Antti Ropponen, Global Quantum Safe Transformation Leader at IBM Consulting, explains why the current shift toward post-quantum cryptography mirrors the early days of cloud migration. He details how organizations can avoid common pitfalls like inventory paralysis and explains why successful transitions require an organizational shift rather than just a technical update.
The migration to quantum-safe systems is often stalled by a desire for perfect visibility. Antti Ropponen joins host Jo Lintzen to discuss why waiting for a 100% accurate inventory often leads to inaction. Drawing on years of experience in cloud modernization, Antti highlights the similarities between "lifting and shifting" workloads and simply swapping cryptographic algorithms.
The conversation covers the necessity of moving beyond technical silos. Antti shares insights from an IBM study showing that the majority of quantum-safe programs now live outside the CISO office, often residing within CTO or digital transformation departments. He provides a framework for prioritizing migration based on risk, regulation, and business value, while offering practical advice on funding these multi-year programs by integrating them into existing IT refresh cycles.
What You’ll Learn
- Why the 2019 South European bank project served as a lightbulb moment for quantum risk
- How to avoid the trap of "inventory paralysis" during discovery phases
- The dangers of treating quantum migration as a simple "flick of a switch" exercise
- Why post-quantum cryptography programs are moving from the CISO to the CTO office
- Methods for using regulation as a prioritization factor rather than just a checkbox
- Strategies for quantifying risk reduction to build a compelling financial business case
- Nuances in migration priorities between the financial and pharmaceutical sectors
- How to treat quantum-safe transitions as "business as usual" engineering
About Antti Ropponen
Antti Ropponen serves as the Global Quantum Safe Transformation Leader at IBM Consulting. He drives the execution and scaling of quantum-safe programs across EMEA, working directly with CISOs and CTOs to move organizations from theoretical risk toward real-world migration. With a background in cloud migration and security modernization, Antti focuses on the organizational and architectural complexities of large-scale cryptographic transitions.
Your Roadmap to Quantum Transformation
[00:08:19] Step 1: Avoid the Inventory Paralysis Trap
Organizations often stall their progress by trying to achieve a perfect, 100% accurate inventory before taking action. Data quality fluctuates quickly as systems change, making a complete snapshot nearly impossible. Focus instead on risk-based classification to identify where the most critical vulnerabilities live.
Key Question: Are you waiting for a perfect list of assets before starting your mitigation planning?
[00:16:36] Step 2: Adopt Cryptographic Landing Zones
Drawing on cloud migration best practices, organizations should utilize reference architectures and target patterns. Following established templates ensures that necessary security boxes are checked without requiring a deep dive into every individual system component.
Key Question: Can you simplify your transition by applying standardized architectural patterns to your critical trust flows?
[00:21:10] Step 3: Elevate the Program Beyond Technical Silos
Successful migration is an organizational and cultural transformation rather than a localized security project. Because these programs require coordination across hundreds of teams, they often find a more natural home in the CTO office or a digital transformation department where they have broader visibility.
Key Question: Does your quantum-safe program have the organizational authority to influence the backlogs of application and platform teams?
[00:26:19] Step 4: Use Regulation as a Prioritization Factor
Compliance frameworks like GDPR or the Cyber Resilience Act should be treated as tools for making a business case. By integrating regulatory requirements into your risk score, you can prioritize efforts that offer the highest value in terms of both resilience and legal standing.
Key Question: Is regulation driving your roadmap, or is it one factor in a more holistic risk-based strategy?
[00:31:08] Step 5: Embed Migration into Existing Refresh Cycles
Building a business case is easier when you align quantum-safe requirements with existing digital transformation or infrastructure refresh programs. This approach avoids creating a "net new" legacy and ensures that future projects are quantum-safe by design from day one.
Key Question: Which upcoming IT modernization projects can serve as a vehicle for your post-quantum upgrades?