Operationalizing cryptography agility: A practical path to PQC readiness

Organizations need to embrace crypto-agile systems and prepare for post-quantum cryptography without breaking what already works
Amit Mishra
Global Head - Data Security Practice, HCLTech

For years, many teams treated cryptography as “set and forget.” Choose an algorithm, pick a key length, ship the library and move on. That era is over. Hashes get broken. Protocols age. Quantum risk has moved from research papers to government directives, most notably the US NSM-10 and NIST’s PQC program, which set clear expectations for migration planning. Each time a weakness is disclosed, enterprises launch a frantic, cross-functional scramble to locate dependencies and roll out fixes. I have witnessed those fire drills up close. Cryptographic agility, or crypto agility, is how we stop reacting to incidents and start engineering resilience, so that a change in standards or a new threat does not translate into business disruption.

What crypto agility is and why leaders should care now

Crypto agility is the organizational capability to change cryptography on demand, at scale and with confidence. Practically, it means organizations can move from RSA and ECC (two families of public-key cryptography used for things like HTTPS, digital signatures and key exchange) to post-quantum algorithms, deprecate weak ciphers or rotate compromised keys across thousands of endpoints in hours, not quarters. This is no longer a purely technical concern; it is a business continuity imperative. Payments, customer logins, software updates and data protection all depend on trustworthy cryptography. As governments and regulators sharpen their guidance, deadlines will follow. If an organization’s trust layer is brittle, this carries operational, regulatory and reputational risk, whether the risk is visible or not.

From inventory to action: The Cryptographic Bill of Materials (CBOM)

Organizations can’t change what they can’t see. A CBOM is the “ingredients list” for an organization’s crypto estate: every key, certificate, algorithm, protocol and library; where it lives; which business service it underpins; who owns it and when it expires. At HCLTech, our joint approach with IBM discovers assets across hybrid environments, catalogs them and maps them to applications and business processes. IBM Guardium® Quantum Safe provides discovery, analytics and, critically, remediation workflows. That last piece matters. Many tools can flag weaknesses, but far fewer can fix them systematically. Our goal is a single source of truth plus repeatable change at scale.

The real risks of waiting

The headline risk is harvest-now, decrypt-later. Adversaries can record encrypted traffic and sensitive archives today and unlock them later as quantum-capable decryption matures. There is also the risk of a forced, chaotic migration when standards or vendors mandate change on a fixed timeline. And then there is everyday fragility: expired or weak certificates that drop channels, failed authentications and trust-eroding outages. I have seen a single expired certificate disable a revenue-critical application. The business impact arrived in minutes, not years. We have seen this before. The industry shift from SHA-1 to SHA-2 caused avoidable disruption. Starting PQC planning now helps prevent a repeat at larger scale.

Why crypto change is hard

Cryptography hides in plain sight. It’s embedded in legacy apps, proxies, appliances, SDKs and vendor platforms, and owned by different teams with different budgets and change windows. Tooling for certificate management, HSMs (Hardware Security Modules) and identity is increasingly fragmented. Manual processes and tribal knowledge fill the gaps. Without a single source of truth, every incident becomes bespoke archaeology. The antidote is programmatic: centralize visibility, automate the high-risk routine, such as renewals, rotations and policy checks, and treat crypto change as a rehearsed capability, not a one-off project.

Communicating progress without the crypto talk

Stakeholders need evidence of risk reduction and readiness, communicated in the following layers:

  1. Inventory and coverage — percentage of systems with verified CBOM entries and accountable owners.
  2. Exposure — percentage of assets using quantum-vulnerable algorithms and median time-to-remediate.
  3. Momentum — pilot deployments of NIST-selected post-quantum algorithms and the number of applications proven crypto-agile.
  4. Supplier readiness — procurement applies PQC-aware OEM selection criteria, reviews vendor roadmaps and supported algorithms and tracks conformance.

Turn these into dashboards and scorecards that tie each metric to business services, compliance obligations and customer impact. Keep it simple and transparent.

10 steps: A practical path to crypto agility and PQC readiness

  1. Establish ownership and sponsorship: Appoint an executive sponsor and a cross-functional program office that spans security, networking, application, identity, platform and risk. Publish policies for algorithms, key lengths, certificate authorities and rotation cadences.
  2. Build the CBOM: Use automated discovery to enumerate certificates, keys, protocols and crypto libraries across on-prem, cloud and edge. Tag each asset with system, owner, environment and business process.
  3. Assess and prioritize: Classify assets by criticality, external exposure and quantum vulnerability. Produce a risk-ranked backlog and focus on business-critical and internet-facing systems first.
  4. Automate the basics: Centralize certificate lifecycle management, enforce crypto policy checks in CI/CD and standardize key management through HSMs or cloud KMS with automation hooks.
  5. Prove agility with controlled change: Run wave-based exercises: rotate keys at scale; upgrade cipher suites; replace a library and rehearse rollback. Measure time-to-change and user impact.
  6. Pilot PQC: Select representative use cases, stand up pilots using NIST-selected algorithms, evaluate performance and compatibility and document integration patterns.
  7. Expand through patterns: Turn pilots into reference architectures. Embed them in platform tooling and inner-source libraries so product teams adopt them by default.
  8. Govern and report: Track coverage, mean time to remediate crypto events, policy conformance and migration velocity. Report progress in business terms: services protected, outages avoided, audit findings closed.
  9. Plan for coexistence: Build hybrid (classical plus PQC) deployments with crypto-agile interfaces to keep pace with changing standards and vendor support.
  10. Practice continuity: Run tabletops for expired or compromised certificates, deprecated ciphers and vendor library breaks. Treat this like disaster recovery for trust.
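As an added illustration of step 4 (crypto policy checks in CI/CD) and step 8, and of the inventory, coverage and exposure metrics described above, the following Python is example code written for this post, not an HCLTech or IBM tool. The CBOM entries, field names, reason codes and thresholds are constructed assumptions, not a standard CBOM schema.

```python
from datetime import date
# Constructed sample CBOM, not a real inventory; the field names are an assumption,
# not a standard schema (a real CBOM carries many more attributes per asset).
CBOM = [
    {"asset": "api.example.com:443", "algorithm": "RSA", "bits": 2048,
     "expires": "2026-03-01", "owner": "payments", "service": "checkout"},
    {"asset": "release-signing-key", "algorithm": "ECDSA", "bits": 256,
     "expires": "2027-01-01", "owner": "build", "service": "release"},
    {"asset": "vpn.example.com:443", "algorithm": "RSA", "bits": 4096,
     "expires": "2026-01-31", "owner": "", "service": "remote-access"},
    {"asset": "legacy-batch-tls", "algorithm": "3DES", "bits": 168,
     "expires": None, "owner": "legacy", "service": "batch"},
    {"asset": "pqc-pilot-kem", "algorithm": "ML-KEM-768", "bits": None,
     "expires": None, "owner": "platform", "service": "pilot"},
]
TODAY = date(2026, 2, 15)  # fixed reference date so the constructed sample is reproducible
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}  # public-key families at quantum risk
DEPRECATED = {"3DES", "RC4", "SHA-1", "MD5"}                 # weak regardless of quantum
BLOCKING = {"expired", "deprecated", "unowned"}              # reasons that fail the CI gate

def assess(entry, today, warn_days=30):
    """Return the reason codes that apply to one CBOM entry (empty list if clean)."""
    reasons, alg = [], entry["algorithm"]
    if alg in QUANTUM_VULNERABLE:
        reasons.append("quantum-vulnerable")
    if alg in DEPRECATED or (alg == "RSA" and entry["bits"] < 2048):
        reasons.append("deprecated")
    if entry["expires"]:
        days_left = (date.fromisoformat(entry["expires"]) - today).days
        if days_left < 0:
            reasons.append("expired")
        elif days_left <= warn_days:
            reasons.append("expiring-soon")
    if not entry["owner"]:
        reasons.append("unowned")
    return reasons

def metrics(cbom, today):
    """Inventory/coverage and exposure percentages, as in the reporting layers above."""
    covered = sum(1 for e in cbom if e["owner"] and e["service"])
    vulnerable = sum(1 for e in cbom if "quantum-vulnerable" in assess(e, today))
    return {"coverage_pct": round(100 * covered / len(cbom), 1),
            "quantum_vulnerable_pct": round(100 * vulnerable / len(cbom), 1)}

def ci_gate(cbom, today):
    """Pipeline policy check: block on expired/deprecated/unowned assets, warn on the rest."""
    blocked = {e["asset"]: r for e in cbom if (r := assess(e, today)) and set(r) & BLOCKING}
    warned = {e["asset"]: r for e in cbom if (r := assess(e, today)) and not set(r) & BLOCKING}
    return not blocked, blocked, warned
```

Quantum-vulnerable algorithms only warn, because migrating them is a tracked program rather than a pipeline blocker, while an expired, deprecated or unowned asset fails the build. Calling `ci_gate(CBOM, TODAY)` on the sample returns a failed gate with the VPN certificate and the 3DES suite blocked.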

Concrete use cases that resonate

Two examples help non-specialists connect the dots:

  • Customer-facing TLS: An expired or compromised certificate can block transactions or enable man-in-the-middle attacks. Crypto agility means you can locate every affected endpoint in seconds and fix it in minutes.
  • Software integrity: If a code-signing key is compromised, attackers can deliver malware that appears legitimate. Agility lets you revoke, reissue and re-sign without stalling release trains.

These scenarios make the business case tangible: continuity, trust and compliance.

Metrics that define success (and the ROI question)

Crypto agility is fundamentally about resilience. The strongest signal is continuity: fewer trust-related incidents, shorter outages and faster time-to-restore when crypto breaks. Leading indicators include percentage of the estate under CBOM management, percentage of external endpoints with automated certificate renewal, median time to rotate keys across a defined scope, reduction in quantum-vulnerable assets and the number of PQC-ready patterns adopted by product teams. ROI shows up as avoided downtime, reduced audit findings, faster incident response and lower change risk. But the dominant value is simple: keeping the business running.

Build crypto agility as an enduring capability

Quantum timelines will continue to compress, standards will evolve and new vulnerabilities will surface. Organizations that treat crypto agility as a one-off project will chase the next incident. Those that build it as an enduring capability will adapt calmly, communicate clearly and preserve trust when it matters most. Start small, measure relentlessly, automate everything possible and practice change until it is routine. That is how you operationalize crypto agility and arrive at PQC readiness without breaking what already works.
