Post-quantum cryptography (PQC) isn’t a someday problem; it’s a today problem. While many enterprises still think of quantum computing as a distant threat, regulators are already setting deadlines, vendors are already integrating algorithms, and the time to act has arrived. For Kevin Hilscher, Senior Director of Product Management at DigiCert, the migration to PQC starts not with futuristic algorithms, but with something organizations can do right now: upgrading to TLS 1.3.
In a recent episode of Shielded: The Last Line of Cyber Defense, Hilscher joined host Jo Lintzen to share a practical roadmap for PQC readiness drawn directly from his work with banks, healthcare providers, defense contractors, and connected device OEMs. Far from abstract, his message was grounded in discovery, vendor engagement, and the very real challenges of preparing outdated systems for the quantum shift.
Hilscher’s journey into PQC started not as a cryptographer or mathematician, but as a product leader hearing concerns directly from customers. After joining DigiCert from Microsoft, he noticed that OEM clients were increasingly asking about quantum threats and the risk that classical algorithms like RSA and elliptic curve could eventually be broken. Those conversations prompted him to dive deeper, first within DigiCert’s device trust product team and later across the company’s full product portfolio. Today, he’s advising industries with very different levels of urgency: highly regulated sectors like banking, where awareness is high, and consumer device manufacturers, where denial is still common.
That divergence makes education the first step. Hilscher describes what he calls “step zero”: arming security teams with the data, presentations, and materials to explain PQC to their leadership and secure budget. Without that sponsorship, projects don’t get off the ground. But for those ready to begin, step one is clear: discovery. Every enterprise needs to identify where cryptography is being used, from TLS versions in hardware and third-party applications to crypto libraries embedded in their software. Only by mapping the current landscape can organizations understand what needs to change.
And what must change immediately, according to Hilscher, is TLS. “The IETF has put out a statement effectively saying, put bluntly, we will not be supporting any of the PQC algorithms in anything less than TLS 1.3,” he explains. That means companies still running TLS 1.2 are already behind. The good news is that this upgrade is actionable today, independent of the algorithm debates still underway. Enterprises can update their systems and pressure their vendors to do the same, laying a foundation for quantum readiness without waiting for the future to arrive.
The discussion then turns to hybrid cryptography, a source of both progress and confusion. Hilscher distinguishes between hybrid key exchange, already being implemented in TLS handshakes by providers like Cloudflare and Chrome, and hybrid certificates, which remain stalled by competing standards. Some regulators, like Germany’s BSI, are in favor of hybrids, while NIST leans toward going straight to pure PQC signatures. For now, enterprises need to understand the distinction, embrace hybrid key exchange where possible, and prepare for certificate standards to evolve.
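The discovery step and the TLS 1.3 and hybrid key exchange checks described above can be run against captured handshakes. The following is an added example, not code from DigiCert or the podcast: it parses a ServerHello and reports the negotiated version and key exchange group. The group codepoints are the IANA-registered values (they do not appear in the article), and the function names and sample messages are illustrative assumptions.

```python
import struct

# IANA "TLS Supported Groups" codepoints: hybrid (classical + ML-KEM) vs classical.
HYBRID = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
          0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def classify_server_hello(msg: bytes) -> dict:
    """Classify a ServerHello handshake message (record header already stripped)."""
    if len(msg) < 4 + 38 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = struct.unpack_from("!H", body, 0)[0]    # legacy_version
    pos = 2 + 32                                       # skip random
    pos += 1 + body[pos]                               # skip session_id echo
    pos += 3                                           # cipher_suite + compression
    group = None
    if pos + 2 <= len(body):                           # extensions block present
        end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 43 and len(data) >= 2:      # supported_versions
                version = struct.unpack_from("!H", data)[0]
            elif ext_type == 51 and len(data) >= 2:    # key_share: selected group
                group = struct.unpack_from("!H", data)[0]
            pos += 4 + ext_len
    if version != 0x0304:
        finding = "upgrade to TLS 1.3 first"
    elif group in HYBRID:
        finding = "hybrid key exchange negotiated"
    else:
        finding = "TLS 1.3 with classical key exchange only"
    return {"version": VERSIONS.get(version, hex(version)),
            "group": HYBRID.get(group) or CLASSICAL.get(group), "finding": finding}

def ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def sample_hello(exts: bytes) -> bytes:
    """Build a ServerHello for testing (constructed data; cipher suite is filler)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

TLS12 = sample_hello(b"")
TLS13_X25519 = sample_hello(ext(43, b"\x03\x04") + ext(51, b"\x00\x1d\x00\x20" + bytes(32)))
TLS13_HYBRID = sample_hello(ext(43, b"\x03\x04") + ext(51, b"\x11\xec\x04\x60" + bytes(1120)))
```

Fed with ServerHello messages extracted from packet captures of internal and vendor endpoints, the three findings map directly onto the article's priorities: TLS 1.2 endpoints first, then TLS 1.3 endpoints that still negotiate classical groups.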
Fragmentation doesn’t stop there. Different geographies favor different algorithms, from Classic McEliece to ML-DSA to Falcon. For vendors like DigiCert, that means supporting multiple algorithms across SDKs like TrustCore. For enterprises, it means facing tough choices about interoperability when software must operate across borders. Just as in the past, when export-grade cryptography forced companies to ship different builds, the PQC era may once again require region-specific cryptographic stacks.
One area where Hilscher sees promise is Falcon, also known as FN-DSA. With signature and key sizes smaller than ML-DSA, it could be a lifeline for resource-constrained IoT devices. In environments like elevators, medical devices, or embedded controllers, where memory is tight and updates are slow, Falcon could make the difference between extending a product line and retiring it altogether.
But Falcon or not, the timelines are aggressive. The EU wants critical assets to be quantum-safe by 2030. The U.S. CNSA 2.0 requires federal procurement to support PQC by 2027. Canada, the UK, and Australia have issued similar mandates. Hilscher is blunt: some industries won’t make it, especially those relying on antiquated systems like SCADA and ERP. Updating them in just a few years is a monumental challenge. And even for enterprises ready to migrate, vendors may be a bottleneck. While crypto SDKs are already integrating PQC, enterprise applications like SAP or VMware lag, meaning large-scale upgrades are unavoidable.
That’s why he urges companies to start now. “You don’t want to be caught flat-footed in 2028 or 2029,” Hilscher warns. “Heaven forbid something happens and a quantum computer shows up. Right now we’re just preparing for something that could happen, but the probability is high.”
The shift, as Hilscher sees it, is both technical and cultural. It requires early discovery, vendor pressure, TLS upgrades, and global awareness. It requires enterprises to educate themselves and their partners, to plan around realistic timelines rather than regulatory optimism, and to take practical steps today rather than waiting for final standards.
The takeaway? PQC migration isn’t just about algorithms. It’s about building awareness, securing buy-in, upgrading foundations, and preparing your ecosystem before deadlines and quantum breakthroughs arrive.
About Kevin Hilscher
Kevin Hilscher is Senior Director of Product Management at DigiCert, where he leads the device trust product team and oversees PQC readiness across the company’s portfolio. With a background at Microsoft and deep experience working with OEMs, banks, healthcare providers, and defense organizations, Kevin has been at the forefront of preparing enterprises for the quantum era. His focus spans securing connected devices, enabling regulatory compliance, and helping global customers prepare for the transition to PQC. Known for his pragmatic approach, Kevin bridges the gap between evolving cryptographic standards and real-world business needs, helping organizations take the first steps toward a secure, quantum-ready future. With the shift to post-quantum cryptography accelerating, Kevin’s message is clear: early discovery and TLS 1.3 readiness, not just new algorithms, will define the path to a quantum-ready future.
You can hear the full conversation with Kevin Hilscher on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.