Podcast

Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: August 28, 2025

In this episode, we break down more PQC insights from Sectigo’s 2025 State of Crypto Agility report. We discuss how enterprises are preparing for the shift to quantum-safe encryption and what challenges lie ahead.

Key topics we cover:

  • Barriers to implementing PQC in legacy systems
  • Enterprise challenges and lessons learned
  • The PQC skills gap in today’s workforce
  • Confidence levels in current systems’ ability to adopt PQC
  • The most important features organizations want in PQC solutions

If you’re interested in post-quantum cryptography, or enterprise crypto agility, this episode is for you. Follow along and download the full report here: https://www.sectigo.com/2025-s...

Podcast Transcript

Tim Callan: So Jason, we are starting our third in our series of three episodes talking about the results of Sectigo’s recent crypto agility survey. Again, we talked a little bit about the survey in the opening episode of these three, so we're not going to repeat that here, but I encourage you, if you haven't listened to that episode, when you're done here, to go back and listen to that. And there's some interesting facts about preparedness for 47 days in that episode. Also, the episode right before this one is the first part of the survey results on PQC. So we definitely recommend giving that a listen if you haven't listened to it after you're done with this, because that's directly relevant to this. And then today, we're going to finish up the PQC data, just because there was too much to fit in one episode.
Jason Soroko: Let's hear it, Tim.
Tim Callan: All right, so picking up where we were last time. We're now on question 19.
Question 19 reads, what level of involvement do the following stakeholders have in PQC decisions at your organization? And so here are the choices. It's final decision maker, contributor, actively involved in the decision, consulted, asked for input but not deciding, aware, not involved and don't know. So with that, let's do it in order of final decision maker, and then we can talk about where the contributors fit in, because it looks different when you look at that.
So final decision maker, CISO, remember, this is what level of involvement for the following stakeholders and PQC decisions at your organization.
CISO - 51%
Security/crypto architects - 39%
Infrastructure team - 19%
Compliance or legal team - 17%
CIO - 14%
CTO - 11%
And the Board of Directors - 10%
So what do you think of that?
CEO - 22%. And it goes down from there.
Jason Soroko: I think the way the question is asked is you're reading off the final decision makers. Real final call people.
And I think that this is probably a good order. You want CISOs involved. I find that CISO awareness has actually been really low. This cohort - just to remind people who are listening to this episode three and might not have heard the others - this is a double click on people who have been screened to actually have awareness. And so it's funny how the awareness of CISOs is probably quite low overall, but once an organization has awareness, the CISO is kind of put into the driver's seat of making the final call. This is what this is saying.
Tim Callan: When I read this, with the top two being CISO and security/crypto architects, it says that in the organizations that have a PQC endeavor today, this is being driven from a security mindset.
This is people saying, we have to do this to remain secure, as opposed to when we talked about, for instance, 47-day certs, where we saw that it was very much driven from an operations mindset. We have to do this to remain up.
Jason Soroko: That's a good point. I would prefer, I mean, I'm glad it's being driven from somewhere, but I would actually prefer if this was looked at from even higher. CEO is number three on the list, and, as final decision maker, I'm really not surprised that other C levels are leaving it to security, which is a good thing, but I think it really shows how it might not have the highest priority in some organizations.
Tim Callan: And so now, this is where I wish we could put up this chart. It’s an interesting chart in that, remember, the next one down is contributor, actively involved in the decision, and after that is consulted, asked for input but not deciding. And between the top three for some of these, like CTO, it is almost the entire band. So contributor: CTO 43%, CIO 36%, compliance/legal team 41%. So a lot of involvement there. And then a lot of people who are consulted but not actively involved in the decision, again, that same crowd: CTO 40%, CIO 39%, compliance/legal team 36%, infrastructure team 44%. So it does feel like there is a community involved in these things, which I think is different than just the legal, the security team off doing things, and we may compare this, I think, to other security initiatives, which often are entirely being done by the CISO and security architects and everybody else just gets told, this is what we're doing. This is very different in that we see a lot of roles that are considered to be part of the process, even if they're not the actual decision maker.
Jason Soroko: Which is a good thing. It really does need to be cross-disciplinary and top-down driven for sure.
Tim Callan: All right, so that's that question. The next one. So question 20 - what resources have you allocated to PQC efforts? Again, this is a pick many, and I'm not sure if this is a top three. I think this might be an up to three. But it's a pick many. So this is going to add up to more than 100%. I'm going to go in descending order of highest to lowest. Training programs on quantum risk and PQC. Again, this is what resources have you allocated?
Training programs on quantum risk and PQC - 57%
Budgets specific to PQC initiatives - 56%
CCOE, Cryptographic Center of Excellence - 50%
External consultants or professional services - 47%
Development and operations roadmap - 46%
Procurement of new tools or platforms - also 46%
A dedicated internal team - 45%
And external pen test partners - 33%
Have not allocated any resources to PQC is not truly zero respondents, but small enough that it rounds to 0%
So thoughts?
Jason Soroko: A lot of these numbers are actually quite similar. So, from the top down, other than, say, the pen test partners, actually that number, 33%, is actually even a little high.
Tim Callan: I was quite surprised at that in all honesty.
Jason Soroko: But looking at things like CCOE in terms of allocation for efforts, this shows actually a lot of maturity here in terms of what's being done. More than half actually have budget tied; training programs are at the very top, 57%. These are all really good and positive things, Tim.
Tim Callan: I agree, especially this early. And as we said a number of times last episode, and we'll probably say more times here, I'll be interested to see what these numbers look like in a year. I'm expecting to see them grow.
All right, the next one. Question 21 - which areas has your organization prioritized for PQC implementation? Again, I think this is a pick many or pick all. It’s probably just a pick everything that's relevant, okay? Because it's kind of a long list. So again, in descending order of how much they picked:
Digital signatures - 50%
Critical infrastructure or OT systems - also 50%. Slightly smaller.
Data storage - 49%
Authentication - 49%
Cryptographic libraries and protocols - 48%
Data in transit - 46%
So that batch is all very similar. Then it drops down a little.
VPN or remote access - 40%
Web applications and APIs - 39%
IoT devices - 37%
Secure email and messaging - 37%
WAN - 32%
And local area network - 28%
We have not prioritized any specific areas yet is down at 1%
Jason Soroko: Some of this makes a lot of sense. Digital signatures at the top and things that are authentication based lower, which indicates the order in doing things.
Tim Callan: Which is good. Which is good.
Jason Soroko: I would say that critical infrastructure or OT systems, it's interesting how the blend of topic areas and then cryptographic types is kind of blended into the questions here. And just seeing critical infrastructure or OT systems quite high is interesting to me, because not everybody who is responding to this would even have critical infrastructure or OT systems, but it kind of ranked pretty high. So digital signatures high is not surprising, because that's really where to start. But the OT systems piece was kind of surprising to me.
Tim Callan: Digital signatures. I mean, your point is, I think, well taken, Jason, which is that for some of these things, the same initiative could follow more than one of these. Because some of these are a use case, some of these are an environment. Some of these are a technology. APIs is a technology. IoT devices is a use case. So, in that sense, the same thing could be more than one of these; cryptographic libraries and protocols is a technology. And the other thing is, to some degree, everything on this list is probably something you're going to want to do. So maybe that's why we see a big cluster where we've got five things within 2% of each other up at the top.
Next one. Question 22 – how concerned are you about the following quantum computing threats? And it's a five-point scale, from extremely concerned to not at all concerned. So it goes extremely concerned, very concerned, moderately, slightly, not at all. And let's do the top two, because that's what makes this really interesting. So the number one in the top-two comparison is compromise of secure communications, which is to say man-in-the-middle attacks - 68%. Next on the list is harvest now, decrypt later attacks - 60%. Again, this is a top two, and then after that, trust now, forge later attacks - 59%. So do you have some thoughts on that?
Jason Soroko: I think that the level of concern, being either extremely or very concerned, is very healthy. I actually, Tim, I'm going to flip it around just slightly, because I'm looking at the chart, and it's showing me that up to 6% of people have no concern at all about harvest now, decrypt later and trust now, forge later, and 3% no concern at all about compromises. It’s like, wow. You are brave or crazy, whoever responded with that.
Tim Callan: I agree. Because nobody is ready. Like, there's no one in the world who can say that we're completely hardened against a harvest-and-decrypt or a trust now, forge later attack. Therefore, not to have any concern at all. It doesn't – it's not that you have no concern at all because you know that there's no risk to you.
Jason Soroko: You put it on the other hand. Like, the numbers you read off were really about the people who had an awful lot of concern. And I think it's really healthy. In fact, I think if people really understood what they were being asked fully, and the respondents had a really full level of understanding, I think you'd have an even much higher level of people who had an awful lot of concern. It might be the early stages of where we are at with things, even though it's just, it's an interesting response.
Tim Callan: I mean, there are, also though, I think sometimes in the world of security, you see this, well, I'm not a major bank. Who is going to do this to me?
Jason Soroko: It's the fallacy of the underdog.
Tim Callan: I wonder if there's an underdog fallacy going on here. For sure. That occurred to me. I also think it's interesting that man in the middle is actually the leader in the top two, even though it's the furthest out. And looking at this question, it doesn't clarify time. So someone might be saying, look, in the long run, I think this is something we need to worry about. And maybe that's what they meant when they answered this question. But I did see that it was interesting that man in the middle actually ranks above harvest and decrypt, which is a vulnerability you're facing right now, while man in the middle you’re not.
Jason Soroko: It does rank higher, but not a ton higher. So who knows.
Tim Callan: They’re all kind of clustered together.
Jason Soroko: They are clustered together. You ask the question, you get an answer. And I think this is one of these questions that got an answer, and I'm just glad to see that the majority of respondents aren't saying that it's all nothing. This is good.
Tim Callan: At least in general there's a high level of concern, which is what we want, because that's how people are going to take action.
All right. 23. What challenges have you experienced or expect to experience when implementing PQC? Again, this is a pick many with a bunch of things. So challenges you're experiencing. Top to bottom in terms of the number of people who picked it, starting with:
Coordination across teams - 56%
System complexity - 50%
Lack of expertise/skills gap - 49%
Legacy/outdated infrastructure - 47%
Lack of budget - 43%
Now it drops off.
Technically complex to implement - 38%
Unclear ROI - 29%
Don't know where to begin - 28%
Unexpected downtime/operational failure - 26%
Performance concerns - 25%
Internal silos/institutional barriers - 25%
Performance trade-offs and impacts - 25%
Lack of available HSM - 20%
Absence of clear ownership - 20%
Production or systems failure - 19%
And 2% said, we have no challenges.
Jason Soroko: Wow. No challenges at all.
Tim Callan: First of all, 98% of people feel that they have challenges.
Jason Soroko: And the coordination across teams, internal silos and absence of ownership are, to me, all kind of the same. And none of these answers are low, I would say. And the fact that coordination across teams came out as number one, that's really telling. And that's why, Tim, you and I, when we are talking about PQC as a topic, we quite often are talking about taking inventory of your cryptographic assets. I think for some of you who are responding to these answers, what we're learning here is taking inventory of teams who are responsible for cryptographic assets is part of your inventory taking. Some of you are even having a hard time doing that.
Tim Callan: I mean, I think there's actually a lot to dig in on this question. I think it's very interesting. So coordination across teams, yes, to your point, that is the top response. Again, and we alluded to this on an earlier question, where we talked about how there's many C-level stakeholders involved. One of the things that we see with PQC in particular is that cryptography touches everything.
And so, like, everyone's a stakeholder, and it's built into our technical systems in such a way that everyone in any kind of technical role has to be involved in the solution. This isn't a job just for the CISO or just for the CIO or just for the CTO. It is something that all of those groups and more need to be involved in, and so coordination across teams I can see as a big challenge.
Jason Soroko: It's one of the biggest challenges I think there is with it. Some organizations that I've seen, Tim, actually have this interesting structure where the team that's most familiar with this topic might not even have any kind of say or even knowledge about how cryptographic assets are used within the organization. They're just a client organization within the bigger sphere.
Tim Callan: Yes, absolutely. You get teams like security and compliance that have a very narrow focus, and they may have a lot to contribute in terms of understanding how, but then you've got different teams like IT and operations that have to actually implement it.
I mean, moving down the list, the next one is system complexity. I mean, I think this directly connects to what we were just saying. Again, this sometimes gets compared to Y2K, and I think there are some good comparisons to be made between Y2K and PQC, but one of the ways that it's very different is that in the case of Y2K we had to implement a series of independent fixes, like, oh, there's a bunch of places where we use a date. Let's go look at them and get them all fixed. But what we had much less of in the year 2000 than we do now is this complete tangled web of digital operations, to the point where everything touches everything else, and the net of digital operations today in 2025 is 25 years older than it was in 2000, and it's just so much more integrated and incredibly complex. And everything, everything, everything has a digital component. And so that's going to play a role in this for sure.
Jason Soroko: Tim, I'm really hoping that, once again, for a lot of these questions, we're very interested in what they're going to look like a year from now. And this is one where I'm really hoping that the internal challenges start to go down, and then more of the system challenges go up, because I would like for people to start actually tackling that exact problem that you're defining. Just 25+ years of just, oh my God, look how obsolete my stuff is.
Tim Callan: And that's number four – legacy/outdated infrastructure. That's an interesting - -
Jason Soroko: I'm hoping that goes up, and the "I don't even know how to start this problem by organizing my people" goes down.
Tim Callan: We've talked a lot about this legacy infrastructure thing. This is going to be a tough one. There's a bunch of stuff where you just deploy your patch and you move on, and that's fine, but there's a bunch of stuff where it's really not going to be that simple.
Jason Soroko: There's not going to be a patch for this problem. That's for sure.
Tim Callan: I think these are all valid problems. Lack of budget at 43%. Hopefully that's a temporary problem. That's what I would love to see drop off.
Jason Soroko: Budget allocation is actually ranked fairly high throughout most of the other questions. I think what this question is answering is, we have budget, it's just that now that we see the problem, it might not be enough.
Tim Callan: Do we have enough budget? That's true. That's good. In which case, again, I'd love to see that drop next year as people get their hands around the problem.
Jason Soroko: Exactly.
Tim Callan: All right. Question 24 – where does your organization face the most significant PQC-related skills gaps? Again, this is a pick many.
At the top: Implementation expertise - 54%
Cryptography expertise - 52%
Strategy development or roadmap planning - 47%
Risk assessment capabilities - 45%
Migration planning – 42%
Certificate management – 40%
Integration expertise – 38%
Incident Response related to PQC – 37% and
Legacy system modernization – 33%
We had 3% who reported we don't have any skills gaps.
Jason Soroko: No problem. We got this covered. I always love the ones that are, like, just kind of the ridiculous answers. Maybe somebody is just having fun with the way they're answering.
Tim Callan: But 3% is pretty small. Like, on a survey, you can ask any crazy thing, and 1% or 2% of people will pick it. I mean, that's pretty much universal coverage of people having a skills gap in some form.
So implementation expertise is at the top, followed by cryptography expertise.
Jason Soroko: Makes sense. It's a complicated space. I think, Tim, just having awareness of what's ML-DSA, what's SLH-DSA. Like, what the heck even is that requires a skillset that's rare, and I think it's part of what you're seeing here.
Tim Callan: I agree. I wasn't that surprised by this set of responses in all honesty. I was like, okay, I believe that. And that's what we're going to have to fix.
All right. 25. What barriers do you expect to experience during PQC implementation with your legacy systems?
Integration complexity - 53%
Compatibility issues - 49%
Aversion to downtime risk - 49%. That's an interesting one.
High cost of upgrades - 43%
Technical limitations or no PQC support - 41%
Employee skills gap - 39%
Lack of vendor support for PQC - 38%
Compliance or audit implications - 32%
Performance constraints and degradation - 30%
Organizational resistance to change - 22%
And we don't expect any barriers - 8%
So again, the question was, what barriers do you expect to experience during PQC implementation with your legacy systems?
So with that?
Jason Soroko: Tim, it's just there's no patch. This is going to have major implications. And we're struggling to figure out how to sort out what the future looks like. This is what this is saying, and it's what we've been saying all along. Once people are looking at this problem, it's a tough one.
Tim Callan: Integration complexity, compatibility issues. Sitting there very high. Also the next one, aversion to downtime risk. So I think this is another problem, right, which is, how are we going to do this with these systems that we depend on and keep them operating?
Jason Soroko: It's just tough. It's just tough for sure.
Tim Callan: All right. 26. Two more questions. Second to last question here. How confident are you in your current systems' ability to integrate PQC without major disruption? This is a pick one. So I'm going to go in descending order of confidence.
Extremely confident - 15%
Again, this is how confident are you in your current systems' ability to integrate PQC without major disruption?
Extremely confident - 15%
Very confident - 23%
Moderately confident – 34%
Somewhat confident – 28%
No confidence at all - Zero.
So what do you think of that?
Jason Soroko: Tim, it's interesting. I would like to know a bit more about which systems in particular are getting this, because it's an aggregate of all your systems.
Tim Callan: Yes. It’s systems plural, by the way. Systems apostrophe, not system apostrophe s. So they mean all your systems is how the question is written, but go on.
Jason Soroko: Therefore, there's actually quite a bit more confidence here than I would have expected, in terms of very confident and extremely confident coming in at, what is it? 38%.
Tim Callan: Between the two of them it's 38%.
Jason Soroko: So that's pretty high in terms of a lot of confidence. It’s obviously a lower number than the lower confidence, meaning there is less confidence in this pie chart than there is high confidence. On the other hand, the amount of higher-level confidence is actually a little bit surprising to me.
Tim Callan: I wonder if this is reflective of people just saying, well, look, we're going to crack our knuckles and get this done.
Jason Soroko: Maybe that’s what that's saying.
Tim Callan: We're not going to go back to pen and paper. We know that. So we're gonna figure it out. That's kind of what I see when I look at this.
Jason Soroko: I tell you what, I don't necessarily guarantee I see it, but I will hope that that's what it's saying for sure.
Tim Callan: All right. Last question, number 27. What are the most important factors and features when selecting a PQC solution support? So here's our choices again. This is a pick many, in descending order.
Integration with existing platforms and technologies - 58%
Ease of implementation - 55%
Automation options - 49%
Budget - 48%
Cryptographic agility - 43%
Support for current NIST PQC standards - 43%. Kind of low.
Ability to discover cryptographic assets - 39%
Support for hybrid certificates - 36%
And availability timeline - 31%
Jason Soroko: Screams out loud at the very top. Make whatever you're building, vendors, easy to implement. Absolutely. Those top three. Integration with existing platforms and technologies, ease of implementation and automation options. All up there at the top. I saw the same thing you saw, Jay, which is someone's looking at this and saying, oh my God, we're going to have to touch everything everywhere. How are we going to get this done? And again, I'm afraid of downtime. I'm afraid that I don't understand, really understand, the problem. How are we going to get this done? We need things that are integrated. We need things that are going to be easy for us to execute on, and we're going to focus on that.
Jason Soroko: I think this reads - and I'm glad this is the last question, because it really signals what the future needs to look like, which is, I think, that vendors in this space need to make solutions that really fit in seamless - as seamlessly as possible, because the problem is already so hard for customers. By providing answers that help them to integrate and automate and slide in solutions, which may not be possible entirely, but this is what the customer is looking for, and that reads really clear here.
Tim Callan: I agree with that.
So let me just take a second and say, if you're sitting and listening to this, and we were saying a lot of numbers, these things can be much easier to digest in chart form. So I'm going to point you at a couple of resources, one of which is there is a publication, a white paper, published by Sectigo with all the results from this survey, including a chart for every question we went over for both the 47-day and the PQC components of the research. So you can go and you can literally look at the raw numbers in a chart for every single question. And that's available from Sectigo. You can go download that from Sectigo’s website. So that's point number one that I recommend.
Point number two is that I believe that you and I, Jason, will be doing at least a couple of webinars on this, where we'll have the charts in front of us. Our analysis is going to be a lot like this, but again, you'll be able to see the numbers while we talk about it. So if that's something that would help you, those are coming up in the future. Keep your eyes peeled for that. And I think there was a lot of fascinating stuff here, personally.
Jason Soroko: Tim, I'm going to also offer that if you watch our YouTube video versions of these podcasts, which are in video form, I will be able to - -
Tim Callan: We can put up the charts.
Jason Soroko: We will put up the charts on the YouTube video. So please check out our YouTube channel.
Tim Callan: The majority of our listeners are still listening on audio. So this is a great opportunity, I think, to swap over to YouTube, and you can see the charts while we're discussing it. That's something we probably should have said at the top of this. But if that's something that'd be useful, that'll be there as well.
Jason Soroko: Perfect, Tim.
Tim Callan: Thank you, Jay.
Jason Soroko: Thank you.
Tim Callan: This has been Root Causes.
