CyberWire Daily - Quantum [CISOP]
Episode Date: December 16, 2025
In this episode, host Kim Jones tackles a topic that is rapidly moving from theoretical to operational reality: quantum computing. While classical computing will remain the backbone of our systems for years to come, quantum technologies are advancing fast enough that CISOs must begin preparing today. Kim explores what quantum computing really means, why it matters for cybersecurity, and how leaders should begin planning for its inevitable impact. To help demystify the subject, Kim is joined by longtime colleague and cybersecurity practitioner Michael Sottile, now the CSO of a quantum computing firm, who brings decades of hands-on experience across industries and a front-row seat to quantum's evolution. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design, and scalable connectivity without the frustration, friction, complexity, and cost of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack, secure wired, wireless, and cellular in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's M-E-T-E-R-com slash C-I-S-O-P.
Quantum Computing isn't replacing classical computing anytime soon,
with soon being defined as within the next one to three years.
That said, given that most strategic planning cycles are three to five years long,
it seems foolhardy not to consider quantum computing and its impacts.
While everyone argues about timelines, there's one thing that's already certain.
When quantum does scale, it will break a lot of what we depend on to keep our organization secure.
The problems with quantum aren't going to automatically appear out of the blue.
Rather, the countdown for these concerns has already started.
Think about how long your sensitive data needs to remain confidential.
Five years?
10? 20?
If your data has a long shelf life, it may already be at risk.
Data can be stolen today, stored cheaply, and decrypted later once quantum capabilities are strong enough, what is commonly known as a Harvest Now, Decrypt Later strategy.
Many nation states and some larger enterprises are already behaving like this is inevitable.
So what should the CSO do now to try and get ahead of this seemingly existential threat?
Here are some thoughts.
Start identifying your quantum vulnerable assets.
Which systems use pre-quantum encryption algorithms?
Where are your encryption keys stored?
Who owns the system dependencies to include third-party dependencies?
Focus on cryptoagility.
Ensure your infrastructure can swap out cryptographic algorithms without major disruption, and consider beginning the migration to post-quantum cryptographic algorithms.
Further, if you've hard-baked today's encryption into your systems, you may have set yourself up for a painful future.
Keep abreast of emerging standards. NIST has already selected several post-quantum algorithms.
Every vendor you rely on should have a migration roadmap, and if they don't, you should be asking why.
Build awareness.
Boards don't need to be told the physics.
They do, however, need to understand that there's strategic risk and a transition timeline.
Quantum computing isn't happening tomorrow, but assuming it's decades away will result in your infrastructure becoming needlessly vulnerable.
CISOs are not just operators.
They are strategic business leaders.
It's time for us to start thinking about quantum and moving our enterprises toward being able to better mitigate risks associated with this technology.
My two cents.
Welcome back to CISO Perspectives.
I'm Kim Jones, and I'm thrilled
that you're here for this season's journey.
Throughout this season,
we will be exploring
some of the most pressing problems
facing our industry today
and discussing with experts
how we can better address them.
Today, we are diving into a technology
that is poised to greatly impact security efforts,
quantum computing.
Michael Sottile is an amazing cyber practitioner
whom I have had the privilege of watching grow up within the profession.
As CISO of Quantilium and a good friend,
I could think of no one better to help me demystify quantum computing for this audience.
I sat down with Michael to help separate truth from fiction around quantum computing
and help CISOs figure out what they should be focused on now
in order to prepare for this next major technological innovation.
A quick note that the opinions expressed by Michael in this segment are personal
and should not be interpreted as representing the opinions of Quantilium
or any organization that Michael has worked for in the past.
First things first, Michael, it is great to see you.
Thanks. Likewise, it's been at least probably, what, 8, 10 years since we last worked together, yeah.
It's been, yeah, we're just shy of 10, 2016.
It has been way too long.
You've come up in the world, which is always a great thing to see.
So do me a favor.
I mean, you and I obviously know one another.
My audience doesn't. Tell my audience about Michael Sottile.
Sure.
All right.
So I am Michael Sottile.
I'm currently a CSO for a quantum computing company.
I've been involved in cyber defense, data security, information security,
using all the terms that you used to use back to describe it going back a couple of decades since the late 90s.
I love security, very passionate about it.
I spent my entire career working for various organizations, fintech, software development,
healthcare, a little bit of defense in most of the roles that report to a traditional CSO
up until about a year ago when I began working as a CSO myself.
When you became a traditional CSO, that's fantastic.
I see so, yes, at a very non-traditional company.
Fantastic.
So given your company is in the quantum computing space, I thought you would be the ideal person to talk to us.
I mean, quantum computing is still being mentioned on the edges of conversations within cybersecurity.
And for me, that's concerning, because I remember when AI and Cloud were being mentioned on the edges, and then all of a sudden it's here.
And I think that there's an opportunity here on this podcast for us to bring the conversation in from the edges
and begin to get a deeper understanding as well as your expertise in terms of figuring out,
what should I really be worried about, what should I really be concerned about,
what should I be doing to prepare?
So using a phrase that I know you are very familiar with, though it's been a while,
explain it to me like I'm a six-year-old.
What is quantum computing?
Okay, so generally speaking, quantum computing is a shift in paradigm in how a computer can operate.
So today we've got classical computers.
Every computer we use is we consider a classical computer.
It's got a register.
It's got binary, you know, settings that you can control electronically.
It's either zero or a one.
And that can be a very low-powered computer that you wear as a calculator watch, for anybody still using the old Casio calculator watches, all the way up to a mainframe, to even the supercomputers, right, that are built with millions and millions of dollars of processors from Nvidia, right?
These are all riffs on basically the same concept, just doing it at scale and with faster, better hardware.
Right? So this is what we've had now in computing for, oh my gosh, going back what, close to 100 years, 70, 70 years now? Yeah.
So there's a, I don't want to say newer concept, but it's getting a lot more buzz lately; a lot more technological advancements have really come out the past few decades, especially the past few years, with quantum computing, right?
So quantum computing, rather than looking at a register with a bunch of zeros and ones, you have, and depending on who's making or developing the quantum computer, you've got some ions, some photons, some atomic particles, that could either be a zero, a one, or something in between.
And that allows a quantum computer to do different things.
It allows the quantum computer to do things a little bit differently than a classical computer, but even more so, depending on the problem it's looking to solve, it can be exponentially quicker.
I don't think that you'll find
too much out there today
stating that a quantum computer
will replace classical computers.
I haven't seen any from the, you
I've worked with quantum computers for the past year or so.
I don't see them replacing them.
I see them augmenting them.
Heck, even quantum computers, pretty much everybody's today,
still requires classical computers to operate and run
and kind of service that liaison between the human and the quantum computer.
So it's not that we're evolving from just classical to just quantum.
It's we're evolving from classical to a hybrid approach
where we're going to have classical computers,
and they will have another tool at their disposal,
and that tool is a quantum computer.
Let me interject here for a second.
Go take us a step back.
You said we use some sort of subatomic particle that can enter the traditional one or zero state, but also something in between.
Is that, and I am by no means an expert, but I do try and do little research.
Is that what is referred to by this thing I keep hearing about a qubit?
Or is that something different?
No, you are correct.
So in classical computers you have a bit, which is short for binary digit, and it's a zero or one.
With quantum computers, you have a qubit, and it's a zero, one, or something in between, and that's achieved through things, science, that I can't quite understand, much less explain, but you're talking about superposition and some really crazy, out-there physics ideas.
And in all honesty, when I first started learning more about quantum, so before I took the role I'm in now, I did several months of research on it, and I consider myself a highly technical person, relatively smart, and I read a lot, and it was very frustrating because you're trying to apply long-held principles that you understand about classical physics and trying to apply it to, like, okay, how does this translate to a classical computer once we're moving to the quantum world?
And it's really, it's really frustrating.
It doesn't do it nicely, at least for lay people, which I consider myself, just to be clear.
I think it's helpful for people to look at quantum computers as a device that can do some very, very specialized things that we never thought imaginable with classical computers.
Regardless of how it works, if it helps you in your brain to think of it as a super classical computer on steroids, I think that's fine too.
I don't think it's really worth getting too mired up in the details on exactly how they work.
Plus, there are dozens, if not more, quantum computer companies, and they all kind of do these things differently, right? There are several different ways of utilizing these principles to achieve a quantum computer, so it's, and they're all, many of them are very, very, very different from one another.
Okay, so why should I care? As a senior cyber professional, should I care?
Yeah, you should, right? So it's funny you mentioned earlier when you were introducing the topic that cloud and AI, they were on the edges and out of nowhere they were here.
It's easy to forget about cloud because it's been so long ago,
but AI was very, very recently.
And I like reading the tech articles and I was reading about it.
And then all of a sudden it's like, holy crap, it's here, right?
I mean, out of nowhere, right?
You're reading about it for a decade and then, bam, it's here within a few months, it seems.
Like it just, it was, for me, it still is kind of mind-blowing how quickly that happened, but it shouldn't be that surprising with what we saw on cloud.
And I'd like to think that quantum won't be as surprising as AI, but it might be.
You never really know. We need to care about quantum computing from a security perspective.
It'll enable us to do great things, right? I feel like most technologies that come out, they're a bit of a double-edged sword. They let you do amazing things, and they let everybody do amazing things.
Let's double click on that. And that's heading in the direction I wanted to poke at.
It will enable us to do amazing things.
And again, all technology is a double-edged sword.
What kind of things should I be looking at as a CISO to say,
whenever quantum gets here, this will be easier, this will be harder,
or whenever quantum gets here, this is going to break and this is going to be a problem?
What are those type of things I should be thinking about now?
Sure.
Well, first, the positive things, right?
There is so much for humanity that quantum can do for security and non-security, right?
Outside of the security world, I mean, there aren't many sectors out there that won't be able to potentially benefit massively from pharmaceutical development and research and development, cancer treatments, energy.
Really, it's almost limitless, right, how this could potentially help us one day.
Well, the security side, ways it can help us is you could theoretically, and we're talking like 10 plus years from now, most likely.
And we can talk about the timeline in a bit, but one day, quantum computers could theoretically significantly help with fraud detection.
So if you're working for a card processor, you're looking, for example, for fraudulent activity in a payments ecosystem, you would be able to ideally use technology that's bolstered by quantum computing to make that easier.
Compliance could become easier with quantum computing,
achieving additional resilience just in your own enterprise.
Quantum computing can help in many ways.
That said, quantum computing also presents some challenges and opportunities
from a security perspective, particularly as it comes to encryption.
We've lived in this space now for 30, 40 years where we've had some great encryption algorithms, and they stick around for a few years, and then somebody finds a way to get around it or theoretically bypass it or make it not as effective, so some tweaks are made, and then everybody has to scramble, change their infrastructure, change their client-server configurations, add things to them, and evolve with that.
And once we get to the point where quantum computers are able to break much of what we consider to be classical computing encryption technologies, we need to be prepared for how we handle that.
And now is the time to start planning for that.
It's not the time to start freaking out.
By all estimates, we have at least five to ten years, depending on who you talk to, if not 10 to 20 years, before these computers are powerful enough to really pose a significant, imminent threat.
So let's parse that a little bit.
So reflecting back a little bit in terms of quantum computers being able to break encryption algorithms,
I'm assuming, and please correct me if I am wrong, I'm assuming it's because of the speed of
the computational power that they can bring to play.
With dealing with more than one state or a binary state, I can then potentially run
massive amounts of calculations to attempt to break the encryption algorithm a lot quicker than I could with the fastest supercomputer here, which means a lot of our strongest algorithms may end up breaking quicker.
Am I interpreting that correctly?
You're not too far off, right? So it's not so much just the speed. It's not that a quantum
computer would be able to brute force a password, for example, although in theory that is not,
that's not out of the question. There are certain algorithms out there, and we'll talk about Shor's algorithm and Grover's algorithm in a bit, that cannot be run on a classical computer.
It's not that they're not fast enough.
It's just the algorithms themselves are designed to be run in a state where you've got qubits that are able to represent information in the zero or one or something in between.
And you don't really get that in a classical computer.
So it's not really necessarily that it's doing what a supercomputer can do even faster.
I'm sorry, a classical computer can do even faster.
It's just doing it differently.
And also, by the way, massively faster.
Okay.
So given that, the probability of a standard encryption algorithm standing up to analysis, for lack of a better term, using a quantum computer, it won't, or won't stand up as long as it would if I were running it through a classic computer.
Correct, yeah.
So there are, so it's been known now since, since I think the mid-80s, there's been an algorithm that was designed in, might have been mid-80s, might have been 90s, a very long time ago, called Shor's algorithm, which requires a quantum computer, but Shor's algorithm allows you to do some very interesting fancy math, including factoring large numbers into two primes, right?
So when you look at current crypto schemes, not all, but many of them, you're looking at RSA, I think Diffie-Hellman, elliptic curve cryptography, a handful of others.
They rely on some very complex math problems that classical computers, even the supercomputers, just have a really hard time solving.
Shor's algorithm was developed several decades ago as a way to prove that a quantum computer one day can break these cryptosuites.
And one day, it turns out, most likely is in the next 5, 10, 15 years or so.
Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch?
What if you could build the hardware, firmware, and software with a vision of frictionless integration, resilience, and scalability?
What if you could turn complexity into simplicity?
Forget about constant patching, streamline the number of vendors you use,
reduce those ever-expanding costs, and instead spend your time focusing on helping your business and customers thrive.
Meet Meter, the company building full-stack zero-trust networks from the ground up, with security at the core, at the edge, and everywhere in between.
Meter designs, deploys, and manages everything an enterprise needs for fast, reliable, and secure connectivity.
They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure.
From wired, wireless, and cellular to routing, switching, firewalls, DNS security, and VPN, every layer is integrated, segmented, and continuously protected through a single unified platform.
And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles.
Meter even buys back your old infrastructure to make switching that much easier.
Go to meter.com slash CISOP today to learn more about the future of secure networking and book your demo.
That's M-E-T-E-R dot com slash C-I-S-O-P.
So when do I as a CISO actually start?
And we both grew up in financial services.
So let's use an example that's near and dear to both of us without naming companies.
When do I start, as I do strategic planning for a three-year window, start tapping the chief operating officer, the chief information officer, and the businesses to say, you know, all this stuff we're using to secure our environments right now, we need to start migrating.
And oh, by the way, not only do I need to start migrating, I need to start migrating to things that will theoretically stand up to potential future problems that aren't necessarily baked into the regulatory frameworks that I have to deal with, à la PCI DSS, etc.
Yep. So when is that inflection point that I should begin to have those type of conversations
if you're telling me
I need to worry about this now.
So let me break it out into
I think maybe simpler steps to look at.
Please.
Okay, so when this thing happens, this nebulous thing where Shor's algorithm has been implemented and you can no longer use RSA or ECC or Diffie-Hellman, the tools to get us past that already exist.
It is conceptually super easy.
You update the config on a server, you update the config on a workstation, everything works beautifully.
It fails to take into account things like IoT, things that don't have...
Yeah, I was about to say, I know I have my BS flag over in the closet there, and I know you still have yours handy.
Right here.
There it is.
Right here, right in the BS flag.
That's why I said, conceptually, it's very easy.
I'm thinking back, I'm going to go back in my time machine about 10 years. Might have been 11 or so.
I was working in FinTech, and SSLv3 was deprecated, and we knew it was going to be deprecated, it was long coming, and then POODLE came out, the padding oracle on the, man, the POODLE thing, right?
And so all of a sudden everybody had to adjust quickly and upgrade, change configurations, all that.
Servers and workstations, super easy, wasn't really a problem there.
The problem was when you had IoT, Internet of Things connected devices.
In FinTech specifically, we had card terminals.
Some card terminals can be updated remotely, some can't, some are really old.
And we ended up finding, in one FinTech environment, there were tens of thousands of old terminals that could not be upgraded, that were no longer able to accept SSLv3 connections, and they were kind of left behind.
How do you handle those, right?
So what we thought initially was going to be super easy, oh, you just make some little config changes on an F5 somewhere.
No, no, no, no, no, no.
You need to look at what's connecting to you.
So you need to look at the whole ecosystem, right?
Not just your own organization, but how companies and individuals interact with you as well as how you interact with others.
So I say that to remind us, we've done this before.
We've had massive crypto changes you've had to make before, when we deprecated SSLv3, moved to TLS 1.0.
And then, four or five years after that, TLS 1.0 and 1.1 were deprecated with BEAST.
Yeah.
We have changes that happen every few years.
But these are examples where heads up, this is going away.
And for lack of a better term, your keister's going to be in a sling.
If you're not, you know, if you don't do this because, you know, heads up, it's gone.
You and I were in situations where we knew this was coming.
We knew this was coming.
We knew this was coming.
And, oh, by the way, nobody did anything until they were 90 days out.
And in both cases, and you and I would probably say, in some cases, 90 days was generous by the time we actually got the attention.
But we'll be nice.
One of those nerds that you're already talking about.
Why is it a big deal?
Exactly.
So, you know, it's a similar thing.
So the counter argument to what you're saying is, yes, we've done this before, and the sky didn't fall, you know, nations didn't fall, dictatorships didn't rise based upon us waiting till 90 days out until we had to.
I don't like waiting to 90 days out because I like to be proactive.
But we're now sitting here talking about, are we in a situation where I should be telling CISOs, know that it's coming, familiarize yourself with the tool sets that are out there and understand that when this hits, is it going to be, hey, we're heads up.
This is going to be a requirement.
Be ready.
Or, oh, by the way, somebody just got popped badly and quickly, and we have to scramble. But should I be having those conversations or thought processes literally 10 years out?
I think so, and I also want to just look back at that time frame, right? I referenced SSLv3, TLS 1.1, and those were, you know, almost 10 years ago, almost five years ago.
If we're going to try to find a pattern in there, it stands to reason every four or five years something big happens in crypto.
I personally don't think, from what I'm reading, what you see out there, that quantum computers are going to present an imminent threat in the next four or five years, right?
We agreed earlier in the conversation, let's call it 10.
So before this becomes an issue for us, chances are we're going to have another encryption issue where we have to, we have to scramble, we have to replace TLS 1.3 with 1.4.
I'm making that up, right?
But there will be some other big thing that happens.
And I feel like the lessons we've learned at all of them, frustratingly, and maybe it indicates
we haven't learned the lesson, but you need to know, you need to inventory all your services,
how they're interacting with others,
how others interact with your services,
so that when the next bad thing,
be that TLS 1.3 being deprecated,
be it post-quantum cryptography
being implemented and mandated,
so that you'll prepare for those things.
So not just the stuff,
but the interactions that happen between that stuff,
so that we understand what can,
because things fail at the interface.
So we can understand what things may be
impacted and begin to plan for it.
So that makes sense to me.
Let's assume using the time frame that you use, because, yeah, it is about every five years
we have a massive crypto upheaval.
When the next crypto upheaval happens, and by your timeline, we're probably a year
and a half out, would it make sense for us to migrate or begin to migrate to quantum
safe algorithms within the environment?
Absolutely.
In many cases, we already are.
I think one of the...
Example.
Example.
So, one of the world's largest WAFs, so Cloudflare, they've supported post-quantum cryptography solutions now for, I think, since October, November of last year, if not longer.
So any website that sits behind that particular WAF, they are protected with it.
Now, during the TLS handshake, right, the server and the client are going to negotiate,
which set of algorithms and key strengths do we want to use.
So the client also has to be configured to utilize one of these post-quantum algorithms as well.
However, Edge, all Chromium-based browsers, Firefox, which isn't really, right,
but Firefox, Chromium-based browsers, and all the big browsers already, they support it, right?
So these are already solutions that are supported today, right?
So if you've got a, if you're running a browser,
or relatively recently updated in browser,
it should have support for post-quantum encryption algorithms.
And if you're communicating with a website that sits behind a WAF
or is configured with its own SSL configs
to utilize one of these algorithms as well,
there's a good chance that those during the TLS handshake,
they will agree on, they'll negotiate and agree on a post-quantum encryption
to be used, depending on...
And that also tells me that it doesn't have to be potentially
an all-or-nothing swap,
that if I am cunning with my magic,
and again, another phrase you heard before,
if I'm cunning with my magic,
I can configure the systems or the edge devices
such that they are capable of going that high,
but don't have to go that high necessarily.
Absolutely.
So that it doesn't have to be a,
okay, we're going to flip the switch today
and bring this down and then this comes up,
versus we can then do something like plan on transition
within the environment
so that we can support customers
that are already there or they are quicker,
but we can also deal with customers
that aren't quite there yet.
Absolutely.
Yeah, absolutely.
Yeah, absolutely.
Oh, good.
Thinking back to how FinTech dealt with card terminals,
it wasn't so much, you know,
the bad thing that happened,
it wasn't so much that new technology was enabled.
It's not that all of a sudden we had to support TLS 1.2; it was SSLv3 is going away.
So we didn't have a hard time implementing something new.
We had a hard time deprecating the old.
And that old was so old, it was kind of forgotten.
And you just kind of lose track of the fact that it's out there.
Right.
We lost track in this particular org of the fact that there are card terminals that are basically, it's knucklebuster v1.1.
Right?
I mean, it was like one of the oldest things out there.
And we had thousands of them that were connecting to us.
And they were just kind of left behind.
So my concern is, and I think what we need really preparing for five, 10 plus years from now, is keeping track of everything so that what is still kind of fresh in our mind today doesn't become totally forgotten tomorrow, if that makes sense.
Makes sense.
Now, we've talked about good things.
We've talked about what we should be doing.
We haven't really talked about a lot of the bad things other than potentially encryption breaking within the environment.
What are the bad things should I be worried about?
Well, so I think one of the things people gloss over is most security organizations, especially if you're air quotes here, so advanced you're talking about the quantum threat is defense in depth, right?
So in order for this to really be a bad thing for you, the attacker needs to get to your encrypted data in the first place, right?
And ideally, it's not just as simple as going online and downloading an encrypted blob of data from you, right?
So if you're augmenting your security program with things like vendor due diligence checks, right,
you're making sure ISPs and upstream providers have controls in place to protect your traffic.
If you've got controls in your own enterprise, your own environment to make sure that you're keeping,
you know, the bad actors out, the good people in, the data protected, that's a huge thing you can do
to help yourself as well.
Okay.
And again, I'm going to pivot this back to potential bad things as well, and I'll use the AI analogy for that.
There's been a lot of talk, and there will be more talk on this podcast this season regarding the good, the bad, the right, the wrong, and different of AI as we go forward.
One of the things that I talk about where I talk about AI is, with rare exception, with very rare exception, what I'm looking at is I'm looking at increasing volume, accuracy and speed of the same type of attacks I've been fighting for over 30 years.
There are not a lot of new attack vectors that have resulted from AI.
So the question I would ask you is putting on your crystal ball, all of our caveats in place,
are there any new attack vectors I should be anticipating from quantum?
None that come to mind.
One of the bigger concerns, I think, that's out there with quantum, and rightfully so, is the concept of Harvest Now, Decrypt Later.
So you've got adversaries, especially nation-state adversaries, who've got footholds with ISPs and are able to, are able to intercept encrypted comms.
Today we get a little bit complacent and say, yeah, yeah, they got it, but it was encrypted.
Yeah, right?
Are we seeing an uptick in that, though?
I know what you're talking about.
We're seeing an uptick in that.
We hear about it.
I'd like to think my own government's doing that; otherwise, where are my tax dollars going?
So if we assume our own government's doing it,
you've got to assume others are as well.
However, getting that data isn't the easiest,
and it's also a lot of data, right?
However, there's a lot of storage out there.
So I would be concerned about Harvest Now, Decrypt Later attacks.
And a lot of it also depends on how long you want your secrets to remain secret for.
So if you're talking about a credit card number or a password to a bank account that you can change
with really little repercussions, you know, within five minutes,
those secrets don't need to last as long.
When you're talking about nation-state secrets, who killed JFK, things like that,
you want those secrets to last a very long time.
So you don't want to rest on the fact that, hey, it's encrypted,
nobody can ever crack it because those days are numbered.
What's the one thing we did not mention, talk about, or bring up that you would want my audience to know or hear from you?
You know, aside from being a CISO, I've also in the past four years or so, I've consulted a lot.
And I've talked with dozens of organizations.
And we talk about advanced security measures and security programs and security strategy and some really, really technical concepts.
And it's exciting. It really is.
I see companies doing a worse job today than they did five or ten years ago on maintaining an inventory.
It's not just list your laptops and servers.
It's, you know, where is all your data?
Where are all your services?
Who are you connecting to?
Who's connecting to you?
What connections do you have to the Internet?
What connections are coming into you from the Internet?
So on and so forth.
All those, right?
And the tracking mechanisms, the inventorying tools, I don't think, have really kept up with the evolution of the size and complexity of enterprises today.
And I say all that because it's really frustrating. And when you read about breaches, a lot of these are occurring on those fringe cases that aren't really necessarily being tracked in an inventory somewhere, but they should be. You should be aware of all these things.
And all that to say, your crypto ecosystem, your encryption ecosystem, is certainly one of those things that you need to have a better understanding of, so you know what is where and who's interacting with it.
And that's not, it's not sexy. It's not super fun. At the end of the day, it's a list, ideally in a purpose-built tool or service for it, but there's really no way around the fact that if you don't know what your company is connecting to, what your organization's connecting to, what's connecting to you, or so on and so forth, you're, it's going to sting you eventually.
Michael, it's been great not just to learn about this topic from you, but just to catch up, man, and see how fantastic you're doing.
So thank you for making the time, man.
Let's not make it 10 years next time.
Thanks.
I appreciate it.
Next time I'm in Phoenix, I'll give you a call.
And that's a wrap for today's episode.
Thanks so much for tuning in and for your support as N2K Pro subscribers.
Your continued support enables us to keep making shows like this one,
and we couldn't do it without you.
If you enjoyed today's conversation and are interested in learning more,
please visit the CISO Perspectives page to read our accompanying blog post,
which provides you with additional resources and analysis
on today's topic.
There's a link in the show notes.
This episode was edited by Ethan Cook,
with content strategy provided by Myon Plout,
produced by Liz Stokes,
executive produced by Jennifer Ibin,
and mixing sound design and original music by Elliot Peltzman.
I'm Kim Jones.
See you next episode.
Securing and managing enterprise networks shouldn't mean juggling vendors,
patching hardware, or managing endless complexity.
Meter builds full-stack zero-trust networks from the ground up,
secure by design, and automatically kept up to date.
Every layer, from wired and wireless to firewalls, DNS security, and VPN is integrated, segmented, and continuously protected through one unified platform.
With Meter, security is built in, not bolted on.
Learn more and book your demo at meter.com slash CISOP.
That's METER.com slash CISOP.
And we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.
