The countdown has begun: by 2035, all public-key cryptography must be quantum-safe. Are you ready? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen welcomes Dustin Moody, the mathematician leading NIST's post-quantum cryptography standardization project, for an in-depth discussion on why organizations must act now. Moody shares essential insights into the 2035 implementation deadline, debunks common misconceptions, and provides actionable advice for building crypto-agile systems. Learn why the "harvest now, decrypt later" threat is imminent, how to assess your organization's quantum risk, and the key steps to take in the next 12 months to secure your digital future. Essential listening for cybersecurity leaders, architects, and decision-makers navigating the quantum security landscape.
With the 2035 deadline for post-quantum cryptography rapidly approaching, organizations must act immediately to ensure a smooth transition. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Dustin Moody, a mathematician at NIST, to discuss the practical steps organizations should take to prepare for this monumental shift in cryptography. They explore the critical timeline, common challenges, and how the post-quantum cryptography migration can be effectively managed.
What You'll Learn:
- How to build an effective PQC migration roadmap starting with a cryptographic inventory assessment.
- Why the 2035 deadline marks the end of the quantum-safe implementation journey, not the beginning.
- The essential role of crypto agility in maintaining long-term security resilience.
- How to evaluate whether hybrid cryptography schemes are right for your organization.
- Why "harvest now, decrypt later" attacks pose an immediate threat to sensitive data.
- Practical steps organizations can take in the next 12 months to begin PQC migration.
- How NIST’s standardization process is creating a toolbox of algorithms for different use cases.
- Why collaboration between government agencies, industry, and vendors is crucial for a successful transition.
Dustin Moody is a mathematician leading the post-quantum cryptography standardization project at the National Institute of Standards and Technology (NIST). Since 2016, he has led one of the most consequential cryptographic initiatives of our time, selecting and standardizing algorithms that will secure digital systems against quantum threats. As the principal architect of NIST’s post-quantum cryptography standards, Moody has played a pivotal role in establishing the 2035 migration timeline and crafting crucial guidance for organizations transitioning to quantum-safe cryptography. His work bridges the gap between theoretical cryptography and practical implementation, helping organizations understand and prepare for the post-quantum era through crypto agility, risk assessment, and strategic planning. Moody’s expertise, combined with his collaborative approach, makes him a leading authority on securing digital infrastructure against emerging quantum threats.
The year 2035 might sound far away, but if you're a large organization, your migration timeline starts now. As Dustin Moody warns, this isn’t going to be a quick plug-and-play switch. The good news? NIST has laid out a clear roadmap. Here’s how to get started step by step.
Your Roadmap to Post-Quantum Readiness:
[03:55] Step 1: Appoint a PQC Taskforce and Map Your Migration
2035 marks the end of your post-quantum transition, not the beginning. Large organizations may need a decade or more to migrate fully, meaning the planning must start immediately. Moody recommends building a dedicated internal team to lead the charge, assigning ownership, and developing a migration roadmap tailored to your systems and dependencies. The first foundational task is a cryptographic inventory, a deep dive into all the ways cryptography is used in your infrastructure. This includes both internally developed systems and supply chain components. Engaging with vendors, suppliers, and customers early ensures alignment and reduces friction later in the transition. Key Question: Have you built a dedicated team and started your roadmap, including a cryptographic inventory?
[13:22] Step 2: Design for Agility from Day One
Crypto agility isn’t a future nice-to-have; it’s a current necessity. Organizations need the ability to adapt cryptographic algorithms over time, responding to new threats and evolving standards without disrupting live systems. NIST’s formal definition of crypto agility includes the flexibility to update cryptographic components across software, hardware, protocols, and infrastructure—seamlessly. Implementing agility now ensures you’re not locked into today’s choices and gives you options to respond quickly if vulnerabilities are discovered down the road. Key Question: Are your systems built to evolve or will they need to be rebuilt the next time the landscape shifts?
[18:24] Step 3: Protect Long-Lived Data from Quantum Exposure
Quantum threats aren’t theoretical; they’re already impacting data security. According to Dustin, adversaries are actively collecting encrypted data today with the intent of decrypting it later, once quantum computing reaches maturity. This makes post-quantum readiness especially urgent for industries that manage data with long shelf lives—such as healthcare, finance, critical infrastructure, and national security systems. Even if your data is secure now, if it’s still sensitive a decade from now, it’s already vulnerable. While symmetric encryption like AES offers partial protection, the public-key encryption methods used to exchange keys are often the weakest link. Organizations must begin assessing where these vulnerabilities exist and how to mitigate them. Key Question: Are you still treating quantum threats as a future problem or are you protecting your data from being decrypted tomorrow?
[25:00] Step 4: Build Momentum with a 12-Month Action Plan
You don’t need to solve everything in a year, but you do need to start. The next 12 months should be focused on building momentum: resourcing your PQC strategy, launching your inventory, and plugging into real-world guidance from initiatives like NIST’s National Cybersecurity Center of Excellence. Use this time to learn from early adopters, experiment safely, and begin aligning teams around risk, infrastructure, and timelines. The transition may span a decade, but your first steps start today. Key Question: What progress will your organization be able to show by this time next year?