Transitioning to Quantum-Safe Encryption with enQase

The transition to post-quantum cryptography isn’t a single event. It’s a long migration that most organizations haven’t started. The threat is already active: adversaries are harvesting encrypted data today and holding it until quantum computers become sufficiently stable to decrypt it. Meanwhile, there is no clear owner of encryption inside most enterprises. It’s embedded across networks, applications, devices, and infrastructure, making coordinated action difficult. Compounding the challenge, global fragmentation is emerging as different countries and regions develop their own post-quantum algorithm standards. Organizations may soon need to support multiple crypto suites depending on who they’re doing business with. Most boards aren’t demanding a quantum solution today, but the window for orderly, deliberate planning is closing fast.

In this episode, Raj Patil, CTO at enQase, explains how enQase’s full-stack platform helps enterprises implement quantum-safe security through a structured, integrated approach. This covers everything from cryptographic asset discovery and governance to out-of-band key generation for network appliances, without requiring organizations to rip and replace existing infrastructure. Joining him are Ross Young, co-host at CISO Tradecraft, and Adam Palmer, CISO at First Hawaiian Bank.

Want to know:

  • Why is the post-quantum cryptography transition harder than simply implementing new standards?
  • What three factors should frame every CEO conversation about quantum risk?
  • Where should a highly regulated enterprise start, and what can reasonably wait three to five years?
  • Why should we be planning for “harvest now, decrypt later” attacks right now?
  • How do you build and track a cryptographic bill of materials across hundreds of applications and devices?
  • Why is crypto agility more important than picking the perfect algorithm?

Check out the episode for the answers you need.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, enQase

enQase is the only USA-based, full-stack quantum-safe security platform that unifies proven cryptography, quantum hardware grounded in physics, and a powerful integration layer to deliver comprehensive protection and crypto agility for the quantum era. enQase: The key to quantum-safe protection. Visit enQase.com

Full Transcript

[Voiceover]  Connecting security solutions with security leaders, Security You Should Know starts now. 

[Rich Stroffolino]  Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today, we’re going to be talking with enQase and what they are doing with quantum encryption. Definitely, increasingly, something that we’re seeing in the news, we’re seeing industry discussions about. It’s on the tip of everybody’s lips, so I’m super excited for this conversation. Now, the problem that they’re addressing, it’s the transition to post-quantum cryptography. We all know we need to get there at some point. How do we start doing that? How do we keep doing that? Helping us get some answers to these questions are Ross Young, the co-host at CISO Tradecraft, and Adam Palmer, CISO at First Hawaiian Bank. Ross, I’m going to start with you. Why is transitioning to post-quantum cryptography, why is that a problem? 

[Ross Young]  Yeah, so every so often, encryption gets better, and it gives us abilities to start securing things more securely. And if you don’t keep up with that, then bad things happen. We’re already seeing examples where the Chinese MSS party breaks into telecoms. So, if they can break into telecoms and steal your text message or start tapping the telecoms to see your internet-connected traffic, well, I want to make sure they can’t decrypt my traffic because I have post-quantum-proof encryption. Same thing on laptops and phones. If that can easily be broken, more data can be stolen. So, it’s something we need to make sure we plan for because it might not come out in just a day to roll this out across a whole organization. This is something that’s going to take months for organizations to roll out. 

[Rich Stroffolino]  All right. So Adam, why are we still struggling with transition to post-quantum cryptography? It seems like we have some standards out there now to kind of adopt. Why the struggle? 

[Adam Palmer]  Yeah, great question. I think as a CISO, my board, and I think most boards of directors, don’t expect me to produce a quantum solution today, but they expect that as the CISO for a bank, that I understand the timeline and that I have a roadmap. And I believe that quantum isn’t necessarily a day-one crisis and catastrophe, but it’s going to be a long cryptographic migration journey, and I believe that smart security leaders, smart, forward-thinking CISOs need to start planning now. 

[Rich Stroffolino]  So, today we’re going to be talking with Raj Patil, the CTO over at enQase. Now to start out, we’re answering three essential questions. Raj, you need to help us out here. How do I explain the value of your solution to my CEO? What does your solution do and what does it not do? And what is the pricing model? Can you help us out, give us these preliminaries? 

[Raj Patil]  Sure, Rich. I’m very happy to be here. So, when you start speaking to the CEO, I think we recommend not starting with the quantum computers, the algorithms, or physics. Start with the basic shift in our assumptions, assumptions we have been very comfortable with for the past few decades. For decades, we have relied on central mathematical foundations to protect our digital trust. So, everything that we do has been used by mathematics. Quantum computers don’t break those overnight, right? It’s a challenge, that long-term durability of those assumptions, it does challenge that. 

This change impacts the organization at multiple levels. There’s a risk to the business, reputation, and compliance requirements. It’s an inevitable scenario that we need to address. So, again, these are three important factors to it. So, you’re looking at the risk, the timeline, and the cost. So, the conversation with the CEO essentially would be around those three and say are we willing to take the risk if it happens, not when it happens? And what are we going to do in terms of the timelines? When are we going to really start looking at this in terms of planning it out and executing it? And the last one is, of course, it’s about the cost. It’s all about protecting long-term business value and maintaining the trust in changing cryptographic landscape while remaining compliant with regulatory requirements. 

So, the second question was, what do you do and what you don’t do? enQase provides a full-stack platform that enables enterprises to implement quantum-safe security in a structured and integrated way. Our platform includes both physics-based hardware and software. So, that’s why we are a full-stack quantum encryption company. So, we deliver a unified control layer, bringing together Post-Quantum Cryptography, centralized key governance, hardware-rooted entropy, and policy enforcement across data in transit as well as data at rest. We help organizations with their entire journey from discovering their existing crypto assets, help prioritize and implement those, and take care of everything that probably is required. What we don’t do is we do not ask you to replace your entire infrastructure. We work with what you have in place. We do not require you to rewrite most of the applications. We don’t expect you to hire PhDs in quantum computers or cryptography to make it work. Overall, it’s a structured approach through a single integrated platform, not a fragmented set of tools or vendors. 

What’s our pricing model? So, we have multiple models here. Our core platform, which is mesh, fabric, and governance, is based on a usage annual subscription model. The Blueprint, which is nothing but a cryptography bill of materials, is based on time and effort, and the hardware is a straight-out purchase of the hardware. So, we also provide entropy as a service. So, it all depends on the use case. We have multiple pricing options and very, very flexible. 

[Rich Stroffolino]  Excellent. All right. Well, we’ve gotten the broadest strokes of what enQase is doing there, but I’m sure we have a lot of questions here. Ross, I’m going to start with you. What are the questions you have for enQase? 

[Ross Young]  Yeah, so I would go back to say I think when it comes to post-quantum encryption, there’s really two places you see that done. One is on the endpoint, and one is on the server side. Which of the two are you tackling more? Is it helping to deploy better encryption on the Mac, the phones, or is it on the TLS or ciphers and certificates that people have to roll out on their app servers? 

[Raj Patil]  Ross, so the way we do it is we encrypt data in transit. The difference that we have is we do out-of-band key generation. So, this essentially integrates with your network appliances. We do not do it at a server. We do not do it at a browser or a mobile device. Those last mile would be a different set of libraries that you could use. What we do is for any of your network appliance to become quantum safe without really having to wait for the vendor to do it, we deliver the quantum safe keys to those particular appliances, and you could encrypt the data in transit along those networks and devices. Again, there are multiple ways you could do things, and this is one of the approaches for us to secure the backbone for any enterprise. 

[Rich Stroffolino]  Adam, I’m sure you’ve got a lot of questions there. What do you want to learn more about with enQase? 

[Adam Palmer]  So, as a CISO for a bank, my question would be what decisions should a regulated, highly regulated enterprise like my own, make this year versus what can reasonably wait or be delayed over the next three to five years? Where do I start? What’s the priority? 

[Raj Patil]  So, Adam, there are a couple of things that you’re looking at. The first one we recommend is looking at the organization and essentially creating a cross-functional group of people who would be responsible for rolling this out. So, you know this, that the encryption doesn’t really belong to a particular group or a person in an organization. In fact, there’s no clear owner for this. It’s embedded everywhere. It’s in the network, it’s in the devices, it’s in the applications, it’s with infrastructure, cybersecurity, you name it. The risk group also is a very important part of this equation. So, the first thing we recommend doing is getting that cross-functional group of people to be informed first. 

The second thing that we recommend is create a cryptographic bill of materials. Essentially, it’s to get a good idea of all the crypto assets that you have in the organization. Where are those, who’s using it, and how frequently are they being used? This actually gives you a nice map of what you have, and then you can map out your risk based on the exposure from the quantum encryption. 

The third thing, but actually the most important thing, is you have to protect yourself against something called a “harvest now, decrypt later” attack, which is happening right now. Data can be harvested in its encrypted form and kept till a point where you could decrypt that. You can’t really bring a lot of value for every single data that has been harvested, but there could be some data that has a long shelf life. So, those are the three areas that we could recommend, and this would really pave a path to coming up with a plan that could span from two years to five years depending on the size and the complexity of the organization. 

[Ross Young]  So, you mentioned in your discussion here of helping people go down the journey. Imagine I’m a CISO at a large enterprise. I have 10 different offices, I have a bunch of applications running on AWS in the cloud. I need to actually show a status. I might have 500 total things that need to get to a post-quantum encryption. Is there anything that you recommend for tracking that deployment so, hey, out of the 500 things, I’m now at 70 have transitioned to post-quantum? 

[Raj Patil]  Yeah, absolutely, Ross. So, that’s a great question. So, we have a framework called the Governance and Compliance Framework that continuously monitors as you progress through your migration path. And again, this is a phased approach. You tackle the most at risk first. And as you go through that process, it kind of monitors and says, or if let’s say, as you said, 500 devices and applications, you could have finished like 100 in the first two or three months. So, there is a part of the platform that helps you through this process of understanding where you are, and also in terms of the compliance requirements. So, let’s say you’re required to do a compliance with HIPAA, SOC2, any of these, they will actually help you say, okay, on a scale of 1 to 10, you’re at a 5 or a 6. So, there is a level of measure as you go through the process of migrating. 

[Ross Young] Thank you. 

[Raj Patil] So, I have a question for both Adam and Ross. Are you also looking at PQC and in terms of what’s your roadmap and thought process of how this is going to pan out in the next – at least for 2026. Let’s talk about the immediate year where it’s a lot in focus. What are you hearing from your groups and community in terms of their approach and how do you really want to address this? 

[Adam Palmer]  So, I can speak for myself and say that I’m taking a very pragmatic approach at this time. So, tracking the post-quantum standards, I’m trying to ensure that I’m building an accurate crypto inventory and have agility. I’m trying to engage my vendors, persons like yourself who are experts in the area and can guide me early and really protect the critical data that I need to today. And so for me at this time, I view that quantum computing isn’t necessarily a breach headline right now, but it could be for tomorrow. And again, as a CISO at a large, mid-sized US bank, I’m trying to prepare early, and I believe that will make the overall transition far less painful. 

[Ross Young]  Yeah, I’m starting to see CISOs start to say, “Hey, what kind of solutions can we use today to scan to figure out how many problems would be affected?” So, for example, there’s typically a cyber threat exposure management or CTEM type tool where you can scan your entire internet surface and then it can say, “Hey, here’s all the things running TLS 1.2.” And you’re like, “Well, we know we got to get to 1.3, and we know we got to get the right ciphers that are post-quantum proof on each of these applications.” And so that just kind of inventory is the step where I see people today. I still think there’s a little unsurety of which post-quantum encryption cipher should I use on my TLS ciphers, but I think everybody knows that this is a problem that’s coming due. And then also just saying, “Hey, desktop team, we know we have Macs, we know we have Windows. Can you make sure that you also put the post-quantum encryption on the endpoint there as well, too?” 

[Raj Patil]  So, Adam, you actually mentioned something about crypto agility. How are you looking at it? What are your thoughts and how do you think this could really pan out in the next five, six months? 

[Adam Palmer]  Well, I think that’s part of the planning and that’s where I’m relying on vendors like you to help me, to guide me. But looking overall, I think I view this as really a strategic issue. For me, the biggest operational problem isn’t the algorithm, but it’s how hard it is to change algorithms in a large environment. So, environments like mine, we are challenged in even knowing where cryptography is embedded across all of our applications, API, vendors. So, I think that the organizations that are trying to build crypto agility will adapt faster, and I think that the organizations that survive this quantum transition are going to be the ones that are trying to build crypto agility, not the ones necessarily that pick the perfect algorithm. 

[Raj Patil]  Right. And also you have to, once you make a transition, do you at least foresee, in the worst case scenario, to having to make additional changes in the next 12, 18 months? The chances of that occurring are low, but still if it does, do you also incorporate that as a part of your planning in terms of enhancing and making sure that your crypto agility would support something like that? 

[Adam Palmer]  Yeah, I agree. I think that we, and I always say we have to have an adaptive defense and an adaptive strategy, so everything we look and plan for, I’m not rewarded as a CISO for sticking to today’s plan. I’m rewarded for changing based on the business and threat landscape environment. So, absolutely it’s something we’ll continue to look at and are planning for. 

[Rich Stroffolino]  All right, we have time for one last question. Either Ross or Adam, lay it on Raj. 

[Ross Young]  All right, so we talked a little bit about how we’re going to fix this problem. I guess the biggest question that remains on most CISOs’ minds, how soon do you think it’s going to be before we actually see this attack being weaponized, right? If I’m using bad versions of encryption that can easily be deciphered, is this six months? Is this two years? Is this five years? Where do you think we’re going to be before this becomes a real issue for companies? 

[Raj Patil]  Ross, that’s a billion dollar question. So, we do not know the QDay date and the chances of us actually having gone past the QDay are very high. I don’t think anybody, any actor on the planet, would stand up and say, “Hey, listen, we’ve broken the encryption.” They’ll just be very, very quiet about that because that’s very strategic, very important, gives them an edge over everything else. There are two parts to the question, Ross. The first part is the harvest now decrypt later. So, data is getting harvested. That sits with them. There’s not much you can do about that. It’s gone. It’s data’s gone from your control. The second part of that is, again, when and if it gets decrypted, when we start breaking the algorithms that’s been expected, then, of course, this particular data that’s been harvested becomes of value to someone out there. So, it’s two steps to the entire thing. Our recommendation is first look at harvest now decrypt later and then wait for the inevitable. We don’t know when, but it is going to happen. And the billion dollar question, again, is if it does happen, where does that put you as an organization? That’s something that you have to ask and answer. 

[Rich Stroffolino] Well, Raj, what’s one thing we didn’t ask about that we need to know? 

[Raj Patil] Well, I think there is a general awareness of the importance of post-quantum cryptography and also, for us to migrate towards it and why it’s required. But there’s so many versions and ways of doing it. NIST PQC has become a standard, but globally, there are organizations, entities, regions, and countries creating their own set of algorithms. It could be complementing NIST or it could be completely different. So, there are some countries on the planet that are saying, “We don’t really want the NIST PQC. We’ll have our own stack of encryption.” This is something that’s kind of evolving. It’s not set yet, and it will continue to evolve. And that’s why the question about crypto agility is very important. 

For example, Adam, if you are doing business with multiple countries in the globe, I’m sure you are, then when you do communicate with them, you’ll have to support their crypto suite and just not what you think is right. So, that’s another area which is coming up very fast and adding a lot of complexity to what we’re doing. In the next six months, you will end up supporting multiple versions of post-quantum cryptography or other versions of it, and that’s something I think should also be on the radar and as a part of your plan. 

[Rich Stroffolino]  Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to enQase.com. If you have any feedback or questions for Raj, you can send them over to us at feedback@CISOseries.com. And a big thank you to Adam and Ross for helping us learn more about what you guys are doing. And thank you, Raj, for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know. 

[Voiceover]  That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.