The conversation around post-quantum cryptography often stays technical. How these systems shape the institutions that depend on them typically receives lesser attention.
In this episode of Shielded: The Last Line of Cyber Defense, Carolina Polito, a researcher working at the intersection of cybersecurity, governance, and policy, approaches quantum readiness from a different angle. The challenge is not only about replacing cryptography but about how organizations make decisions, assign responsibility, and coordinate change across systems that were not designed for it.
Carolina’s perspective places quantum readiness within a broader context. Technology does not simply support institutions. It defines the boundaries within which they operate. That makes the transition to post-quantum cryptography as much an organizational process as it is a technical one.
Moving From Awareness to Execution
Awareness of quantum risk has grown steadily across industries. Most organizations today recognize that current cryptographic systems will need to change. What is less clear is how that transition should begin.
The difficulty often lies in translating awareness into action. Migration is not a one-time project. It spans multiple systems, teams, and timelines. Treating it as a standalone initiative can make it harder to integrate into existing processes.
Instead, progress tends to come from working within those processes. Aligning quantum readiness with system upgrades, procurement cycles, and ongoing risk management creates a path forward that is easier to sustain.
Why Prioritization Matters More Than Visibility
A common instinct is to begin with a complete inventory of cryptographic assets. While this seems logical, it is rarely achievable in practice.
Carolina highlights a different approach. Rather than aiming for completeness, organizations can focus on identifying what matters most. Assets that are long-lived, highly exposed, and difficult to replace tend to carry more weight in early decisions.
This shift does not eliminate uncertainty, but it makes it manageable. It allows organizations to act without waiting for perfect information, and to refine their understanding over time.
What Vendor Readiness Actually Means
Cryptographic dependencies do not sit entirely within an organization’s control. Many are embedded in vendor products, cloud services, and external systems. This makes vendor readiness a central part of the transition.
Carolina outlines what to look for in this context. Visibility into how cryptography is used, clarity on which algorithms are in place, and a defined roadmap for transition all shape how an organization can plan its own migration.
There is also a longer-term consideration. Cryptographic transitions are not one-off events. The ability to adapt to future changes, often described as crypto agility, becomes part of how resilience is built into systems.
Starting With No-Regret Decisions
One of the recurring challenges in quantum readiness is knowing where to begin. The scale of the transition can make it difficult to define a clear starting point.
Carolina points to a more focused way of thinking about this. Some assets carry higher stakes than others. Long-lived sensitive data, critical communication channels, and central trust mechanisms tend to remain relevant over time and are harder to retrofit later.
Focusing on these areas does not solve the entire problem, but it establishes a direction. It reduces the risk of having to revisit decisions later under more constrained conditions.
Coordination Across Systems and Policy
The challenges of quantum readiness extend beyond individual organizations. They appear in how standards are developed, how procurement decisions are made, and how national strategies evolve.
These processes are often interconnected, but not always aligned. When one moves ahead of the others, it can create gaps that are difficult to close later. New digital systems, for example, may be deployed without accounting for post-quantum requirements, increasing the cost of future transitions.
Progress in this space tends to depend on coordination rather than sequence. Standards, implementation, and governance need to move alongside each other, even if at different speeds.
The Takeaway
Quantum readiness does not begin with a complete solution. It begins with a set of decisions that shape how the transition will unfold.
Organizations that make progress tend to focus on structure rather than certainty. They assign ownership, identify critical assets, engage with vendors, and build momentum within existing processes.
Over time, these steps create a foundation that can adapt as the landscape evolves. The transition itself may be gradual, but the way it is approached determines how manageable it becomes.
You can hear the full conversation with Carolina Polito on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube.
About Carolina Polito
Carolina Polito is a researcher in the cybersecurity program at the Center for European Policy Studies and a PhD candidate in international relations at LUISS University in Rome. Her work focuses on the intersection of cybersecurity, governance, and geopolitics, with a particular emphasis on how emerging technologies shape institutional capabilities and policy decisions.