What Does Crypto Agility Actually Mean in Practice?
Introduction
Crypto agility has become one of the most frequently used terms in the post-quantum cryptography conversation. It features prominently in vendor marketing, government guidance and industry frameworks. It is positioned as both a goal and a capability — the end-state of a successful PQC transformation, and the means by which organisations will stay ahead of evolving cryptographic threats.
But despite its ubiquity, crypto agility remains poorly understood in practical terms. For many organisations, it exists as an aspiration rather than a defined capability. Vendors present it as something their products deliver out of the box. The reality is considerably more involved.
For CISOs, CTOs and enterprise architects, understanding what crypto agility actually requires — in terms of architecture, governance and operating model — is essential to ensuring that PQC readiness delivers lasting value rather than a one-off upgrade that will need to be repeated when the next cryptographic challenge arrives.
Why Crypto Agility Matters Now
To understand why crypto agility has become so important, it helps to look at the history of cryptographic change. In 1977, the RSA algorithm was described by Rivest, Shamir and Adleman. It has been used to protect the integrity, authenticity and confidentiality of information for decades. For most of that period, the underlying cryptographic algorithms remained broadly stable: key sizes grew and a handful of primitives were retired (DES, MD5, SHA-1), but those changes arrived one at a time and were absorbed over many years. Organisations could implement an algorithm, embed it into their systems and reasonably expect it to remain effective for years or even decades without fundamental change.
It would be natural to assume that the post-quantum transition will follow a similar pattern: migrate once to quantum-resistant algorithms, and then enjoy a comparable period of stability. Unfortunately, the quantum era is different.
Quantum computing will continue to advance, and over time even today’s quantum-resistant algorithms may be challenged. Cryptographic research does not stand still, and the possibility that new vulnerabilities will be discovered in the recently standardised algorithms cannot be ruled out. NIST itself has acknowledged this by continuing to evaluate additional candidate algorithms beyond the initial approved set.
This means that the PQC migration will not be a one-off transformation but the first instance of an ongoing responsibility — much like maintaining security patches or updating threat-detection capabilities to stay ahead of evolving risks. Organisations that treat PQC migration as a destination rather than a capability will find themselves back at square one when the next algorithm change is required.
What Crypto Agility Actually Involves
In practical terms, achieving crypto agility requires several foundational capabilities working together. None of them are trivial, and collectively they represent a significant shift in how most organisations manage cryptography today.
The first requirement is the consolidation and modernisation of PKI services. In many enterprises, PKI has evolved organically over years or even decades, resulting in fragmented, inconsistent and poorly documented implementations. Multiple certificate authorities may be in operation across different business units, each with different policies, different configurations and different levels of oversight. Achieving crypto agility requires bringing these under centralised control, with consistent cryptographic policy that can be updated and enforced across the estate.
The second requirement is decoupling cryptographic operations from individual applications. In many organisations, cryptographic functions are embedded deep within application code. Encryption routines, certificate handling, key management and signature verification are built directly into the logic of individual systems. This tight coupling means that changing an algorithm requires changes to every application that uses it — a task that is expensive, time-consuming and operationally risky at scale.
Crypto agility demands a different approach: cryptographic operations should be abstracted into standardised services and APIs that applications consume, rather than implement directly. By centralising these functions, organisations can change algorithms, key sizes and parameters at the service layer without requiring changes to every consuming application. The abstraction has limits worth stating plainly: it changes who selects the algorithm, but artefacts already issued under the old one (certificates, signatures, data encrypted at rest) still have to be re-issued or re-encrypted, and protocols still have to negotiate the new algorithm with their peers, so the service layer needs to accept old and new in parallel for the duration of the transition.
The third requirement is automated certificate lifecycle management. When an organisation manages thousands or hundreds of thousands of certificates — as most enterprises do — the ability to issue, renew, revoke and replace certificates at speed is essential. Manual processes that may have been adequate when certificate volumes were lower simply cannot scale to meet the demands of a cryptographic transition. Automation is not optional; it is a prerequisite for agility.
The fourth requirement is designing new systems so that algorithms, key sizes and parameters can be changed through configuration rather than source-code rewrites. This is a design philosophy that must be embedded into architecture governance and procurement standards. Every new system, application or device that enters the estate should be evaluated for its ability to support cryptographic change without re-engineering. In practice the evaluation has to go beyond the algorithm selector: post-quantum keys and signatures are substantially larger than their RSA and ECDSA equivalents (ML-DSA signatures run to several kilobytes), so buffers, database columns, protocol fields and certificate-size limits sized for today's algorithms are just as much a source of hard-coded coupling as an algorithm name in source code.
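The decoupling described under the second requirement and the configuration-driven selection described under the fourth are two views of the same pattern, and it is easier to see in code than in prose. The following is an added example, not code from the original article: a minimal crypto service in which applications call `protect()` and `verify()` and never name an algorithm, the algorithm for new artefacts and the transition window for old ones live in an operator-controlled `CryptoPolicy`, and every artefact carries the identifier of the algorithm that produced it so that legacy material can be verified while the estate migrates and refused once the algorithm is retired. Standard-library HMAC constructions stand in for the real primitives so it runs offline; the registry names, keys and message are constructed for illustration, and a signature scheme (post-quantum or otherwise) would be another registry entry rather than a change to any caller.

```python
"""Added crypto-agility example (not from the original article).

HMAC from the standard library stands in for the real primitives so the
example runs offline; all identifiers, keys and messages are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Algorithm registry: identifier -> MAC function.  Adding or removing an
# algorithm is a change here and in policy, not in every consuming application.
REGISTRY: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha256":   lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(),
    "hmac-blake2s":  lambda k, m: hmac.new(k, m, hashlib.blake2s).digest(),
}


@dataclass
class CryptoPolicy:
    """Operator-controlled configuration, deliberately separate from code."""
    current: str                                     # used for all new artefacts
    accepted: Set[str] = field(default_factory=set)  # verify-only during transition
    retired: Set[str] = field(default_factory=set)   # rejected outright

    def __post_init__(self) -> None:
        # Refuse inconsistent configuration rather than silently degrading.
        if self.current not in REGISTRY:
            raise ValueError(f"unknown current algorithm {self.current!r}")
        if self.current in self.retired:
            raise ValueError("current algorithm cannot also be retired")


class CryptoService:
    """The single place in the estate that knows which algorithm is in use."""

    def __init__(self, policy: CryptoPolicy, keys: Dict[str, bytes]) -> None:
        self.policy = policy
        self.keys = keys  # algorithm id -> key; in production an HSM/KMS handle

    def protect(self, message: bytes) -> str:
        alg = self.policy.current
        tag = REGISTRY[alg](self.keys[alg], message)
        return f"{alg}${tag.hex()}"  # self-describing: the algorithm id travels with the tag

    def verify(self, message: bytes, artefact: str) -> Tuple[bool, str]:
        alg, _, tag_hex = artefact.partition("$")
        if alg not in REGISTRY or alg not in self.keys:
            return False, "unknown algorithm"
        if alg in self.policy.retired:
            return False, f"{alg} retired by policy"
        if alg != self.policy.current and alg not in self.policy.accepted:
            return False, f"{alg} not accepted for verification"
        try:
            presented = bytes.fromhex(tag_hex)
        except ValueError:
            return False, "malformed tag"
        expected = REGISTRY[alg](self.keys[alg], message)
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return True, "ok"
        return False, "bad tag"


def run_migration() -> Dict[str, object]:
    """Walk one algorithm transition end to end and return what was observed."""
    keys = {alg: secrets.token_bytes(32) for alg in REGISTRY}  # constructed keys
    msg = b"invoice-4711:approved"                              # constructed message
    out: Dict[str, object] = {}

    # Phase 1: the estate runs on hmac-sha256.
    svc = CryptoService(CryptoPolicy(current="hmac-sha256"), keys)
    old = svc.protect(msg)
    out["old_artefact"] = old

    # Phase 2: the operator switches new artefacts to hmac-sha3-256 by
    # configuration; hmac-sha256 stays verify-only so in-flight artefacts remain valid.
    svc.policy = CryptoPolicy(current="hmac-sha3-256", accepted={"hmac-sha256"})
    new = svc.protect(msg)
    out["new_artefact"] = new
    out["old_during_transition"] = svc.verify(msg, old)
    out["new_during_transition"] = svc.verify(msg, new)
    out["tampered"] = svc.verify(msg + b"!", new)

    # Phase 3: the transition window closes; hmac-sha256 is retired and fails closed.
    svc.policy = CryptoPolicy(current="hmac-sha3-256", retired={"hmac-sha256"})
    out["old_after_retirement"] = svc.verify(msg, old)
    out["new_after_retirement"] = svc.verify(msg, new)
    return out


if __name__ == "__main__":
    for name, result in run_migration().items():
        print(f"{name}: {result}")
```

Two design choices carry the agility. First, the artefact is self-describing, so the verifier never has to guess which algorithm a caller used; that is what allows old and new to coexist without a flag day. Second, the policy object is the only thing that changes between phases, and it rejects impossible states (an unknown or simultaneously current-and-retired algorithm) up front, so an operator mistake surfaces as a configuration error rather than as silently unverifiable data.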
The Gap Between Vendor Marketing and Reality
Vendors frequently present crypto agility as a product feature — something that can be achieved by purchasing and deploying a particular platform. While modern certificate management and PKI platforms do provide important capabilities that support crypto agility, the platform alone is not the solution.
True crypto agility is an organisational capability, not a product. It requires changes to architecture, governance, operating processes and design standards that extend well beyond any single vendor’s product. An organisation that deploys a crypto-agile platform but leaves its application estate tightly coupled to specific algorithms, operates fragmented PKI services and manages certificates manually has not achieved crypto agility. It has purchased a tool that enables agility, but has not built the surrounding capability to realise it.
This distinction matters because it has direct implications for investment planning. Organisations that equate crypto agility with platform procurement will underestimate the scope of work required and risk discovering — as many did during cloud and big data transitions — that the technology investment was only a fraction of the total cost.
A Fundamental Shift in Design Philosophy
At its core, crypto agility requires a fundamental shift in how organisations think about cryptography within their technology estates. Rather than treating cryptography as a fixed, embedded component of each system, it needs to be treated as a managed, centralised service that can evolve independently of the applications and infrastructure that depend on it.
This is analogous to other architectural shifts that enterprises have navigated over the past decade. Just as organisations moved from monolithic application architectures to microservices, and from on-premises identity management to centralised identity platforms, the cryptographic layer needs to be extracted, centralised and governed as a distinct capability.
The benefit of this approach extends well beyond PQC. Organisations that achieve genuine crypto agility will be better positioned to respond to any future cryptographic challenge — whether that is a newly discovered vulnerability in an existing algorithm, a change in regulatory requirements or the emergence of an entirely new class of threat. The investment in agility pays dividends across multiple future scenarios, not just the quantum transition.
From Transformation to Business as Usual
If implemented well, the ongoing rollout of new cryptographic algorithms can eventually become as seamless as today’s security patching. But getting an organisation to that state is not a business-as-usual exercise. It requires deliberate transformation of PKI architecture, application design, certificate management processes and governance frameworks.
PKI underpins almost every digital interaction across an enterprise — often invisibly. Every application call to a network or cloud service, every device authentication, every encrypted data transfer and even the communication between components inside a corporate network relies on certificates. All of this activity will ultimately need to support quantum-resilient algorithms, and the ability to adopt future algorithm changes efficiently.
The scale of this underlying dependency is precisely why crypto agility cannot be treated as a technical project. It is an enterprise capability that must be planned, funded and governed at a strategic level, with clear ownership and sustained investment over multiple programme cycles.
Common Pitfalls to Avoid
Based on our experience working with organisations across government and enterprise, there are several common pitfalls that undermine crypto agility efforts.
The first is underestimating the scope of cryptographic dependency. Most organisations significantly underestimate the number of systems, applications and processes that depend on cryptographic services. Without a comprehensive understanding of where cryptography is used — built through a structured cryptographic inventory — efforts to centralise and modernise will inevitably miss critical dependencies. An inventory worth the name records, for each use, the algorithm and key size, where the key material lives, the owning team and how the algorithm is selected (hard-coded, inherited from a library default or set by configuration), because that last attribute is what determines the effort of changing it.
The second is treating crypto agility as a one-off project rather than an ongoing capability. Achieving the initial transformation is important, but maintaining agility requires sustained investment in tooling, skills and governance. Organisations that declare victory after the initial migration and reduce investment will gradually lose the agility they worked to build.
The third is failing to secure executive sponsorship. Crypto agility touches every part of the technology estate and requires changes to procurement standards, architecture governance and application design practices. Without visible, sustained support from senior leadership, these cross-cutting changes are difficult to drive and easy to deprioritise.
How Unsung Approaches Crypto Agility
Unsung helps organisations move beyond the buzzword and build genuine cryptographic agility. We work across PKI consolidation, certificate lifecycle management and architectural design to assess your current cryptographic landscape, identify where dependencies are tightly coupled and develop a practical roadmap towards a truly agile cryptographic architecture.
Our approach recognises that crypto agility is not achieved through a single platform purchase. It requires coordinated changes across architecture, governance and operations — and it must be sustained over time. We help organisations plan for this reality, ensuring that cryptographic flexibility is built into the foundations of their infrastructure rather than bolted on as an afterthought.
If your organisation is beginning to consider what crypto agility means in practice — beyond the vendor marketing — we would welcome the conversation. The decisions you make now about PKI architecture and cryptographic management will determine your ability to adapt for years to come.
Want to explore this topic further?
This blog is part of a series drawn from our strategic whitepaper, Post-Quantum Cryptography: A Strategic Whitepaper for the C-Suite. It provides vendor-neutral, business-focused guidance on navigating the quantum era — covering the threats already in play, lessons from previous hype cycles, and practical steps your organisation can take today. Download your copy here: https://2f4v3l.share-eu1.hsforms.com/20qJjHSynQkuJKhI_xq9Msg