Post-Quantum Migration: A CISO's Roadmap
A 12-month playbook that takes you from 'we should look at PQC' to 'we are quantum-safe' — without breaking anything.
A pattern I've seen in conversations with sixty-plus CISOs: they know post-quantum is coming, they're glad somebody else is working on it, and they have no formal program. That's understandable in 2025. It's professionally indefensible in 2026. Here's how to get out from under it.
Month 1–2: Inventory
You can't migrate what you can't find. Build a Crypto Bill of Materials (CBOM) for every binary, container, function, and certificate in production. Most of our customers find primitive sprawl they didn't expect — including AES-128 where they assumed AES-256, and SHA-1 where they assumed SHA-256.
Month 3: Risk model
Triage by data lifespan, not service criticality. Anything you store for 7+ years (regulated data, IP, financial records) is the priority. Service availability is solvable later. Data confidentiality you've already lost is unrecoverable.
Month 4: Pick a deployment shape
Three choices: drop-in TLS sidecar (lowest application risk), SDK replacement (more performant), or eBPF runtime (no application changes, but harder to debug).
Month 5–7: Hybrid Kyber turn-up
Roll out hybrid X25519+Kyber-1024 (ML-KEM-1024 in FIPS 203 terms) mTLS across services in waves; hybrid means a session stays at least as strong as X25519 even if the Kyber side later turns out weaker than hoped. Start with low-criticality, low-customer-impact services. Expect to discover three broken TLS clients you forgot you had. Most of ours discover four.
Month 8–9: KMS bridge
Keep your existing AES-GCM data keys and re-wrap them under key-encryption keys derived from a Kyber (ML-KEM) encapsulation: the KMS publishes its encapsulation key, every wrap encapsulates a fresh shared secret that serves as the KEK, and only the KMS's decapsulation key can recover it. Your DEKs don't change; your KEKs become PQ-safe. This is the operationally cheap path to PQ-safe data at rest, provided the old, classically wrapped copies of the same DEKs are retired as well; a harvested copy of one of those undoes the work.
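As an added illustration (not the author's code or any vendor's product), here is that KMS bridge written against Go 1.24's standard library, which ships ML-KEM, the standardized Kyber, as crypto/mlkem; the record layout, the function names, and using the KEM shared secret directly as the AES-256-GCM wrapping key are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
)

// WrappedDEK is stored beside an existing data key: the DEK is unchanged, only its wrapping KEK is PQ-safe.
type WrappedDEK struct {
	KEMCT  []byte // ML-KEM-1024 ciphertext; only the KMS can decapsulate the KEK from it
	Sealed []byte // nonce || AES-256-GCM(KEK, DEK), with KEMCT bound as associated data
}
// NewKMSKey generates the ML-KEM-1024 key pair; only the KMS ever holds the private half.
func NewKMSKey() (*mlkem.DecapsulationKey1024, error) { return mlkem.GenerateKey1024() }

// aeadFor uses the 32-byte ML-KEM shared secret directly as the AES-256 KEK (FIPS 203 allows that).
func aeadFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithRandomNonce(block) // Seal prepends a fresh random nonce
}

// WrapDEK needs only the public encapsulation key, so any service can wrap;
// the KEK is encapsulated fresh per call and never leaves this function.
func WrapDEK(dek []byte, ek *mlkem.EncapsulationKey1024) (*WrappedDEK, error) {
	kek, ct := ek.Encapsulate()
	aead, err := aeadFor(kek)
	if err != nil {
		return nil, err
	}
	return &WrappedDEK{KEMCT: ct, Sealed: aead.Seal(nil, nil, dek, ct)}, nil
}

// UnwrapDEK needs the private key. ML-KEM rejects a tampered ciphertext implicitly
// (it yields a random KEK), so GCM authentication fails rather than returning a wrong DEK.
func UnwrapDEK(w *WrappedDEK, dk *mlkem.DecapsulationKey1024) ([]byte, error) {
	kek, err := dk.Decapsulate(w.KEMCT)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nil, w.Sealed, w.KEMCT)
}
```

Each wrap produces a new KEM ciphertext, so two wraps of the same DEK never share a KEK or a nonce, and a record whose ciphertext was altered in storage fails to unwrap.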
Month 10–11: Long-term archive re-encryption
Cold backups and immutable archives are the highest-value harvest-now targets: whoever copies them today can wait for a quantum computer to read them. Re-encrypt them under keys wrapped with hybrid Kyber (the KEM protects the key; the bulk data stays under a symmetric cipher). Yes, this is slow. Yes, it has to happen.
Month 12: Crypto-agility audit
Once you're PQ-safe, prove you can rotate primitives in a controlled exercise. If you can't rotate Kyber-1024 → Kyber-768 in one production exercise, you're not really agile. NIST will change parameters again before 2030.