Your First Win in Post-Quantum Migration

Post-quantum cryptography is no longer a distant concern—organizations need to start their migration now to protect against future threats. This article breaks down a practical first step: automating your Cryptographic Bill of Materials (CBOM) and extending your hybrid perimeter to prepare for quantum-resistant security. Industry experts share actionable strategies to help your organization begin this critical transition without overwhelming your security team.

Automate CBOM, Then Extend Hybrid Perimeter

The best starting point for transitioning from today's static, local spreadsheet tracking of cryptographic inventory is to automate and develop a Crypto Bill of Materials (CBOM), used to document your organization's crypto assets: the assets we can identify as "Shadow Cryptography", or hard-coded cryptographic libraries within your third-party integrations that have historically evaded capture due to manual audit processes. Only by identifying the location of the apparatus that provides your RSA and ECC signatures vulnerable to quantum attack can you begin the pilot process of transitioning to PQC.

During assessments of legacy middleware, we have corroborated that very few employees actually realize that the buffer sizes of legacy systems are inherently fixed. Classical algorithms utilize relatively small key sizes, whereas PQC algorithms such as ML-KEM (formerly called Kyber) have much larger payload sizes for public keys and ciphertexts. After deploying the larger payload sizes to assess and validate these legacy systems, they 'choked' or dropped packets as a result of buffer limitations that do not appear until full deployment, reflecting the realities of the physical constraints.

In order to eliminate this potential interaction with the memory limits of legacy systems, through collaboration and discussion to develop a plan, we chose to deploy a hybrid key exchange to extend the perimeter of the network, rather than implementing a complete 'rip and replace' or complete re-coding of legacy systems. Instead, wrapping legacy traffic in a single-layer protective tunnel enables a 'Harvest Now, Decrypt Later' mitigation strategy and allows legacy systems, working only in classical protocols, to continue functioning until they can be replaced or refactored with crypto agility for the appropriate quantum resilience.

Kuldeep Kundal, Founder & CEO, CISIN
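As an added example (not part of the contribution above or any CISIN tooling), a minimal scanner that finds hard-coded cryptographic identifiers in source and configuration text and emits a CBOM-style document tagging each hit by quantum risk, so the RSA/ECC locations the pilot must address fall out as a list. The file contents, rule set and output schema are constructed for illustration; the schema is not the CycloneDX CBOM format.

```python
"""Minimal CBOM scanner: find cryptographic identifiers in source/config text and tag
each hit by quantum risk. Inputs are constructed; the schema is illustrative, not CycloneDX."""
import json
import re

# (algorithm, pattern, risk): factoring/discrete-log public-key schemes are quantum-
# vulnerable; symmetric, hash and ML-KEM are not. "review" flags AES-128 (prefer 256).
RULES = [(n, re.compile(p, re.I), r) for n, p, r in [
    ("RSA",     r"\bRSA\b",                       "quantum-vulnerable"),
    ("ECDSA",   r"\bECDSA\b",                     "quantum-vulnerable"),
    ("ECDH",    r"\bECDHE?\b|\bX25519\b",         "quantum-vulnerable"),
    ("DH",      r"\bDHE?\b|diffie.?hellman",      "quantum-vulnerable"),
    ("AES-128", r"\bAES[-_]?128\b",               "review"),
    ("AES-256", r"\bAES[-_]?256\b",               "quantum-safe"),
    ("SHA-1",   r"\bSHA-?1\b",                    "deprecated"),
    ("SHA-256", r"\bSHA-?256\b",                  "quantum-safe"),
    ("ML-KEM",  r"\bML-KEM(?:-\d+)?\b|\bKyber\b", "quantum-safe"),
]]

SAMPLE_FILES = {  # constructed repository snapshot standing in for files on disk
    "services/auth/keys.py": "from cryptography.hazmat.primitives.asymmetric import rsa\n"
                             "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n",
    "config/nginx.conf": "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;\nssl_protocols TLSv1.2 TLSv1.3;\n",
    "vendor/legacy-sdk/sign.c": '/* HMAC-SHA1 token signing */\nstatic const char *ALG = "SHA1";\n',
    "tls/pilot.yaml": "kem: ML-KEM-768\n",
}

def scan_text(path, text):
    """Return one finding per (line, algorithm) pair, with file:line evidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, risk in RULES:
            if pattern.search(line):
                findings.append({"algorithm": name, "risk": risk, "location": f"{path}:{lineno}",
                                 "evidence": line.strip()})
    return findings

def build_cbom(files):
    """Aggregate findings from every file into an illustrative CBOM document."""
    components = [f for path in sorted(files) for f in scan_text(path, files[path])]
    summary = {}
    for comp in components:
        summary[comp["risk"]] = summary.get(comp["risk"], 0) + 1
    return {"bomFormat": "illustrative-cbom", "components": components, "summary": summary}

def quantum_vulnerable_locations(cbom):
    """The pilot's target list: where RSA/ECC/DH must be wrapped or replaced."""
    return sorted({c["location"] for c in cbom["components"] if c["risk"] == "quantum-vulnerable"})

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_FILES), indent=2))
```

Running the module prints the full document; the summary counts give the coverage view, and the location list is the input to the hybrid-wrap or replace decision per system.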

Pilot Post-Quantum Signatures in Build Pipeline

Software supply chains are a smart first win because code signing is scoped and high impact. A small pilot can add post-quantum signatures to a few build files alongside current signatures. The pilot can run in the build system and test how signature checks handle larger keys and files.

Rollback steps and strong logs reduce risk while teams learn. Results can guide choices for hashes, key sizes, and root keys. Start a code signing pilot with post-quantum signatures this month.

Rekey Archives and Backups for Durable Protection

Long-lived data that must stay secret for years faces the biggest risk from future quantum attacks. A first win is to protect backups, archives, and key stores with post-quantum or hybrid keys. Teams can keep current ciphers for now and add a post-quantum layer that protects the data keys.

Work can start with the most sensitive sets and run during low-traffic times. Clear labels and simple proof of coverage make audits easy. Begin securing long-lived data at rest with a careful re-encryption plan today.

Form Executive Council, Publish Roadmap

Cryptography change touches many teams and needs clear backing from the top. A small steering group with executive support can set rules, roles, and timelines. Shared budgets and training plans can remove common blockers.

A change board can approve pilots, track risk, and report progress to leaders. Simple dashboards can show coverage and gaps across systems. Stand up an executive-backed crypto program and publish its first roadmap this quarter.

Add Crypto Abstraction Layer via Flags

A clear win is to add a simple layer in the app that hides the choice of crypto. This layer lets teams swap algorithms without changing business code. Feature flags or config can turn on post-quantum methods in a safe way.

Shared test cases and logs can prove that calls work the same before and after a switch. This design also reduces vendor lock-in and speeds audits. Build and ship a small cryptography layer that apps can use now.

Leverage Procurement to Mandate PQC Support

Buying power can create early wins by shaping vendor plans. Contracts can require support for NIST post-quantum algorithms, timelines for delivery, and proof of tests. Vendors can be asked to share a software bill of materials that lists all crypto parts.

Service terms can tie to upgrade windows and to fixes for weak or broken crypto. Penalties and rewards can align goals and speed upgrades. Add strong post-quantum terms to new and renewing contracts now.

Copyright © 2026 Featured. All rights reserved.