration.Why crypto agility, not one-off migration, defines long-term resilience.How to manage regional algorithm differences while maintaining global compatibility.How attestation, geolocation, and immutable logs turn compliance into proof of control.The role of inventory management and performance assessment in sequencing PQC rollout.How to balance human approval with machine-based cryptographic execution through APIs.Why finance and technology are leading sectors in post-quantum adoption.Why starting now lowers cost, builds capability, and prevents a rushed, regulator-driven scramble.Dr Richard Searle is the Chief AI Officer at Fortanix, a global leader in confidential computing and data security. He leads Fortanix’s strategy at the intersection of cryptography, AI security, and post-quantum readiness, helping enterprises protect data across hybrid multi-cloud environments. With a background in systems engineering and safety-critical design, Richard brings more than two decades of experience in building secure, compliant, and resilient systems for both private and public sectors. Before becoming Chief AI Officer, Richard served as Fortanix’s Vice President of Confidential Computing and played a pivotal role in advancing the company’s confidential computing platform, which secures data in use through trusted execution environments. He has also served as the Chair of the End-User Advisory Council and General Members’ Representative to the Governing Board of the Confidential Computing Consortium under the Linux Foundation.A Doctor of Business Administration from Henley Business School, University of Reading, Richard continues to contribute to research in AI and defense security. He serves as Principal Investigator for Fortanix within the U.S. NIST AI Safety Institute Consortium (AISIC) and the UK Integrated Quantum Network (IQN) Hub. Known for his clarity and discipline in security architecture, Richard focuses on helping global enterprises design for crypto agility, regulatory assurance, and quantum-safe innovation.Your Roadmap to Quantum Resilience[03:14] Step 1: Establish a Confidential Computing Base -Quantum resilience begins with protecting what matters most, which is “data in use.” Richard explains how trusted execution environments create an invisible shield around sensitive workloads, keeping information safe even while it is being processed. Fortanix’s software-first foundation allows this protection to extend across cloud and on-premises systems, without the delays of hardware dependencies. Establishing this base gives enterprises the confidence to deploy new algorithms, test PQC performance, and maintain control wherever their data flows.Key Question: Which of your workloads process the most sensitive data and need in-use protection today?[05:45] Step 2: Design for Crypto Agility from Day One -Every organization entering the quantum era must prepare for change. Richard highlights the need to design systems that can adapt, rotating algorithms, refreshing keys, and updating parameters through policy rather than rebuilds. This mindset transforms cryptography from a fixed asset into a flexible service that evolves alongside emerging standards. By embedding agility from the start, enterprises can move with the pace of regulation and innovation instead of reacting to it.Key Question: How easily can your teams change algorithms when new standards arrive?[09:10] Step 3: Plan for Regional Algorithm Variants -Global operations demand awareness of regional differences in cryptographic policy. While NIST drives the global baseline, Europe and Asia are advancing their own approaches, such as Classic McEliece and FrodoKEM, to strengthen local sovereignty. Fortanix addresses this diversity through a single control plane that can manage multiple algorithms while maintaining unified governance. Organizations that prepare for regional variance today will stay compliant and operationally aligned as new mandates emerge.Key Question: Are your policies ready to accommodate regional algorithm choices without breaking global consistency?[16:15] Step 4: Turn Compliance into Evidence -Compliance becomes a source of trust when it can be proven. Richard shows how attestation and workload geolocation enable enterprises to demonstrate exactly where and how data was processed. Immutable logs and signed records create a transparent audit trail, satisfying frameworks like GDPR, DORA, and CNSA 2.0. This approach shifts compliance from a reporting exercise to a living proof of security discipline and accountability.Key Question: Can you present verifiable proof of control, location, and authorization for sensitive workloads?[19:22] Step 5: Inventory, Evaluate Performance, and Sequence by Exposure -A strong migration plan begins with visibility. Richard outlines how teams can build an accurate inventory of keys, certificates, and machine identities, then analyze which are most exposed or critical to business continuity. Fortanix’s data security platform supports this assessment, enabling phased implementation that balances performance with risk. By starting with the systems that face customers and regulators, organizations gain both resilience and credibility in their transition to PQC.Key Question: Which high-exposure services in your organization should move first toward PQC?[21:01] Step 6: Govern with Humans, Execute with Machine Identities -As automation expands, clarity of control becomes vital. Richard describes how Fortanix maintains human oversight through quorum approvals while allowing machine identities to perform cryptographic operations within defined boundaries. This structure preserves accountability and enables scale, empowering secure automation for code signing, data exchange, and AI workflows. True governance lies in this balance, human intent directing machine execution through policy and precision.Key Question: Where can you introduce automation that enhances control rather than replacing it?Episode ResourcesRichard Searle on LinkedInFortanix WebsiteJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

Hardware security modules (HSMs) sit at the core of digital trust, protecting transactions, PKI systems, and authentication. As quantum computing approaches, traditional HSMs face limits that can’t be solved by patching old hardware. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Bruno Couillard, CEO and co-founder of Crypto4a and co-creator of the Luna HSM, about building quantum-safe HSMs. Bruno explains the difference between PQC-ready and PQC-providing, warning that retrofitting classic devices is not enough. He highlights PKI as the no-regret first step and shows how hybrid models let organizations bridge classic and post-quantum algorithms. Cloud adoption and scalability challenges demand modular, cloud-aligned HSMs instead of isolated, priest-only boxes.Bruno’s message is that HSMs are the foundation of digital security, and crypto-agility is now essential for surviving the quantum era.What You’ll LearnThe origin story of the Luna HSM and why it shaped modern key managementWhy SSL in 1995 marked the “Big Bang” of the digital economyPQC-ready vs. PQC-providing: the critical distinction vendors don’t always makeWhy firmware updates can’t turn classic HSMs into true quantum-safe systemsHow hybrid approaches allow gradual migration from RSA/ECC to PQC algorithmsWhy PKI is the best “no-regret” first step in any migration planThe cloud challenge: why HSMs must evolve from priest-only boxes to scalable, modular systemsThe future of cryptography: crypto-agility as a permanent requirement, not a one-off projectWhy cryptography is back at the forefront and ripe for young talentBruno Couillard is the CEO and co-founder of Crypto4a Technologies, where he leads the development of quantum-safe, crypto-agile products like the QxHSM and QxEDGE. With nearly four decades of experience in cryptography, key management, and cybersecurity, Bruno has shaped the hardware security module (HSM) landscape from its origins to its next evolution. Earlier in his career, Bruno cofounded Chrysalis-ITS and co-designed the original Luna HSM, a product that remains foundational to global PKI systems and is now part of the Thales portfolio. He also contributed to the creation of the PKCS#11 standard and served as a cryptographic evaluator for the Canadian government, where he assessed and architected high-assurance military security products, including the Canadian Cryptographic Modernization Program.Today, Bruno sits on the board of Quantum Industry Canada (QIC), co-chairs the Quantum Industry Developers and Users Working Group, and serves on Canada’s National Quantum Strategy committee, actively shaping the country’s quantum-safe cybersecurity ecosystem. Known for his clear perspective, he emphasizes the urgent need for crypto-agility, the distinction between PQC-ready and PQC-providing systems, and the modernization of HSMs to meet cloud and scalability demands.Your Roadmap to Quantum Resilience[04:59]  Step 1: Learn from the PastHSMs were originally designed in an era when cryptographic officers were treated as “priests,” entrusted with near-sacred responsibilities. The Luna HSM grew out of this mindset with hardware built for isolation, secrecy, and manual control. This legacy explains why many devices remain difficult to use and poorly adapted to modern environments. What worked in the 1990s no longer fits a world where security must be deployed at scale and managed across distributed teams. The first step is recognizing if your current systems are still locked in a pre-cloud, pre-scale paradigm.[09:58] Step 2: Understand the Big Bang of Digital TrustThe arrival of SSL in 1995, combined with PKI and HSMs, triggered what Bruno calls the “Big Bang of the digital economy.” That triad enabled secure transactions and authentication, paving the way for today’s digital commerce, which is now one-third of global GDP. The takeaway is that cryptography is not a side issue but the fabric of the digital economy. If the integrity of this foundation collapses under quantum pressure, every layer of commerce, government, and communication is at risk. Leaders must weigh whether they are underestimating just how central cryptography is to their business model.[12:39] Step 3: Separate PQC-Ready from PQC-ProvidingBruno stresses that an HSM must be internally quantum-safe, not just capable of handing PQC algorithms to external applications. Firmware updates, key exchanges, attestation signatures, and sibling-to-sibling communication inside the HSM all rely on its own cryptography. If that internal layer remains classical, the entire system is compromised even if it outwardly “provides” PQC algorithms. Many vendors blur this line, leaving buyers exposed. Organizations need to question their suppliers if they are only PQC-providing, or if they are truly PQC-ready inside and out?[17:38] Step 4: Don’t Believe in Magic WandsClassic HSMs cannot be turned into quantum-safe devices with a firmware patch. Bruno compares this to painting stripes on a horse and calling it a zebra. It may look different, but the foundation hasn’t changed. Once RSA and ECC are deprecated, patched boxes will collapse under the weight of new requirements. Leaders need to ask now whether their existing fleet can actually survive deprecation, or if they are investing in assets destined for the scrapheap. Betting on retrofits is a costly illusion that will leave organizations scrambling.[21:41] Step 5: Secure Your PKI FirstAmong the many cryptographic systems to protect, PKI stands out as the crown jewel. Amazon has publicly called it a “no-regret” migration step, since nearly all systems depend on certificates and keys issued there. Crypto4a’s approach allows hybrid use, binding classical and PQC algorithms in the same machine, so organizations can transition without rebuilding from scratch. By starting with PKI, enterprises set a quantum-safe anchor that supports a gradual rollout elsewhere. It’s a step that prevents wasted effort and ensures early moves don’t need to be undone later.[26:23] Step 6: Modernize and Build for AgilityWhile computing infrastructure has become modular, scalable, and cloud-aligned, most HSMs are still boxy appliances requiring physical keys and human rituals. This mismatch slows deployment and makes cryptography harder to manage at enterprise scale. Bruno argues HSMs must evolve to cloud-native, modular architectures that operators can provision and control without specialized ceremonies. Equally, systems must be designed for crypto-agility, the ability to swap algorithms through policy updates rather than rewriting code. Without agility and modernization, organizations will find themselves locked into brittle systems just as cryptography enters its most turbulent era.Episode ResourcesBruno Couillard on LinkedInCrypto4A Technologies WebsiteJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As industries continue to treat cryptography as invisible plumbing, the risk of systemic disruption is growing. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Mike Silverman, Chief Strategy & Innovation Officer at FS-ISAC, about why complacency is more dangerous than quantum itself. Mike explains how decades of one-off migrations have left organisations brittle, why inventories and risk models are the essential starting point, and how cryptographic agility must become both a design principle and an organisational mindset. They discuss why timelines like 2030 and 2035 demand phased action, how vendor and supply chain readiness can make or break success, and why PKI standards and certificate interoperability are the hidden dependencies no one can ignore. From embedding PQC into normal app modernisation cycles to reframing the conversation for the boardroom, Mike delivers a pragmatic warning: you don’t need to boil the ocean, but you must start now.What You’ll Learn:Mindset Shift: Why the biggest risk isn’t “quantum” per se, it’s assuming cryptography can be ignored until the next crisis.True Crypto-Agility: Minimal downtime, minimal (ideally zero) code changes, policy-driven selection, and ecosystem readiness.Inventory First: How key discovery, asset metadata, and process mapping create a measurable, fundable scope of work.Risk-Based Priorities: Protect crown-jewel data and long-lived assets first; accept there will be legacy tails.Ecosystem Dependencies: Why vendors, PKI standards, certificate profiles, FIPS-validated libraries and supply chains dictate your timeline.Board Framing: Position PQC as business continuity and trust preservation, embedded in regular tech refresh, not a one-off cost centre.2030/2035 in Practice: Read timelines as phase gates (inventory + highest-risk migrations first; wider coverage later), not a big-bang cutover.Mike Silverman is Chief Strategy & Innovation Officer at FS-ISAC, the global, member-driven consortium dedicated to collective defense in financial services. In this role, he leads forward-looking initiatives on post-quantum cryptography, AI risks, cloud security, and sector resilience, helping financial institutions anticipate and prepare for the threats shaping tomorrow’s trust landscape.With a career shaped by crisis response and industry collaboration, Mike has been at the center of efforts to align governments, regulators, and enterprises on how to secure financial systems under pressure, from pandemic coordination to the emerging quantum challenge. His work focuses on reframing cryptography as a first-class citizen, embedding it into inventories, risk models, and long-term technology refresh cycles that extend beyond any single algorithm.Known for his pragmatic perspective, Mike stresses that the real danger is complacency, not just quantum breakthroughs. He argues that cryptographic agility is the only sustainable defense, that timelines like 2030 and 2035 demand phased and realistic planning, and that collective readiness across vendors and supply chains is non-negotiable. His message is clear: organisations don’t need to panic, but they do need to start now.Your Roadmap to Crypto-Agility[03:52] Step 1: Stop Treating Crypto as PlumbingFor decades, cryptography has been invisible, assumed to “just work” in the background. Mike argues this is the biggest blind spot. Every major migration, from DES to AES or from RSA-1024 to RSA-2048, has been treated as a painful one-off. That approach leaves organisations brittle and unprepared for the next wave of change. The lesson is clear: cryptography must be treated as a first-class citizen in security planning, with visibility, budget, and executive attention. Key Question: Are you still assuming crypto will take care of itself, or are you elevating it to a first-class security discipline in your organisation?[09:58] Step 2: Define What Crypto-Agility Really MeansMike recalls sitting in industry meetings where “crypto-agility” meant wildly different things to different stakeholders. FS-ISAC responded by publishing a sector-wide definition: the ability to swap algorithms (A→B) with minimal downtime, minimal disruption, and ideally no code changes. Achieving this requires both architectural foresight (decoupling crypto from applications) and organisational alignment (governance, vendor contracts, policy-driven controls). Key Question: If you had to change cryptography tomorrow, would it take a simple policy update or a rewrite across every app and vendor system?[15:39] Step 3: Build Your Inventory and Risk ModelSilverman stresses a basic truth: you can’t secure what you can’t see. Few CISOs could raise their hand if asked, “Do you know where 100% of your keys are?” An accurate inventory, where keys live, how they’re managed, which systems depend on them, creates the foundation for prioritisation. Layering risk on top ensures crown-jewel systems and long-lived data are addressed first. Without this visibility, organisations risk wasting resources on the wrong assets. Key Question: Do you know where all your cryptographic keys and algorithms are, and which assets pose the highest risk if migration lags?[20:15] Step 4: Plan for Legacy and External DependenciesEven with a ten-year runway, Mike believes there will be legacy systems left behind. Large institutions with acquisitions face inconsistent policies, while smaller firms rely heavily on vendor products. Dependencies extend beyond the enterprise, supply chains, PKI standards, certificate profiles, FIPS-validated libraries all dictate what’s feasible. Success depends on coordinated timelines with vendors and regulators, not just internal willpower.Key Question: Are you aligning your migration plans with vendor readiness and global standards, or assuming you can solve it all in-house?[26:31] Step 5: Embed PQC into Normal Modernisation CyclesBoards balk at funding PQC as a standalone project. Mike reframes it: cryptographic upgrades should be part of ongoing app modernisation and lifecycle refresh. From mainframes and point-of-sale systems to operating systems and middleware, modernisation already happens in cycles. The right approach is to bake PQC into those existing refreshes, so cost and disruption are absorbed by processes organisations already budget for.Key Question: Are you presenting PQC as an extra burden, or embedding it naturally into technology refresh cycles your board already funds?[36:46] Step 6: Act Now, Without FearmongeringMike is clear: the sky isn’t falling. But the longer organisations delay, the harder and costlier the transition will be. Starting small, augmenting asset management, training staff, asking vendors the right questions, creates momentum without overwhelming the business. Crypto-agility is a journey measured in years, not months, and the best way to reduce fear is to begin.Key Question: Are you waiting for the “perfect moment” to start, or taking small, practical steps today that build toward crypto-agility?Episode ResourcesMike Silverman on LinkedInFS-ISAC WebsiteFS-ISAC LinkedinFS-ISAC XFS-ISAC Cryptographic Agility White Paper (TLP:WHITE)Quantum Safe Financial Forum (QSFF) – EU InitiativeJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As regulators publish guidance and timelines tighten, organizations can’t treat quantum readiness as a “future-us” problem. Will Collison details HSBC’s approach: begin the migration now, build crypto agility into architecture, and manage both internal upgrades and external dependencies across vendors, partners, and customers. He clarifies where PQC (for everyone) and QKD (for select high-assurance links) fit, and why identity (public-key) mechanisms not symmetric crypto like AES, are the primary risk from quantum computing. Will also reframes “legacy” systems as revenue-critical systems that demand careful, early planning, and he lays out a pragmatic cost model: if you wait, you’ll lose the ability to go slow, forcing a fast (and expensive) scramble. The mandate is simple: start now, measure progress, and design for change so you can swap algorithms when needed.What You’ll LearnHow early action lowers cost and risk while keeping quality high.PQC vs. QKD vs. Quantum Computing: Clear roles, overlaps, and where to invest firstWhy quantum threatens public-key identity mechanisms more than symmetric encryption.Crypto Agility as the Goal: Build systems that can swap algorithms when standards evolve.Prioritization Framework: Tackle internet-facing and revenue-critical services early, even if they’re “legacy.”Vendor & Partner Readiness: How to pressure-test your supply chain and avoid being the weak link.Executive Buy-In: Talk tracks that move the conversation from “someday” to funded roadmap.Regulatory Reality: Don’t wait for “R-Day” (regulator day); show posture now to customers and supervisors.Will Collison is the Interim Global Head of Cryptography at HSBC, where he leads the bank’s global cryptography strategy across 60 markets. A CISSP-qualified consultant with two decades of experience, he specializes in public key infrastructure (PKI), cryptography standards, and the automation of trust. Over his seven-plus years at HSBC, Will has served as Technical Director of Cryptography, Global Head of Cryptography Standards and Enforcement, and PKI Specialist, building frameworks for machine and digital identity and driving large-scale remediation programs.Prior to HSBC, he founded Secmundi Limited, advising international banks on cryptography strategy and operating models, and worked as a Trust Consultant at Barclays, guiding PKI implementations and automation of certificate issuance. Known for combining deep technical expertise with pragmatic execution, Will has long been a voice for crypto agility, helping organizations modernize securely while preparing for future shifts. Today, his focus is clear: ensuring enterprises can meet the challenges of post-quantum cryptography (PQC) and build a quantum-safe future.Your Roadmap to Quantum Resilience[06:20] Step 1: Build Awareness and Executive Buy-In -The first barrier isn’t technology, it’s leadership alignment. Will emphasizes that cryptographers alone cannot drive PQC migration; it requires CIOs, CEOs, and developer communities to take ownership. At HSBC, demonstrating early trials with quantum key distribution (QKD) helped leadership see quantum as real and urgent, not distant theory. By pairing opportunity narratives (business applications) with security risks (broken RSA), Will built credibility and won support across the C-suite. Without this awareness step, migrations stall, as PQC remains “just a cryptography issue” instead of a business priority.Key Question: Do your executives see PQC as an organizational shift, or just another crypto upgrade?[10:44] Step 2: Separate the Quantum Trio (PQC, QKD, Quantum Computing) -Confusion often slows action: leaders lump quantum computing, post-quantum cryptography (PQC), and QKD into one bucket. Will makes the distinction clear, PQC is mandatory for everyone, QKD is optional for select high-assurance links, and quantum computing is the attacker capability on the horizon. PQC secures identity mechanisms that quantum computers can break; symmetric algorithms like AES remain largely safe. For organizations, this clarity avoids wasted investment and helps focus resources on the universal priority: PQC. QKD may add value in specific backbone use cases, but it’s not a substitute for PQC adoption.Key Question: Does your roadmap clearly differentiate between PQC (a must-do) and QKD (a niche add-on)?[15:15] Step 3: Prioritize Critical and Revenue-Generating Systems -Migration is not just about legacy; it’s about revenue-critical systems that are hardest to touch. Will highlights that the most important services, core banking, internet-facing platforms, high-value transaction systems, are also the most delicate. These cannot be treated as “old and optional”; they need careful, phased planning. Starting with these systems ensures resilience where risk and business impact are highest. At HSBC, prioritizing internet-facing services and those with zero downtime tolerance became the backbone of the PQC roadmap. Organizations should resist the temptation to defer these systems, as they represent both the highest stakes and the longest lead times.Key Question: Have you identified which systems are both critical and hardest to migrate and started with them?[18:10] Step 4: Engineer for Cryptographic Agility -Will posits that PQC migration isn’t a one-and-done fix. Because cryptography is open to attack and algorithms are deliberately stress-tested by academics, today’s standards may not be tomorrow’s. The real goal is crypto agility, building systems that can switch algorithms without costly rewrites. This means designing pluggable crypto frameworks, modular architecture, and future-ready PKI. Organizations that treat PQC as a single migration will find themselves repeating the pain in a few years; those that embed agility now will be able to adapt at the push of a button. Agility turns a crisis response into a strategic advantage.Key Question: If the next PQC algorithm is broken tomorrow, could your systems swap it out without disruption?[27:15] Step 5: Start Now to Control Cost and Compliance -Waiting only makes migration harder and more expensive. Will lays out the math: if you start today, you can go slow and control costs; if you wait for Q-Day or R-Day (when regulators mandate action), you lose the option of “slow” and are forced into expensive, rushed remediation. Early investment also lets you train in-house talent instead of competing in a skills-short market later. Regulators and peers are already moving, meaning inaction risks reputational damage as much as security exposure. The smartest play is to begin now, measure progress, and use the lead time to stay ahead of both attackers and regulators.Key Question: Are you starting early enough to spread cost and build skills, or setting yourself up for a rushed, expensive scramble later?Episode ResourcesWill Collison on LinkedInHSBC WebsiteJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As executives continue to postpone action, the window for preparing secure systems in the quantum era is rapidly closing. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Adrian Neal, Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, about the real timelines and challenges of PQC migration. Adrian explains why a “three-to-five-year” plan is unrealistic, why organizations should expect closer to eight years, and how unprepared boards risk panic and triage once the first quantum breakthrough hits. They discuss why crown-jewel systems must be prioritized, how banks and governments face different pressures, and why performance under PQC will shock existing infrastructure, illustrated by tests where an HSM fell from 10,000 transactions per second to just 200. From regulatory pressure that may be needed to drive boardroom buy-in to the hard truth that today’s algorithms may not last, Adrian delivers a candid warning: apathy will kill you. The time to act is now.What You’ll LearnY2K vs. Y2Q: Why “non-event” thinking is dangerous without upfront workTimelines that hold: Why “3–5 years” is best-case and ~8 years is realistic at enterprise scalePerformance truth: How PQC can crush TPS and impact SLAs, capacity, and cost modelsCrypto-agility: Abstract crypto from apps, enable policy-driven selection, and automate swap-outsGovernance first: Why poor implementations, not just algorithms, will break your securityRegulatory unlock: How mandates/bodies (BIS, NCSC, sector groups) drive C-suite actionWhere to start: Crown-jewel systems, dependency mapping, and critical-path schedulingAdrian Neal is Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, where he advises governments, financial institutions, and global enterprises on preparing for the quantum era. With nearly four decades of experience spanning banking, defense, telecoms, and startups, Adrian has been at the center of major security transformations, from the early days of PKI to today’s post-quantum migration programs. His work focuses on helping organizations identify critical systems, manage dependencies, and design long-term strategies that combine technical execution with board-level buy-in.Known for his candid perspective, Adrian warns that migration is closer to an eight-year journey than a three-year sprint, that crypto-agility is the only sustainable defense as algorithms evolve, and that apathy will kill you. His message is clear: the sooner organizations begin planning, the better chance they have to avoid panic, triage, and systemic disruption when the first quantum “black swan” arrives.Your Roadmap to Quantum Resilience[04:17] Step 1: Accept the Real TimelineThe biggest misconception Adrian encounters is the idea of a “three-to-five-year” migration. As he bluntly states, that only works if everything goes perfectly and in the real world, it never does. Organizations must plan for eight years at best, with the expectation of mid-course corrections and even emergency triage when hidden dependencies surface. Late action only makes the crunch sharper, as boards suddenly realize time has run out. Key Question: Are you planning for an idealized three-year sprint, or budgeting for the reality of an eight-year marathon?[07:18] Step 2: Watch for External SignalsQuantum risk can feel abstract until regulators, supervisors, or global bodies spell out the consequences. Adrian points to the Bank of International Settlements, which recently warned of systemic financial collapse if banks fail to act. Similarly, the UK surveyed CISOs not to congratulate them, but to ask why nothing was happening. These signals are the early tremors  and ignoring them risks being blindsided when regulation becomes mandatory. Key Question: Are you treating industry warnings as background noise, or as early instructions to act before mandates arrive?[12:23] Step 3: Stress-Test Your InfrastructureBenchmarks on paper rarely match performance under real load. Adrian recalls a test where a PQC algorithm dropped a hardware security module from 10,000 transactions per second to just 200. That kind of shock will ripple through SLAs, capacity planning, and cost models. Enterprises can’t wait for standards alone, they need to start testing now to understand what PQC will mean for their unique environments. Key Question: Have you run PQC under production-like loads, or are you still trusting theoretical benchmarks?[31:23] Step 4: Start With the Crown JewelsWhen mapping a migration, not all systems are equal. Adrian insists the first priority must be crown-jewel systems, the assets so critical that losing them could put you out of business. By identifying these early and mapping their dependencies, organizations can build a critical-path plan, sequencing work in the right order and avoiding surprises later. Everything not on the critical path can be parallelized, but the critical path itself must be guarded fiercely. Key Question: Do you know which systems are truly crown jewels, and how delays there will cascade across your migration?[34:17] Step 5: Design for Crypto-AgilityEven if today’s algorithms are standardized, Adrian cautions they may not last. History has already shown finalists falling apart late in the NIST process, and cryptographers warn that vulnerabilities may be found within five years. That means crypto-agility is no longer optional: organizations must decouple applications from crypto libraries, move to policy-driven controls, and be ready to swap algorithms without rewriting code. Governance is equally critical, because poor implementation, not just weak algorithms, will be the Achilles’ heel. Key Question: Can you change cryptography across your systems with a policy update, or would it take a rewrite in every app?[21:38] Step 6: Leverage Regulation for Buy-InFor many CISOs, the hardest part isn’t technical, it’s convincing the board. Adrian highlights how legislation may actually be a friend, giving executives the leverage to unlock budgets by framing PQC as a compliance necessity. Without that pressure, boards tend to see migration as a cost center with no immediate revenue benefit. By aligning to regulatory timelines, CISOs can turn PQC from a “someday project” into a non-negotiable investment. Key Question: Are you waiting for regulators to force your hand, or using regulation as a tool to unlock boardroom commitment today?Episode ResourcesAdrian Neal on LinkedInCapgemini Post-Quantum Cryptography ResourcesEuropean Union Qprep InitiativeJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

OpenSSL has secured the internet for over 25 years, but how does a project with such deep legacy prepare for the quantum future? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Tomáš Mráz, Director of the OpenSSL Foundation, and Jon Ericson, the Foundation’s Community Manager. Together they explore the shift from the old engine model to providers in OpenSSL 3.0, the rollout of NIST-approved post-quantum algorithms in 3.5, and what’s on the horizon with 3.6. They also dive into the realities of FIPS certification, the importance of diversified funding, and how community contributions sustain the world’s most widely used cryptographic library. From surprising “OpenSSL in the Wild” use cases to the first-ever OpenSSL Conference in Prague, this episode offers a rare inside look at how OpenSSL is evolving to keep global infrastructure secure in the quantum era. OpenSSL is evolving to keep the digital world safe.What You’ll LearnHow OpenSSL evolved from engines to providers, enabling faster adoption of new cryptographic standardsWhy community contributions, from bug fixes to corporate sponsorships, remain critical to OpenSSL’s futureThe significance of OpenSSL 3.5 and what to expect in the upcoming 3.6 releaseHow the Foundation approaches FIPS 140-3 certification and the challenges of validating post-quantum algorithmsWhy hybrid cryptography and TLS-style agility are central to migration planningThe importance of funding diversification and how organizations can contributeWhat to expect at the first OpenSSL Conference in PragueOpenSSL’s three-to-five-year outlook on PQC adoption, performance, and global standards alignmentTomáš Mráz is the Director of the OpenSSL Software Foundation and a long-time contributor to the project. After years at Red Hat maintaining OpenSSL packages and serving on the OpenSSL Technical Committee, Tomáš now leads both governance and technical efforts for the Foundation. He has played a key role in transitioning OpenSSL to a provider-based model and integrating post-quantum cryptography support. Jon Ericson is the Community Manager at the OpenSSL Software Foundation. With a background in programming and community building, Jon works to strengthen the connection between OpenSSL’s global user base and its core developers. From GitHub sponsorships to community use case surveys, he ensures that OpenSSL remains responsive to the evolving needs of its contributors and stakeholders.With the shift to post-quantum cryptography accelerating, Tomáš Mráz and Jon Ericson’s message is clear: OpenSSL’s future will be defined by community, funding, and cryptographic agility, ensuring the internet’s most trusted library stays secure in the quantum era.Your Roadmap to Quantum Resilience[02:30] Step 1: Build Through Community, Not Just CodeFrom the very beginning, OpenSSL’s strength has been its community. As Jon Ericson explains, many contributions still come from volunteers fixing bugs or adding features because they personally rely on the library. This model means OpenSSL doesn’t evolve in isolation, it reflects the real-world needs of users across industries. Without this constant input, critical flaws might linger and adoption of new features would stall. Community-driven resilience is what has kept OpenSSL relevant for more than 25 years, and it’s also the key to surviving the quantum shift. Key Question: Is your organization contributing back to the open-source tools it depends on, or just consuming them?[15:40] Step 2: Embrace the Provider Model for AgilityTomáš Mráz highlights that OpenSSL 3.0’s provider architecture was a complete rewrite of the library’s internals. Unlike the old engine system, providers allow new algorithms, including post-quantum candidates, to be plugged in without altering the core code. This design foresight meant OpenSSL could quickly integrate PQC once NIST finalized its standards in 2024, instead of waiting years for structural changes. Agility in cryptography isn’t an abstract idea here, it’s a practical necessity, and the provider model gives OpenSSL the flexibility to adapt faster than ever. Key Question: Is your cryptographic infrastructure designed for future upgrades, or locked into a rigid model?[24:45] Step 3: Prepare for 3.6 With Discipline, Not DeadlinesWhile many in the industry chase feature lists, OpenSSL takes a different approach. As Tomáš explains, new releases are time-based (April and October), but features are only merged when they are truly ready. Current work spans QUIC improvements, zero-RTT support, timing side-channel protections, and potential PQC enhancements, but nothing will be rushed to hit an arbitrary date. This discipline has allowed OpenSSL to remain the backbone of secure communications globally, trusted by billions of devices and applications. For organizations planning their upgrades, the message is clear: align to OpenSSL’s stable releases, don’t gamble on unfinished code. Key Question: Are your upgrade plans aligned with proven releases, or are you rushing ahead of the standards?[27:50] Step 4: Navigate the FIPS 140-3 ChallengeCertification is one of the hardest parts of cryptography. OpenSSL 3.1 achieved FIPS 140-3 validation, a first in its history, and the 3.5 version is already in review to bring NIST’s post-quantum algorithms into scope. Tomáš admits the process is long, political, and outside of the Foundation’s control, with heavy negotiations between NIST, labs, and implementers. But without certification, many governments and enterprises simply cannot adopt PQC at scale. The lesson for security leaders: you can’t shortcut compliance, and you need realistic timelines to plan migrations. Key Question: Is your compliance roadmap realistic about how long certifications actually take?[30:30] Step 5: Stay Engaged With OpenSSL’s FutureOpenSSL is everywhere, often in places you’d never expect. Jon recounts a developer securing serial devices with TLS, and even Mercedes vehicles using OpenSSL in their apps to lock and unlock doors. These surprising “in the wild” stories show why upgrading matters: outdated versions leave unseen risks in everyday systems. Looking ahead, the Foundation is also launching its first-ever OpenSSL Conference in Prague, bringing together experts, contributors, and industry voices to shape the next phase. Between new funding streams, hiring developers, and expanding global engagement, OpenSSL’s next 25 years will be as pivotal as its first.Key Question: Do you know where OpenSSL runs in your stack — and are you keeping pace with its evolution?Episode ResourcesTomáš Mráz on LinkedInJon Ericson on LinkedInOpenSSL Foundation WebsiteOpenSSL GitHub SponsorsJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As governments and regulators accelerate PQC adoption timelines, the urgency for organizations to act has never been greater. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Kevin Hilscher, Senior Director of Product Management at DigiCert, to explore the practical first steps of post-quantum cryptography adoption. They discuss why upgrading to TLS 1.3 is a non-negotiable starting point, how discovery of crypto assets lays the groundwork for any migration, and what enterprises should know about hybrid cryptography and its competing standards. From fragmented global regulations to aggressive timelines and the looming challenges of vendor readiness, Kevin provides a candid, real-world perspective on how organizations can build a quantum-ready roadmap before regulatory deadlines and quantum breakthroughs arrive.What You’ll LearnWhy TLS 1.3 is the non-negotiable first step for PQC readinessHow to approach crypto asset discovery across software, hardware, and vendorsThe difference between hybrid key exchange vs. hybrid certificates (and why it matters)Why regulatory timelines (EU 2030, CNSA 2027) may be more ambitious than realityThe challenge of fragmented algorithms across geographies and what it means for interoperabilityHow Falcon (FNDSA) could benefit resource-constrained IoT devicesWhere vendors are leading (crypto SDKs) vs. lagging (enterprise apps and infrastructure)Kevin’s advice for CISOs: why awareness, discovery, and vendor engagement must start nowKevin Hilscher is Senior Director of Product Management at DigiCert, where he leads the device trust product team and oversees PQC readiness across the company’s portfolio. With a background at Microsoft and deep experience working with OEMs, banks, healthcare providers, and defense organizations, Kevin has been at the forefront of preparing enterprises for the quantum era. His focus spans securing connected devices, enabling regulatory compliance, and helping global customers prepare for the transition to PQC. Known for his pragmatic approach, Kevin bridges the gap between evolving cryptographic standards and real-world business needs, helping organizations take the first steps toward a secure, quantum-ready future.With the shift to post-quantum cryptography accelerating, Kevin’s message is clear: early discovery and TLS 1.3 readiness, not just new algorithms, will define the path to a quantum-ready future.Your Roadmap to Quantum Resilience[06:17] Step 1: Build Awareness and Secure Buy-In - For many industries, the first challenge isn’t technical; it’s awareness. Kevin explains that cybersecurity teams often have to “sell upwards,” using the right data, talk tracks, and materials to educate leadership about PQC and secure sponsorship. Without this “step zero,” projects stall before they begin. Education is critical, not just inside your own enterprise, but across vendors and partners who may not even know what PQC is yet. Key Question: Do your executives and stakeholders truly understand the urgency of PQC, or are they still in denial?[07:18] Step 2: Discover Your Crypto Assets - The foundation of every migration is discovery. Kevin stresses the importance of cataloging where and how cryptography is used, TLS versions, crypto libraries, SDKs, and source code. For banks, that means checking third-party apps and firewalls. For OEMs, it’s embedded devices still running RSA or ECC. Discovery reveals not just internal risks but also gaps in vendor readiness, enabling informed conversations about timelines and support. Key Question: Have you mapped your crypto landscape, from TLS versions to third-party dependencies, so you know what needs to change?[09:25] Step 3: Upgrade to TLS 1.3 Today - Before PQC algorithms even come into play, enterprises must meet the TLS prerequisite. As Kevin notes, the IETF has been blunt: quantum-safe algorithms will only be supported in TLS 1.3 and above. Yet many organizations are still stuck on TLS 1.2 in legacy apps and infrastructure. Migrating now means you can act independently of PQC timelines while also future-proofing your systems for what’s next. Key Question: Are you still relying on TLS 1.2, or have you taken the first real step toward a quantum-ready foundation?[12:30] Step 4: Navigate Hybrid Cryptography with Clarity - “Hybrid” is one of the most confusing terms in PQC. Kevin highlights the difference between hybrid key exchange (pairing a PQC algorithm with RSA or ECC for TLS handshakes) and hybrid certificates (dual-signed X.509s). While hybrid key exchange is standardized and deployable today, hybrid certificates remain stalled by competing standards like composite, Chimeria, and Chameleon. Without clarity, organizations risk paralysis. Key Question: Do you know which type of hybrid you’re preparing for, and are you moving ahead where standards are ready today?[22:14] Step 5: Plan Realistically for Timelines and Vendor Readiness - Global regulators are setting ambitious deadlines, 2030 in the EU, 2027 for U.S. federal procurement. Kevin warns that critical systems like SCADA, SAP, and ERP will struggle to meet those dates, especially with legacy TLS and outdated infrastructure. While crypto SDKs are ahead, enterprise apps and HSM certifications will lag. Organizations must pressure vendors for roadmaps while also preparing for phased upgrades.Key Question: Are you planning your migration based on regulatory optimism, or on the real pace of vendor and infrastructure readiness?Episode ResourcesKevin Hilscher on LinkedInDigiCert PQC ResourcesDigiCert PQC Lab SiteJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As quantum computing accelerates toward real-world impact, organizations must stop viewing post-quantum cryptography as a one-time technical upgrade. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen sits down with Yolanda Reid, former Associate Partner at IBM Consulting and U.S. Department of Defense leader, to explain why the PQC transition is fundamentally different from past events like Y2K. They discuss why treating PQC as a “fix-it-and-forget-it” migration is a dangerous misconception, and why organizations must instead prepare for an ongoing process of algorithm updates, policy changes, system redesigns, and cultural shifts. Yolanda shares lessons from government, financial services, and telecom industries, offering insights on how to build resilient teams, automate enforcement, and educate executives who still think “quantum doesn’t apply to us.” From crypto inventory planning to hybrid approaches and the rising convergence of AI and quantum, Yolanda delivers a clear and urgent call for awareness, preparation, and leadership. This is not just a technology problem; it’s a mindset shift. And the clock is already ticking.What You’ll Learn:Why PQC is a long-term transformation, not a one-time upgradeThe executive blind spot: why C-suites must care nowHow to identify and protect your “crown jewels”What crypto inventory is, and why you’ll need it foreverLessons from the finance sector, and why no two PQC journeys are alikeWhy “hybrid cryptography” is still debated and how to decideHow AI and quantum are converging and why regulation must catch upYolanda’s resilience framework: planning for risk, protecting what matters, and leading with clarityYolanda Reid is a cybersecurity leader with over two decades of experience spanning national defense, intelligence, and enterprise technology. As a former Associate Partner at IBM Consulting, her career includes leadership roles at Raytheon, BBN Technologies, EverWatch, and the U.S. Department of Defense, where she specialized in quantum cryptography, zero trust, and strategic risk mitigation. Respected for her ability to translate complex technical issues into clear, actionable strategies, Yolanda is a trusted advisor to federal agencies, Fortune 500 companies, and emerging tech teams navigating quantum readiness. She combines deep technical expertise with a human-first approach shaped by her journey as a cancer survivor and single mother.Today, Yolanda champions proactive planning, executive education, and long-term resilience, helping organizations prepare for a future where cybersecurity is not just about encryption, but evolution.Your Roadmap to Post-Quantum Readiness[03:15] Step 1: PQC Is Not Y2K And That Changes EverythingThe Y2K scare came and went with a single deadline. But post-quantum cryptography? It’s not a singular event, it’s a complete shift in how we think about cryptography, risk, and infrastructure. Yolanda explains that with PQC, organizations will no longer rely on one fixed algorithm, they’ll need toolkits, policies, and a mindset of constant change. The entire cryptographic lifecycle will be in motion, from policy and procurement to development and testing. If you treat this as just another IT upgrade, you’ll miss the foundational shift required to secure your business in a quantum-enabled world. Key Question: Is your organization preparing for a recurring cryptographic upgrade cycle or hoping for a single fix?[06:47] Step 2: The Real Risk Is Executive BlindnessQuantum threats aren’t just technical, they’re strategic. Yolanda recounts a conversation where a senior leader dismissed PQC because they “don’t do quantum.” That mindset is precisely the danger. She emphasizes that PQC readiness must reach the boardroom, not just engineering teams. Because what’s at risk isn’t theoretical, it’s your communications, finances, and trust.Crown jewels like encrypted data, trade secrets, and customer information are all vulnerable without leadership engagement. This isn’t a technical curiosity. It’s an executive obligation and the time to engage is now. Key Question: Have your executives been briefed on the strategic impact of quantum disruption?[09:27] Step 3: Design for Breakage, Because It’s ComingPQC migration isn’t clean. Yolanda emphasizes that upgrading algorithms will break systems, sometimes in unpredictable ways. Systems built 10, 20, or even 40 years ago weren’t designed for this shift, and performance may degrade or, in some cases, improve. Yolanda urges leaders to plan for this reality, build troubleshooting teams, and avoid panic rollbacks when things inevitably break. Breakage isn’t failure, it’s part of the process. Organizations that build for resilience, not perfection, will come out stronger. Key Question: Do you have a real-time recovery plan for the failures PQC migration will trigger?[25:35] Step 4: The 2030 Timeline Is a MirageThink 2030 is far away? Think again. Yolanda compares the current moment to Y2K’s long runway, where preparation began over a decade in advance. She warns that migrations like TLS took 15 years, and we’re already late. Quantum adoption will likely happen faster and hit harder.And if global investors succeed in reaching quantum advantage before 2030, it’s not just a matter of being slow, it’s a matter of being exposed. By the time official deadlines hit, it may already be too late for unprepared organizations to catch up. Key Question: Are you treating 2030 as your deadline or your last chance?[30:27] Step 5: AI + Quantum Changes Everything, Including PolicyQuantum computing won’t arrive in isolation. Yolanda explains that it will collide with AI, creating exponential disruption that current policy frameworks are unprepared for. And while regulators are still trying to wrap their heads around AI, the convergence with quantum is already underway in labs, startups, and state-sponsored programs. Yolanda cautions that adversaries are already exploring malicious use cases, and we need to match that urgency with proactive safeguards. Those who wait for a clear policy may find themselves on the wrong side of quantum advantage. Key Question: Are you helping shape the future of secure AI + Quantum use or waiting for someone else to define it?Episode Resources:Yolanda Reid on LinkedInJohannes Lintzen on LinkedIn PQShield Website Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

One year ago, NIST released its long‑awaited post‑quantum cryptography standards, marking the official start of the migration to quantum‑safe security. It was the moment everyone had been “waiting for” but did it really kickstart the shift?In this anniversary episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen brings back some of the most important voices in the PQC conversation to revisit where we were, where we are, and where we need to go next:Dustin Moody (NIST) on what has surprised him about the first year of migration since the standards landed.Dr. Garfield Jones (DHS) on how mandates and compliance have accelerated (or complicated) the push to PQC.Bas Westerbaan (Cloudflare) on why the work is less about “just switching” and more about managing change.John Ray (Thales) on what crypto agility has looked like in practice since the standards dropped.Mamta Gupta (Lattice) & Cassie Crossley (Schneider Electrics) on the reality of aligning hardware lifecycles, evolving algorithms, and compliance demands.Rolfe Schmidt (Signal) reveals how early adoption ahead of the standardization process paid off and the unexpected protocol design challenges that emerged in year one.Together, they deliver an unvarnished look at what’s changed in the 12 months since the standards were finalized and what still needs urgent attention.What You'll Learn:How much progress has been made one year after the standards and where organizations are still stuck.Why government mandates mean “waiting” could lock your business out of contracts.The #1 first step before any PQC migration (and why it hasn’t changed in a year).What crypto agility means now that the standards are a reality.Why hardware lifecycles vs. quantum threats are still a ticking clock.What this first year has taught us about what it will take to reach full migration.The latest one-year-on insights from Cloudflare and Signal as they refine their PQC deployments.This is a rare, roundtable-style single-guest interview featuring voices from government, industry, and research in one conversation. If you need to understand not just why PQC migration matters but how to start, this is your playbook.Your Roadmap to Post-Quantum Readiness:[00:45] Step 1: Busting the “Quick Switch” Myth –  A Year LaterWhen NIST released its PQC standards last year, a lot of organizations exhaled, assuming the hard part was over. “Great,” they thought, “we’ll just swap in the new algorithms and move on.” But as Dustin Moody warned then, and has proven true over the past 12 months, this migration isn’t that simple. It’s not just a patch or an update; it’s a deep, sometimes painful overhaul of systems, processes, and mindsets. One year on, companies are discovering that waiting doesn’t make the work easier, it makes it messier. Key Question: One year in, are you still treating PQC migration as “future work,” or are you finally planning for the hard parts?[03:31] Step 2: This Migration Isn’t Optional – And Year One Proved ItWhen Dr. Garfield Jones said, “This migration shouldn’t be optional,” it sounded like a wake‑up call. A year later, it’s not just a warning, it’s policy. Government memos, executive orders, and procurement rules have already started pushing companies to act, with federal agencies asking for cryptographic inventories and refusing to work with vendors who can’t demonstrate progress. The message is blunt: if your systems aren’t on the migration path, you could be locked out of contracts or entire markets. Year one proved the pressure is real, and year two will only raise the stakes. Key Question: Are you keeping pace with mandates, or will you watch opportunities dry up as compliance deadlines kick in?[09:14] Step 3: Start With a Real Inventory – And Keep It CurrentA year ago, Bas Westerbaan of Cloudflare told us that the first step in PQC migration was a thorough cryptographic inventory. That advice hasn’t changed but the past year has shown just how hard that job is in reality. Most organizations don’t have a full picture of where cryptography lives across their systems, what protocols are in use, or even which data is most sensitive. Without that map, every other decision becomes reactive, and every fix becomes a scramble. One year later, companies that didn’t start this work are already struggling to answer the simplest question: “Where do we even begin?” Key Question: Is your cryptographic inventory still a “to‑do,” or have you turned it into a living, updated map of risk?[15:39] Step 4: Crypto Agility – From Concept to Year‑One RealityA year ago, John Ray warned that if we hard‑coded PQC algorithms the way we did with RSA and ECC, we’d just be setting ourselves up for another trap. That warning has aged well. In the past year, crypto agility has shifted from an abstract “future‑proofing” buzzword into an urgent architectural reality. Companies are already seeing that systems without flexibility turn every new standard or algorithm change into an expensive nightmare. The smartest teams are designing infrastructure so the back‑end decides what algorithm to use, instead of forcing every application to be rebuilt. Key Question: Are you building systems that can adapt, or are you locking yourself into brittle ones you’ll regret later?[18:17] Step 5: The Hardware Gap – Still a Ticking ClockMamta Gupta flagged it last year, and it’s even sharper now: hardware lives on a different timeline. Devices being shipped today are designed to last 10–15 years but the cryptography inside them might not even last five. Standards are evolving, threats are evolving faster, and anything rigid will be obsolete long before it’s retired. In year one, we’ve already seen how this mismatch turns into a headache for companies that didn’t build in an upgrade path. The clock is still ticking, and the gap isn’t closing on its own. Key Question: Are you designing hardware for the future, or are you shipping next year’s legacy problems?[21:49] Step 6: Compliance – A Moving Target, Still MovingOne year on, compliance hasn’t “settled down” the way some expected. Frameworks like FIPS 140‑3 and certification rules are still evolving, and Cassie Crossley warns that algorithms considered safe today might not pass tomorrow’s tests. For companies that locked in too early, that means costly rework; for companies that waited, it means they still can’t sit still. This is why crypto agility isn’t just a “nice idea,”  it’s survival. PQC isn’t a single migration; it’s an ongoing process of adaptation. Key Question: One year after standards dropped, are you ready for the next round of compliance changes?Episode Resources:Dustin Moody on LinkedInDr. Garfield Jones on LinkedInBas Westerbaan on LinkedInJohn Ray on LinkedInMamta Gupta on LinkedinCassie Crossley on LinkedInNIST WebsitePQShield Website Want exclusive insights on post-quantum security? Stay ahead of the curve - subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so

As post-quantum cryptography moves from theory to hardware, organizations can no longer afford to ignore the physical layer of security. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Ferhat Yaman, security researcher at AMD’s Product Security Office, to explore how electromagnetic side-channel attacks, hybrid cryptography, and AI privacy are reshaping the future of secure system design. They discuss the risks of leakage in post-quantum implementations, the challenge of model theft in AI accelerators, and why mitigation needs to start before silicon is even taped out. From masking and shuffling to pre-silicon testing and homomorphic encryption, Ferhat offers a candid and deeply technical look at what it means to build quantum-resilient systems in hardware, not just in code.What You’ll Learn:How side-channel attacks exploit physical leakage like EM emissions and power consumptionWhy even tiny hardware optimizations can create new vulnerabilitiesHow AI model parameters can be extracted using electromagnetic analysisWhat homomorphic encryption means and why it’s not yet practicalHow hybrid cryptography supports post-quantum transition in real systemsWhere to start with PQC hardware implementation (hint: think bootloaders)How open source and commercial tools help validate hardware security pre-siliconFerhat’s top 3 priorities for building post-quantum-ready chips todayFerhat Yaman is a security researcher at AMD's product security office, where his work spans post-quantum cryptography, AI privacy, and side-channel resilience. With a background in both theoretical cryptography and practical hardware design, Ferhat has contributed to projects including the Crystals-Kyber and Dilithium PQC implementations, Caliptra Root of Trust, and electromagnetic model extraction from Google’s Edge TPU. His research explores how secure systems can be built from the silicon up, balancing performance, cost, and long-term quantum readiness. Ferhat’s recent work looks at accelerating homomorphic encryption for AI workloads and improving pre-silicon testing using commercial and open-source tools.With the shift to post-quantum hardware security accelerating, Yaman’s message is clear: protecting systems requires more than new math; it demands early testing, layered defenses, and security built into the silicon itself.Your Roadmap to Hardware-Centric PQC:[06:59] Step 1: Test for Physical Leakage, Not Just Algorithm Strength - Strong algorithms don’t guarantee strong protection if the hardware leaks secrets. Ferhat explains how side-channel attacks can extract private keys by analyzing power consumption or electromagnetic emissions, especially in hardware implementations of post-quantum cryptography like Kyber and Dilithium. Even minor hardware optimizations meant to improve speed can unintentionally introduce new leakages. Key Question: Have you tested your PQC hardware for side-channel leakage, or just verified the math?[11:19] Step 2: Prepare for Hybrid Attacks, Not Just Hybrid Crypto - Attackers are blending techniques, merging cryptanalytic insights with side-channel data to break even well-implemented systems. Ferhat emphasizes that defending against these multi-layered threats requires layered countermeasures across hardware and software. The combination of multiple attack vectors makes traditional assumptions about isolated vulnerabilities dangerously outdated. Key Question: Are you planning for real-world attack combinations or idealized test conditions?[13:52] Step 3: Use Hybrid Cryptography to Bridge the Transition -You don’t have to replace everything overnight. Ferhat describes how AMD’s Caliptra project integrates classical and post-quantum cryptography side-by-side, giving developers flexibility while building resilience. Hybrid cryptography is a practical way to support both legacy and quantum-safe systems, especially in constrained environments. It’s a crucial stepping stone for organizations that can’t afford a full cryptographic overhaul in one cycle. Key Question: Can your architecture support both today’s standards and tomorrow’s requirements?[17:38] Step 4: Defend AI Models from Electromagnetic Model Theft - AI workloads running on edge hardware can leak critical information. Ferhat’s research shows how electromagnetic side-channel attacks can reveal the structure of neural networks down to the number of layers and nodes, without touching the model file. For companies that treat models as IP, this presents a new category of risk. This form of model extraction reduces training time for attackers by shortcutting hyperparameter tuning. Key Question: Could your AI accelerators be quietly leaking trade secrets?[23:52] Step 5: Build Security In, With Countermeasures That Match the Threat -Mitigation strategies like masking, shuffling, and randomness injection aren’t optional; they’re essential. Ferhat walks through how these hardware-level techniques help minimize leakage, but warns that each comes with design and performance tradeoffs. Choosing the right countermeasure depends on your timing, area, and risk budget; there’s no one-size-fits-all solution. Key Question: Have you budgeted for countermeasures, or are you counting on hope?Episode Resources:Ferhat Yaman on LinkedInJohannes Lintzen on LinkedIn PQShield Website  AMD’s Caliptra ProjectChipWhisperer by NewAEKeysight Side Channel Analysis SuiteANSYS Security ToolsAMD LinkedinWant exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.✔ Get insider knowledge from leading cybersecurity experts.✔ Learn practical steps to future-proof your organization.✔ Stay updated on regulatory changes and industry trends.Need help subscribing? Click here for step-by-step instructions.Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so