One year ago, NIST released its long‑awaited post‑quantum cryptography standards, marking the official start of the migration to quantum‑safe security. It was the moment everyone had been “waiting for” but did it really kickstart the shift?

In this anniversary episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen brings back some of the most important voices in the PQC conversation to revisit where we were, where we are, and where we need to go next:

Together, they deliver an unvarnished look at what’s changed in the 12 months since the standards were finalized and what still needs urgent attention.

What You'll Learn:

This is a rare, roundtable-style single-guest interview featuring voices from government, industry, and research in one conversation. If you need to understand not just why PQC migration matters but how to start, this is your playbook.

[00:45] Step 1: Busting the “Quick Switch” Myth –  A Year Later
When NIST released its PQC standards last year, a lot of organizations exhaled, assuming the hard part was over. “Great,” they thought, “we’ll just swap in the new algorithms and move on.” But as Dustin Moody warned then, and has proven true over the past 12 months, this migration isn’t that simple. It’s not just a patch or an update; it’s a deep, sometimes painful overhaul of systems, processes, and mindsets. One year on, companies are discovering that waiting doesn’t make the work easier, it makes it messier. Key Question: One year in, are you still treating PQC migration as “future work,” or are you finally planning for the hard parts?

[03:31] Step 2: This Migration Isn’t Optional – And Year One Proved It
When Dr. Garfield Jones said, “This migration shouldn’t be optional,” it sounded like a wake‑up call. A year later, it’s not just a warning, it’s policy. Government memos, executive orders, and procurement rules have already started pushing companies to act, with federal agencies asking for cryptographic inventories and refusing to work with vendors who can’t demonstrate progress. The message is blunt: if your systems aren’t on the migration path, you could be locked out of contracts or entire markets. Year one proved the pressure is real, and year two will only raise the stakes. Key Question: Are you keeping pace with mandates, or will you watch opportunities dry up as compliance deadlines kick in?

[09:14] Step 3: Start With a Real Inventory – And Keep It Current
A year ago, Bas Westerbaan of Cloudflare told us that the first step in PQC migration was a thorough cryptographic inventory. That advice hasn’t changed but the past year has shown just how hard that job is in reality. Most organizations don’t have a full picture of where cryptography lives across their systems, what protocols are in use, or even which data is most sensitive. Without that map, every other decision becomes reactive, and every fix becomes a scramble. One year later, companies that didn’t start this work are already struggling to answer the simplest question: “Where do we even begin?” Key Question: Is your cryptographic inventory still a “to‑do,” or have you turned it into a living, updated map of risk?

[15:39] Step 4: Crypto Agility – From Concept to Year‑One Reality
A year ago, John Ray warned that if we hard‑coded PQC algorithms the way we did with RSA and ECC, we’d just be setting ourselves up for another trap. That warning has aged well. In the past year, crypto agility has shifted from an abstract “future‑proofing” buzzword into an urgent architectural reality. Companies are already seeing that systems without flexibility turn every new standard or algorithm change into an expensive nightmare. The smartest teams are designing infrastructure so the back‑end decides what algorithm to use, instead of forcing every application to be rebuilt. Key Question: Are you building systems that can adapt, or are you locking yourself into brittle ones you’ll regret later?

[18:17] Step 5: The Hardware Gap – Still a Ticking Clock
Mamta Gupta flagged it last year, and it’s even sharper now: hardware lives on a different timeline. Devices being shipped today are designed to last 10–15 years but the cryptography inside them might not even last five. Standards are evolving, threats are evolving faster, and anything rigid will be obsolete long before it’s retired. In year one, we’ve already seen how this mismatch turns into a headache for companies that didn’t build in an upgrade path. The clock is still ticking, and the gap isn’t closing on its own. Key Question: Are you designing hardware for the future, or are you shipping next year’s legacy problems?

[21:49] Step 6: Compliance – A Moving Target, Still Moving
One year on, compliance hasn’t “settled down” the way some expected. Frameworks like FIPS 140‑3 and certification rules are still evolving, and Cassie Crossley warns that algorithms considered safe today might not pass tomorrow’s tests. For companies that locked in too early, that means costly rework; for companies that waited, it means they still can’t sit still. This is why crypto agility isn’t just a “nice idea,”  it’s survival. PQC isn’t a single migration; it’s an ongoing process of adaptation. Key Question: One year after standards dropped, are you ready for the next round of compliance changes?

Want exclusive insights on post-quantum security? Stay ahead of the curve - subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.

Need help subscribing? Click here for step-by-step instructions.