Date: 2025-07-29

In the global race to secure digital infrastructure against quantum threats, post-quantum cryptography (PQC) often takes the spotlight – and rightly so. Quantum computing has the potential to break the cryptographic systems that currently protect our data, communications, and national infrastructure.

But there’s another capability that deserves equal attention – crypto-agility. Quietly, but powerfully, it is emerging as the foundational layer upon which a truly quantum-resilient future will be built.

What is crypto-agility – and why it matters

Just as security by design and, more recently, privacy by design have become essential principles in the development of modern IT solutions, it’s time to embrace a new imperative: crypto-agility by design. In a world where cryptographic algorithms can become obsolete overnight – due to advances in computing power, quantum threats, or newly discovered vulnerabilities – crypto-agility is no longer optional.

Crypto-agility is the ability to swiftly switch between cryptographic algorithms – whether in response to a new vulnerability or to adopt an emerging standard – without disrupting operations. It’s not about replacing cryptography once; it’s about building the flexibility to respond again and again as threats evolve and standards mature.

This proactive approach ensures long-term resilience and trustworthiness, much like how security and privacy are now embedded from the ground up. As digital ecosystems grow more complex and interconnected, crypto-agility must become a foundational design principle – not an afterthought.

Quantum computing isn’t the only threat. The recent vulnerabilities in widely used libraries like OpenSSL are stark reminders of how brittle our current cryptographic landscape can be. Yet, our recent CRI research reveals a troubling picture:

Only 35% say their organizations maintain a centralized inventory of all cryptographic keys, algorithms, and certificates in use.

54% of organizations operate on legacy infrastructure that lacks compatibility with modern cryptographic standards.

Just 40% are prepared to respond effectively to the discovery of a critical vulnerability in a widely used cryptographic library.

These are not just technical blind spots – they are business risks.

Building crypto-agility: What it takes

Crypto-agility isn’t a feature you can simply buy off the shelf. It must be intentionally designed into your systems, processes, and organizational culture. Here’s what that journey looks like:

Maintain a live cryptographic inventory: Know which algorithms, keys, and certificates are in use – and where they reside.

Automate key and certificate management: Manual processes cannot keep up with today’s evolving threat landscape.

Design modular, update-ready systems: Avoid hard-coded cryptography. Use configuration files and CI/CD pipelines for rapid updates.

Rotate keys regularly: Annual key rotation should be the baseline – automated rotation is even better.
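
One way to keep cryptography out of application code, shown as an added example rather than code from this article or from Capgemini: the algorithm is chosen by a policy file, every tag carries its algorithm id, and verification rejects retired algorithms while flagging data that should be re-protected. The names `POLICY_JSON`, `REGISTRY`, `load_policy`, `protect`, `verify` and the `alg$tag` token format are assumptions made for illustration.

```python
import hmac
import json

# Constructed policy, standing in for a config file delivered through CI/CD.
POLICY_JSON = """{
  "current": "hmac-sha512",
  "allowed": ["hmac-sha256", "hmac-sha512"],
  "retired": ["hmac-sha1"]
}"""

# Hypothetical registry: algorithm id -> hashlib digest name.
REGISTRY = {"hmac-sha1": "sha1", "hmac-sha256": "sha256", "hmac-sha512": "sha512"}


def load_policy(text):
    """Parse the policy and fail closed on unknown or inconsistent entries."""
    policy = json.loads(text)
    for alg in [policy["current"], *policy["allowed"], *policy["retired"]]:
        if alg not in REGISTRY:
            raise ValueError(f"policy names unknown algorithm: {alg}")
    if policy["current"] not in policy["allowed"]:
        raise ValueError("current algorithm must be in the allowed list")
    if set(policy["allowed"]) & set(policy["retired"]):
        raise ValueError("an algorithm cannot be both allowed and retired")
    return policy


def protect(key, message, policy):
    """Tag a message with the current algorithm; the id travels with the tag."""
    alg = policy["current"]
    return f"{alg}${hmac.new(key, message, REGISTRY[alg]).hexdigest()}"


def verify(key, message, token, policy):
    """Return (valid, needs_upgrade); retired or unknown ids are rejected."""
    alg, _, tag = token.partition("$")
    if alg not in policy["allowed"]:
        return False, False
    expected = hmac.new(key, message, REGISTRY[alg]).hexdigest()
    ok = hmac.compare_digest(expected.encode(), tag.encode())
    return ok, ok and alg != policy["current"]


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    token = protect(b"k" * 32, b"record-1", policy)
    print(token.split("$")[0], verify(b"k" * 32, b"record-1", token, policy))
```

Moving to a new algorithm is then a one-line change to `current` in the policy, and tokens reported with `needs_upgrade` can be re-protected the next time they are written.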

The barriers are real – but so are the rewards

Crypto-agility is not just a technical challenge; it’s an organizational shift. Our CRI research shows that:

67% of organizations struggle with dedicated budget and personnel for crypto transitions.

59% lack the expertise to assess, plan, and implement crypto-agility.

54% operate on legacy infrastructure that’s incompatible with modern standards.

These numbers reflect inertia – but they also highlight the opportunity for leaders to act ahead of the curve. As Bernd Meurer, Field CTO at BT Group, notes:

“Many of our customers have done a high-level assessment of systems and communication interfaces, but a full impact analysis for post-quantum readiness is still in draft in many cases.”

This is the reality for many large enterprises – and a call to action for all.

Some early adopters are embedding crypto-agility into their PQC pilots through hybrid cryptography, which combines classical and quantum-safe algorithms. This allows them to test emerging standards without breaking existing systems.

A strategic advantage in the post-quantum era

Crypto-agility is the bridge between today’s encryption and tomorrow’s post-quantum world. It enables resilience not just against quantum, but also against the unknowns that lie ahead in our increasingly complex threat landscape.

At Capgemini, we believe that crypto-agility is no longer a “nice to have.” It’s a core business capability, and a marker of forward-thinking leadership. Organizations that build it now will gain the flexibility to evolve, adapt, and thrive – no matter how the future unfolds.

The quantum era is coming.

Crypto-agility will define who’s ready.