Abstract
Most conversations about post-quantum cryptography start with algorithms. Sarah McCarthy starts with people. As Quantum Readiness Program Lead at Citi, Sarah works in the realm of payments, compliance, and cryptographic change inside one of the world’s most regulated and interconnected financial institutions. In this episode of Shielded: The Last Line of Cyber Defense, she brings that perspective to bear on what large-scale PQC migration actually looks like in practice.
Sarah’s background spans research, vendor-side work, and enterprise security, giving her a view across the full cryptographic supply chain. That experience shapes how she thinks about readiness. At Citi, the quantum readiness program began in 2022, predating much of the current regulatory urgency. What started with foundational questions about data sensitivity and retention has expanded into a formal vendor survey, internal education efforts, and a growing set of no-regret technical actions already underway.
One of the clearest themes from the conversation is the gap between how organizations think about PQC migration and what it actually demands. The instinct is to frame it as an algorithm upgrade. In practice, it requires identifying which systems hold sensitive data, understanding how long that data needs to stay protected, coordinating across teams that may not yet see cryptography as their problem, and building internal champions who can translate technical risk into organizational action.
Sarah also addresses the vendor landscape directly. Citi’s quantum readiness survey of suppliers is surfacing meaningful patterns about where the ecosystem stands and which vendors are genuinely prepared to engage with these questions. Unsurprisingly, the most capable responses are coming from key management providers and hardware security module vendors. Others are still catching up, not just technically but organizationally.
The episode also tackles the regulatory picture across payments. Standards bodies and working groups are moving, but interoperability across jurisdictions remains a live challenge. For organizations waiting on regulatory direction before acting, Sarah’s message is clear: some steps make sense right now regardless of what regulators decide. Upgrading AES key sizes for data at rest, moving to TLS 1.3, and identifying crown-jewel data are all defensible moves that will not be undone by future guidance.
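The two ideas above, deciding how long data must stay protected (L4) and picking no-regret steps such as larger AES keys and TLS 1.3 (L6), can be turned into a simple triage over an asset inventory. The following is an added example, not code from the episode or from Citi's program. It applies two standard framings that the page itself does not spell out: Grover's quadratic speed-up, which roughly halves the effective strength of a symmetric key against a quantum adversary, and Mosca's inequality (shelf life plus migration time exceeding the time until a cryptographically relevant quantum computer means the data is exposed today). The `ASSUMED_CRQC_YEAR` planning parameter, the `Asset` fields and the `SAMPLE_INVENTORY` records are all constructed for illustration.

```python
from dataclasses import dataclass

# ASSUMED planning parameters, not values from the episode: the year by which a
# cryptographically relevant quantum computer (CRQC) is assumed to exist, and
# the year the inventory is being assessed.
ASSUMED_CRQC_YEAR = 2035
CURRENT_YEAR = 2025


@dataclass
class Asset:
    """One system in a (constructed) cryptographic inventory."""
    name: str
    classical_key_bits: int   # AES key length protecting the data at rest
    tls_version: str          # TLS version on the links carrying this data
    sensitivity: int          # 1 (low) .. 5 (crown-jewel data)
    retention_years: int      # how long the data must remain confidential
    migration_years: int      # estimated time to move this system to PQC


def grover_effective_bits(key_bits: int) -> int:
    """Grover's algorithm searches a key space in roughly sqrt(N) steps, so the
    effective security of a symmetric key against a quantum adversary is about
    half its length: AES-128 -> ~64 bits, AES-256 -> ~128 bits."""
    return key_bits // 2


def mosca_exposed(retention_years: int, migration_years: int,
                  now: int = CURRENT_YEAR, crqc_year: int = ASSUMED_CRQC_YEAR) -> bool:
    """Mosca's inequality: with shelf life x, migration time y and z years until
    a CRQC, the data is already at risk (harvest now, decrypt later) if x + y > z."""
    z = crqc_year - now
    return retention_years + migration_years > z


def no_regret_actions(asset: Asset) -> list[str]:
    """Steps that remain sensible whatever future guidance says."""
    actions = []
    if grover_effective_bits(asset.classical_key_bits) < 128:
        actions.append(
            f"upgrade data-at-rest key from AES-{asset.classical_key_bits} to AES-256")
    if asset.tls_version != "1.3":
        actions.append(f"move transport from TLS {asset.tls_version} to TLS 1.3")
    return actions


def is_crown_jewel(asset: Asset) -> bool:
    """High sensitivity combined with quantum exposure marks a migration priority."""
    return asset.sensitivity >= 4 and mosca_exposed(
        asset.retention_years, asset.migration_years)


def triage(inventory: list[Asset]) -> list[dict]:
    """Score every asset and order the list so exposed crown jewels come first."""
    rows = []
    for a in inventory:
        rows.append({
            "asset": a.name,
            "effective_bits_vs_quantum": grover_effective_bits(a.classical_key_bits),
            "mosca_exposed": mosca_exposed(a.retention_years, a.migration_years),
            "crown_jewel": is_crown_jewel(a),
            "actions": no_regret_actions(a),
        })
    rows.sort(key=lambda r: (not r["crown_jewel"], not r["mosca_exposed"], r["asset"]))
    return rows


# Constructed sample inventory; names and figures are illustrative only.
SAMPLE_INVENTORY = [
    Asset("card-vault", 128, "1.2", sensitivity=5, retention_years=10, migration_years=4),
    Asset("marketing-crm", 128, "1.2", sensitivity=1, retention_years=2, migration_years=1),
    Asset("settlement-ledger", 256, "1.3", sensitivity=5, retention_years=7, migration_years=5),
    Asset("public-web-logs", 256, "1.3", sensitivity=2, retention_years=1, migration_years=1),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The ordering matters more than the arithmetic: an asset like the constructed `settlement-ledger` already uses AES-256 and TLS 1.3, so it has no no-regret actions left, yet it still ranks near the top because its retention window outlives the assumed threat horizon and only a PQC migration closes that gap.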
Sarah closes with what she expects from the next twelve months at Citi and with the framing that best captures her overall approach: quantum migration is an operational challenge before it is a technical one. The organizations that prepare well will find the actual algorithm switch far more manageable than they feared.
What you’ll learn:
- How Citi’s quantum readiness program has evolved since launching in 2022
- What a vendor quantum readiness survey reveals about supply chain preparedness
- Why PQC migration is fundamentally a coordination problem, not just a technology upgrade
- What no-regret first steps any organization can take today, regardless of size or resources
- How to identify and prioritize crown-jewel data before full migration begins
- Why internal champions matter more than a large dedicated team
- What regulators and standards bodies in the payments space are signaling for 2026
- How to frame quantum readiness as an operational challenge to get organizational buy-in
- What Citi is focused on achieving over the next twelve months
- How the 80/20 rule applies to post-quantum migration: preparation is the hard part
Sarah McCarthy is the Quantum Readiness Program Lead at Citi, where she brings together a world of payments, compliance, and post-quantum cryptography. Her background spans academic research, vendor-side security work, and large-scale enterprise risk, giving her a rare cross-sectional view of the cryptographic supply chain. At Citi, she leads efforts to assess and reduce quantum risk across a globally interconnected payments environment, including the design and rollout of a quantum readiness vendor survey program. Her work focuses on translating complex cryptographic risk into practical organizational action across highly regulated, multi-jurisdictional systems.
