Shielded: The Last Line of Cyber Defense
3, 5 or 8 Years? The Realistic Timeline for Migration and the Task That Can’t Wait
September 11, 2025
What if quantum computing feels like a distant threat, but your timeline to prepare is already running out? In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen welcomes Adrian Neal, Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini. Adrian shares the urgent realities of PQC migration, from why a three-to-five-year plan is really an eight-year journey to the performance shocks of new algorithms and the critical need for crypto-agility. Learn why apathy is the greatest risk, how regulatory pressure could unlock boardroom action, and where CISOs must start to build quantum-ready systems today.
As executives continue to postpone action, the window for preparing secure systems in the quantum era is rapidly closing. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Adrian Neal, Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, about the real timelines and challenges of PQC migration. Adrian explains why a “three-to-five-year” plan is unrealistic, why organizations should expect closer to eight years, and how unprepared boards risk panic and triage once the first quantum breakthrough hits. They discuss why crown-jewel systems must be prioritized, how banks and governments face different pressures, and why performance under PQC will shock existing infrastructure, illustrated by tests where an HSM fell from 10,000 transactions per second to just 200. From regulatory pressure that may be needed to drive boardroom buy-in to the hard truth that today’s algorithms may not last, Adrian delivers a candid warning: apathy will kill you. The time to act is now.


Adrian Neal is Senior Director and Global Lead for Post-Quantum Cryptography at Capgemini, where he advises governments, financial institutions, and global enterprises on preparing for the quantum era. With nearly four decades of experience spanning banking, defense, telecoms, and startups, Adrian has been at the center of major security transformations, from the early days of PKI to today’s post-quantum migration programs. His work focuses on helping organizations identify critical systems, manage dependencies, and design long-term strategies that combine technical execution with board-level buy-in.

Known for his candid perspective, Adrian warns that migration is closer to an eight-year journey than a three-year sprint, that crypto-agility is the only sustainable defense as algorithms evolve, and that apathy will kill you. His message is clear: the sooner organizations begin planning, the better chance they have to avoid panic, triage, and systemic disruption when the first quantum “black swan” arrives.

Your Roadmap to Quantum Resilience

[04:17] Step 1: Accept the Real Timeline

The biggest misconception Adrian encounters is the idea of a “three-to-five-year” migration. As he bluntly states, that only works if everything goes perfectly, and in the real world it never does. Organizations must plan for eight years at best, with the expectation of mid-course corrections and even emergency triage when hidden dependencies surface. Late action only makes the crunch sharper, as boards suddenly realize time has run out. Key Question: Are you planning for an idealized three-year sprint, or budgeting for the reality of an eight-year marathon?

[07:18] Step 2: Watch for External Signals

Quantum risk can feel abstract until regulators, supervisors, or global bodies spell out the consequences. Adrian points to the Bank for International Settlements, which recently warned of systemic financial collapse if banks fail to act. Similarly, the UK surveyed CISOs not to congratulate them, but to ask why nothing was happening. These signals are the early tremors, and ignoring them risks being blindsided when regulation becomes mandatory. Key Question: Are you treating industry warnings as background noise, or as early instructions to act before mandates arrive?

[12:23] Step 3: Stress-Test Your Infrastructure

Benchmarks on paper rarely match performance under real load. Adrian recalls a test where a PQC algorithm dropped a hardware security module from 10,000 transactions per second to just 200. That kind of shock will ripple through SLAs, capacity planning, and cost models. Enterprises can’t wait for standards alone; they need to start testing now to understand what PQC will mean for their unique environments. Key Question: Have you run PQC under production-like loads, or are you still trusting theoretical benchmarks?

[31:23] Step 4: Start With the Crown Jewels

When mapping a migration, not all systems are equal. Adrian insists the first priority must be crown-jewel systems, the assets so critical that losing them could put you out of business. By identifying these early and mapping their dependencies, organizations can build a critical-path plan, sequencing work in the right order and avoiding surprises later. Everything not on the critical path can be parallelized, but the critical path itself must be guarded fiercely. Key Question: Do you know which systems are truly crown jewels, and how delays there will cascade across your migration?

[34:17] Step 5: Design for Crypto-Agility

Even if today’s algorithms are standardized, Adrian cautions they may not last. History has already shown finalists falling apart late in the NIST process, and cryptographers warn that vulnerabilities may be found within five years. That means crypto-agility is no longer optional: organizations must decouple applications from crypto libraries, move to policy-driven controls, and be ready to swap algorithms without rewriting code. Governance is equally critical, because poor implementation, not just weak algorithms, will be the Achilles’ heel. Key Question: Can you change cryptography across your systems with a policy update, or would it take a rewrite in every app?
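
The policy-driven pattern Step 5 describes, as an added example that is not from the episode or from Capgemini: application code asks for protection by purpose, a policy document picks the algorithm, and each record carries its algorithm id so older data stays verifiable until policy retires it. HMAC variants from the Python standard library stand in for classical and post-quantum schemes; the function names, the `payments` purpose and the policy layout are assumptions.

```python
import hashlib
import hmac
import json

# Primitives behind stable identifiers. HMAC variants are stand-ins; a real
# deployment would register classical and PQC schemes from its crypto provider.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

# Constructed policy document: the only thing that changes during a migration.
POLICY = json.loads("""{
  "protect_with": {"payments": "hmac-sha256"},
  "accept": {"payments": ["hmac-sha256"]}
}""")


def protect(purpose, key, msg, policy=POLICY):
    """Tag msg with whatever algorithm policy assigns to this purpose."""
    alg = policy["protect_with"][purpose]
    # The algorithm id travels with the data so old records stay verifiable.
    return {"alg": alg, "tag": ALGORITHMS[alg](key, msg).hex()}


def verify(purpose, key, msg, envelope, policy=POLICY):
    """Accept only algorithms that policy still allows for this purpose."""
    alg = envelope.get("alg")
    if alg not in policy["accept"].get(purpose, []) or alg not in ALGORITHMS:
        return False  # retired or unknown algorithm: fail closed
    try:
        supplied = bytes.fromhex(envelope.get("tag", ""))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(ALGORITHMS[alg](key, msg), supplied)


def migrate(policy, purpose, new_alg, retire_old=False):
    """Return an updated policy; callers of protect/verify are untouched."""
    old = policy["protect_with"][purpose]
    accept = [a for a in policy["accept"][purpose] if not (retire_old and a == old)]
    if new_alg not in accept:
        accept.append(new_alg)
    return {
        "protect_with": {**policy["protect_with"], purpose: new_alg},
        "accept": {**policy["accept"], purpose: accept},
    }
```

Calling `migrate` without `retire_old` gives a transition window in which both algorithms verify; calling it with `retire_old=True` makes records tagged with the old algorithm fail verification, which is the switch that matters if an algorithm is broken.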

[21:38] Step 6: Leverage Regulation for Buy-In

For many CISOs, the hardest part isn’t technical, it’s convincing the board. Adrian highlights how legislation may actually be a friend, giving executives the leverage to unlock budgets by framing PQC as a compliance necessity. Without that pressure, boards tend to see migration as a cost center with no immediate revenue benefit. By aligning to regulatory timelines, CISOs can turn PQC from a “someday project” into a non-negotiable investment. Key Question: Are you waiting for regulators to force your hand, or using regulation as a tool to unlock boardroom commitment today?
