Shielded: The Last Line of Cyber Defense
Inventory, Agility, Reality: How FS-ISAC Sees the Path to PQC
September 25, 2025
What if quantum computing grabs the headlines, but the real risk is complacency about cryptography? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen welcomes Mike Silverman, Chief Strategy & Innovation Officer at FS-ISAC. Mike shares why treating cryptographic migrations as one-off projects leaves organisations exposed, how building inventories and risk-based models creates real readiness, and why crypto-agility, not quantum anxiety, is the foundation for long-term security. Learn how to prioritise crown-jewel systems, what timelines like 2030 and 2035 really mean, and why vendor coordination and PKI standards could decide the success of your migration.
As industries continue to treat cryptography as invisible plumbing, the risk of systemic disruption is growing. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Mike Silverman, Chief Strategy & Innovation Officer at FS-ISAC, about why complacency is more dangerous than quantum itself. Mike explains how decades of one-off migrations have left organisations brittle, why inventories and risk models are the essential starting point, and how cryptographic agility must become both a design principle and an organisational mindset. They discuss why timelines like 2030 and 2035 demand phased action, how vendor and supply chain readiness can make or break success, and why PKI standards and certificate interoperability are the hidden dependencies no one can ignore. From embedding PQC into normal app modernisation cycles to reframing the conversation for the boardroom, Mike delivers a pragmatic warning: you don’t need to boil the ocean, but you must start now.


Mike Silverman is Chief Strategy & Innovation Officer at FS-ISAC, the global, member-driven consortium dedicated to collective defense in financial services. In this role, he leads forward-looking initiatives on post-quantum cryptography, AI risks, cloud security, and sector resilience, helping financial institutions anticipate and prepare for the threats shaping tomorrow’s trust landscape.

With a career shaped by crisis response and industry collaboration, Mike has been at the center of efforts to align governments, regulators, and enterprises on how to secure financial systems under pressure, from pandemic coordination to the emerging quantum challenge. His work focuses on reframing cryptography as a first-class citizen, embedding it into inventories, risk models, and long-term technology refresh cycles that extend beyond any single algorithm.

Known for his pragmatic perspective, Mike stresses that the real danger is complacency, not just quantum breakthroughs. He argues that cryptographic agility is the only sustainable defense, that timelines like 2030 and 2035 demand phased and realistic planning, and that collective readiness across vendors and supply chains is non-negotiable. His message is clear: organisations don’t need to panic, but they do need to start now.

Your Roadmap to Crypto-Agility


[03:52] Step 1: Stop Treating Crypto as Plumbing

For decades, cryptography has been invisible, assumed to “just work” in the background. Mike argues this is the biggest blind spot. Every major migration, from DES to AES or from RSA-1024 to RSA-2048, has been treated as a painful one-off. That approach leaves organisations brittle and unprepared for the next wave of change. The lesson is clear: cryptography must be treated as a first-class citizen in security planning, with visibility, budget, and executive attention. Key Question: Are you still assuming crypto will take care of itself, or are you elevating it to a first-class security discipline in your organisation?


[09:58] Step 2: Define What Crypto-Agility Really Means

Mike recalls sitting in industry meetings where “crypto-agility” meant wildly different things to different stakeholders. FS-ISAC responded by publishing a sector-wide definition: the ability to swap algorithms (A→B) with minimal downtime, minimal disruption, and ideally no code changes. Achieving this requires both architectural foresight (decoupling crypto from applications) and organisational alignment (governance, vendor contracts, policy-driven controls). Key Question: If you had to change cryptography tomorrow, would it take a simple policy update or a rewrite across every app and vendor system?
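The decoupling described above can be made concrete. The following is an added example, not code from FS-ISAC or the episode: the application never names an algorithm; a policy object (assumed here to be loaded from configuration) chooses what to produce and what to accept, and every protected value carries its own algorithm identifier so that old and new algorithms can coexist during a transition and a retired algorithm can be rejected by policy alone. The MAC constructions, the `hmac-sha256`/`hmac-sha3-256` identifiers and the three policy versions are illustrative choices; the same shape applies to signatures or key exchange.

```python
"""Policy-driven algorithm selection with self-describing outputs (added example,
not part of the episode or any FS-ISAC publication)."""
import hashlib
import hmac

# Registry of supported MAC constructions, keyed by a stable algorithm identifier.
# Migrating A->B means adding one entry here and changing policy; callers never
# name an algorithm, so application code does not change.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Hypothetical policy documents; in practice loaded from configuration, not hard-coded.
# V1: legacy only.  V2: produce the new algorithm, still accept the old one (transition).
# V3: old algorithm retired; anything still carrying it is rejected.
POLICY_V1 = {"sign_with": "hmac-sha256", "accept": ["hmac-sha256"]}
POLICY_V2 = {"sign_with": "hmac-sha3-256", "accept": ["hmac-sha3-256", "hmac-sha256"]}
POLICY_V3 = {"sign_with": "hmac-sha3-256", "accept": ["hmac-sha3-256"]}


def protect(policy, key, message):
    """Return a self-describing token: '<alg-id>:<hex tag>'."""
    alg = policy["sign_with"]
    tag = ALGORITHMS[alg](key, message)
    return f"{alg}:{tag.hex()}"


def verify(policy, key, message, token):
    """Accept only algorithms the current policy allows, then check the tag."""
    alg, _, tag_hex = token.partition(":")
    if alg not in policy["accept"] or alg not in ALGORITHMS:
        return False  # retired or unknown algorithm: reject even if the tag would match
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed token
    expected = ALGORITHMS[alg](key, message)
    return hmac.compare_digest(expected, presented)


def migration_walkthrough(key=b"k" * 32, message=b"settlement batch 42"):
    """Show what each policy version does with tokens produced under V1 and V2."""
    legacy_token = protect(POLICY_V1, key, message)
    new_token = protect(POLICY_V2, key, message)
    return {
        "legacy_token_alg": legacy_token.partition(":")[0],
        "new_token_alg": new_token.partition(":")[0],
        "v2_accepts_legacy": verify(POLICY_V2, key, message, legacy_token),
        "v3_accepts_legacy": verify(POLICY_V3, key, message, legacy_token),
        "v1_accepts_new": verify(POLICY_V1, key, message, new_token),
        "v3_accepts_new": verify(POLICY_V3, key, message, new_token),
    }


if __name__ == "__main__":
    for k, v in migration_walkthrough().items():
        print(f"{k}: {v}")
```

The point of the walkthrough is the order of operations a real migration needs: first widen `accept` so both algorithms verify, then switch `sign_with`, and only once no legacy tokens remain in circulation remove the old identifier from `accept`. Each of those is a policy change, not a code change, which is the "ideally no code changes" bar in the definition above.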


[15:39] Step 3: Build Your Inventory and Risk Model

Silverman stresses a basic truth: you can’t secure what you can’t see. Few CISOs could raise their hand if asked, “Do you know where 100% of your keys are?” An accurate inventory (where keys live, how they’re managed, which algorithms they use, which systems depend on them) creates the foundation for prioritisation. Layering risk on top ensures crown-jewel systems and long-lived data are addressed first. Without this visibility, organisations risk wasting resources on the wrong assets. Key Question: Do you know where all your cryptographic keys and algorithms are, and which assets pose the highest risk if migration lags?


[20:15] Step 4: Plan for Legacy and External Dependencies

Even with a ten-year runway, Mike believes there will be legacy systems left behind. Large institutions with acquisitions face inconsistent policies, while smaller firms rely heavily on vendor products. Dependencies also extend beyond the enterprise: supply chains, PKI standards, certificate profiles and FIPS-validated libraries all dictate what’s feasible. Success depends on coordinated timelines with vendors and regulators, not just internal willpower.
Key Question: Are you aligning your migration plans with vendor readiness and global standards, or assuming you can solve it all in-house?


[26:31] Step 5: Embed PQC into Normal Modernisation Cycles

Boards balk at funding PQC as a standalone project. Mike reframes it: cryptographic upgrades should be part of ongoing app modernisation and lifecycle refresh. From mainframes and point-of-sale systems to operating systems and middleware, modernisation already happens in cycles. The right approach is to bake PQC into those existing refreshes, so cost and disruption are absorbed by processes organisations already budget for.
Key Question: Are you presenting PQC as an extra burden, or embedding it naturally into technology refresh cycles your board already funds?


[36:46] Step 6: Act Now, Without Fearmongering

Mike is clear: the sky isn’t falling. But the longer organisations delay, the harder and costlier the transition will be. Starting small (augmenting asset management, training staff, asking vendors the right questions) creates momentum without overwhelming the business. Crypto-agility is a journey measured in years, not months, and the best way to reduce fear is to begin.
Key Question: Are you waiting for the “perfect moment” to start, or taking small, practical steps today that build toward crypto-agility?


Episode Resources


Want exclusive insights on quantum migration? Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.
