Start Now, Measure as You Go: Will Collison on HSBC’s Roadmap to Quantum-Safe Cryptography

AmandaK

Post-quantum cryptography (PQC) isn’t a distant horizon; it’s a present-day priority no one should ignore. While enterprises may still debate timelines for quantum breakthroughs, regulators are already publishing guidance, standards bodies are finalizing algorithms, and forward-looking organizations are moving into execution. For Will Collison, Interim Global Head of Cryptography at HSBC, the lesson is simple: start now, measure as you go. Waiting for certainty only increases cost, risk, and reputational exposure.

In a recent episode of Shielded: The Last Line of Cyber Defense, Collison joined host Jo Lintzen to share how HSBC, one of the world’s largest banks, is preparing for the quantum era. With two decades in information security and cryptography, he’s witnessed migrations before, from 1024-bit SSL certificates to stronger PKI, and knows how disruptive they can be when left too late. His message to peers is clear: treat PQC not as a theoretical concern, but as the next inevitable cryptographic shift.

Q-Day vs. R-Day: Why Waiting Isn’t an Option

The industry often frames the threat as Q-Day, the moment a cryptographically relevant quantum computer breaks RSA or ECC. But Collison argues there’s an earlier and more pressing milestone: R-Day, when regulators mandate readiness. Both are inevitable. Regulators in the UK, EU, Canada, and the U.S. are already signaling timelines, with 2030–2035 as the outer horizon for critical assets. For financial institutions, waiting for official deadlines is a losing strategy. “We can’t wait for Q-Day, and we can’t really wait for regulator day,” he cautions. “We should already be on the journey before regulators start to ask what’s going on.”

PQC, QKD, and Quantum Computing: Clearing the Confusion

One barrier to action is conceptual. Quantum technologies are often conflated; post-quantum cryptography (PQC), quantum key distribution (QKD), and quantum computing get lumped together. Collison separates them cleanly: PQC is the universal requirement, QKD addresses niche high-assurance use cases like backbone connections, and quantum computing is the attacker capability looming on the horizon. “Everybody needs to do PQC,” he stresses, “and there is nothing to stop you from using PQC over a QKD link.” The key is clarity: invest where the impact is broadest, and don’t let conceptual fog slow down preparation.

Identity at Risk: Where Quantum Hits Hardest

Quantum computers don’t endanger all cryptography equally. Symmetric algorithms like AES remain resilient, but public-key identity mechanisms (RSA, ECC, and the digital signatures that underpin authentication) are directly vulnerable. Collison draws the line clearly: the threat is to identity, not bulk data encryption. Once identity is compromised, trust in digital systems collapses. For organizations, that means prioritizing upgrades in PKI, certificates, and authentication frameworks. The technical roadmap must be designed with this distinction in mind, ensuring resources are directed to where quantum creates the greatest risk.

Crypto Agility: Designing for What Comes Next

Collison is pragmatic about the uncertainty of cryptographic standards. Even post-quantum algorithms, now being standardized, are subject to scrutiny and potential breakage. That makes cryptographic agility the real long-term goal. “Assume algorithms can fail,” he explains. “The win is cryptographic agility, being able to change without a rewrite.” For enterprises, that means engineering modular, pluggable cryptographic architectures that allow algorithms to be swapped quickly. Treating PQC as a one-off migration is shortsighted; building agility ensures resilience across multiple future transitions.

Cost, Talent, and Regulation: The Practical Pressures

For Collison, the cost logic is straightforward: if you start now, you can go slowly, achieve quality, and minimize expenses. If you wait, you’ll be forced to move fast, and fast rarely comes cheap. The same applies to talent. By investing early in graduates and training programs, HSBC is building a workforce fluent in quantum readiness rather than competing for scarce expertise later. Regulation adds another layer: falling behind peers risks not just technical debt but also public censure. “Looking at what a regulator might ask and you being shy of that or adrift from that is going to put more pressure on your organization,” he warns.

The Takeaway: Start Now, Measure as You Go

The message from HSBC’s cryptography leader is blunt: the longer you wait, the harder and more expensive the migration becomes. Organizations need to act before regulators demand it, before attackers exploit it, and before talent and vendor bottlenecks make progress impossible. Start with awareness and leadership buy-in. Prioritize revenue-critical and internet-facing systems. Build agility into your cryptographic architecture. And measure progress continually, so you can demonstrate posture to regulators, customers, and partners.

Quantum readiness isn’t a theoretical debate. It’s a strategic imperative. As Collison puts it: “Start now. It’s going to look a lot more expensive and a lot more painful in five years.”

You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.

About Will Collison

Will Collison is the Interim Global Head of Cryptography at HSBC, where he leads the bank’s global cryptography strategy across 60 markets. A CISSP-qualified consultant with two decades of experience, he specializes in public key infrastructure (PKI), cryptography standards, and the automation of trust. Over his seven-plus years at HSBC, Will has served as Technical Director of Cryptography, Global Head of Cryptography Standards and Enforcement, and PKI Specialist, building frameworks for machine and digital identity and driving large-scale remediation programs. Prior to HSBC, he founded Secmundi Limited, advising international banks on cryptography strategy and operating models, and worked as a Trust Consultant at Barclays, guiding PKI implementations and automation of certificate issuance. Known for combining deep technical expertise with pragmatic execution, Will has long been a voice for crypto agility, helping organizations modernize securely while preparing for future shifts. Today, his focus is clear: ensuring enterprises can meet the challenges of post-quantum cryptography (PQC) and build a quantum-safe future.
