The Entropy Podcast

Reframing Quantum Risk at the Board Level – Debbie Taylor Moore

Francis Gorman Season 2 Episode 13

In this episode, Debbie Taylor Moore breaks through the noise around quantum security and reframes it for what it really is: a business risk, not a technical curiosity.

Drawing on decades of experience across cybersecurity, AI, and national security, she explains why most organisations are approaching quantum readiness the wrong way by overcomplicating the problem, overhyping the threat, and underestimating the organisational challenge.

Instead of fear-driven messaging, Debbie advocates for clarity, prioritisation, and leadership accountability. From boardroom conversations to enterprise-wide execution, she lays out what actually matters: understanding your systems, focusing on real risk, and treating quantum as a multi-year modernization effort.

The conversation also expands beyond quantum, exploring how AI, geopolitics, and evolving cyber threats are reshaping enterprise security and why traditional approaches are no longer sufficient.

This is not a conversation about the future. It’s about what leaders should already be doing now. 

Key Takeaways

  • Quantum is a risk management issue, not a technical deep dive
    Boards don’t need to understand quantum mechanics; they need to understand business impact.
  • Stop treating it like a fire drill
    This is a long-term modernization effort, not a last-minute emergency.
  • Prioritisation beats perfection
    Focus on your most critical systems first, not a massive, overwhelming inventory.
  • It’s a cross-functional problem
    Security, DevOps, legal, procurement, and leadership all play a role.
  • Fear-based messaging is counterproductive
    Clear, actionable risk framing is far more effective than hype.
  • Discovery alone is not progress
    Many organisations are stuck mapping the problem instead of solving it.
  • The real gap is organisational, not technological
    Talent, alignment, and execution are the hardest parts.

Soundbytes:

  •  “Quantum readiness isn’t just-in-time. It’s just-be-ready.” 
  •  “Boards don’t need to be quantum experts — they need to understand risk.” 
  •  “This isn’t an IT problem. It’s enterprise risk management.” 
  •  “Don’t scare people. Give them the next actionable step.” 
  •  “Most organisations have fewer than five people who truly understand this space.” 
  •  “Discovery without action just creates a bigger problem.” 
  •  “If you treat this like a fire drill, you’ve already misunderstood it.” 
  •  “The cost of doing nothing is time — and time is the one thing you don’t get back.”

Francis Gorman (00:02.798)
Hi everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today I'm joined by Debbie Taylor Moore, the founder and CEO of Quantum Crunch, a global advisory firm focused on quantum security, risk management and readiness for enterprises, governments and critical infrastructure.

With more than 25 years of experience at the intersection of cybersecurity, AI, quantum and robotics, Debbie has held senior leadership roles, including VP and senior partner at IBM Consulting, Verizon and SecureInfo, leading security programs across 26 countries. She currently serves as vice chair of the Cyber AB board, supporting the U.S. Department of Defense, alongside other prominent advisory roles. Debbie is a serial innovator and founder of two global security accelerators.

She has also testified before the US Congress on emerging technology and is widely recognized as a leading voice in cybersecurity and technology leadership. Debbie, it's my absolute pleasure to have you here with me today.

Debbie Taylor Moore (01:11.155)
Francis, it's a pleasure to be here and thank you for having me.

Francis Gorman (01:15.296)
It's my pleasure. The pleasure is all mine, Debbie, on this occasion, I have to say. Debbie, you've had an amazing career and you've seen so much of the technology landscape through different eyes and different roles as you've progressed through that career. What drives you? Where do you get your drive from? You seem to have a phenomenal ability to stay at the cutting edge.

Debbie Taylor Moore (01:40.758)
Well, I think that just having a real curiosity about the world and a desire for lifelong learning is really important, especially in today's landscape. To keep up is incredible. You have to be a lifetime learner. And you have to be willing to share as well, because I think everything that's old becomes new again. I've seen many cycles in cybersecurity where we are

going through sort of like the hype of a situation to some solutions, to investor enthusiasm, to like, you know, a place of nowhere in many instances. In cybersecurity, we don't always feel like we're ahead of the threat. We feel like we're just behind the adversary. And I think that with the space that we're talking about today, the post-quantum cryptographic migration space, that there's an opportunity to be slightly ahead.

if we don't just allow ourselves to be happy with being behind.

Francis Gorman (02:45.101)
And I think that's really key.

One of the things I do definitely want to talk to today is post quantum and post quantum readiness. I have a lot of people asking me about how do I talk to my board? And I don't think there's anyone better placed to probably answer that question than yourself, Debbie. So if if I want to sell post quantum readiness and get my board to understand the risk in real terms, what do I what do I need to do?

Debbie Taylor Moore (03:16.819)
Well, Francis, I think one of the things that we have to consider around boards is what they actually are responsible for and where they actually dwell. And that is really around ensuring that they are protecting the company, that they have duty of care and duty of loyalty around that, but also the shareholders. And so you'll see that there is a lot of emphasis on staying off of the front page of

newspapers from a reputation standpoint, a lot of interest in not having liability in certain areas, particularly areas of cybersecurity. There is a lot of interest in continuing the status quo in terms of their own collegial way that they work together. They've been in the trenches solving all kinds of problems and they tend to know each other and they tend to arrive at groupthink quite a bit. When you're walking in,

to speak to a board. Brevity is your friend, for starters. You wanna be brief, but also you wanna recognize that if you are talking about anything that is like a new threat or a new area of consideration, you have to consider that boards, like most people, will be going through the five stages of grief, particularly with this quantum piece. I mean, at first it's sort of, you know, denial, shock. There's a lot of...

wondering whether or not this should be prioritized because they've already been pretty much challenged with AI and with other issues. Trade and tariffs have been a big one for a lot of boards, managing a lot of turbulence already. And so there's this bargaining, which is sort of like your, you know, after shock, anger second, bargaining sort of third, and the bargaining is around, well, can't we just put this off? Can't we just...

kick the can to next quarter and wait before we have this conversation. And that leads us to sort of a procrastination that is not really gonna be helpful in a situation like that. You have to drive your board to acceptance. That is your job. Your job is to get rid of all the questions that are typically asked that sort of lean toward procrastination. I think things that boards...

Debbie Taylor Moore (05:39.561)
do not need to really focus on is they don't need to be an expert in quantum tech, number one, or quantum hardware. They don't need to worry about timelines. It's not a just-in-time type situation. It's a just-be-ready situation. They don't need to worry about all the details around which algorithms, what's the efficacy of CBOMs, and all of the technical piece that

We as a community spend a lot of time working on, and that doesn't necessarily need to be conveyed to the board. I think that the board itself needs to find focus, and in focusing, they really need to assign a specific group to work on emerging tech. And I would just say that AI and the issue with quantum readiness are sort of like two sides of the same.

existential coin. So they do not need to sort of reinvent the wheel. They've already gone through this on the AI front. They've already probably established at least the larger organizations, some level of like a center of excellence that's focused on AI, a group of people that are cross-functional, that spend their time understanding where the data sits, where the risks are, and they should not disband that group or create a new one. They should actually

work with that group. I think that it's your job to go in and really sort of remind them of what the current risk profile is and what you're already protecting against, but also understanding if your organization has a cataloging system or has determined what are the most important apps, systems, and particularly the system owners, because this is a people thing, that the

We need to focus there, sort of know your own organization before you go and try to hire consultants or bring other third parties in. And on the note of third parties, you probably may have, most organizations have some level of third party risk management program or third party cyber risk management program where you know who the vendors are that you're most dependent upon and who you're most intertwined with and who are your most reliant.

Debbie Taylor Moore (08:06.0)
reliant upon. And so I think that after you kind of covered that, you really need to push very hard with your board what your level of talent is. There are in the organizations that we work with and we do all these scenario workshops with boards continuously. We do a lot of work with folks who are in the, sit in the C-suite, who are trying to just get their arms around the scope of this type of project.

And one of the first things that you really have to examine is your talent inside your organization. Like what do you really have? And I would say that in the average organization I'm talking about in a Fortune 50 or a government organization, most have less than five people that would be really, really expert in this space because it's not really a space. It's never been a space. We've relied on today's encryption for

50, 70 years. I mean, we could thank Ron Rivest and Adi Shamir and Len Adleman and Whitfield Diffie, Marty Hellman for really creating something great that we've been able to sort of set and forget and really only have to look at making changes or upgrading when, you know, a large standards body tells us that we need to deprecate this set of algorithms or we need to move to new encryption. So,

this is important, that the board just really be focused on what is the scope of this, because I think it really has to be treated like modernization. It is really security architecture. It does not belong to one department. It's cross-functional. Your DevOps team is just as much involved in this progress and this program as the security team or as the IT team.

I think that going in with a simple message and a simple story, a story that talks to the board about the actual risk, the actual risk with maybe a particular system that is sort of top of the list of, you know, an area within the organization that touches customers, that operationally, you can't produce revenue without it. You can't run the operation without it.

Debbie Taylor Moore (10:28.686)
and focus in on that and what would be the risk of that being compromised by quantum computer.

Francis Gorman (10:36.727)
I love that, Debbie, that brings it to life. "Know your organization" and "set and forget" are two phrases that are going to stick with me after this call. One thing I worry about myself is the industry overusing fear in the market and around quantum at the moment. You know, encryption will break. Harvest now, decrypt later. This type of kind of apocalyptic language.

Instead of framing it back to what you just said there, actionable business risk, core systems, what's their susceptibility to what may come if a cryptographically relevant computer comes into fruition within the next five, 10 or 15 years. What's your viewpoint on the way we're communicating quantum risk or cryptographic resilience as an industry at the moment?

Debbie Taylor Moore (11:27.828)
That's a great question, Francis. And I think that it makes it otherworldly, the way that we're communicating. It also silos it in a way that it doesn't need to be siloed. It needs to be a part of the risk register the way AI might be, the way ransomware or technical debt might be. It's a long-term project. It's multi-year. It's one that you need to monitor your progress.

If you're on the board, you're accustomed to having to deal with those things where you're sort of nose in, but your finger's out. You're operationally not telling the organization exactly what they should do, but strategically you're signing off on the funding in order to begin such a project. I think that if you look closely at a lot of the plans that come before boards and C-suite, a lot of them have

the requirement to go out and just scan your environment for every cryptographic asset. Some of those are with actual solutions. Some of them are consulting teams. Some of them are a lot of tools that are stitched together. Endpoint solutions, app scanning, and network scanning tools, and all of it's.

It just points to a lot of work and lot of complexity. And the reality is that because it's a multi-year project, you really have to look at it in terms of including it as a risk, going after the most important applications first, so it's sort of 20-80, and allowing yourself the time to actually use the expertise that's available to you, both internally and externally.

not making it a fire drill, not pointing to competitors, well, what are they doing? My favorite is when people say, this is like an arms race. We've got to get there before our adversaries do. Well, it's not that it's just like an arms race. So much is that no matter whether it is or not, or whether you're paying attention to the time frames or not, or whether you're looking for regulatory to point out what the solution is or what the

Debbie Taylor Moore (13:53.234)
something concrete that you can cling to. The reality is that this technology is inevitable and your need to be able to protect your customers and shareholders is pretty inevitable. And so don't be scared or scare people. Just be ready to move to the next doable action step, which is just to begin the project.

Francis Gorman (14:18.189)
I think that's great advice, Debbie. I think one of my pet peeves in this space at the moment is the CBOM, you know, suck everything into a CBOM and here you go. Like I call that slop, significant list of problems, because like where do you start? You know, I've got a million lines of cryptographic problems over here in this spreadsheet. Like what do I do with it? I also think some of these tools are going to create exposure points for organizations because I'm seeing people hook into

Debbie Taylor Moore (14:32.019)
Ha

Francis Gorman (14:47.207)
XDR and into their vulnerability scanning tools and into the CMDB. And then what to do? Suck it all off to some third party cloud somewhere that, you know, they haven't really thought about the assurance of. So, like, if that gets breached, well, you've just given away the reconnaissance map of your entire infrastructure. So like that's going to create a whole different problem that you weren't expecting. So I do think that 20-80 rule with a real architectural driven lens is the way to go.

Yeah, I worry with how we articulate some of these problems. And I think this is probably why boards may be a little bit cagey to start off with. So you've lived this experience. You've been in the boardroom. You're talking to these individuals on a weekly basis. How do I get more money? What's the magic potion?

Debbie Taylor Moore (15:37.875)
Yeah

Well, first of all, I would say I love what you just said about CBOMs. I think CBOMs are as overhyped as SBOMs were. I think that anybody knows that any sort of data collection that's static is not your friend in any environment. It's a good starting place, perhaps, but it itself becomes its own single point of failure. If you have this data, you're collecting this data, you're sharing it with multiple sources.

It is making, it is enlarging your attack surface. It's making you much less secure as opposed to really honing in on where you need to have actionable steps. I think that when it comes to the board, the board understands, and I know with several organizations that I've worked with, they know what their current sources of revenue are.

They know what their most important systems are, typically, and there is an understanding of where there lies particularly dangerous exposure. And that's sort of the place to definitely start. I have seen where we have had workshops at the C-suite level, but cross-domain, and then board members come in to attend those workshops and to understand.

And initially people have a real fixation on just learning much more about quantum, which there are many great books. I recommend the Becoming Quantum Safe book by Jai Singh Arun, Ray Harishankar and Walid Rjaibi as a great starting place. And so we actually purchased that book and we provided it to the teams for review. And then they can make a decision if they want to give it to all of their leadership.

Debbie Taylor Moore (17:33.395)
But it's a great place to start. And I think once they sort of understand that quantum is really a threat vector and that a lot of the organizations that are looking to solve this problem with quantum security right now, some of whom might be involved in quantum innovation or might be involved in like, do I better prepare for quantum Monte Carlo simulation or

predictability or material sciences, some people are working on that side of the business. This quantum security piece though is strictly quantum threat vector. And so you really have to build scenarios which people are normally used to scenarios where the threat actor sort of shows up and announces themselves in some way or another.

This threat is quite a bit different and our scenarios are very focused around the idea that strange things are going to happen. We look at what an advantage a threat actor that gets to quantum advantage first has in deciding how they're going to use that knowledge, how they're going to exploit what they have, and that it may not be readily apparent to us.

for a very long time before we have to protect against it. And so I think that understanding the insidious nature of what it means to not be quantum safe or quantum ready and understanding the risk, particularly to your business, forgetting all the outside people, forget what your competitor's doing or what they're not doing, but seriously, whether your business would be very crippled under that notion. And then pulling that together,

You really want to make your board understand that this is accountability that sits with the risk manager. It really is enterprise risk management. It really is the board's decision to go forward and fund it properly as a modernization project. It's security architecture. It is much more than a departmental IT exercise, and it requires that there be people at very high level

Debbie Taylor Moore (19:56.711)
deciding the pace and scope, but also the KPIs, the key performance indicators for how each of the leaders in all the different areas move. And I think that if people aren't measured on it equally, cross-functionally, that it does just get dumped on the cyber people or on the IT people. I see a lot of system owners that are developing new applications and systems every day.

I think that it's important when you go in to split the legacy away from what's being developed today. The legacy stuff is gonna be difficult and it's going to be challenging, particularly with embedded systems and particularly just the scope of it. But also there's nothing that stops an organization from starting today with DevOps. Having DevOps actually leverage the hyperscalers that they use and a lot of the...

work that's been done, particularly with TLS 1.3 with many of the cloud providers. They have and give you the opportunity to build your applications and select and test. And that can be started as a future forward while you're also looking at the past. But I think when you go in for funding, you've got to bring the mindset toward modernization because this funding needed for a project like this is much beyond most

security and IT budgets. It's significant.

Francis Gorman (21:29.067)
I think that's a really key point. And when I look at this, I say, what can we do pragmatically at our level to kind of stem the leak in the dam here? And I look at things like, do our legal team understand the problem? Can we start writing clauses into contracts potentially with some of our key third party vendors around readiness? Do our procurement team own the problem? Are we asking the right questions up front so we don't bring in more problems?

Are our architecture review boards up to speed on what this problem is? Can they articulate it? Are we making sure our future architectures are robust? And as we do tech refreshes, are those third parties or those business owners aware of the constraints? Because it's not just, as you said, it's not just an algorithmic problem. This has issues with application timings being impacted. It has issues with

concurrent connections to middleware services or networking gear that may not be able to handle the quantum headspace, as we call it, with the NIST algorithms, essentially. So there's complexities here that are far deeper than just swapping out some crypto in your estate. It has fundamental impacts across the ecosystem, that technology ecosystem, that need to be understood. And I think you said something really key there. This does seem to be the CISO's problem, but it shouldn't be.

Debbie Taylor Moore (22:50.482)
It shouldn't be at all. And I think that a lot of that is due to some of the messaging. I mean, ultimately the CISO has to be involved, but it reminds me a lot of when AI, when we started looking at generative AI coming on the scene and it's suddenly in end users' hands in 2022 and ChatGPT sort of arrived. You had a lot of organizations hitting the code red button. They got their legal teams together. They were trying to decide like, you know, how do we

keep this from being broadly used? How do we prevent data leakage? How do we prevent copyright issues? And legal was like all over this during that timeframe because it was, there's a set of policies that needed to be established in organizations and people pulled people from just about everywhere in order to better understand where they were at risk.

And because data sort of was back then primarily owned by like the chief data officer, the chief data officer was probably the first person to call, and security people were being dragged into those meetings, but not willingly. So really trying to secure beyond the data layer to the AI layer was something that security people kind of hoped they would bypass. But, you know, as time has proven that

Again, that too is an architecture issue that is cross-functional that involves a lot of different people. And so one of the things that's really important with cryptography is that it is so silently in the background. The board really does need to know where cryptography lives. They need to have an understanding around, maybe not deeply technically, but around their external facing servers.

around crypto protocols, around all the data that they have at rest. I had a workshop with a very large insurance company and they had decades and decades of data that really made up their actuarial tables. And it was tons of data, a lot of the HIPAA, having to be HIPAA compliant and having to be very protected anyway, but it was also...

Debbie Taylor Moore (25:16.945)
It was past data, but part of their future, how they leverage it. And understanding that they need to really understand the value of certain systems and what the impacts are. Impact is really important. And when I talk to people about this topic, the impact of doing nothing, the cost of time lost is really something

to drive home. I believe that the people that are responsible for building the systems, protecting the data, that's a lot of people in most organizations. And I think with boards, they are not going to be accountable if it becomes like a board-wide discussion or board-wide situation. I think that most boards manage risk within their audit committee. And within that audit committee, it's sort of like a little overwhelmed as it is with internal external audit and

its role financially. You really do need a technical committee that is just some named individuals who are responsible for providing a level of oversight. I think that when we look at the risk register and we look at like kind of what we're viewing, that it's really broad and kind of amorphous. And I feel that it's very important that even like I look at us here in the West,

that when we look at quantum readiness, we're always looking at, how far are we with quantum advantage? We're looking to the big players in quantum tech to understand how far they are to decide if we need to be engaged. And that's because people don't have a sense of the complexity and the length of time, but also they're completely eliminating the understanding around what other

foreign countries are up to and what they've accomplished in this space. We almost completely ignore it. And it's a huge consideration if you're a global organization, particularly around this idea, this risk register concept. And so three things, a very focused group that's accountable, broad cross-functional understanding, in other words, like sort of leveraging

Debbie Taylor Moore (27:46.108)
Whoever you put together for that AI Center of Excellence Council, it's kind of the same players need to be involved in this. And then the third thing is getting to scope. And I don't mean like just using all those stitched together tools in order to figure that out. I think that that is so overwhelming that when people create that initial, I guess we could call it a CBOM, we could call it, you know,

cryptographic discovery and inventory set of data. When they see that, it just puts everybody back in their hole again, because they're so overwhelmed by it, because they understand that cryptography lives everywhere. And I think that once you get, once the lights go on, I have the scope of that, you can start to work on smaller pieces of it. But I love what you said.

about the architecture folks, the legal folks, all of these different areas that have to be concerned. It's a team effort. It's a broad team effort.

Francis Gorman (28:54.871)
I think very much it is a team effort. I think if people start to understand it's a team effort, that's one thing. But then bringing the team up to speed is a whole other problem in and of itself. But no, you'll get there. You'll get there eventually. It's not easy yards, but you'll definitely get there. Debbie, from your perspective, you work with governments as well. So you're at that frontier, or at a government level. What

Debbie Taylor Moore (29:08.948)
Yeah.

Francis Gorman (29:24.895)
industries you think are most unprepared right now for quantum readiness just to get themselves up to scratch. And from your role with the Pentagon, you have a whole different lens that you can bring to technology and potentially third party dependencies and the supply chain in this space. Maybe you'll just give me a few takeaways there of interest for this topic.

Debbie Taylor Moore (29:47.281)
Well, I think that in these sorts of instances, we expect government to lead. We expect government to be like sort of the early mover, if you will. And that, you know, I think that there have been some challenges with that over the last couple of years where there have been, you know, memoranda that have been put out that describe what is necessary and what needs to happen. And then you have that thin layer of execution.

Execution is always, you know, sort of the, it's the meat of things, if you will. And I think that data collection and really understanding like what is, what you're measuring or what you need to have visibility on in order to be able to actually remediate is a critical piece of the sizing portion of this project. And I think that, you know, when I look at critical infrastructure in general,

The financial industry has done a really great job with this. They're first movers. They've been first moving really since like 10 years ago about when NIST and others got involved with the National Center of Excellence and looking at all the algorithms that would hold up as standards. I think that as a global

world that the one thing you cannot argue with is that sovereignty does not help us. That the collaboration is what has brought us to this point and has made the NCCoE, ETSI, the PKI Consortium, the National Cryptologic Foundation, all of these organizations that have worked really hard in this area. It's the global collaboration that has helped.

And so I think there's a lot that we don't need to reinvent the wheel. And when certain folks or certain parts of the community learn things and share them with others, I do think that it's what's interesting to me was back when the NIST NCCoE really started doing a lot of its work and it was looking for vendors to do initial testing that was going to ease the path for everyone else. And there's like around 60 or more companies involved there.

Debbie Taylor Moore (32:16.164)
Getting people signed up for CRADA, which is a collaborative research and development agreement, means that they have to leave a little bit of their intellectual property maybe on the table, or they may have to share in ways that they can't take forward commercially. And I think that there, that I would say that initially in the US there was like a little bit of hesitance around that, but that gradually people saw value.

in the collaboration and it has proven out to be very successful in that regard. But I would still say that amongst the 60 or so vendors that are ubiquitous in our world, that maybe it's a 20 80 in terms of who's working really hard, who's showing those results, who's really collaborating with others, who's being very open. And it reminds me all the time that if we are

If we were, you know...

We had to deal with an emergency in this situation. So say for instance, like in 2014 with Heartbleed, when we had the issue with OpenSSL having vulnerabilities and everybody needed to suddenly overnight upgrade to TLS 1.2. And how hard that was, how just the asset piece of it and understanding where you were vulnerable, finding

those assets and then, you know, starting the remediation process. It literally took people out for, you know, a week or more just being involved in that process. And I would say in this instance, this doesn't have to be an emergency. It doesn't have to be something that we are, you know, hair on fire, you know, trying to figure out or solve. There's a lot, there's so much that can be done.

Debbie Taylor Moore (34:14.276)
That's just part of what Jaime Garcia Gomez talks about, the no-regrets, like just doing basic hygiene and really sort of understanding where you're vulnerable is really, really important. I think that organizations that have gotten themselves stuck with discovery, and I think that's a lot of governments, have really sort of not advanced quickly enough past that place. I know IBM did a study on 565 respondents that were C-suite across 15 countries. And they asked people, generally speaking, where they were with this. And most of them, I think the numbers they came back with was that 21% of the organizations that they looked at, they were like 21% complete with just a discovery phase. And the discovery phase is the very beginning of just understanding visibility and what you have that you need to protect. And so I look at governments, and those were businesses that were part of the respondent pool. I look at government and I would say it's even further behind than that, than industry.

Francis Gorman (35:38.509)
They got caught in the slop. The significant list of problems is overwhelming. Yeah. My analogy holds strong on this one, Debbie, I think.

Debbie Taylor Moore (35:40.879)
No.

Debbie Taylor Moore (35:46.511)
It is.

Debbie Taylor Moore (35:50.722)
It does. It absolutely does. It absolutely does. And I think that hedging against time or thinking, gosh, we're going to have insurance that just covers this or everybody's in the same boat or what's my competitor doing? I think what disturbs me the most with governments is when you're looking at, when you're forming commissions, you're forming commissions to figure out whether or not you're ahead of other governments.

Everybody's behind. You know, like, instead of forming the commission, how about evaluating deeply where you actually are and what you're actually doing. Like, that's what the commission should be involved in, is really doing the same thing that boards do. And boards are metering progress and checking on forward movement.

Francis Gorman (36:43.405)
It's a great insight. I think, you know, it's so simple. It's almost, you know, how do people not see it sooner? Which is always the way, really, isn't it? Debbie, let's change tack for a second. We've talked a lot about quantum, but we're in a very strange world at the moment, geopolitically. And, you know, we're seeing the cyber attacks that are materializing here in Ireland alone. A company in Cork, you may have seen, the American medical device company, had destruction basically pushed against it, causing massive damage to its environments. From your 25 years in the industry, what should people be worried about or taking account of right now in terms of enterprise security?

Debbie Taylor Moore (37:29.348)
I think that enterprise security has completely changed forever. I think that, up till now, I would say there's a modicum of security companies, investors, platforms, operators, everybody was in the mode of staying a step ahead of the client, the constituent, the end user, but was probably a step behind the adversary. I think that now, particularly with AI, we're dealing with the ability to scan systems and build exploits at machine speed, that we the humans have to take a different tack. And I think our tack is both in our planning. So I would just say, you know how in the days of transformation and in the beginning of DevOps and CI/CD pipelines, we were always saying, you've got to shift really far left with security. You've got to get to the planning, like right in the planning phase. Like you need to bring security in at the beginning before you're building anything so we can talk about what could possibly go wrong. I think that that was a little bit of a pipe dream in most organizations. I don't think that happens a lot, but I think in the instance where we're really, from a regulatory standpoint, considering what could possibly go wrong, that the threat modeling will save us. I think if we try to imagine the unimaginable, I mean, like a lot of people never could have imagined the pandemic. They never could have imagined ChatGPT going out to every human being on earth. They never could have imagined DeepSeek R1 coming in on the scene and completely sort of upsetting the idea of compute or how much compute is needed. They never could have envisioned trade and tariff. And I think that a lot of boards have been really consumed with that, particularly in certain areas. It's impacted everyone. Never could have envisioned that. Never could envision the current conflict. And I think that we as human beings, as security professionals,

Debbie Taylor Moore (39:54.724)
as the citizens of the world have to suspend our disbelief and really take our heads out of the sand and look at what is possible. And I think that threat modeling might seem a little trite or simplistic, like the idea of it, but the reality of it, if you really sink your teeth into the reality of it and the reality of sitting with what you know to be the weaknesses in your organization, what you know to be part of your risk profile, what you know to be technical debt or exceptions that have lived inside the organization for 10 years. That everybody just kicks the can around because it's like, it'd be too much to modernize that system, because it's just, we need to, we need to measure the cost versus the risk and this sort of thing. I think that this project particularly gives you a real opportunity to clean up all of that as well. To really look at where you're vulnerable. And I think that it's a different kind of vulnerability that we're facing today. It's heartening to see that with AI, the security community has been fully brought in, from trying to avoid those meetings four years ago to now, kind of center stage. We are the folks with the right minds and the right concepts and the right POV to sort of lead in those areas, but we cannot do it alone. And that's the thing. We cannot do it alone. We cannot be the scapegoat or be the only sole accountability group or not be funded or not be invited to those board meetings to truly lay out for the boards what's going on. In the absence of real regulation, the boards are the last bastion of hope.

Francis Gorman (42:10.647)
Debbie, I love that. And I love the term suspend disbelief. That's going to now become something I write on top of all my threat models in the future. I can really broaden my mind to the art of the possible. Debbie, it's been an absolute pleasure to have you on. And I think the listeners will get a lot out of this episode. I know we could probably talk for another two hours, but I don't think anyone's going to commute and have that much time on their hands to listen. So look, we'll leave it there.

Have a lovely day and I appreciate you coming on and spending time with me today.

Debbie Taylor Moore (42:44.527)
Thank you so much for having me. I really have enjoyed talking to you today and I hope that it makes people think just a little bit differently about this, about this issue.

Francis Gorman (42:55.789)
Pretty sure people are going to think a little bit differently after this one. Thanks, Debbie.

Debbie Taylor Moore (43:01.498)
Thank you, Francis. Take care.