“Cybersecurity doesn’t exist if you have no cryptography.” – Bruno Couillard, Crypto4A Technologies
The conversation around post-quantum cryptography (PQC) often focuses on algorithms, timelines, and looming breakthroughs in quantum computing. What gets discussed far less is the harder truth. The real challenge is not choosing the right cryptographic primitive. It is learning how to operate in a world where cryptography itself must change continuously.
That was the core theme of this special panel episode of Shielded: The Last Line of Cyber Defense, hosted by Jo Lintzen. Bringing together Bruno Couillard (Crypto4A Technologies), Bill Buchanan (Professor, Edinburgh Napier University), Mamta Gupta (Lattice Semiconductor), Jeremy B (NIST), Adrian Neal (Capgemini), and Yolanda Reid (former Associate Partner, IBM), the discussion explored what PQC actually demands from organizations once you move past theory and into real systems, real governance, and real risk.
What emerged was not a checklist, but a reset. Post-quantum security is less about a migration milestone and more about a new operating reality.
Cryptography Is Not Plumbing. It Is the Security Boundary
Bruno Couillard opens with a statement that frames the entire conversation. Cybersecurity depends entirely on cryptography. Identity, confidentiality, integrity, trust, and resilience all sit on that foundation.
For decades, organizations treated cryptography as infrastructure that should never change. Algorithms were selected once, embedded deeply, and left alone. That mindset shaped protocols, systems, and even career paths.
The post-quantum shift breaks that assumption.
In a world where cryptographic primitives evolve, break, or are replaced, organizations must understand where cryptography lives, why it exists, and what assumptions it relies on. Without that visibility, every security control built on top becomes fragile. PQC forces this reckoning whether teams are ready or not.
The Quiet Exposure Happens During Data Processing
Bill Buchanan highlights a gap many architectures still accept as normal. Data is encrypted when stored. Data is encrypted when transmitted. But the moment data is processed, it is often exposed in plain form.
In cloud environments, analytics platforms, and machine learning pipelines, this exposure is constant.
Advances in lattice-based cryptography change what is possible here. Techniques like fully homomorphic encryption, secure enclaves, and privacy-preserving computation allow data to remain encrypted even while being used. That shift matters because it moves security from the edges of systems into their core logic.
For organizations handling sensitive data, this is not an academic improvement. It reshapes how privacy, trust, and resilience can be designed into modern systems.
Hardware Lasts for Years. Threats Change Every Quarter
Mamta Gupta brings urgency to the discussion by pointing out a structural mismatch. Devices, hardware platforms, and embedded systems are built to last for years, sometimes decades. Meanwhile, threat models, regulations, and cryptographic requirements evolve every few months.
This creates a narrow planning window.
Organizations that delay PQC preparation risk deploying systems that cannot be upgraded in time to meet new mandates. Organizations that lock in rigid cryptographic choices too early risk betting on assumptions that will not age well.
The answer is not speed alone. It is crypto agility, the ability to adapt cryptographic components without replacing entire systems. That requires architectural forethought, not reactive fixes.
Migration Fails or Succeeds in Discovery
Jeremy B grounds the conversation in execution. Post-quantum migration begins with discovery, not replacement.
Most organizations do not actually know where cryptography is used across their environment. Certificates, keys, protocols, third-party dependencies, and vendor implementations often sprawl across systems with little centralized visibility. Discovery efforts frequently surface unknown certificates, legacy implementations, and dependencies no one remembers approving.
Consultancies and assurance schemes can help bring structure and confidence, especially early on. But ownership cannot be outsourced. Teams still need to understand what they run today, how it fits together, and what can change safely.
Without that groundwork, any PQC roadmap is guesswork.
The Most Dangerous Failures Are Invisible
Adrian Neal delivers a warning. Post-quantum algorithms are unforgiving.
Older schemes like RSA often failed loudly. Newer algorithms fail quietly. Weak governance, poor implementation, or policy drift can result in encryption that appears to work while providing little real protection.
This is the most dangerous failure mode. Systems look secure. Dashboards stay green. Meanwhile, security has already collapsed.
In a PQC world, governance, testing, and implementation discipline matter as much as algorithm strength. Discovery that once felt optional becomes essential. Cryptographic hygiene becomes a survival skill.
This Is a Leadership Conversation, Not a Project
Yolanda Reid reframes the issue clearly. Post-quantum cryptography is not a one-time upgrade. There is no finish line. Cryptography will continue to change for as long as modern systems exist.
That change directly affects what leaders care about most. Communications. Financial systems. Identity. Trust. Treating PQC as a technical project creates the illusion of safety without durability.
Executives do not need to understand cryptographic details. They do need to understand the risk model. Post-quantum security requires long-term operating approaches, clear ownership, and sustained attention. Without leadership engagement, even strong technical work becomes fragile over time.
The Takeaway
This panel does not offer predictions or panic. It offers clarity.
Post-quantum security is not about being early. It is about being prepared to change.
Prepared to discover.
Prepared to govern.
Prepared to adapt cryptography as the foundation of digital trust.
The organizations that succeed will be the ones that stop asking when PQC arrives and start building systems that can evolve when it does.
You can listen to the full panel conversation on Shielded: The Last Line of Cyber Defense, available on Apple Podcasts, Spotify, and YouTube Podcasts.

