With regulations and executive orders requiring the initiation of PQC migration within the next 12 months, and completion as soon as 2030, the time to start your PQC migration is now. But where to start? Complexity has always been the enemy of security and will be a significant challenge as most enterprises have widespread cryptographic deployments, spanning network and security devices, servers, applications and clouds.
As with the start of all cybersecurity initiatives, we should begin by inventorying and assessing the current cryptographic state, classifying assets, criticality, and then prioritizing migration.
We should approach PQC migration like another Y2K enterprise-wide IT initiative, but with less clarity as there's no definitive end date when quantum computers will emerge with the ability to crack current encryption.
That shouldn’t lull us into complacency though, as malicious actors have for many years been stealing and storing data for future decryption. Store Now Decrypt Later (SNDL) attacks have been with us for some time, as evidenced by the targeting of submarine cables and global networks.
CISOs and security teams should consider building specific cross-functional migration teams spanning IT, operations and Governance, Risk and Compliance (GRC). Here are some ideas to help frame your planning:
Identify and inventory all the places cryptography is used in your organization, including public key infrastructure, algorithms, protocols, email/messaging, network services, applications, etc.
Teams should be mindful of the cryptography it has deployed, as well as other crypto tools provided by vendors in the form of cloud services, networking and security devices.
With inventory completed, the next step is to assess the criticality of cryptographic assets that need to be migrated to quantum safe solutions. Considerations include regulatory requirements, potential impact of compromised data, business loss, and reputational loss. Start with less critical assets and progressively migrate the more important systems.
Determine an appropriate migration strategy that is designed to accommodate developments in algorithms and other forms of cryptography. While quantum resistant solutions based on NIST approved Post Quantum Algorithms (PQAs) are currently popular, your strategy should allow use of hybrid solutions using classical encryption, symmetric keys and PQAs. There’s no singular solution for every organization, as migrations will vary depending on each organization's unique requirements and legacy cryptographic infrastructure.
Pay particular attention to whether you’ll implement the PQC solution, rely upon vendor-provided products with cryptography, or some combination of both - ensuring the solution consistently meets the myriad of local, national, and global regulatory and standards requirements.
Be especially mindful of existing cryptographic deployments, compatibility, and vendor reliance during and after the migration. This is where an agile crypto strategy comes into play – ensuring that you can switch algorithms and strategies with changes in technology.
Continuously test and validate processes and performance throughout the implementation to ensure the migration is happening as planned and unforeseen issues are identified, such as compatibility, form factor flexibility and vendor lock-in.
Security teams should also consider a PQC Posture Management solution to ensure continuous monitoring of cryptographic infrastructure for anomalous behavior, indicators of compromise, and vulnerabilities. Be mindful of vendor integrations and in-house systems to ensure robust protection for data at rest, in transit, and in process. A crypto posture management platform with threat detection and incident response capabilities will be valuable in managing the complexity of legacy and future crypto assets.
These are just a few ways to frame your PQC migration planning. Please feel free to contact Arqit for a deeper discussion.
11 August 2025