Conceptual illustration of post-quantum cryptography

Defusing the Q-bomb: How to assemble your quantum-ready team

July 8, 2026
Alones // Shutterstock

Defusing the Q-bomb: How to assemble your quantum-ready team

Quantum risk starts with readiness. And that means understanding where cryptography lives, deciding what needs to change, and coordinating the work across teams, ZeroTier reports.

“Harvest now, decrypt later” (HNDL) threats mean adversaries don’t need a quantum computer today to cause damage tomorrow. They can capture encrypted data now, wait for quantum computers to mature, and come back for anything still valuable. That puts traditional security mainstays in the blast radius, including: digital signatures, identity systems, transport layer security (TLS) communications, and the trust models enterprises rely on every day.

The fix starts with a Cryptographic Center of Excellence (CCOE) framework, or a cross-functional team built to find cryptographic debt, set policy, pressure vendors, and manage the transition to quantum-safe standards before attackers get the better timeline.

What is the first step toward quantum readiness?

The first step is assessing your cryptographic blast radius. For example, for an enterprise with 1,000 team members, there are likely thousands of internal applications, legacy databases, and microservices all running different security protocols. To tackle this without halting production, a “nuts-and-bolts” framework can be used to categorize your risk.

The good news? Symmetric cryptography, like AES, remains secure for the foreseeable future when deployed correctly. If your team is already using AES-256 for data at rest, leave it alone for now. That’s not your immediate fire. The urgent risk sits in asymmetric cryptography like public key encryption, signatures, certificates, identity, authentication, and key exchange. This is the foundational plumbing keeping your team securely connected, including TLS sessions, API keys, SSH access, and code-signing certificates. If asymmetric encryption fails, your entire internal network trust model collapses.

A practical way to prioritize across a massive corporate footprint is to look at data value over time. Think of it in a basic data shelf-life formula. Ask yourself: How long must this data remain confidential? If the data loses value before 2026, your current controls may be enough. If it stays valuable past 2027 (such as standard financial records), start strengthening classical keys, hashes, and certificate practices now by mandating longer key lengths across all business units. If it stays valuable beyond 2029 (such as core intellectual property, long-term trade secrets, or healthcare records), you must move it toward NIST-approved post-quantum cryptography immediately.

That means planning for standardized algorithms that your developers can actually implement. Instead of allowing 1,000 different teams to guess what "quantum-safe" means, give them a concrete list of the new standardized building blocks to swap into their code:

  • ML-KEM (formerly CRYSTALS-Kyber): Use this for key establishment, securing the initial handshake when two systems talk to each other.
  • ML-DSA (formerly CRYSTALS-Dilithium): Use this for digital signatures, proving an identity or verifying that software code hasn't been tampered with.
  • SLH-DSA (formerly SPHINCS+): Use this as a specialized alternative where stateless hash-based signatures make technical sense, such as signing firmware or boot images for long-lived embedded devices, including industrial controllers, medical hardware, vehicles, that must stay verifiable for 10-20 years in the field.

The old names still show up in the market, but your roadmap should align with the finalized standards. By breaking this down into clear use cases, you turn an abstract quantum threat into a standard, operational ticket in an engineer's regular development queue.

Who belongs on a quantum-ready team?

A cloud center of excellence (COE) is an operating model that rests on four pillars: executive sponsorship, policy and oversight, discovery and metadata, and implementation discipline. Let’s break them down.

The first pillar is executive sponsorship. Your board, CEO, CIO, and CISO need to treat quantum readiness as an enterprise risk program, not a niche security project. That mandate is what secures a dedicated budget, enforces realistic corporate timelines, and establishes an operational cadence for regular progress reviews. Without it, every business unit will make its own cryptographic choices. That’s how drift turns into debt.

The second pillar is policy and oversight. This means a CISO-led strategy executed through cross-functional implementation. Let’s be real: In a large enterprise, a CISO isn’t the direct boss of every department. Instead, they act as a cross-functional orchestrator. While the CISO drives the high-level strategy and defines what “quantum-ready” means, the technical heavy-lifting belongs to the CTO, the VP of development, and, of course, a PMO, if one’s available in your organization.

This kind of alignment is nonnegotiable for complex, multifaceted operations. When you're managing a massive enterprise footprint, you can't just hit pause on daily business to overhaul your security infrastructure.

A cross-functional structure gives compliance, security, and vendor managers the leverage they actually need to drive execution, handle exceptions, and force third-party vendors to deliver hard timelines instead of vague assurances.

The third pillar is discovery and metadata. This is where infrastructure teams, operations specialists, developers, and data security engineers find exactly where cryptography lives, inside certificates, APIs, embedded devices, private networks, SaaS integrations, custom code, and legacy systems. This inventory belongs in a centralized database rather than a spreadsheet buried in someone’s downloads folder.

To handle the day-to-day grind of tracking all these moving parts, you should ideally have a dedicated PMO team. A lean group, ideally made up of a program office leader and three project managers, is what keeps the operation from stalling and ensures teams are actually hitting their benchmarks.

The fourth pillar is implementation. The aforementioned PMO engine is what successfully drives the fourth pillar, or implementation. This is where core developers, DevOps teams, DevSecOps engineers, and even cryptographers turn policy into working systems. Their ultimate mission is crypto-agility, or the ability to swap algorithms, rotate keys, test hybrids, and respond fast when standards or risks change.

Your CCOE shouldn’t map the cryptographic landscape by hand. Spreadsheets may work for a first-pass audit, but they break down fast once teams start looking across certificates, APIs, applications, networks, cloud services, embedded systems, and third-party dependencies. Quantum readiness depends on knowing where cryptography lives, what algorithms are in use, who owns them, how long the protected data must remain secure, and whether each system can be upgraded without breaking production.

That’s where specialized tooling comes in, broadly categorized into inventory, audit, and project management tools. Inventory tools are relatively straightforward, using active and passive scans to catalog cryptographic assets like certificates, keys, and libraries. Audit tools are significantly more complex. They analyze data in motion, often requiring deep network traffic analysis via tools, and uncover hidden, hardcoded, or shadow cryptography embedded within legacy systems. Finally, PMO and posture management tooling orchestrate everything, translating these inventory and audit insights into a living dashboard of policy gaps, weak algorithms, and priority migration tracks.

The vendor ecosystem is already forming around these capabilities. Many providers excel at powering cryptographic inventory and complex audit workflows, while other platforms support certificate lifecycle operations. Together, these solutions give your CCOE leverage. The right PMO-integrated tooling suite helps experts focus on high-level decisions, exceptions, and testing strategy, rather than manually chasing down every legacy system or dependency by hand.

Always remember, though, the goal isn’t tool sprawl, but rather visibility, repeatability, and proof. A quantum-ready enterprise must clearly show what cryptography it uses, where it is vulnerable, and which systems need refactoring. Your CCOE should treat this inventory, audit, and PMO toolkit as the core operating layer for crypto-agility.

What should your CCOE prioritize first?

Once your tooling maps the risk, your CCOE will need a structured way to prioritize the workload. Here’s a quick look at a four-box framework used to categorize implementation difficulty:

  • Low Difficulty (New Products): Implement now. Choose whether to build or buy PQC capabilities for net-new data in transit before fresh technical debt can accumulate.
  • Moderate Difficulty (Vendor Supported): Audit external roadmaps. This is a massive orchestration project to ensure your vendors and their downstream suppliers are aligned on PQC readiness.
  • High Difficulty (Custom Software): Refactor for crypto-agility. Updating in-house applications gets tricky quickly, especially if the original developers are gone or the architecture is undocumented.
  • Extreme Pain (Legacy Systems): Tackle deep cryptographic debt. You must retire or encapsulate outdated protocols and hardcoded keys, because they simply won't age gracefully.

Where does crypto-agility fit into DevSecOps?

Finally, you might be asking yourself: Where does crypto-agility fit into DevSecOps? The answer? Inside a broader definition of DevSecOps, one that protects a company’s entire infrastructure, not just software development pipelines, especially over time, where the landscape of threats will be evolving. This holistic approach is essential for building true crypto-agility: the ongoing ability for an organization to rapidly implement new algorithms, like Falcon, as they become necessary.

Operationalizing this means managing a few distinct workstreams that are closely interrelated, yet not entirely connected. You must continuously plan dynamic encryption policies across all network assets, verify PQC and hybrid performance in test environments before deployment, and detect operational anomalies in real time.

By embedding these loops across your entire corporate footprint, swapping an algorithm ceases to be an engineering crisis and, instead, becomes a routine configuration update, keeping the enterprise resilient as standards evolve.

The quantum clock’s ticking, and architectural panic won’t help. By creating a CCOE, you give your enterprise a way to move with discipline. To make quantum readiness a routine update rather than an engineering crisis, you need to solve the issue at the network layer.

By leveraging a quantum-safe network overlay, teams can embed end-to-end PQC protection directly at the transport layer without demanding massive application rewrites. By decoupling security from the application layer, enterprises have a practical path to defuse legacy cryptographic debt, protect distributed systems, and move toward quantum-secure networking before the Q-bomb goes off.

This story was produced by ZeroTier and reviewed and distributed by Stacker.


Trending Now