“If we wait until the day a quantum computer exists, it’s going to be too late. Not only because of the threat that happens on that day, but also the harvest-now decrypt-later threat that many of us are aware of.” – Kevin Reifsteck
Quantum computing is no longer an abstract risk; it has become an engineering, policy, and planning challenge already shaping today’s security decisions. In this episode of Shielded: The Last Line of Cyber Defense, Kevin Reifsteck, Director for Critical Infrastructure Protection at Microsoft, joins Jo Lintzen to discuss how Microsoft is coordinating a company-wide migration toward post-quantum cryptography and helping governments around the world align on the same journey.
From setting global timelines to redefining national readiness, Kevin offers a rare inside look into how one of the world’s largest technology providers is guiding both public and private sectors toward quantum-safe resilience.
Building a Roadmap for a Quantum-Safe Future
Microsoft’s post-quantum journey began several years ago with the creation of the Quantum Safe Program, a cross-company framework that unites engineering, product, and policy teams under one direction.
“Just earlier this year, we committed to transitioning all our products and services. Our aim is to do that by 2033, a couple of years before the 2035 date where most governments are coalescing around for the transition. We want to roll out capabilities to our customers by the year 2029.” – Kevin Reifsteck
This timeline reflects both urgency and structure. By 2029, Microsoft plans to deliver quantum-safe features to its customers, ensuring compatibility well before regulatory deadlines. The goal is not only compliance but leadership, setting an example for global alignment through clear milestones and transparent communication.
Why Policy Must Lead the Way
While technology forms the foundation, Kevin stresses that leadership and policy determine the pace of progress. Without coordination across borders and sectors, migration will remain fragmented and uneven.
“One of the biggest things that we’ve been advocating for governments to do is really make the transition to post-quantum cryptography and quantum safety a priority in their national cybersecurity plans. A part of that is also ensuring that there’s someone who has the responsibility and accountability for making that happen.” – Kevin Reifsteck
From financial services to healthcare, policy action must combine awareness, accountability, and guidance. Governments that embed PQC in their national strategies will not only protect critical data but also empower industries to move early, supported by clear regulatory signals and global interoperability.
Debunking the “Algorithm Swap” Myth
One of Kevin’s most striking observations is how often the scale of post-quantum migration is misunderstood. Replacing algorithms is only a fraction of the work. The real challenge lies in re-architecting the systems and hardware that carry encryption at a global scale.
“There might be a tendency to think this is just switching out an algorithm, and it’s just changing a little bit of code in software. But when you think of something like a hyperscale cloud provider such as Microsoft, that is a lot of encryption that’s happening. That’s a lot of computing power. There’s a lot of specialized hardware equipment that goes into making that encryption happen efficiently and quickly.” – Kevin Reifsteck
True migration demands coordinated planning across data centers, communication systems, and operational technology that may remain in service for decades. For sectors like energy or manufacturing, these upgrades take years to complete and require both engineering depth and policy flexibility.
Protecting What Lasts the Longest
Data has lifespans. Some records lose relevance within months; others must stay confidential for decades. Kevin points out that sectors such as healthcare and finance hold data that cannot afford exposure years down the line.
“You cannot really think of any more sensitive data that lives a long time than people’s healthcare data. In some ways, I’m more worried about that data than I am financial sector data.” – Kevin Reifsteck
Microsoft’s approach focuses on prioritizing long-lived systems and high-value information first. This principle guides governments and enterprises to focus on what would cause the most damage if compromised, rather than spreading attention thinly across all assets.
Aligning the World Through Standards
Global security depends on common rules. For Microsoft, that means advocating for consistency across standards bodies such as NIST, ISO, and IETF, ensuring that nations move forward together instead of in isolation.
“For us, the advocacy around using global standards, whether that’s for algorithms or for integration of those algorithms into standard protocols, is a huge part of our advocacy when we approach governments worldwide. We’ve seen good signs into general alignment of those with some small discrepancies.” – Kevin Reifsteck
By encouraging alignment of timelines and algorithm selection, Microsoft aims to prevent fragmented requirements that would create unnecessary friction for international systems. Cooperation ensures not only interoperability but also confidence in the shared digital infrastructure that connects economies.
Lessons Learned: Focus and Leadership
After years of driving internal transition, Kevin shares two lessons that apply to every organization planning the same shift: clarity of focus and leadership buy-in.
“The challenge that it can take to inventory cryptography across your enterprise, it’s not a trivial matter. That’s why I really emphasize figuring out how to focus on what’s most important because otherwise, you’ll get overwhelmed.” – Kevin Reifsteck
“Having that strategic leadership and foresight and emphasis on, now this is an important thing that an organization needs to do and we’re going to make space and resources and time available to make this transition, is hugely important.” – Kevin Reifsteck
Inventorying cryptography is a monumental task, and without executive sponsorship, it risks becoming a checklist exercise. Kevin underscores that successful migration requires prioritization and clear authority to act, qualities that separate planning from progress.
The Future: Invisible but Essential
When the post-quantum transition reaches maturity, Kevin believes most people may never notice it, precisely because it will have been done right.
“The thing that is going to be most impactful in terms of driving this at scale might be the thing that nobody really notices if it goes well, which is our large technology providers, the Microsofts and others in the world will do such a great job at integrating this into our everyday products and services that the vast majority of the population maybe doesn’t even notice that it happens.” – Kevin Reifsteck
The quiet success of post-quantum migration will rest on the shoulders of large providers and governments that invest early, collaborate globally, and embed resilience into their systems long before it becomes visible.
The Takeaway: Start Now, Lead with Clarity
Kevin Reifsteck’s message is direct: quantum resilience depends on leadership. The groundwork must be laid today through strategy, coordination, and foresight. By setting milestones, aligning policies, and building systems that can evolve, organizations can face the quantum era with confidence rather than urgency.
Quantum safety goes beyond a technological milestone; it is a measure of preparedness and global collaboration. Those who begin now will define the standard for trust in the decades ahead.
Listen to the full conversation with Kevin Reifsteck on Shielded: The Last Line of Cyber Defense, available on Apple Podcasts, Spotify, and YouTube Podcasts.
About Kevin Reifsteck
Kevin Reifsteck is the Director for Critical Infrastructure Protection at Microsoft, where he leads global strategy across cybersecurity policy, quantum-safe readiness, and public–private sector collaboration. His work bridges engineering and regulation, helping Microsoft’s product teams align with evolving post-quantum cryptography standards while advising governments on how to prioritize critical systems and national resilience. Before joining Microsoft, Kevin served as Director for Critical Infrastructure Cybersecurity at the National Security Council, The White House, where he shaped U.S. policy for securing essential services and modernizing cyber risk management. Today, Kevin plays a central role in driving Microsoft’s Quantum Safe Program, which sets clear timelines for transitioning products and services to post-quantum cryptography and helping customers worldwide prepare for the quantum era. Known for his strategic clarity and cross-sector insight, he continues to champion global alignment, government readiness, and responsible innovation in securing the foundations of the digital world.