
Post-quantum readiness: what IAM and security teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Post-quantum readiness becomes operational only when organisations combine hybrid cryptography, certificate lifecycle discipline, executive governance, and continuous measurement, according to DigiCert, as shown by examples from Migros and NTT DATA. The practical lesson is that PQC migration is a governance programme, not a one-time cryptographic swap.

NHIMG editorial — based on content published by DigiCert: 2 award-winning approaches to enterprise quantum security

Questions worth separating out

Q: How should enterprises plan a post-quantum cryptography migration without disrupting operations?

A: Start by inventorying certificates, encryption dependencies, and sensitive data flows, then classify which systems need hybrid cryptography during transition.

Q: Why does certificate lifecycle management matter so much for PQC readiness?

A: Because PQC readiness depends on knowing where certificates live, how long they remain valid, and which services rely on them.

Q: What do security teams get wrong about quantum-safe planning?

A: They often treat PQC as a one-time algorithm replacement instead of an operating discipline.

Practitioner guidance

  • Map cryptographic dependencies across the estate: identify every certificate, encryption pathway, and sensitive data flow that could be affected by PQC migration, including cloud and sovereign-cloud services.
  • Use hybrid cryptography as an operating model: run classical and post-quantum modes in parallel where interoperability matters, and validate that policy enforcement is consistent across both.
  • Rehearse short-lived certificate rotation: adopt short-lived certificates where feasible so teams can practise issuance, rotation, and rollback at production pace.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How Migros structured its centre of excellence, executive policy, and education programme for quantum readiness
  • How NTT DATA operationalised 47-day certificates and hybrid cryptography across multi-cloud environments
  • Which governance and reporting tools were used to track progress and validate encryption-in-transit analysis
  • What the award-winning programmes did differently across business leadership, technical adaptation, and measurement

👉 Read DigiCert's analysis of enterprise quantum readiness and PQC migration →

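The inventory and rotation-rehearsal steps in the guidance above, as an added worked example that is not part of the original post and is not tooling from DigiCert, Migros or NTT DATA. It assumes the Python `cryptography` package is installed, generates three self-signed certificates in-process as constructed test data (a long-lived legacy RSA certificate, a fresh 47-day ECDSA certificate and a 47-day Ed25519 certificate that missed its renewal window), classifies each by public-key algorithm, and flags the ones that are overdue for rotation. The "renew at two thirds of lifetime" trigger, the `NOW` date and the hostnames are assumptions made for the illustration.

```python
"""Certificate inventory and rotation check for PQC migration planning.

Added illustration, not tooling from DigiCert, Migros or NTT DATA. Assumes
the `cryptography` package is installed. The certificates are constructed
test data generated in-process; the renew-at-2/3-of-lifetime trigger is an
assumed policy, not one stated in the article.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
NOW = dt.datetime(2025, 1, 15, tzinfo=UTC)  # fixed "today" (constructed) so the report is reproducible
RENEW_AT_FRACTION = 2 / 3  # assumed policy: rotate once 2/3 of the lifetime has elapsed
# Key types whose security rests on factoring or discrete logs, which Shor's algorithm
# breaks. Anything else is reported as "unknown" for manual review rather than guessed.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "Ed25519"}


@dataclass
class CertRecord:
    subject: str
    key_algorithm: str
    key_bits: int
    not_after: dt.datetime
    days_remaining: int
    renew_by: dt.datetime
    overdue: bool
    quantum_vulnerable: bool


def key_algorithm(public_key) -> tuple[str, int]:
    """Map a public key object to (algorithm name, key size in bits)."""
    if isinstance(public_key, rsa.RSAPublicKey):
        return "RSA", public_key.key_size
    if isinstance(public_key, ec.EllipticCurvePublicKey):
        return "ECDSA", public_key.curve.key_size
    if isinstance(public_key, ed25519.Ed25519PublicKey):
        return "Ed25519", 256
    return "unknown", 0


def _validity(cert: x509.Certificate) -> tuple[dt.datetime, dt.datetime]:
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    try:  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive datetimes that are already UTC
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))


def inventory(pem_certs: list[bytes], now: dt.datetime = NOW) -> list[CertRecord]:
    """Parse PEM certificates into records flagged for PQC migration and rotation."""
    records = []
    for pem in pem_certs:
        cert = x509.load_pem_x509_certificate(pem)
        subject = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        algo, bits = key_algorithm(cert.public_key())
        not_before, not_after = _validity(cert)
        renew_by = not_before + (not_after - not_before) * RENEW_AT_FRACTION
        records.append(CertRecord(
            subject=subject, key_algorithm=algo, key_bits=bits, not_after=not_after,
            days_remaining=(not_after - now).days, renew_by=renew_by,
            overdue=now > renew_by, quantum_vulnerable=algo in QUANTUM_VULNERABLE,
        ))
    return records


def migration_report(records: list[CertRecord]) -> dict:
    """Summarise what a PQC programme would want on its tracking dashboard."""
    overdue = sorted((r for r in records if r.overdue), key=lambda r: r.days_remaining)
    return {
        "total": len(records),
        "quantum_vulnerable": sum(r.quantum_vulnerable for r in records),
        "overdue_rotation": [r.subject for r in overdue],
        "expiring_within_14d": [r.subject for r in records if r.days_remaining <= 14],
    }


def _self_signed(cn: str, key, age_days: int, lifetime_days: int, now: dt.datetime) -> bytes:
    """Build a self-signed test certificate issued `age_days` ago (constructed data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    not_before = now - dt.timedelta(days=age_days)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(not_before + dt.timedelta(days=lifetime_days)))
    sig_hash = None if isinstance(key, ed25519.Ed25519PrivateKey) else hashes.SHA256()  # EdDSA takes no hash
    return builder.sign(key, sig_hash).public_bytes(serialization.Encoding.PEM)


def build_sample_estate(now: dt.datetime = NOW) -> list[bytes]:
    """Three constructed certificates: legacy RSA (398-day, 300 days old), a fresh 47-day
    ECDSA cert (10 days old) and a 47-day Ed25519 cert that missed renewal (40 days old)."""
    return [
        _self_signed("legacy-rsa.example", rsa.generate_private_key(65537, 2048), 300, 398, now),
        _self_signed("api.example", ec.generate_private_key(ec.SECP256R1()), 10, 47, now),
        _self_signed("svc-mesh.example", ed25519.Ed25519PrivateKey.generate(), 40, 47, now),
    ]


if __name__ == "__main__":
    recs = inventory(build_sample_estate())
    for r in recs:
        print(f"{r.subject:20} {r.key_algorithm}-{r.key_bits:<4} {r.days_remaining:3}d left  overdue={r.overdue}")
    print(migration_report(recs))
```

Every key type in the sample estate is flagged as quantum-vulnerable, which is the point: an inventory that only looks at expiry dates would report the fresh ECDSA certificate as healthy, whereas a PQC programme needs the algorithm column to know which issuers and trust stores must move to hybrid or post-quantum chains. Replace `build_sample_estate()` with PEM files read from your own certificate stores to run it against a real estate.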



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Quantum readiness is becoming a lifecycle governance problem, not a cryptography-only project. The article shows that enterprise preparation now depends on inventory, prioritisation, policy enforcement, and renewal discipline, not just algorithm selection. That makes PQC migration structurally similar to other identity lifecycle programmes where visibility and accountability determine whether change can be executed safely. Practitioners should treat certificate and encryption dependencies as governed assets, not background infrastructure.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility.

A question worth separating out:

Q: Who should own quantum readiness across identity and infrastructure teams?

A: Ownership should sit with a governance model that spans security, infrastructure, and business leadership. PQC affects certificates, workload identity, and service continuity, so responsibility has to be shared and reported at executive level, not left to a single technical team.

👉 Read our full editorial: Quantum readiness needs governance, not just cryptography upgrades


