Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: August 22, 2025

We're back discussing the results of Sectigo's 2025 State of Crypto Agility report. We explore the second half of the report on post quantum cryptography (PQC) including enterprise awareness of PQC, the most influential drivers for PQC migration, expected budgets and more. You can follow along by downloading the full report here: https://www.sectigo.com/2025-s...

Podcast Transcript

Tim Callan: So Jason, we are continuing our deep dive into Sectigo's recent survey results where we surveyed 272 IT decision makers, certificate decision makers specifically, about their certificate agility and their certificate readiness.
Jason Soroko: This is part two of something we had already started.
Tim Callan: Part two of three.
Jason Soroko: Part two of three.
Tim Callan: And please refer to the previous episode where we went over the results of readiness for the march to 47 day certificates, and we gave the basics of the survey. So we're not going to do that again here. You can get that from there. What we want to do here is dive into the questions around post-quantum cryptography and its readiness. And because there are more questions for this section than for 47 day certs, you and I are breaking this into two chunks. This will be chunk one, and then episode three in our series will be chunk two. Does that make sense?
Jason Soroko: Perfect, Tim. What was the first question?
Tim Callan: The first question is, how well does your organization, excuse me, understand the quantum computing threats to cryptography?
Jason Soroko: So a basic awareness question.
Tim Callan: Basic awareness question. Clear understanding - 25%. Basic knowledge - 33%. Beginning to learn - 42%. No knowledge at all - 0%.
Jason Soroko: Interesting. I can tell you that no knowledge at all was more like 90% in most anecdotal conversations, which is crazy, but I think with this group, it's how they were screened.
Tim Callan: We screened. So if they had no knowledge at all, they were screened out. So by the time they're answering this question, those people have been removed. So that gives you kind of the break of the rest. This, of course, is how these people self-report their level of knowledge. Someone else may not agree. But this is their perspective on their level of knowledge. And even there, I think you see a lot of acknowledgement among the people in this group that in general, they don't have a lot of information. That three quarters of them kind of say, look, I don't really know as much as I could or should.
Jason Soroko: I think that's an important question. I think the way to frame this is this - we are literally zooming in on the much smaller population of people - a much smaller population of people - who have some form of awareness, and so the problem with it, though, is that it colors the rest of the questions in the sense that this answer was really good, because I think it's maybe one of the most important ones in that, hey, there's just so much more to know, and I'm acknowledging that. As you just said. Therefore, let's see how the rest of the questions then follow up, because asking people who barely know the topic a whole bunch of questions is sometimes difficult.
Tim Callan: And that's why, ultimately, we did make the decision to screen out the people who said they didn't know anything, because we didn't feel like their answers were going to be revealing or useful for the remainder of the survey, and instead, what we wanted to do is focus on those people who did feel they had some level of knowledge. But do, again, understand that the answers to everything else you see are already screened for people who come into this already knowing what PQC is and having some sense for what needs to happen.
Jason Soroko: Very good.
Tim Callan: All right, next question. Which best describes your organization's preparedness for the security risks posed by quantum computing? So this is a pick one. And again, we're going to go from most to least as we've been doing.
Actively implementing post-quantum cryptography solutions - 16%
Planning to implement within the next 12 months - 18%
Planning to implement within 12 to 24 months - 23%
Evaluating options but no immediate implementation plans - 33%
And not evaluating options at all - 10%
So the breakdowns - evaluating people who have no plans is 43%.
People who have plans but have done nothing is 41%. And then people who are actively doing something is 16%.
Jason Soroko: I think the rest of the questions will help to parse this out in terms of what the activities actually are.
The fact that it's a little bit bottom heavy, meaning less activity versus more activity, is probably what I would expect at this point.
Tim Callan: I'm not surprised. I'm not at all surprised. These are early days, and I think what we're trying to do, those of us who have been watching this, like you and me, we're trying to galvanize action. What's really going to be interesting is, I want to see what this question looks like in a year.
Jason Soroko: It's going to really change.
Tim Callan: Because that's what we want to be looking at. We want to be tracking progress over time. This as a baseline doesn't surprise me at all.
We should think of this as the baseline. I think what's going to be interesting is what happens moving forward.
Next question. What would help your organization feel more prepared to begin evaluating post-quantum cryptography? And this is a pick as many as you want, and this is in descending order.
So access to internal or expertise and resources - 59%
Better familiarity with PQC standards, processes and policies - 52%
More education on PQC concepts and practical applications - 44%
Stronger understanding of PQC relevance to our organization - 33%
Clearer guidance on how to begin - 26%
Established and widely accepted industry standards or frameworks - 22%
Support aligning PQC with other cyber security priorities - 11%
More clarity on the right timing for PQC adoption - 11%
And a well-defined business case, or ROI, to justify investment - 7%
So I think you see the real kind of starting stuff up at the top. Access to expertise 59%, better familiarity with the standards 52%, more education, 44%. So, what I'm seeing, and when you look down to the bottom, things like clarity on the right timing for adoption, well-defined business case, nobody is picking this. So what we're getting right now is, what we're hearing is, I don't even know. My head is swimming. I'm just hearing about this. I don't know what this is. I don't know anything yet. I need to learn.
Jason Soroko: Tim, that's a perfect answer. That's exactly how to categorize this. And that's what I'm sensing. And I'll tell you something, I think it's Bruno Couillard who came on the podcast and said, hey, if you're starting up right now in IT at all, this whole topic area is so ripe for you right now. There are people who are going to want your skills if you start to build them.
Tim Callan: I agree. I think this aligns with the previous question also, where, again, most people have no plans, or they plan to do something, but they haven't done anything. I think we would see the same thing here. Where this is just, this is very early days, and this one too will be interesting to see what it looks like in a year.
Jason Soroko: I'm only going to add one thing to what you just said, which is that the large number of people who are still looking at, or maybe are unaware of, guidance documents, because I don't know a jurisdiction right now in the world that has electricity that doesn't have a guidance document on PQC.
Tim Callan: Absolutely correct. You're right. And that actually leads directly into the next question.
So next question here. NIST has signaled the deprecation of RSA 2048 and ECC 2056 by 2030. That's in a guidance document, isn't it? Were you previously aware of this change? Meaning previous to this question? So it's a yes/no question. It's a yes/no question because remember, they were screened. If they had no awareness, they were screened out. So the question is, yes, they were fully aware, or they know of it, but they don't know the details.
Fully aware - 42%
Know of it but don't know the details - 58%
Remember, this is what they were screened for.
Jason Soroko: Yes, but even those, here's what's going through my head. Like, this is your top.
Tim Callan: Yes. These are the people who were screened, and 58% of them say, look, I know there's a thing, but I don't really know the details.
Jason Soroko: Wow. That means you don't even know the thing that you said. It's amazing. It's truly amazing. It really shows how - - the question right previous to this one, which is, I don't know. This is the question and answer that really proves more than half of you who were screened really don't know.
Tim Callan: Really don't know. Yes. Agreed. And so all these are kind of crystallizing on the same thing. Which is that the stage now is educating the community. It's the educate the community stage that we're in, and we're in that stage hardcore.
Next question.
That sort of sets aside the awareness and knowledge segment of these questions. So let's put a little parentheses around that. Now we're going to move into actions and implementations.
So next question, question 12, has your organization conducted an assessment of systems vulnerable to quantum computing attacks? And the answer is yes.
So again, yes, fully - 14%.
Partially - 46%
Planning to do so within the next 12 months - 40%
No known plans - 0%
I think this is over optimistic. I think this is some of what we talked about in the last episode, where people are probably overestimating how prepared they are. I'm skeptical that 40% of enterprises have a full assessment of the systems that are vulnerable to quantum computing attacks. I'm skeptical that 4% have that.
Jason Soroko: And some of them might be interpreting it as, I know where all my publicly trusted certificates are. Like that could be part of it, right?
Tim Callan: The rest of this - partially 46%, planning to do so within the next 12 months 40%, that strikes me as credible. That they've done some work.
Jason Soroko: For sure. For sure.
Tim Callan: We run into this a lot. We run into this when we ask about things like, do you know where all your certificates are, and people say yes, and we know factually that they don't. So I think what we start to see here again is this: I don't know what I don't know, and so the vulnerability connected to this is that you can get yourself in trouble with a partial plan or a partial implementation that you think is full.
Jason Soroko: Look, I think that if more than half of the respondents didn't know about the NIST deprecation immediately, I'm like, look, I'm not sure if then more than half the respondents even know how to answer any of these questions is, frankly, my thought. I think that people do know what they're doing, what they're not doing. It's just I think you're absolutely right in saying this smells to me like you're asking your 10-year-old, hey, did you do your homework yet? I did. No, you didn't.
Tim Callan: Well, I think there could be an aspect of that too, which is just the I don't want to admit that I'm as ill-prepared as I really am.
Jason Soroko: You're seeing classic bias here, and that's perfectly fine.
Tim Callan: All right. Question 13, do you have a budget allocated to quantum safe security initiatives over the next year? What's your guess for yes?
Jason Soroko: I'm betting this cohort probably has a higher number than you and I would have suspected, Tim. That's my answer.
Tim Callan: A whopping 89% said yes. Which is good. Now, again, I think to some degree, a lot of the people who wouldn't have this budget got screened out. But I also think there's a difference between I'm aware of the problem and I have budget. And these people have budget.
Jason Soroko: It actually shows, Tim, that this cohort that has awareness has actually put some money behind it, or some plans and money behind it, and might not even fully understand how to utilize that budget, what to do. So that's interesting, but it's good. They heard the clarion call.
Tim Callan: - - over the next year. So, it might be, listen, we're going to need some budget. We got some stuff in quarter four. We got stuff moving into 2026. I don't know what I need to do now, because what I need to do now is secure budget.
And that may be what we're seeing there. Another way to think about it. This is forward looking. So for some of these other ones, I've said I'm going to be interested in seeing what this looks like in a year. This is people's intentions for what they'll be doing over the next year.
Jason Soroko: It might be the most optimistic answer we've seen so far in the survey.
Tim Callan: All right, moving on.
Next question - how do you expect your organization's PQC investment to change over the next two to three years?
So significantly increase is 5% or more. Increase between 1% and 5%. And stay the same. Do you want to think in your mind about what they are and then I'll tell you?
Jason Soroko: I would expect an increase for sure, just as a general direction.
Tim Callan: So, and there's also go down. Go down is 0%. It's not even on the list. So significantly increase, 5% or more - 40%.
Jason Soroko: There you go.
Tim Callan: Increase between 1% and 5% - 52%. Stay the same - 9%. Decrease - 0.
Jason Soroko: There you go. Profoundly, we are at the beginning stages, Tim.
Tim Callan: We're at the beginning stages. But what I like about this is, again, a lot of recognition that we will be doing things. We will be implementing plans. We will be spending money. We will be putting solutions in place. A lot of recognition that we will be doing things.
Jason Soroko: Great question. Great answer.
Tim Callan: A lot of intention here. We see not a lot of action, but a lot of recognition of the need, and a lot of intention for action.
So then the next, I think it's four questions, and then that's where we're going to stop this episode are clustered around prioritization.
So here's the first one. Question 15 - What are your organization's top quantum safe priorities? And again, this is a pick many. There's a list of about eight things here and I'm going to go top to bottom in terms of the most to least.
Inventory. So this is your organization's top quantum safe priorities.
Inventory and classification of cryptographic assets - 51% selected that.
Risk assessments or impact analysis related to quantum threats - A slightly smaller 51% also selected that.
Research and evaluation of post-quantum cryptography algorithms - 47%.
Migration planning and roadmap development - 41%.
Then there's a big drop off:
Upgrading or replacing cryptographic libraries and protocols - 27%.
Certificate management modernization - 24%.
Vendor engagement or third party assessments - 21%.
Training and upskilling internal teams on PQC - 19%.
Pilot projects or POC implementations - 16%
And then lastly, there was a nothing, which was, it rounds to 0%. It's not actually zero. There is a little bar there, but it rounds to zero, and there's a don't know that also rounds to zero. So a tiny number of people said nothing, but 99 plus percent of them were doing at least one of the things on this list.
Jason Soroko: So inventory is top of the list, and then taking context of the inventory, which is risk, is number two. That's perfect. It's exactly what I would hope. It's just I don't understand why it's only 50%, but okay. That's fine. At least those are the biggest numbers.
Tim Callan: And well, to some degree, it was top quantum safe priority. So if somebody feels they've already done inventory, they're not going to pick one of those. This was a pick three, I believe. So they couldn't pick them all. So when you look at it that way, what we see is a strong focus toward early stage stuff. This aligns with the other things we've seen. I'm trying to do inventory, and I'm trying to do risk assessment, and I'm trying to understand what these algorithms are. What's the stuff that's not getting picked very much? - Vendor engagement, pilot projects. Because they're not ready for that.
Jason Soroko: No. We're too early stage for that.
Tim Callan: So again, this aligns with the other things we're seeing.
Next one, Question 16. Which best describes your organization's current approach to PQC migration? This is a pick one. And I'm going to go over the list.
Gradual phase in - 27%.
Waiting for more mature solutions - 23%.
Hybrid approach, e.g., running traditional and PQ systems in parallel long term - 16%.
Complete system overhaul - 14%.
And, we don't have a strategy yet - 20%.
So thoughts?
Jason Soroko: It's a good blend. I think that the 20% just saying, hey, don't know nothing.
After now hearing some of the numbers of all of these put together, I'm having a hard time kind of piecing together how these people kind of came up to these things. However, none of these things are shocking or surprising. I don't know. There's no gigantic insight that jumps out for me here.
Tim Callan: I think complete system overhaul 14, that's a hard thing to do. So perhaps at this stage, people think they're going to do a complete system overhaul. I'm skeptical that anybody really is. Because it's a hard thing to do.
Jason Soroko: You're totally right. Anything that was put in recently. But we're talking about there are organizations out there that have a lot of legacy and are looking at this as an excuse to, like, all right, system x, y and z, this is the time to go.
Tim Callan: That stuff that somebody wrote in the 1980s - -
Jason Soroko: Time to go.
Tim Callan: We're gonna get rid of it. Yes, exactly. I'll also contend that gradual phase in and a hybrid approach, e.g., running traditional PQ
Jason Soroko: I would say that that's absolutely expected. That's the right way. That's right where we're going to be for the short and medium term for sure.
Tim Callan: And then, what are the most influential factors driving your organization's need for PQC adoption? Again, I think this is a pick up to three. We had a big list this time. It's more. It's maybe like 10 or 12 options. So most influential factors driving your organization's need for PQC adoption. I think a couple of these will be interesting to you, Jason.
Number one - preparing for NIST algorithm deprecation of RSA and ECC - 50%. Top of the list.
Second - proactively preparing to meet upcoming standards and new government mandates. So it's very similar. 48%. Second on the list.
Third one - we conducted a risk assessment that revealed long term exposure - 47%.
Fourth one - protecting our brand reputation for potential outages or business interruptions - 46%.
Then again, we drop off pretty fast. So here's the next one.
We handle highly sensitive or long lived data - 40%.
After that, our leadership made PQC a priority or raised concerns about quantum risk - 31%.
Next one - regulatory audit or compliance review highlighted cryptographic risks - 31%.
After that - we want to position ourselves as an industry innovator or early adopter - 30%.
Now it's going to drop again.
We are modernizing our infrastructure and want to future proof it - 25%.
Client or partner required us to explore quantum safe strategies - 24%.
A competitor announced its own PQC initiatives - 24%.
Harvest and decrypt mitigation. First mention of harvest and decrypt - 22%.
And a breach or near miss highlighted weaknesses in our current encryption - 21%.
So what I see when I look at this is the action really is being driven by guidance.
From regulatory guidance, government mandates, standards and NIST.
Jason Soroko: Excellent. Excellent.
Tim Callan: Not their own understanding. Not we want to protect ourselves from harvest and decrypt. That's not the reason. The reason is there's a government mandate that we're supposed to do this.
Jason Soroko: So look, I find it very interesting that this is one of the very first times in the survey that some numbers really line up, which is that 50 or so percent of you in this cohort that actually know about the deprecation from NIST, definite, like, hard guidance, this question kind of asks the question a slightly different way, which is, are you doing anything about it, and do you have plans about it? The answer is, yeah, these are my reasons. That deprecation that I heard about is the clarion call that I'm following.
Tim Callan: And so I think that's my big takeaway from this question, is that those clarion calls, to use your phrase, are working. The NIST announcements, the various announcements from a broad number of governments, you said earlier, I don't think there's a country that has electricity that doesn't have some kind of guidance. That's why enterprises are taking action, and that's why we do it.
Jason Soroko: So anybody who hears the call - that call - is putting budget aside, is starting to build plans, and that's - -
Tim Callan: Learning and evaluating, understanding what they need to do.
Jason Soroko: I think that's what this survey is revealing. That's really interesting.
Tim Callan: And I like that. Because I think that means that this guidance that we've seen from a bunch of different places, and you and I have reported on in a lot of different episodes, is doing what it's supposed to do.
Last question on priorities, and last question for this episode, which is question 18, how are systems prioritized for PQC migration?
So here are your choices. I think that's our last one. That's our last one. So how are systems prioritized for PQC migration? Again, in descending order. This is a pick multiple. In descending order.
Data sensitivity - 66%.
Risk level - 57%.
Compliance requirements - 57%.
Business impact - 50%.
Durability of secrets - 49%.
And system age - 37%.
So not a lot of spread in here.
Jason Soroko: No. And I think that shows that there's just so much overlap in those concerns. I'm worried about my data and I'm also worried about being under compliance. So that's to me, I'm not sure people separate it, which is an interesting thought.
Tim Callan: I mean, data sensitivity being the top performer I actually like, because it means that this is a little more of an eyes open process, rather than saying, oh, I'm doing this because I was told to.
Though they were, and they acknowledge that. Now they're saying, now that I'm doing this because I was told to, I'm sitting down and saying, okay, what's the data I most want to protect?
Jason Soroko: Excellent point, Tim. That is a higher order thought than just I was told to. You got it.
Tim Callan: So again, I like that. I think that's good, and that that's outperforming compliance requirements. They're all kind of clustering near each other. So, I think that's where we want to break this one.
And then we'll get into another set in another episode. But the thesis or the synthesized thing that we saw, that you and I saw here when we look at this data, is that it's very early, people are still trying to figure out what to do about it. There is broad recognition that something has to be done about it, and this mostly came from various guidelines and government guidance and things along those lines. And now that that broad recognition is in place, there is definitely intent to do something, but specifically what we're doing maybe is a little less clear, and actual activity, true action, is pretty scarce at this stage.
Jason Soroko: I gotta put it into a slightly, like, stepping way back context, and then we can end this, which is the way, way back context is probably 90% of people, hopefully we're less than that and I'm hoping it's only 85 to 80% of people, are just completely unaware of what it is they're facing. That's just the God-honest right now of what's going on. And that's crazy. This survey is a double click on the smaller cohort of people who do have awareness, and the thing that I love that I'm hearing, and you've said it, is once they've heard the call, they're thinking very rapidly. They don't have full plans. They are putting budget aside, and they're thinking higher order thoughts about risks around data. Great answer.
Tim Callan: I think that's entirely understandable. You've got a community of people who are being introduced to this new need and this new risk that wasn't really in their minds six months ago.
And they are doing the right things you would do under these circumstances, which is get information and formulate a plan and formulate a strategy, and that's what you would hope to see. So in that regard, I'm actually, I don't know if I want to say not surprised, but pleased with what we see when we look at the results of this.
Jason Soroko: I think this is classical, classical risk response that's healthy and good, and that's great. I think that you've mentioned something earlier in this podcast as well. I think it's going to be utterly fascinating when we redo this next year.
Tim Callan: Like every single question, I'm really going to be interested in the year over year.
But still, establishing this baseline now is interesting. So listeners, if you didn't - go back and listen to the previous episode where we describe readiness for 47 day certs. A lot of fascinating stuff there. Very interesting one. And also stay tuned, because the next episode, which may or may not be available depending on how quickly you listen to this, the next episode, we're going to finish off the PQC survey results.
Jason Soroko: Excellent, Tim.
Tim Callan: And I'll mention one more time, there's a whole paper on this with the charts and everything available from Sectigo. So you can come get the charts and things for yourself.
Jason Soroko: Thanks, Tim.
Tim Callan: All right. Thank you, Jason.
