As governments and regulators accelerate PQC adoption timelines, the urgency for organizations to act has never been greater. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Kevin Hilscher, Senior Director of Product Management at DigiCert, to explore the practical first steps of post-quantum cryptography adoption. They discuss why upgrading to TLS 1.3 is a non-negotiable starting point, how discovery of crypto assets lays the groundwork for any migration, and what enterprises should know about hybrid cryptography and its competing standards. From fragmented global regulations to aggressive timelines and the looming challenges of vendor readiness, Kevin provides a candid, real-world perspective on how organizations can build a quantum-ready roadmap before regulatory deadlines and quantum breakthroughs arrive.

What You’ll Learn

Kevin Hilscher is Senior Director of Product Management at DigiCert, where he leads the device trust product team and oversees PQC readiness across the company’s portfolio. With a background at Microsoft and deep experience working with OEMs, banks, healthcare providers, and defense organizations, Kevin has been at the forefront of preparing enterprises for the quantum era. His focus spans securing connected devices, enabling regulatory compliance, and helping global customers prepare for the transition to PQC. Known for his pragmatic approach, Kevin bridges the gap between evolving cryptographic standards and real-world business needs, helping organizations take the first steps toward a secure, quantum-ready future.

With the shift to post-quantum cryptography accelerating, Kevin’s message is clear: early discovery and TLS 1.3 readiness, not just new algorithms, will define the path to a quantum-ready future.

For many industries, the first challenge isn’t technical; it’s awareness. Kevin explains that cybersecurity teams often have to “sell upwards,” using the right data, talk tracks, and materials to educate leadership about PQC and secure sponsorship. Without this “step zero,” projects stall before they begin. Education is critical, not just inside your own enterprise, but across vendors and partners who may not even know what PQC is yet. Key Question: Do your executives and stakeholders truly understand the urgency of PQC, or are they still in denial?

The foundation of every migration is discovery. Kevin stresses the importance of cataloging where and how cryptography is used, TLS versions, crypto libraries, SDKs, and source code. For banks, that means checking third-party apps and firewalls. For OEMs, it’s embedded devices still running RSA or ECC. Discovery reveals not just internal risks but also gaps in vendor readiness, enabling informed conversations about timelines and support. Key Question: Have you mapped your crypto landscape, from TLS versions to third-party dependencies, so you know what needs to change?

Before PQC algorithms even come into play, enterprises must meet the TLS prerequisite. As Kevin notes, the IETF has been blunt: quantum-safe algorithms will only be supported in TLS 1.3 and above. Yet many organizations are still stuck on TLS 1.2 in legacy apps and infrastructure. Migrating now means you can act independently of PQC timelines while also future-proofing your systems for what’s next. Key Question: Are you still relying on TLS 1.2, or have you taken the first real step toward a quantum-ready foundation?

“Hybrid” is one of the most confusing terms in PQC. Kevin highlights the difference between hybrid key exchange (pairing a PQC algorithm with RSA or ECC for TLS handshakes) and hybrid certificates (dual-signed X.509s). While hybrid key exchange is standardized and deployable today, hybrid certificates remain stalled by competing standards like composite, Chimeria, and Chameleon. Without clarity, organizations risk paralysis. Key Question: Do you know which type of hybrid you’re preparing for, and are you moving ahead where standards are ready today?

Global regulators are setting ambitious deadlines, 2030 in the EU, 2027 for U.S. federal procurement. Kevin warns that critical systems like SCADA, SAP, and ERP will struggle to meet those dates, especially with legacy TLS and outdated infrastructure. While crypto SDKs are ahead, enterprise apps and HSM certifications will lag. Organizations must pressure vendors for roadmaps while also preparing for phased upgrades.

Key Question: Are you planning your migration based on regulatory optimism, or on the real pace of vendor and infrastructure readiness?

Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.

Need help subscribing? Click here for step-by-step instructions.