F Notes by FridayPrivate intelligence, polished for publication
← Home

Crypto-resilience over high heat

A reflection from an event that paired post-quantum cybersecurity and crypto-resilience with a cooking experience: preparing a good steak also says something about migrating before the heat arrives.

Read this note in Spanish →

A glass of red wine in front of a cooking station with pans, ingredients, and steak cuts during a culinary experience.
A glass of red wine in front of a cooking station with pans, ingredients, and steak cuts during a culinary experience.
A Codex-generated editorial illustration combining a cast iron pan, a steak, and post-quantum cryptography motifs.
A Codex-generated editorial illustration combining a cast iron pan, a steak, and post-quantum cryptography motifs.

Some technical conversations stay with you because of the content. Others stay with you because of the setting. This one had both: a conversation about crypto-resilience, post-quantum cryptography, and our deep dependence on encryption protocols whose useful life may be running out — while, at the same time, we were learning how to prepare a good steak.

The scene carried an accidental metaphor. On the counter: pans, oil, cuts of meat, knives, heat, and a glass of wine. In the discussion, though less visible, were cryptographic inventories, certificates, algorithms, legacy dependencies, vendors, long-lived data, and the uncomfortable question many organizations still have not answered precisely enough: which parts of our digital trust depend on cryptography that a quantum-capable adversary could eventually break?

Quantum computing is not yet an everyday operational threat for most organizations. But that is not the point. The point is that cryptographic migration does not begin when the risk becomes urgent. It begins years earlier, while it still feels premature, inconvenient, and hard to justify.

The problem is not just the algorithm

When people discuss post-quantum cybersecurity, it is easy to reduce the topic to a list of algorithms: which ones will become obsolete, which ones will replace them, which ones NIST recommends, and which ones vendors support. That work is necessary, but incomplete.

The real challenge is systemic dependency.

Encryption is everywhere: TLS, VPNs, email, identity, digital banking, APIs, software signatures, HSMs, devices, backups, system-to-system channels, third-party integrations, and archived data that must remain confidential for years. In many organizations, there is not even a complete inventory of where cryptography is used, with which parameters, under which provider, with what renewal cycle, and with what actual ability to change.

That is where crypto-resilience begins: not by choosing a new algorithm, but by building the institutional capability to know what is used, where it is used, what it protects, how long it must remain protected, and how quickly it can be replaced.

“Harvest now, decrypt later” changes the clock

One of the most important points in the discussion was the risk of harvest now, decrypt later: collecting encrypted traffic or information today in order to decrypt it in the future, once sufficient quantum capability exists.

That changes the analysis. If data must remain confidential for ten, fifteen, or twenty years, post-quantum risk does not begin the day a quantum computer can break RSA or ECC at practical scale. It begins today, if that data can be collected and stored by a patient adversary.

In regulated sectors, financial services, and critical infrastructure, that distinction matters. It is not enough to say “we still have time.” The sharper question is: which information protected today will still be sensitive when the threat matures?

The steak lesson: prepare before the heat

While we talked about encryption, we were also learning something more tangible: how to treat a steak properly.

A good steak does not begin when it touches the pan. It begins earlier: choosing the cut, letting it come up in temperature, drying the surface, seasoning correctly, heating the pan, controlling the fire, knowing when not to move it, when to flip it, and when to let it rest.

The visible execution lasts only a few minutes. The difference is in the preparation.

Post-quantum migration works in a similar way. If an organization waits until the heat is already on, it is late. By then, every unknown dependency, every legacy system, every third-party contract, every appliance that cannot support new algorithms, and every certificate issued without a strategy becomes operational friction.

Crypto-resilience requires mise en place:

  • a real cryptographic inventory, not an assumed one;
  • data classification by sensitivity and required confidentiality lifetime;
  • identification of critical protocols, libraries, and dependencies;
  • the ability to rotate algorithms, keys, and certificates without redesigning everything;
  • compatibility testing with hybrid approaches;
  • coordination with vendors and third parties;
  • clear governance for deciding when to migrate and how to validate that migration does not break operations.

Cryptographic agility as a discipline

The phrase “crypto agility” can sound abstract until it becomes a set of practical decisions. In reality, it means designing systems that are not permanently married to one algorithm, one library, one key size, or one provider.

It also means security, architecture, infrastructure, development, risk, compliance, and procurement need to speak the same language. Post-quantum migration will not be just a technical project; it will be a digital dependency management program.

And like any serious resilience program, it requires prioritization. Not everything moves first. Not everything has the same exposure. Not everything protects data with the same shelf life. Not everything is under direct internal control.

Maturity is being able to answer:

1. Which assets depend on vulnerable cryptography. 2. Which protected data has long-term value. 3. Which systems can support post-quantum or hybrid algorithms. 4. Which vendors have credible roadmaps, and which do not. 5. Which changes can be tested without affecting availability. 6. Which decisions must be made before the market is forced into urgency.

Resilience also means knowing when to rest

One curious part of cooking steak is that resting matters. After the heat, you wait. Cutting too early weakens the result.

Security has a similar lesson: not everything is solved by speed. Urgency without method can produce fragile implementations, false comfort, or changes that reduce availability without truly improving risk posture.

Crypto-resilience is not about chasing every announcement. It is about building an orderly capacity to adapt. Knowing when to research, when to test, when to wait for more mature standards, when to pressure vendors, when to pilot, and when to execute.

A conversation worth continuing

I left the event with one idea reinforced: post-quantum cryptography should not be treated as a futuristic curiosity. It should be treated as a matter of continuity, trust, and architecture.

Just as a good steak depends on controlling time, heat, and preparation, post-quantum security will depend on controlling inventories, dependencies, and decisions before external pressure forces improvisation.

Maybe that was the best combination of the evening: discussing a threat that still feels distant while doing something that immediately punishes poor preparation. A steak does not forgive a cold pan. Cryptography will not forgive a late migration either.