This Isn’t Y2K: Why Yolanda Reid Says Post-Quantum Readiness Is Already Behind

Post-quantum cryptography (PQC) isn’t a future problem; it’s a present reality. But according to cybersecurity leader Yolanda Reid, too many organizations are still treating it like Y2K. That’s a mistake. The real difference? Y2K was a single fix. PQC is an ongoing shift in how systems are designed, secured, and maintained. And that shift has already begun.

In a recent episode of Shielded: The Last Line of Cyber Defense, Reid, former Associate Partner at IBM Consulting and a veteran of the U.S. defense and intelligence community, outlined why post-quantum preparation is about more than just swapping algorithms. From cultural blind spots to executive denial, Reid laid out the hard truths organizations need to hear, and act on, before it’s too late. With over two decades of experience at Raytheon, BBN Technologies, EverWatch, and the Department of Defense, Reid has seen the front lines of cybersecurity and national defense. But her perspective on PQC goes beyond technical expertise. For her, post-quantum migration is about leadership, organizational readiness, and designing systems that don’t assume perfection, but plan for breakage.

One of the clearest misconceptions she challenges is the comparison to Y2K. “With Y2K, we just did a quick update and moved on,” Reid says. “PQC is different. Our language, our policies, our procedures, all of that is about to change.” The idea that post-quantum migration can be treated as a one-off upgrade isn’t just wrong; it’s dangerous. According to Reid, organizations will need to adopt an entirely new posture: one built around flexibility, continuous updates, and deep cryptographic awareness.

And that awareness needs to start at the top. Reid shares a telling moment from a recent client engagement. A senior leader, responsible for an entire technology organization, was unfamiliar with PQC and initially dismissed it because “I’m not doing quantum.” That kind of mindset, she says, puts organizations at real risk. “You are in charge of the technology. You need to care.” For Reid, crown jewels like encrypted communications and financial data are on the line, and ignoring PQC because it sounds unfamiliar isn’t an option.

She emphasizes that PQC isn’t just about algorithms; it’s about control. In many organizations, cryptographic decisions still sit with end users or developers. That, Reid argues, is a mistake. People prioritize speed and convenience, not security. “They’re not going to always have the education or understanding to know why this matters,” she explains. “And often, they just don’t care.” To build resilience, organizations need to shift control away from users and toward cryptography teams with the expertise to enforce policy without friction or failure.

One of Reid’s strongest messages is around breakage. Whether it’s key exchange upgrades or signature changes, systems will break. And that’s not a flaw; it’s part of the process. Legacy systems weren’t built with PQC in mind. Reid advises leaders to expect breakage and design for it, with teams capable of troubleshooting and fast recovery. “You don’t want to do a full rollback unless you have to,” she says. “You need people who can think, and who understand what to do when something fails.”

That unpredictability extends to performance as well. Contrary to common fears, PQC doesn’t always slow systems down. “Some environments have actually gotten faster,” Reid explains. But the only way to know is to test early and plan proactively. Waiting until the last minute will only shrink the window to adapt.

Still, Reid warns that the biggest risk isn’t technical; it’s timeline complacency. She’s especially critical of organizations that treat 2030 as a comfortable deadline. “People think they have five years,” she says. “But the awareness should have happened already. Our plans should be done. We should be testing now.” Comparing it again to Y2K, she points out that awareness started in the late ’80s, with implementation stretching well over a decade. “Five years is nothing,” she says bluntly.

Adding to the urgency is the convergence of AI and quantum computing. Reid notes that while regulators are still struggling to set guardrails around AI, the next wave, quantum plus AI, is already in motion. “In a traditional world, we had time between technologies,” she says. “But that’s not the world we live in anymore.” She warns that adversaries are already exploring how to exploit quantum for malicious purposes. Just searching online for “adversarial quantum use” shows how quickly the threat landscape is shifting. “If you’re on the good side, you need to start thinking now about how to use quantum for good purposes.”

For Reid, the way forward starts with crypto inventory. Every organization needs to understand what data it has, how it’s encrypted, and what needs to be protected. “You can’t solve the problem without understanding your environment,” she says. She recommends a combined approach: do internal audits where possible, but also bring in outside experts to identify what might be overlooked. “The more you know, the more ownership you have.”

At the end of the episode, Reid opens up about her own journey as a cancer survivor and single mother, experiences that have shaped her view on resilience and leadership. Facing uncertainty, she had to identify what mattered most and build systems around protecting it. That same mindset, she says, applies to post-quantum security: prioritize what matters, build strong defenses, and plan to adapt.

The final takeaway of Reid’s message is clear. This isn’t just about compliance or future-proofing. It’s about redesigning systems now, before the disruption arrives. The decisions organizations make today will determine not just how they migrate, but whether they can lead confidently into a post-quantum world.

You can hear the full conversation with Yolanda Reid on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.