Post-Quantum Cryptography (PQC) Crypto-Agility Selling to the CISO and Chief Cryptographer — 60-Min Training
Direct Answer
Post-Quantum Cryptography (PQC) Crypto-Agility Selling to the CISO and Chief Cryptographer is a 60-minute training for AEs, SEs, and channel managers running $150K–$1.8M ACV cycles against incumbents like DigiCert, Entrust, PQShield, Crypto4A, ISARA (Quantinuum), InfoSec Global, Cellcrypt, Fortanix, Sectigo, AppViewX CERT+, and Venafi (CyberArk).
The session teaches sellers to qualify against the three-buyer reality (CISO, Chief Cryptographer, Compliance Officer), run a structured discovery on harvest-now-decrypt-later (HNDL) risk economics, demo against the customer's actual cryptographic inventory, and trap-set the multi-year renewal at month 18.
Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.
Section 1 — Why Post-Quantum Cryptography Selling Is Different (5 min)
Open the room by killing the SaaS-seller default. PQC selling is regulator-driven and physics-driven. National Security Memorandum 10 (NSM-10) and OMB Memorandum M-23-02 require federal agencies to inventory cryptography by 2024 and migrate by 2035. NIST FIPS 203, 204, and 205 standardize the new algorithms (ML-KEM, ML-DSA, and SLH-DSA).
Set the frame on the whiteboard.
- Three buyers, one regulatory clock. CISO funds; Chief Cryptographer picks; Compliance Officer reports to the regulator. NSM-10 drives federal and federal-contractor demand.
- Harvest-now-decrypt-later is the active threat. Adversaries are harvesting encrypted data today to decrypt with future quantum computers. 20-year data sensitivity (defense, IP, healthcare) is at immediate HNDL risk.
- Crypto-agility is the architecture, not the algorithm. DigiCert and PQShield lead on crypto-agility platforms that allow swapping algorithms without app rewrites.
End the segment with Mark Roberge's rule: *"Sell the crypto-agility platform, not the algorithm selection."*
Section 2 — The 60-Minute Discovery Block (15 min)
- Opening (3 min): "Walk me through your cryptographic inventory project — algorithms in use, key sizes, certificate counts, code-signing posture."
- Cryptographic inventory baseline (10 min): "Have you completed an NSM-10-style inventory? Most enterprises discover 30%+ more cryptographic assets than they inventoried."
- HNDL exposure baseline (10 min): "What's your highest-sensitivity data — 20-year defense, healthcare, IP? That data is at active HNDL risk today."
- PQC algorithm coverage (10 min): "Which NIST PQC algorithms do you need supported — ML-KEM (CRYSTALS-Kyber, FIPS 203) for key encapsulation, ML-DSA (CRYSTALS-Dilithium, FIPS 204) for signatures, SLH-DSA (SPHINCS+, FIPS 205) for stateless hash-based signatures, FALCON for compact signatures?"
- Crypto-agility posture (8 min): "Can your application stack swap cryptographic algorithms without code changes? Crypto-agility middleware is the modern bar."
- Certificate management posture (7 min): "How many TLS certificates are under management? PQC migration touches every certificate."
- Renewal posture (5 min): "When is your current PKI or certificate management contract up? What contractual extraction friction would we navigate?"
Section 3 — The POC That Wins (15 min)
Failure modes to ban:
- Algorithm-demo POCs without crypto-agility.
- Single-app POCs.
- No HNDL-exposure assessment.
Wins to coach:
- Crypto-agility middleware deployed. Walk through DigiCert's and PQShield's published POC agendas; both deploy crypto-agility middleware that allows swapping algorithms without app rewrites.
- HNDL-exposure assessment delivered. Map customer data classifications to HNDL risk windows.
- NIST PQC algorithm interoperability tested. Run interoperability tests across CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and classical algorithms in hybrid mode.
End with Andy Paul's rule: *"Show the customer their HNDL exposure reduced, not your algorithm count expanded."*
Section 4 — Handling the Incumbent Trap (10 min)
The room will face DigiCert, Entrust, and Venafi in eight of ten enterprise deals. Coach the room on three counter-moves.
Counter-move 1 — The crypto-agility depth wedge. Ask the Chief Cryptographer: *"Does your incumbent's platform support runtime algorithm swap without app rewrites? PQShield and DigiCert lead crypto-agility."*
Counter-move 2 — The hybrid-mode wedge. Ask: *"Does your incumbent support hybrid-mode certificates — classical + PQC algorithm — for compatibility during migration? Sectigo and DigiCert publish hybrid-mode pilots."*
Counter-move 3 — The certificate-volume wedge. Ask the CISO: *"How many certificates does your incumbent manage today? PQC migration multiplies certificate operations 3–5x. Throughput matters."*
Show Force Management's command-of-the-message rule: *"Displace on crypto-agility depth, not on algorithm count."*
Section 5 — Pricing Conversation and Procurement (10 min)
Landmine 1 — Per-cert vs. per-platform pricing. Per-platform scales with migration; per-cert punishes scale.
Landmine 2 — Multi-year discount math. Three-year deals justify 12–18% discount; five-year deals justify 22–28%.
Landmine 3 — The procurement-only meeting. The rule is no procurement-only meetings: decline them.
Section 6 — The Trap-Set for Renewal at Month 18 (5 min)
Trap-set 1 — Cryptographic inventory completed within 90 days. The number is the renewal narrative.
Trap-set 2 — Crypto-agility middleware deployed within 9 months. Lock in the architectural commitment.
Trap-set 3 — Hybrid-mode certificate pilot live within 12 months. Below 50% hybrid-mode coverage of the pilot scope is renewal-risk red.
Trap-set 4 — Joint regulator-readiness dashboard in QBR. Build the NSM-10-style dashboard into the QBR. By month 18, the dashboard is the renewal narrative.
Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*
FAQ
Should we lead with inventory or with algorithm migration? Lead with inventory — most enterprises have not completed an NSM-10-style inventory. Without it, the migration timeline is unknowable.
How do we handle a customer mid-DigiCert or Entrust renewal? Run a complementary crypto-agility deployment in a non-overlapping area. Build proof for the displacement conversation at renewal.
What is the right POC size for a Tier-1 enterprise? 60–90 days, crypto-agility middleware in one production app, hybrid-mode certificates tested.
How do we price against DigiCert's market-leader positioning? DigiCert wins on certificate breadth; we win on crypto-agility depth and PQC interoperability. Position complementary at the entry tier.
Can we integrate with the customer's existing PKI, KMS, and HSM? Yes — every modern PQC platform integrates with Microsoft AD CS, AWS KMS, HashiCorp Vault, Thales Luna, and Entrust nShield. Demo the integration live in the POC.
Sources
- NIST — FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber), FIPS 204 (ML-DSA, formerly Dilithium), FIPS 205 (SLH-DSA, formerly SPHINCS+)
- White House — National Security Memorandum 10 (NSM-10)
- OMB — Memorandum M-23-02 on Migrating to Post-Quantum Cryptography
- CISA — Quantum-Readiness: Migration to Post-Quantum Cryptography (2026)
- Gartner — Market Guide for Post-Quantum Cryptography Solutions (2026)
- DigiCert — State of Post-Quantum Readiness (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine