Content provided by Cath Firmin. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Cath Firmin or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://staging.podcastplayer.com/legal.

Your Hardware Refresh Is a Quantum Deadline with Mamta Gupta

39:38
 
Quantum threats are no longer theoretical, and waiting could cost you. In this episode of Shielded: The Last Line of Cyber Defense, Johannes Lintzen is joined by Mamta Gupta, a quantum physicist turned cybersecurity strategist at Lattice Semiconductor. Together, they break down how crypto agility, hardware-based trust anchors, and PQC readiness are now essential for any organization managing long-lifecycle systems. You’ll come away with practical steps to assess, upgrade, and future-proof your cryptographic infrastructure.
What You'll Learn:
  • Why crypto agility is no longer optional and how to implement it in hardware and software
  • How FPGAs provide a reprogrammable foundation for future-ready root-of-trust design
  • What the “Harvest Now, Decrypt Later” threat means for long-term data protection
  • How to assess PQC readiness in three strategic steps: visibility, trust anchor evaluation, and vendor analysis
  • How to navigate diverging regulatory mandates from CNSA 2.0 (U.S.) and ENISA (EU)
  • What it really takes to align internal stakeholders for a successful PQC transition

Mamta Gupta is the Senior Director of Strategic Business Development for Security, Telecommunications, and Data Centers at Lattice Semiconductor. With a master’s degree in quantum physics, specializing in superfluidity, superconductivity, and critical phenomena, she brings a rare blend of theoretical insight and real-world engineering to the cybersecurity space. She has led key PQC strategy efforts at Lattice, helping develop quantum-resistant FPGA-based architectures and secure supply chain practices. A leading advocate for confronting the “Harvest Now, Decrypt Later” threat, Mamta is known for her pragmatic, cross-functional approach to building crypto-agile infrastructure.
Your Roadmap to Post-Quantum Readiness:

[00:06:05] Step 1: Understand the Real Threat: “Harvest Now, Decrypt Later”
The quantum threat is already operational, not hypothetical. Adversaries are actively collecting encrypted data today with the goal of decrypting it once quantum computers reach maturity. This tactic, known as "Harvest Now, Decrypt Later," means data with a long shelf life, such as health records, financial data, and national infrastructure, is already at risk. Waiting for quantum computing to become mainstream before acting is a critical miscalculation. Organizations must treat post-quantum cryptography as a present-day risk mitigation priority, not a future optimization. Key Question: Are you taking immediate steps to protect long-lived data from eventual quantum decryption?

[10:43] Step 2: Design for Crypto Agility Across Hardware and Software
The pace of cryptographic change is rapid; regulatory mandates, algorithm approvals, and threat intelligence evolve constantly. At the same time, the life cycle of deployed hardware can stretch over a decade. This disconnect demands systems that are flexible by design. Crypto agility ensures that organizations can upgrade algorithms, rotate keys, and adapt trust models without re-architecting infrastructure or replacing physical components. Without agility, today’s protections could become tomorrow’s liabilities. Key Question: Is your infrastructure architected to support cryptographic evolution across its full lifecycle?
[14:38] Step 3: Run a Three-Part PQC Readiness Assessment
Before launching a migration, organizations need full visibility into their current cryptographic environment. This begins with a cryptographic inventory: a review of all firmware, certificates, and keys, and of the algorithms used to protect them. Next, evaluate your trust anchors (components like secure boot mechanisms, TPMs, or silicon-based keys) to identify weak points or dependencies on outdated cryptographic methods like RSA or ECC. Finally, conduct a vendor readiness check across your digital supply chain. Determine whether suppliers of silicon, firmware, or software are equipped to support PQC or whether they introduce downstream risk. This structured assessment turns uncertainty into a prioritized roadmap for upgrading your infrastructure with confidence. Key Question: Have you completed a full assessment of your cryptographic assets, trust anchors, and vendor readiness?
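
A minimal sketch of the certificate part of that inventory, added here as an illustration and not taken from the episode: it parses trimmed `openssl x509 -noout -text` output and ranks each asset by its dependence on RSA or ECC. The sample certificates are constructed, and the function name, priority labels, the ML-DSA name list and the 2030 cutoff (borrowed from the CNSA 2.0 date in Step 7) are assumptions.

```python
import re
from datetime import datetime

# Key-algorithm names as printed by `openssl x509 -text` for the legacy families.
VULNERABLE = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECC"}
# Assumption: names a PQC-capable OpenSSL build prints for ML-DSA keys/signatures.
PQC = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}
FIELDS = {"subject": r"Subject: (.+)", "sig_alg": r"Signature Algorithm: (\S+)",
          "key_alg": r"Public Key Algorithm: (\S+)", "not_after": r"Not After : (.+) GMT"}

# Constructed sample input (not real certificates), trimmed to the fields used.
SAMPLE = """\
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
            Not After : Jan  1 00:00:00 2041 GMT
        Subject: CN = Example Firmware Signing Root
            Public Key Algorithm: rsaEncryption
Certificate:
        Signature Algorithm: ecdsa-with-SHA256
            Not After : Jun 30 23:59:59 2027 GMT
        Subject: CN = gateway.example.internal
            Public Key Algorithm: id-ecPublicKey
Certificate:
        Signature Algorithm: ML-DSA-65
            Not After : Jan  1 00:00:00 2041 GMT
        Subject: CN = Example PQC Pilot Root
            Public Key Algorithm: ML-DSA-65
Certificate:
        Signature Algorithm: sha384WithRSAEncryption
            Not After : Jan  1 00:00:00 2036 GMT
        Subject: CN = Example PQC Device Cert
            Public Key Algorithm: ML-DSA-65
"""

def inventory(text, cutoff_year=2030):
    """Return one record per certificate, most urgent first."""
    rows = []
    for block in text.split("Certificate:")[1:]:
        rec = {k: (m.group(1).strip() if (m := re.search(p, block)) else None)
               for k, p in FIELDS.items()}
        expiry = (datetime.strptime(rec["not_after"], "%b %d %H:%M:%S %Y")
                  if rec["not_after"] else None)
        if rec["key_alg"] in VULNERABLE:
            # A missing expiry is treated as long-lived (fail closed).
            long_lived = expiry is None or expiry.year >= cutoff_year
            rec["family"] = VULNERABLE[rec["key_alg"]]
            rec["priority"] = "high" if long_lived else "medium"
        elif rec["key_alg"] in PQC and rec["sig_alg"] in PQC:
            rec["family"], rec["priority"] = "PQC", "ok"
        else:
            # Unrecognised algorithm, or a PQC key certified by a classical signature.
            rec["family"] = "PQC" if rec["key_alg"] in PQC else "unknown"
            rec["priority"] = "review"
        rows.append(rec)
    order = {"high": 0, "review": 1, "medium": 2, "ok": 3}
    return sorted(rows, key=lambda r: order[r["priority"]])
```

On the sample, the RSA firmware signing root valid to 2041 ranks first, and the ML-DSA device certificate is held for review because its issuer signed it with RSA.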

[17:21] Step 4: Build a Crypto-Agile Root of Trust Using FPGAs
The root of trust is the foundational layer of system security, and its resilience is essential in a post-quantum world. Field Programmable Gate Arrays (FPGAs) offer a key advantage over ASICs: reprogrammability. With FPGAs, cryptographic algorithms can be updated after deployment, providing the agility needed to respond to evolving standards and threats. They also enable secure firmware validation, hybrid cryptography, and alignment with upcoming compliance deadlines without requiring hardware swaps. Deploying FPGAs as the root of trust creates a flexible security architecture that supports long-term cryptographic adaptability. Key Question: Does your hardware architecture support post-deployment cryptographic updates without physical replacement?
[25:33] Step 5: Architect Hybrid Cryptography with Strategic Intent
Transitioning to post-quantum cryptography doesn’t mean abandoning classical algorithms immediately. Hybrid cryptography, running both classical and quantum-safe algorithms in parallel, offers a way to maintain current protections while building future resilience. However, this approach adds complexity in key management, execution order, and performance optimization. Systems must be designed to support multiple key types and enforce clearly defined policies on trust precedence and key retirement. A well-architected hybrid model ensures security and agility without introducing operational friction. Key Question: Have you developed a hybrid cryptography strategy that balances performance, policy, and long-term resilience?
[31:13] Step 6: Launch a Cross-Functional PQC Pilot
A pilot is the fastest way to move from theory to execution. By testing PQC readiness in a contained environment, organizations can surface critical constraints, such as firmware signing limitations, key size restrictions, or vendor gaps. Pilots also help unify teams across engineering, compliance, and leadership, creating a shared understanding of what the PQC transition entails. Running a pilot allows for experimentation, measurement, and iteration before committing to large-scale deployment. It’s a low-risk, high-leverage way to build momentum and organizational buy-in. Key Question: What would it take to launch a practical PQC pilot inside your organization in the next 90 days?
[36:56] Step 7: Build a 12-Month Action Plan Aligned to Regulatory Timelines
PQC migration is not a weekend upgrade; it’s a multi-year journey that requires strategic pacing. CNSA 2.0 mandates post-quantum protections in all new systems by 2030, and enforcement has already started impacting procurement. ENISA, the EU cybersecurity agency, has also issued guidance with specific requirements for hybrid cryptography. Organizations must build an actionable 12-month plan that includes cryptographic audits, vendor engagement, proof-of-concept evaluations, and measurable internal milestones. Aligning to regulatory timelines now ensures you don’t lose compliance or customers later. Key Question: How are you structuring your next 12 months to show measurable PQC progress aligned with global regulations?
Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.