Wooden blocks spelling roadmap

Once a cryptographic inventory exists, the next question is rarely “what do we migrate” — it’s “what do we migrate first.” Get that wrong, and effort gets spent on low-value systems while the highest-risk exposure sits untouched for another year.

Two Variables, Not One

Prioritisation should weigh two things independently: business impact if the cryptography is compromised, and effort or disruption risk to change it. Plotting candidate systems against both — rather than ranking on impact alone — surfaces the systems that deliver the most security value for the least operational risk, which is exactly where a migration programme should start.

Start in the High-Impact, Low-Effort Quadrant

In practice, this quadrant is usually populated by externally facing TLS/mTLS endpoints and code or firmware signing workflows — meaningful security value, and changes that can be piloted on a contained channel with a rollback path, rather than touching a monolithic legacy system with unclear dependencies.

Weight by Data Longevity, Not Just System Criticality

A system can be operationally minor but hold data with a very long confidentiality requirement — an archival store, a long-term records system. Data longevity deserves its own weighting in the prioritisation model, separate from how “important” a system feels day-to-day.

Don’t Let the Hardest Systems Set the Pace

Legacy systems with limited cryptographic configurability, embedded devices, and third-party black-box components are often the hardest to migrate — and the temptation is to let planning stall while a solution is found for them. A better approach: sequence them deliberately later, with a documented interim mitigation, rather than letting the hardest 10% of the estate block progress on the other 90%.

Revisit the Priority List Continuously

Prioritisation done once, at the start of a programme, goes stale as fast as any other inventory. New systems get built, old ones get decommissioned, and business criticality shifts. Treating prioritisation as a living output of continuous exposure assessment — not a one-time planning exercise — keeps the migration roadmap honest as the environment changes underneath it.

Scroll to Top