PQC vs. QKD: What Matters Now and What Can Wait
As regulators publish guidance and timelines tighten, organizations can’t treat quantum readiness as a “future-us” problem. Will Collison details HSBC’s approach: begin the migration now, build crypto agility into the architecture, and manage both internal upgrades and external dependencies across vendors, partners, and customers. He clarifies where PQC (for everyone) and QKD (for select high-assurance links) fit, and why identity (public-key) mechanisms, not symmetric crypto like AES, are the primary risk from quantum computing. Will also reframes “legacy” systems as revenue-critical systems that demand careful, early planning, and he lays out a pragmatic cost model: if you wait, you lose the ability to go slow, forcing a fast (and expensive) scramble. The mandate is simple: start now, measure progress, and design for change so you can swap algorithms when needed.
What You’ll Learn
- How early action lowers cost and risk while keeping quality high.
- PQC vs. QKD vs. Quantum Computing: Clear roles, overlaps, and where to invest first.
- Why quantum threatens public-key identity mechanisms more than symmetric encryption.
- Crypto Agility as the Goal: Build systems that can swap algorithms when standards evolve.
- Prioritization Framework: Tackle internet-facing and revenue-critical services early, even if they’re “legacy.”
- Vendor & Partner Readiness: How to pressure-test your supply chain and avoid being the weak link.
- Executive Buy-In: Talk tracks that move the conversation from “someday” to a funded roadmap.
- Regulatory Reality: Don’t wait for “R-Day” (regulator day); show your posture now to customers and supervisors.
Will Collison is the Interim Global Head of Cryptography at HSBC, where he leads the bank’s global cryptography strategy across 60 markets. A CISSP-qualified consultant with two decades of experience, he specializes in public key infrastructure (PKI), cryptography standards, and the automation of trust. Over his seven-plus years at HSBC, Will has served as Technical Director of Cryptography, Global Head of Cryptography Standards and Enforcement, and PKI Specialist, building frameworks for machine and digital identity and driving large-scale remediation programs.
Prior to HSBC, he founded Secmundi Limited, advising international banks on cryptography strategy and operating models, and worked as a Trust Consultant at Barclays, guiding PKI implementations and automation of certificate issuance. Known for combining deep technical expertise with pragmatic execution, Will has long been a voice for crypto agility, helping organizations modernize securely while preparing for future shifts. Today, his focus is clear: ensuring enterprises can meet the challenges of post-quantum cryptography (PQC) and build a quantum-safe future.
Your Roadmap to Quantum Resilience
[06:20] Step 1: Build Awareness and Executive Buy-In
The first barrier isn’t technology, it’s leadership alignment. Will emphasizes that cryptographers alone cannot drive PQC migration; it requires CIOs, CEOs, and developer communities to take ownership. At HSBC, demonstrating early trials with quantum key distribution (QKD) helped leadership see quantum as real and urgent, not distant theory. By pairing opportunity narratives (business applications) with security risks (broken RSA), Will built credibility and won support across the C-suite. Without this awareness step, migrations stall, as PQC remains “just a cryptography issue” instead of a business priority.
Key Question: Do your executives see PQC as an organizational shift, or just another crypto upgrade?
[10:44] Step 2: Separate the Quantum Trio (PQC, QKD, Quantum Computing)
Confusion often slows action: leaders lump quantum computing, post-quantum cryptography (PQC), and QKD into one bucket. Will makes the distinction clear: PQC is mandatory for everyone, QKD is optional for select high-assurance links, and quantum computing is the attacker capability on the horizon. PQC replaces the public-key identity mechanisms that quantum computers can break; symmetric algorithms like AES remain largely safe. For organizations, this clarity avoids wasted investment and helps focus resources on the universal priority: PQC. QKD may add value in specific backbone use cases, but it’s not a substitute for PQC adoption.
Key Question: Does your roadmap clearly differentiate between PQC (a must-do) and QKD (a niche add-on)?
[15:15] Step 3: Prioritize Critical and Revenue-Generating Systems
Migration is not just about legacy; it’s about revenue-critical systems that are hardest to touch. Will highlights that the most important services (core banking, internet-facing platforms, high-value transaction systems) are also the most delicate. These cannot be treated as “old and optional”; they need careful, phased planning. Starting with these systems ensures resilience where risk and business impact are highest. At HSBC, prioritizing internet-facing services and those with zero downtime tolerance became the backbone of the PQC roadmap. Organizations should resist the temptation to defer these systems, as they represent both the highest stakes and the longest lead times.
Key Question: Have you identified which systems are both critical and hardest to migrate and started with them?
[18:10] Step 4: Engineer for Cryptographic Agility
Will posits that PQC migration isn’t a one-and-done fix. Because cryptography is open to attack and algorithms are deliberately stress-tested by academics, today’s standards may not be tomorrow’s. The real goal is crypto agility: building systems that can switch algorithms without costly rewrites. This means designing pluggable crypto frameworks, modular architecture, and future-ready PKI. Organizations that treat PQC as a single migration will find themselves repeating the pain in a few years; those that embed agility now will be able to adapt at the push of a button. Agility turns a crisis response into a strategic advantage.
Key Question: If the next PQC algorithm is broken tomorrow, could your systems swap it out without disruption?
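As an added illustration of the agility pattern described in Step 4 (example code written for this page, not HSBC’s framework and not code from the episode), the snippet below separates mechanism from policy: every protected message carries an explicit algorithm identifier, verification dispatches on that identifier, and retiring a broken algorithm or promoting a successor is a policy change that touches no caller. To stay standard-library only it uses HMAC constructions in place of the signature or KEM algorithms a real PQC migration would swap, but the dispatch, deprecation and inventory logic is the same. The algorithm identifiers, envelope layout and demo key are constructed for the example.

```python
import hmac
from collections import Counter

# Mechanism: registry of algorithm identifier -> hashlib digest name.
# Identifiers are constructed for this example; a real deployment would
# register signature/KEM implementations here instead of HMAC variants.
REGISTRY = {
    "HMAC-SHA1": "sha1",
    "HMAC-SHA256": "sha256",
    "HMAC-SHA3-256": "sha3_256",
}

# Policy, kept apart from the mechanism: what new messages use today and
# which algorithms are refused even if a peer still sends them.
POLICY = {"current": "HMAC-SHA256", "retired": set()}


class AlgorithmPolicyError(ValueError):
    """Raised when an envelope names an unknown or retired algorithm."""


def _tag(key: bytes, alg: str, payload: bytes) -> bytes:
    # Bind the algorithm identifier into the MAC input so a tag computed
    # under one algorithm cannot be relabelled as another (downgrade defence).
    return hmac.new(key, alg.encode() + b"\x00" + payload, REGISTRY[alg]).digest()


def _encode(key: bytes, payload: bytes, alg: str) -> bytes:
    # Envelope layout (constructed): alg-id | 0x00 | 1-byte tag length | tag | payload
    tag = _tag(key, alg, payload)
    return alg.encode() + b"\x00" + bytes([len(tag)]) + tag + payload


def protect(key: bytes, payload: bytes) -> bytes:
    """Protect a payload under whatever algorithm policy currently names."""
    alg = POLICY["current"]
    if alg not in REGISTRY or alg in POLICY["retired"]:
        raise AlgorithmPolicyError(f"current algorithm {alg} is not usable")
    return _encode(key, payload, alg)


def algorithm_of(envelope: bytes) -> str:
    """Read the algorithm identifier without verifying (used for inventories)."""
    alg, sep, _ = envelope.partition(b"\x00")
    if not sep:
        raise ValueError("malformed envelope")
    return alg.decode("ascii")


def verify(key: bytes, envelope: bytes) -> bytes:
    """Dispatch on the embedded identifier, enforce policy, return the payload."""
    alg = algorithm_of(envelope)
    if alg not in REGISTRY:
        raise AlgorithmPolicyError(f"unknown algorithm {alg}")
    if alg in POLICY["retired"]:
        raise AlgorithmPolicyError(f"{alg} is retired; message must be re-protected")
    rest = envelope[len(alg) + 1:]
    if not rest:
        raise ValueError("malformed envelope")
    n = rest[0]
    tag, payload = rest[1:1 + n], rest[1 + n:]
    if len(tag) != n or not hmac.compare_digest(tag, _tag(key, alg, payload)):
        raise ValueError("authentication failed")
    return payload


def retire(alg: str, successor: str) -> None:
    """Swap algorithms by editing policy only; protect()/verify() callers are untouched."""
    if successor not in REGISTRY:
        raise AlgorithmPolicyError(f"unknown successor {successor}")
    POLICY["retired"].add(alg)
    if POLICY["current"] == alg:
        POLICY["current"] = successor


def inventory(envelopes) -> Counter:
    """Count algorithms still in flight: the 'measure progress' metric."""
    return Counter(algorithm_of(e) for e in envelopes)


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed demo key, not a real secret
    old = _encode(key, b"legacy record", "HMAC-SHA1")  # written before retirement
    new = protect(key, b"current record")
    print("before retirement:", dict(inventory([old, new])))
    retire("HMAC-SHA1", "HMAC-SHA256")
    try:
        verify(key, old)
    except AlgorithmPolicyError as e:
        print("old message now rejected:", e)
    retire("HMAC-SHA256", "HMAC-SHA3-256")  # promote a successor with no caller changes
    print("new messages use:", algorithm_of(protect(key, b"re-protected")))
```

The point a practitioner should take from this is the shape, not the HMAC: callers never name an algorithm, the identifier travels with the data and is authenticated along with it, and the inventory function gives the migration programme a number to report. Retiring an algorithm then becomes a controlled change to a policy table plus a re-protection job for the records the inventory flags.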
[27:15] Step 5: Start Now to Control Cost and Compliance
Waiting only makes migration harder and more expensive. Will lays out the math: if you start today, you can go slow and control costs; if you wait for Q-Day or R-Day (when regulators mandate action), you lose the option of “slow” and are forced into expensive, rushed remediation. Early investment also lets you train in-house talent instead of competing in a skills-short market later. Regulators and peers are already moving, meaning inaction risks reputational damage as much as security exposure. The smartest play is to begin now, measure progress, and use the lead time to stay ahead of both attackers and regulators.
Key Question: Are you starting early enough to spread cost and build skills, or setting yourself up for a rushed, expensive scramble later?
Episode Resources
Want exclusive insights on quantum migration? Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.