From Theory to Migration: Sarah McCarthy on What Quantum Readiness Really Looks Like Inside a Global Bank

“The tendency is to think of it primarily as upgrading our algorithms. But it’s really a coordination problem.” — Sarah McCarthy

Most organizations frame post-quantum cryptography as a technology challenge: a problem for the security team to solve and hand back. Sarah McCarthy has spent the last several years inside one of the world’s largest and most regulated financial institutions, and she sees it very differently.

As Quantum Readiness Program Lead at Citi, Sarah works at the intersection of payments, compliance, and cryptographic change. In this episode of Shielded: The Last Line of Cyber Defense, she offers a practical account of what large-scale PQC migration actually demands and why the organizations that treat it as a technical upgrade are often the ones that stall.

The Program That Started Before the Urgency Did

Citi’s quantum readiness effort began in 2022, well before much of the current regulatory pressure took shape. That head start has mattered. It gave the program time to develop internal relationships, build shared understanding across business and technical teams, and identify where the real dependencies lie before the clock started running loudly.

Sarah’s own background spans academic research, vendor-side security work, and enterprise risk, giving her a view across the full cryptographic supply chain. That cross-sectional perspective shapes how she approaches readiness at Citi. She is not simply asking what algorithms need to change. She is asking who owns the systems, what data they protect, how long that data needs to stay secure, and what it would actually take to move each piece.

What the Vendor Survey Is Revealing

One of the more distinctive elements of Citi’s approach is a formal quantum readiness survey issued to vendors across their supply chain. The patterns emerging from those responses are instructive. The most capable and substantive answers are coming from key management providers and hardware security module vendors, the segment of the ecosystem that has been closest to cryptographic infrastructure for the longest time. Other vendors are still working out who inside their organization should even be the one answering.

That gap matters for two reasons. First, it tells Citi something concrete about where their migration dependencies lie and which relationships need more active engagement. Second, it reflects a broader reality about where the ecosystem stands. Awareness is spreading, but organizational readiness, the ability to actually respond to, plan for, and execute cryptographic change, is still unevenly distributed.

The First Step Is Simpler Than Most Organizations Expect

When Sarah describes where Citi’s quantum readiness work actually began, the answer is deliberately unglamorous. The first focus was data at rest, specifically ensuring that AES key sizes were sufficiently large to provide meaningful protection. This required speaking with the teams responsible for databases, understanding what upgrading key sizes would involve, and confirming that all sensitive data was actually covered by adequate controls.

There is nothing post-quantum about AES itself. It is an established symmetric encryption standard. But ensuring it is implemented correctly and at sufficient key length is a no-regret step that improves the organization’s overall cryptographic posture regardless of how quantum timelines or regulatory requirements evolve. It is also a tractable problem. Teams can understand it, own it, and make progress on it without waiting for guidance on lattice-based algorithms.

Sarah’s broader point is that TLS 1.3 migration falls into the same category. Moving to stronger, more modern transport layer security is a defensible decision that will not be undone by future quantum standards. These are the moves that should happen now, not because they solve the post-quantum problem, but because they are right regardless.

You Do Not Need a Large Team to Start

One of the most practically useful moments in the conversation is Sarah’s description of the quantum readiness team at Citi itself. By her account, it is a remarkably small group. The point is not to highlight any constraint but to correct a common assumption that meaningful progress requires a large, formally structured program.

What matters more than headcount is the presence of internal champions, people who understand the risk, can speak to it credibly across different parts of the organization, and are willing to build the relationships needed to bring other teams along. Quantum readiness in large organizations spreads through influence before it spreads through mandate. Finding the people who are willing to carry that message, and equipping them to do so effectively, is often more valuable than building a larger team.

For organizations without a formal cryptography center of excellence, the starting point is identifying who informally anchors the relevant decisions and building from there. Structure follows momentum, not the other way around.

Use Cases as a More Practical Entry Point

There is a persistent assumption in the PQC space that cryptographic asset discovery, building a full inventory of every key, certificate, and algorithm in use, must be the first step before anything else can happen. Sarah offers a different framing. Starting with use cases, asking which systems handle the most sensitive data, how long that data needs to remain protected, and how complex migration would be, often surfaces the highest-risk areas faster and makes the work more legible to the teams who need to be involved.

This is not an argument against inventory work. It is an argument for not using the absence of a complete inventory as a reason to delay everything else. The use-case lens gets organizations moving and builds organizational credibility for the larger program.
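To make the two ideas above concrete (the no-regret checks on AES key length and TLS 1.3 from the earlier section, and the use-case lens of sensitivity, protection lifetime and migration complexity), here is an added example that is not code from the episode or from Citi. The 256-bit AES target, the TLS 1.3 baseline, the 1-to-5 scales and the sample inventory are all assumptions constructed for illustration.

```python
"""Added example: triage use cases for a PQC programme. It flags
no-regret fixes on existing controls and ranks use cases by how much
lead time they need. Thresholds and inventory are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_AES_BITS = 256   # assumption: 256-bit keys as the "sufficiently large" target
MIN_TLS = (1, 3)     # assumption: TLS 1.3 as the transport baseline


@dataclass
class UseCase:
    name: str
    sensitivity: int                    # 1 (low) .. 5 (high), set by the data owner
    protect_years: int                  # how long the data must stay confidential
    complexity: int                     # 1 (easy) .. 5 (hard) to migrate
    aes_bits: Optional[int]             # AES key size at rest, None if not applicable
    tls: Optional[Tuple[int, int]]      # TLS version in transit, None if not applicable


def no_regret_findings(uc: UseCase) -> List[str]:
    """Controls worth fixing now regardless of how quantum timelines move."""
    out = []
    if uc.aes_bits is not None and uc.aes_bits < MIN_AES_BITS:
        out.append(f"AES-{uc.aes_bits} at rest; raise to AES-{MIN_AES_BITS}")
    if uc.tls is not None and uc.tls < MIN_TLS:
        out.append(f"TLS {uc.tls[0]}.{uc.tls[1]} in transit; move to TLS 1.3")
    return out


def priority(uc: UseCase) -> int:
    """Higher means look sooner: sensitive, long-lived data that is hard
    to migrate needs the most lead time before the algorithm change."""
    return uc.sensitivity * uc.protect_years * uc.complexity


def triage(cases: List[UseCase]):
    """Return (name, priority, no-regret findings), highest priority first."""
    ranked = sorted(cases, key=priority, reverse=True)
    return [(uc.name, priority(uc), no_regret_findings(uc)) for uc in ranked]


# Constructed sample inventory; these are not real systems.
SAMPLE = [
    UseCase("card-ledger", 5, 10, 4, 128, (1, 2)),
    UseCase("marketing-site", 1, 1, 1, None, (1, 2)),
    UseCase("kyc-archive", 5, 25, 3, 256, None),
]

if __name__ == "__main__":
    for name, score, findings in triage(SAMPLE):
        print(name, score, findings or "no no-regret gaps")
```

The ranking is deliberately simple; its value is that each factor maps to a question a business owner can answer without a complete cryptographic inventory.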

The Reframe That Changes Everything

The framing that ties Sarah’s entire approach together is also the one with the widest implications. PQC migration is a coordination problem before it is a technology problem. The algorithm changes, once the groundwork is done, represent something closer to 20% of the total effort. The other 80% is preparation: identifying stakeholders, building shared understanding, sequencing changes across interdependent systems, and creating the organizational conditions for the migration to succeed.

Teams that hand this to a security function and wait for a technical answer tend to stall because the blockers are rarely technical. Teams that treat it as an operational challenge, something that requires the same cross-functional discipline as any large infrastructure change, tend to move. The cryptography, once the organization is ready, tends to follow.

What the Next Twelve Months Look Like

Citi’s near-term goals reflect this operational orientation. The focus is on demonstrating that post-quantum algorithms perform adequately in real-world payment environments, pushing back against persistent myths about performance overhead and space requirements. Proving this in practice, not just in benchmarks, builds the internal credibility needed to accelerate migration work across the organization.

The Takeaway

Quantum readiness is not a future event to prepare for. It is a present discipline to build. The organizations that will handle this transition well are already asking the coordination questions: who owns what, what data matters most, what steps create no regret regardless of how timelines shift, and how to bring the rest of the organization along. The algorithm upgrade, when it comes, is the jump. The preparation is everything that makes the jump possible.

You can hear the full conversation with Sarah McCarthy on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube.

About Sarah McCarthy

Sarah McCarthy is the Quantum Readiness Program Lead at Citi, where she works at the intersection of payments, compliance, and post-quantum cryptography. Her background spans academic research, vendor-side security work, and large-scale enterprise risk, giving her a cross-sectional view of the cryptographic supply chain. At Citi, she leads efforts to assess and reduce quantum risk across a globally interconnected payments environment, including the design and rollout of a quantum readiness vendor survey program.

Citi is a global banking institution operating across more than 160 countries and jurisdictions. Its operations span consumer banking, institutional clients, treasury and trade solutions, and investment banking, making it one of the most interconnected financial institutions in the world. Citi’s quantum readiness program, active since 2022, reflects its commitment to addressing emerging cryptographic risk at the scale and complexity that global financial infrastructure demands.