Complacency, not quantum, is the real threat. Quantum computing may dominate the headlines, but the deeper risk is decades of treating cryptography as invisible plumbing that “just works.” According to Mike Silverman, Chief Strategy & Innovation Officer at FS-ISAC, the industry must stop thinking about cryptographic migration as a one-off project and start treating crypto as a first-class citizen in security. In a recent episode of Shielded: The Last Line of Cyber Defense, Silverman joined host Johannes Lintzen to explain why acting now, long before 2030, is the only way to build resilience, and why crypto-agility, not quantum anxiety, must guide the future.
Silverman’s perspective comes from experience under pressure. Just four months after joining FS-ISAC, he was thrown into the financial sector’s pandemic response, spending eighteen months on coordination calls with government and industry. The lesson was clear: waiting until a threat arrives is too late. Post-quantum cryptography (PQC), he argues, is no different. Trust is the foundation of financial services, and cryptography is the glue holding that trust together. Failing to act before disruption hits would risk systemic damage.
One of Silverman’s central points is reframing the misconception. “It’s not so much about the threat from quantum computers,” he explains. “The real issue is the lack of focus or investment that we as an industry have had on cryptography as a whole. We’ve treated it as it’ll just work. That plumbing will always be there.” Past migrations, such as from DES to AES or to longer RSA keys, were handled as emergency scrambles. The industry cannot afford to stumble into PQC the same way.
Instead, organizations must design for crypto-agility. For Silverman, that means the ability to swap one algorithm for another with minimal downtime, minimal disruption, and ideally no code rewrites. Achieving this requires more than technology. It demands architectural foresight to decouple crypto from applications, organizational policies that govern choices consistently across business units, and vendor coordination to ensure systems are ready to support new standards. As he recalls, even in large industry meetings, stakeholders were talking past one another, proof that clarity and shared definitions were urgently needed.
But agility begins with visibility. Silverman often asks audiences to raise their hands if they know where 100% of their cryptographic keys are; few, if any, can. Inventories and risk models are the essential foundation. Without them, organizations can’t scope the migration or prioritize crown-jewel systems. And even with a ten-year runway, Silverman cautions, some legacy systems will remain. For that reason, prioritization is critical: protect the most valuable, long-lived assets first and accept that lower-risk systems can follow later.
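As an added illustration of the decoupling and the inventory step described above (this is example code, not anything from FS-ISAC or the podcast), the Python sketch below puts the algorithm choice in a policy object and tags every protected artifact with its suite identifier, so the suite in use can be counted and swapping it becomes a configuration change rather than a code rewrite. The suite names, the `Policy` type and the sample payloads are constructed for this example.

```python
import hmac
import hashlib
from collections import Counter
from dataclasses import dataclass

# Registry of integrity suites keyed by a stable identifier (constructed names).
# Adding a suite, e.g. a post-quantum scheme once a vetted library exists, is one
# entry here; no call site names an algorithm directly.
SUITES = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

@dataclass(frozen=True)
class Policy:
    sign_with: str      # suite used for everything newly protected
    accept: frozenset   # suites still verifiable while a migration is in flight

def protect(policy: Policy, key: bytes, payload: bytes) -> bytes:
    """Return 'suite:hex(tag):payload'; the artifact is self-describing."""
    if policy.sign_with not in SUITES:
        raise ValueError(f"unknown suite {policy.sign_with}")
    tag = SUITES[policy.sign_with](key, payload)
    return b"%s:%s:%s" % (policy.sign_with.encode(), tag.hex().encode(), payload)

def verify(policy: Policy, key: bytes, blob: bytes):
    """Return (payload, suite) if the tag is valid under an accepted suite, else raise."""
    suite_b, tag_hex, payload = blob.split(b":", 2)
    suite = suite_b.decode()
    if suite not in policy.accept or suite not in SUITES:
        raise ValueError(f"suite {suite} not accepted by policy")  # fail closed
    expected = SUITES[suite](key, payload)
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
        raise ValueError("integrity check failed")
    return payload, suite

def inventory(blobs) -> Counter:
    """Count artifacts per suite: the visibility step that must precede migration."""
    return Counter(b.split(b":", 1)[0].decode() for b in blobs)

def migrate(policy: Policy, key: bytes, blob: bytes) -> bytes:
    """Verify under a still-accepted old suite and re-protect under the current one.
    Key management is out of scope here; a real deployment keys each suite separately."""
    payload, _ = verify(policy, key, blob)
    return protect(policy, key, payload)
```

Running the migration is a three-policy sequence: sign with the old suite, then sign with the new suite while still accepting the old one and re-protect the inventoried artifacts, then drop the old suite from `accept` so anything missed fails closed.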
Timelines make this more urgent. Regulators and industry groups often point to 2030 and 2035, but Silverman stresses these must be read as phases, not finish lines. By 2030, inventories should be largely complete, and high-value systems migrated. By 2035, broader coverage should be achieved. Yet hitting these milestones depends on factors outside any single organization’s control. Vendors must deliver early so institutions can test. PKI and certificate standards are still evolving, making interoperability a moving target. Without global coordination across regulators, vendors, and networks, deadlines could collapse under their own weight.
Even if the technical path is clear, the boardroom can be another bottleneck. Silverman acknowledges that PQC doesn’t directly drive revenue, making it a tough sell to executives who prefer to invest in growth initiatives like AI or new trading platforms. “This isn’t going to build your revenue,” he notes, “but it will help you maintain your revenue and keep the trust.” The answer is not to present PQC as a standalone burden but to embed it into ongoing modernization cycles. From mainframes to point-of-sale hardware, systems are refreshed every few years. Making PQC part of those refreshes ensures funding is available and disruption is minimized.
Silverman also highlights that the threat is not just quantum. Mathematical attacks on RSA have been claimed for years, even if disproved so far. “There could be a mathematical fault in RSA that we just haven’t uncovered yet, and we need to be ready for that potential,” he warns. In other words, crypto-agility is not simply about preparing for quantum, but for any cryptographic disruption.
His closing message is pragmatic, not alarmist. “I don’t want to come across as a fear monger. The sky is not falling. We have time. But the best day to start was yesterday, and the second best is today.” Starting small (adding cryptographic attributes to asset management, training staff, asking vendors the right questions) creates momentum. Delay, by contrast, only compounds risk.
The takeaway is clear: the quantum timeline isn’t your biggest problem; complacency is. Migration will take longer than expected. Vendor dependencies will make or break success. Standards are still moving targets. And boards must be persuaded to treat cryptography as fundamental to trust, not invisible plumbing. Those who act now can turn PQC into a managed evolution. Those who wait risk panic, triage, and systemic disruption.
You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
About Mike Silverman
Mike Silverman is Chief Strategy & Innovation Officer at FS-ISAC, the global, member-driven consortium dedicated to collective defense in financial services. In this role, he leads forward-looking initiatives on post-quantum cryptography, AI risks, cloud security, and sector resilience, helping financial institutions anticipate and prepare for the threats shaping tomorrow’s trust landscape. With a career shaped by crisis response and industry collaboration, Mike has been at the center of efforts to align governments, regulators, and enterprises on how to secure financial systems under pressure, from pandemic coordination to the emerging quantum challenge. His work focuses on reframing cryptography as a first-class citizen, embedding it into inventories, risk models, and long-term technology refresh cycles that extend beyond any single algorithm. Known for his pragmatic perspective, Mike stresses that the real danger is complacency, not just quantum breakthroughs. He argues that cryptographic agility is the only sustainable defense, that timelines like 2030 and 2035 demand phased and realistic planning, and that collective readiness across vendors and supply chains is non-negotiable. His message is clear: organizations don’t need to panic, but they do need to start now.