Navigating the shift to post-quantum cryptography takes more than awareness; it requires a forward-looking strategy, crypto-agile architecture, and long-term planning across software and hardware. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Hart Montgomery, Technical Director at The Linux Foundation and a leading voice in cryptographic modernization. Together, they explore practical solutions and emerging standards that will define how organizations prepare for a quantum-secure future.

Hart Montgomery is the Technical Director at The Linux Foundation, specializing in post-quantum cryptography and secure blockchain architectures. With a PhD in lattice cryptography and a background as a blockchain researcher at Fujitsu, he brings deep expertise in both theoretical and applied security. Hart leads critical initiatives such as the Post-Quantum Cryptography Alliance and the Open Quantum Safe Project, helping secure the global open-source ecosystem through crypto agility and supply chain transparency. His unique blend of academic rigor and practical experience makes him a leading voice in post-quantum cryptography and secure software development.

Quantum security isn’t a project; it’s a phased transformation. Here’s a step-by-step roadmap to guide your organization through the post-quantum transition, from quick wins to long-term strategy.

The first step in quantum readiness is knowing what cryptographic assets you rely on and where they might be vulnerable. Hart highlights that over 90% of closed-source software contains open-source dependencies, many using outdated or insecure cryptographic algorithms like MD5 or single DES. To fix this, organizations must start by creating a Cryptographic Bill of Materials (CBOM) and Software Bill of Materials (SBOM) to expose hidden risks in the stack. From there, implement centralized cryptographic microservices to eliminate inconsistency and bring cryptographic controls under policy enforcement. Key Question: Can you confidently say where every cryptographic risk lives in your stack?

[08:39] Step 2: Target Low-Cost, High-Impact Migrations First
All cryptographic transitions are complex, but some are technically easier to implement with minimal performance impact. Start there. Hart points to TLS handshakes, ephemeral key exchanges, and messaging as ideal first steps, areas where larger PQ signatures and keys add little overhead. Organizations like Signal, Apple, and AWS have already migrated these areas, proving it's possible to build momentum while limiting operational risk. Start with what’s easy, then scale the lessons to more critical or complex systems. Key Question: What’s your TLS handshake worth in the quantum era?

[14:48] Step 3: Use the “Open Source Hamburger” to Rethink Software Supply Chain Risk
Modern software is built like a hamburger. You start with an open-source framework (the bottom bun), write a small layer of custom code (the meat), and stack on more open-source libraries (the top bun). According to Hart, that custom code might make up just 20% of your full application; the rest is open source that you didn’t write and might not fully understand. This model demands rigorous supply chain hygiene. Without a clear SBOM and CBOM, organizations risk inheriting vulnerabilities from long-abandoned GitHub repos or outdated crypto defaults buried in libraries. Treat every third-party dependency like a potential attack vector and standardize cryptographic practices across them. Key Question: Are you treating your software stack like your own or trusting a hamburger of unvetted, third-party code?

Quantum attacks aren’t here yet, but the threat is real today. Encrypted data can be harvested now and decrypted later once quantum computers become viable. For any data that must remain secure for 5–10+ years—think health records, financial transactions, or national security—this is a clear and present risk. Hart emphasizes that while we can’t predict exactly when quantum computers will break RSA or ECC, we can estimate how long data needs to remain secure. That risk equation alone should drive immediate planning, especially when factoring in hardware timelines for things like secure elements and smart devices. Key Question: Will your encrypted data still be safe in 2035?

Quantum migration isn’t a one-time change; it’s an ongoing capability. Crypto agility means designing systems that can switch algorithms, protocols, or key sizes as threats evolve or standards change. Hart advocates a “black box” model: developers shouldn’t choose cryptographic algorithms themselves. Instead, they should call secure APIs governed by central teams. This kind of agility already exists in tech-forward companies like Google and AWS, where cryptographic updates happen at the service level, not deep in app logic. Adopting this model now prevents lock-in and future-proofs your infrastructure. Key Question: Are your systems flexible enough to rotate cryptography with minimal code rewrites and business disruption?

IoT devices, embedded systems, smart meters—these components can't be updated overnight. They’re often deployed for a decade or more and may rely on cryptographic hardware that’s not post-quantum ready. For many organizations, this is the longest lead time in the entire migration process. As Hart warns, there’s often no choice but to replace or phase out outdated systems, and that requires years of planning, budgeting, and supply chain coordination. Secure hardware lifecycles must become part of your PQC strategy now, not later. Key Question: Have you identified cryptographic hardware in your infrastructure that must be upgraded and started planning its replacement?

Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.
Need help subscribing? Click here for step-by-step instructions.