Post-quantum cryptography (PQC) isn’t a future headache waiting to arrive in 2030; it’s a migration challenge organizations should already be tackling today. While some executives still dismiss quantum computing as a decade away, the real risk lies in the shrinking time available to prepare. For Adrian Neal, Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, the warning is clear: if you think PQC is a three-to-five-year project, you’re already behind.
In a recent episode of Shielded: The Last Line of Cyber Defense, Neal joined host Johannes Lintzen to lay out the real-world challenges of quantum readiness. Drawing on nearly forty years of experience across finance, defense, and telecoms, he explained why PQC migration is more like an eight-year journey and why failing to start now will lead to emergency triage, chaos, and potentially systemic collapse once the first quantum “black swan” hits.
Neal’s perspective is shaped by history. He recalls the hype cycles around PKI at the turn of the millennium and the “non-event” of Y2K. But Y2Q is not Y2K, he stresses. There is no single deadline that forces action, no fixed date to rally around. That lack of a hard stop makes procrastination even more dangerous. In his words, “sooner or later, you’re going to see the panic start to seep into the boardrooms and the CISOs when they realize” that eight years of work won’t fit into a three-year budget cycle.
The differences between industries make the challenge more complex. Governments, for example, must protect information with decades-long or even permanent secrecy requirements, demanding solutions that will outlast the algorithms standardized today. Financial services, on the other hand, are likely to be among the first targets of quantum-powered attacks, driving earlier adoption of PQC. And across the board, organizations will face ugly surprises when they discover legacy systems and forgotten dependencies that simply cannot be upgraded in time.
Performance realities add another layer of urgency. Neal shares a striking example from hardware security module testing: when one of the new PQC algorithms was loaded, throughput collapsed from 10,000 transactions per second to just 200. On paper, PQC may appear comparable to or even faster than RSA. But under real-world loads, the algorithms behave differently, and the impact on capacity planning, SLAs, and costs could be enormous. “These algorithms are different,” Neal emphasizes, “they are very, very, very different.”
Beyond technology, the real bottleneck may be the boardroom. Neal explains how CISOs often struggle to secure funding for migration programs, since PQC offers no immediate revenue benefits. In some cases, regulators themselves are asking whether legislation is needed to force organizations into action. For Neal, regulation may ultimately be a friend, providing executives the leverage they need to unlock budget and resources. Without it, apathy will continue to stall progress, leaving organizations dangerously exposed.
Another key theme of the conversation is crypto-agility. Neal does not expect today’s PQC algorithms to last as long as RSA or elliptic curve cryptography. Some candidates already collapsed during the NIST competition, and others may fall within five years. That means designing systems that can swap algorithms without wholesale rewrites is essential. But agility requires governance, and governance today is often lacking. During discovery exercises, Neal’s team has found out-of-policy certificates, weak implementations, and governance blind spots that could turn standardized algorithms into insecure deployments. “Poor implementations,” he warns, “they will get you in the end.”
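To make the crypto-agility point concrete, here is an added sketch (not from the episode or from Capgemini) of a message envelope that records its algorithm identifier and is checked against a policy object, so retiring an algorithm is a policy change rather than a rewrite. The identifiers `mac-v1` and `mac-v2`, the policy names and the key are hypothetical, and HMAC variants stand in for real signature schemes because the Python standard library ships no PQC algorithms.

```python
import hashlib
import hmac
import json

# Registry: algorithm id -> tag function. Adding a scheme means adding one
# entry here; callers never name a primitive directly. Ids are hypothetical.
ALGORITHMS = {
    "mac-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "mac-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Governance as data: the id used for new messages, and the ids still
    accepted on verification during a migration window."""
    def __init__(self, protect_with, accept):
        self.protect_with = protect_with
        self.accept = set(accept)

def protect(policy, key, payload):
    alg = policy.protect_with
    # The algorithm id is bound into the tag so the header cannot be swapped.
    tag = ALGORITHMS[alg](key, alg.encode() + b"." + payload)
    env = {"alg": alg, "payload": payload.hex(), "tag": tag.hex()}
    return json.dumps(env).encode()

def verify(policy, key, envelope):
    env = json.loads(envelope)
    alg = env["alg"]
    # Policy is checked before any cryptography runs: an out-of-policy
    # algorithm is rejected even if its tag would verify.
    if alg not in policy.accept or alg not in ALGORITHMS:
        raise ValueError(f"algorithm {alg!r} is out of policy")
    payload = bytes.fromhex(env["payload"])
    expected = ALGORITHMS[alg](key, alg.encode() + b"." + payload)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch")
    return payload

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

# Three stages of a migration, expressed only as policy changes.
BEFORE = Policy("mac-v1", ["mac-v1"])
MIGRATING = Policy("mac-v2", ["mac-v1", "mac-v2"])
AFTER = Policy("mac-v2", ["mac-v2"])
```

An envelope produced under `BEFORE` still verifies under `MIGRATING` and is refused under `AFTER`, which is the behaviour a discovery exercise would want to confirm for every stored artifact before the old algorithm is withdrawn.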
For organizations asking where to start, Neal’s advice is blunt: focus on crown-jewel systems. Identify the assets so critical that losing them could put you out of business, then map dependencies and build a critical-path plan around them. This is not a project where everything can be tackled at once. It is a staged journey, with critical systems leading the way and non-critical work parallelized around them. Only with a clear critical path can organizations avoid being derailed by hidden legacy systems and unexpected blockers.
The message Adrian Neal delivers is not optimistic spin but hard-earned realism. Migration will take longer than most organizations admit. Performance impacts will surprise those who only read benchmarks. Regulations may be necessary to unlock real investment. And crypto-agility, not static standards, will be the survival trait of the next decade. His closing advice is as blunt as it is urgent: “Apathy will kill you here. This is not the time for apathy. This is the time for action.”
The takeaway is clear: PQC migration isn’t about waiting for algorithms or hoping regulators delay. It’s about acting today, identifying crown jewels, building critical paths, testing performance, tightening governance, and designing for agility. Those who start now can make quantum a non-event, just like Y2K. Those who wait risk panic, chaos, and collapse.
You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
About Adrian Neal
Adrian Neal is Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, where he advises governments, financial institutions, and global enterprises on preparing for the quantum era. With nearly four decades of experience spanning banking, defense, telecoms, and startups, Adrian has been at the center of major security transformations, from the early days of PKI to today’s post-quantum migration programs. His work focuses on helping organizations identify critical systems, manage dependencies, and design long-term strategies that combine technical execution with board-level buy-in. Known for his candid perspective, Adrian warns that migration is closer to an eight-year journey than a three-year sprint, that crypto-agility is the only sustainable defense as algorithms evolve, and that apathy will kill you. His message is clear: the sooner organizations begin planning, the better chance they have to avoid panic, triage, and systemic disruption when the first quantum “black swan” arrives.