Challenge
A large telecommunications provider realized that preparing for the quantum era would require a coordinated effort across its entire enterprise. Unlike a single IT project, this quantum-readiness initiative needed to span the company’s IT systems (such as customer databases and internal applications), its network infrastructure (the routers, switches, and transmission systems that carry data), and even OT (operational technology) components in its facilities. The stakes were high: as a critical infrastructure company, the telecom had to ensure that its communications and services would remain secure and reliable even when quantum computing could threaten current encryption methods. Moreover, regulators and national security guidelines were increasingly highlighting telecoms as key players that must lead in adopting post-quantum cryptography (PQC) and other mitigations.
The challenge was multifaceted. First, the company needed to understand its current cryptographic landscape – where exactly were algorithms like RSA or ECC used across thousands of applications and devices, and which of those would be vulnerable to quantum attacks or difficult to update? This cryptographic inventory (or CBOM) would be massive, given decades of accumulated technology. Second, implementing quantum-safe solutions would affect many departments and budgets. The company needed a clear governance structure to drive this multi-year program and secure funding, while balancing it with other business priorities. Third, the telecom relied heavily on vendors for equipment and software (from switch manufacturers to CRM software providers); aligning those vendors with its quantum-safe requirements and the timelines of emerging standards was a complex coordination problem. Lastly, timing and prioritization were critical – not everything could be fixed at once. The company needed to prioritize which systems to upgrade first (for example, infrastructure supporting long-lived data or critical security functions) and embed crypto-agility into its future upgrades so that this transition, and any future ones, could be managed with less upheaval.
How Applied Quantum Helped
We worked with the telecom provider to design a comprehensive enterprise quantum-readiness program and post-quantum migration roadmap. Key elements of our approach included:
Cryptographic Asset Inventory (CBOM): Our team collaborated with the telecom’s IT and network engineers to conduct an exhaustive cryptographic inventory. We utilized automated scanning tools on codebases and configurations, and supplemented these with workshops and surveys of system owners. The result was a detailed Cryptography Bill of Materials (CBOM) cataloguing every major instance of cryptography in use – from the TLS protocols securing customer-facing websites and VPN tunnels in the corporate WAN, to encryption used in databases, to the firmware in network devices that might use embedded cryptographic chips. This inventory highlighted, for example, which customer-facing systems still used aging RSA certificates, which network links were protected by legacy encryption that lacked easy upgrade paths, and where cryptographic libraries were embedded in software code. By identifying these, we set the foundation for all subsequent planning, ensuring no critical areas were overlooked.
Governance and Funding Structure: We helped establish a formal program governance model. This involved creating a cross-functional steering committee – including executives from the CISO’s office, network operations, IT architecture, and product development – to oversee the quantum-readiness initiative. We defined roles and responsibilities, ensuring there was clear ownership (for instance, the CTO’s office would own the overall roadmap, while the CISO’s team would define crypto policies, and business unit leaders would implement changes in their domains). We also assisted the client in building a business case to secure funding. By quantifying the risks (e.g., the potential cost and service impact if core communications were compromised in a few years) and highlighting regulatory expectations (such as government mandates for critical infrastructure to have a PQC plan by a certain date), we helped justify the investment. The outcome was that the board approved a dedicated multi-year budget for the quantum-readiness program, a significant win that gave the effort momentum and authority.
Vendor and Standards Alignment: Recognizing that much of the telecom’s environment depended on vendor equipment and industry standards (like 5G, DOCSIS for cable, or optical transport protocols), we developed a vendor engagement strategy. We surveyed the telecom’s key technology suppliers to understand their roadmaps for PQC support or other quantum-safe features. For vendors without clear quantum-safe plans, we recommended leveraging procurement – updating RFPs and contracts to require compliance with PQC standards within defined timeframes – thereby pressuring suppliers to prioritize quantum-safety in their product roadmaps. We also advised the client to actively participate in telecom industry groups and standard bodies that were starting to address quantum security, so they could both influence and stay informed of progress (for instance, contributing to a standards working group on quantum-safe 5G enhancements). This vendor and standards alignment ensured that the telecom’s internal plans would not operate in a vacuum; they were synchronized with the broader ecosystem.
Risk-Based Prioritization: With the CBOM data in hand, we facilitated a risk assessment to prioritize what needed to be addressed first. We identified “choke points” and high-risk scenarios – for example, cryptographic systems that protected particularly sensitive or long-lived data (like root certificate authorities or archives of customer data) and components that would be difficult to retrofit later (like millions of deployed IoT/CPE devices with fixed crypto). Those areas were assigned the highest priority. We delivered a matrix scoring systems by criteria such as criticality, quantum vulnerability, upgrade complexity, and regulatory importance. This allowed the telecom to sequence its migration: immediate action on certain items (like upgrading software libraries in systems that could be patched easily, replacing expiring certificates with quantum-resistant ones when standards allow, etc.), versus longer-term actions (like planning for hardware refresh cycles to include PQC-capable devices, or running pilot projects on less urgent areas to gain experience).
Phased Roadmap with Crypto-Agility: Finally, we synthesized everything into a phased roadmap spanning multiple years. The roadmap was divided into phases aligning with the company’s planning cycles. In the near term (next 1-2 years), the focus was on immediate steps: pilot-testing PQC in isolated environments (e.g., a test network segment), training teams on crypto-agility, and adding PQC requirements into all new tech procurements. The mid-term phase (3-5 years) targeted broad implementation: replacing or upgrading cryptography in prioritized systems (often with hybrid dual-algorithm solutions) and rigorously testing interoperability and performance as new algorithms rolled out. The long-term phase (beyond 5 years) considered integrating more advanced defenses (like QKD on select core links, if viable) and institutionalizing continuous crypto-agility practices – regularly reviewing and updating cryptography as standards and threats evolve. Throughout the roadmap, a key principle we instilled was building crypto-agility: ensuring that any new system or upgrade the telecom undertakes (be it a new customer portal or a network equipment refresh) is designed to allow easy swapping of cryptographic algorithms in the future. This principle would make the current PQC transition smoother and also future-proof the organization for any later changes.
Outcome
With our guidance, the telecom provider formally launched its Quantum-Readiness Program, which became one of the strategic initiatives reported at the executive level. They now have a living cryptographic inventory (the CBOM) that gives unparalleled visibility into their security posture – something that even proved immediately useful by revealing a few instances of outdated encryption that were fixed as “quick wins.” The governance framework we set up meant that progress didn’t stall: a dedicated program office was created, and the cross-functional steering committee began meeting regularly to track milestones, manage inter-department dependencies, and address obstacles. This ensured that the PQC migration wasn’t siloed in the IT security team alone, but had buy-in and active participation from network engineering, product teams, and procurement.
Early achievements of the program included successful pilots: for example, the telecom’s security team, working with one of its router vendors, tested a firmware update that enabled a post-quantum key exchange algorithm on a pair of backbone routers in a lab environment. The test showed that the new algorithms could be run with minimal performance impact – a critical validation that helped persuade any remaining skeptics in management. In another win, the procurement team’s new quantum-ready requirements prompted several key suppliers to accelerate their own PQC product plans.
By prioritizing critical risks first, the company has already mitigated some exposures – for instance, upon finding an internal administrative tool using a hard-coded RSA key, they promptly updated it to use a quantum-safe authentication method – closing that potential vulnerability. They also set up a crypto-agility lab, where developers practice swapping out cryptographic libraries and testing systems – building “muscle memory” for handling future cryptographic changes.
Overall, the telecom is now seen as an industry leader in quantum readiness. Not only can they assure regulators that they have a concrete plan aligned with national timelines, but they’re also communicating to their enterprise customers that security is a top priority, even for threats on the horizon. One executive remarked that what once seemed a nebulous challenge is now a structured program – the company isn’t waiting around, it’s proactively getting ready for the quantum future.
© 2025 Applied Quantum. All rights reserved