The Entropy Podcast

The Comfortable Lies of Cybersecurity with Adam McElroy

Francis Gorman Season 2 Episode 20


In this episode of The Entropy Podcast, Francis Gorman speaks with Adam McElroy, CTO at Eclypses, about cybersecurity, storytelling, AI, post-quantum readiness, and the evolving role of security leadership. Adam argues that modern cyber leaders must move beyond technical reporting and learn to communicate risk in ways boards and executives can act on.

The conversation explores why security decisions in large enterprises take time, how AI is accelerating existing technical debt and governance gaps, and why quantum risk is no longer something organizations can comfortably defer. Adam frames post-quantum readiness as a generational risk comparable to Y2K: manageable if organizations plan early, potentially damaging if they procrastinate.

A central theme is that cybersecurity is no longer just a technology problem. It is a business resilience issue involving boards, executives, architects, regulators, CISOs, CIOs, CTOs, and risk leaders. Adam also challenges the industry’s reliance on perimeter defence, arguing that organizations need to think more seriously about making data unusable if it is exfiltrated. 

Key Takeaways

  • Storytelling is now a core cybersecurity leadership skill.
  • Cybersecurity is business, not a separate technology function.
  • AI has exposed existing technical debt faster than expected.
  • Zero Trust is still valid, but there is no silver bullet.
  • Organizations should assume breach and protect the data itself.
  • “Harvest now, decrypt later” is a present-day risk.
  • Quantum procrastination is becoming indefensible.
  • The CISO cannot carry cyber risk alone.
  • AI adoption needs policy, education, and discipline.


Soundbites

"There is no such thing as business and technology. It’s all business at the end of the day."

“AI wasn’t built to be secure, it was built to be amazing.”

“The CISO cannot protect the organization by themselves.”

“The dashboard will never be green in my world.”

Francis Gorman (00:04.716)
Hi everyone, welcome to the Entropy podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today I'm joined by Adam McElroy, Chief Technology Officer at Eclypses. Adam brings more than 25 years of security leadership experience, spanning cyber risk, advisory, technology innovation and enterprise security.

Before joining Eclypses, he served as group head of cyber risk at Bank of Ireland. At Eclypses, Adam brings the customer voice into the heart of the business, helping ensure the company's technology, messaging and strategy stay grounded in the real-world problems security leaders are trying to solve. His work has been recognized through multiple industry awards and he's a regular speaker at security forums and conferences. Adam, lovely to have you here with me today.

** ADAM ** (00:55.464)
Great to see you, Francis.

Francis Gorman (00:57.742)
Good to catch up, Adam. I know we were talking in person not so long ago and it's always nice to have you in my company. So it's great to get you on the show. Finally, I know you did give me a nudge the last time as to when you were coming on. So we have you here now at last, and I'm sure we'll have a great conversation. Adam, I wanted to ask you: you often refer to yourself on LinkedIn as CTO and the chief storytelling officer. What stories do you think the cybersecurity industry is still failing to tell properly?

** ADAM ** (01:10.629)
grant.

** ADAM ** (01:25.98)
I think it was captured very nicely. I think the last time we met, one of the other speakers described the executive comfortable lies that we all tell each other. What do we do to get through the day? And certainly, what I try to do is relate to the real-world scenario and help lay out story lines, lay out plot lines, lay out a journey that gets us to a better place. And storytelling is a great example.

It really is. A long time ago in a galaxy far, far away, it's worked for some pretty famous film producers. Why don't we adopt the same strategy ourselves?

Francis Gorman (02:09.694)
It's funny you say that. I was listening to Stephen Bartlett, Diary of a CEO, yesterday. I can't remember exactly which guest was on, but storytelling came up as one of the key skills of the future. They talked about Elon Musk being able to portray this, you know, this futuristic view of living on Mars and, you know, driving share price through that vision, et cetera. So in a world of AI and, I suppose, convoluted machine outcomes, I think storytelling and that ability to be natural in your environment and to link those dots together is really a key skill. I have to ask: you've been in the industry for a long time and in big institutions for a long time, where cyber risk is very real, very political and very expensive to fix. What do people outside of those rooms completely misunderstand about how security decisions actually get made?

** ADAM ** (03:03.764)
Probably the largest misunderstanding is how long it takes to make a decision. In those rooms presenting to a board, to a committee, it's important to present information in a style which they can readily understand because there are so many things on their agenda. There are so many issues in a large and complex organization that each demand executive attention.

So presenting things in a readily consumable style. I mean, the skill of a modern CISO is storytelling. It isn't about presenting data. I haven't met many board level execs who really understand vulnerability remediation statistics. What they're much more interested in is preserving shareholder value and keeping consumers safe.

If we can articulate things in that way, whether it's a risk or an opportunity, or indeed the progress of a project over multi years, that's when I think we all move together towards a better place.

Francis Gorman (04:10.774)
That's interesting. I think, on the progress piece, I often feel that in cybersecurity there's a lot of activity. Are we seeing the outcomes of that activity become tangible in terms of exposure being reduced, et cetera? And I think that's a complexity of large organizations. But it's also a symptom of the industry and how we focus our work efforts. And I'm saying that because I'm looking out at the frontier technologies that are coming, specifically post-quantum readiness and quantum computing and all of these different advances, with AI rolling around in the background. Do you think that a lot of cybersecurity programs that are launched today are going to be undermined tomorrow by the technology landscape and that lack of forward thinking that's out there in some organizations?

** ADAM ** (05:05.352)
I believe we've all learned, particularly over the past five or six years, the need to be a lot more flexible. The events of the pandemic, the change in working patterns, being more inclusive, developing people from different backgrounds, different skill sets, and different expectations has created a more diverse and flexible workforce, and also brought that flexibility into how we deliver those programs.

But I absolutely agree with your implicit point there, Francis, that we don't know what's coming tomorrow. We've just seen Anthropic have to go and explain themselves to major governments around the world with their latest innovations. Who knows what's going to be released tomorrow, truly? And so for us to be as reactive as we need to be imposes a real burden on the available operating expense for what's left to be proactive.

And how do we balance that equation? How do we both keep the lights on and operate the business today? And then how do we prepare to operate the business in whatever the future brings tomorrow? And I do want to emphasize we're operating the business. There is no such thing as business and technology. It's all business at the end of the day. We live in a digital society powering a digital economy. So it's all business for us.

Francis Gorman (06:32.162)
Makes a lot of sense. And I think that gets lost a lot of times when people kind of, you know, try to separate out the different divisions. You know, you have a business strategy to get executed by all of the different facets that underpin it. But it is the business strategy that is the core driver, because without the business there is no value, and without value there is no need for those underpinning assets. So I think that's really key to tie together there. I want to talk a little bit about artificial intelligence and where we are at the moment.

You just touched on Anthropic and Mythos, or Mythos, whichever way people want to pronounce it. And what we've seen there, and I know the initial thing was very much, it's a hype cycle, it's one of the best marketing campaigns you've seen in a long time, you know, this can break anything. But I think I read yesterday that it discovered vulnerabilities in Apple's M5 chip. Now, I need to fact check that one. But if that is true, that's probably the first time we've seen a technology identify something in a product that wasn't of a lower posture, and Apple are obviously known for security checks and balances. When you look at AI and the adoption of AI, Adam, what worries you most in that space?

** ADAM ** (07:43.302)
I think it's the lack of discipline really, Francis. AI is an incredible tool that can be used to better so many different areas. It's a stepping stone on the journey towards quantum. It's available on existing hardware, existing infrastructure. But how do we use it in an ethical way? How do we use it in a way that protects our consumers, that protects ourselves? And I think there's a little bit of acceleration happening that has some unexpected consequences. So how do we protect our crown jewels, the data that we have? How do we defend against all the vulnerabilities we know probably exist in the infrastructure, which Anthropic have so helpfully recently discovered for us at an unexpected pace? So there's nothing really new that the Mythos release has exposed. It's all of our darkest fears, the things we knew were there in the technical debt, that have been really brought into sharp focus.

Francis Gorman (08:50.958)
Do you think that this evolution in technology and this kind of awareness, or, as someone might say, the light's been shone in the dark and now we can't unsee what we knew was there, do you think that this adoption of AI and the speed that AI is being adopted at has broken Zero Trust in terms of its strategic intent?

** ADAM ** (09:11.923)
Broken Zero Trust, no. I think it probably has really made it obvious there is no single product that can deliver Zero Trust by itself. So Zero Trust as a strategy, as a concept, as originally envisaged by John Kindervag is, I think, still perfectly robust and effective. It once again just highlights that whilst computers can do really routine things very quickly and predictably, they can only do what they're told to do. And if we don't tell them to do it, then that exposes a gap. So Zero Trust, when implemented comprehensively, still I think has a lot of value to bring. But there is no silver bullet. Certainly we're not a silver bullet in our space. And there is no single vendor that could deliver an entire Zero Trust stack, at least in a way that can be readily consumed by a modern enterprise.

Francis Gorman (10:09.102)
You've touched on Eclypses there and your space, so I'm going to pull on that thread for a second. Are we thinking about security wrong? And what I mean by that is, are we too obsessed with stopping the attack happening versus making the data useless if an attack does occur?

** ADAM ** (10:28.295)
Yeah, I think there is a lot in what you say there, in the sense that certainly in the past 10 years, I hope most people realize no one is invulnerable anymore. The perimeter does not really exist, or the perimeter has been redefined in some quite flexible ways. I mean, extensive digital supply chains through multiple levels of second, third, fourth party relationships challenge the idea of a moat and castle model. So, in that sense, can we really harden the perimeter in a way to keep everybody out? And some of the largest threats are people who you trust day to day. Everyone has the opportunity to have an unfortunate accident, let alone someone that's having a bad day at work and puts their finger in the socket. So for us in our world, making the data unusable once exfiltrated, making it secure between A and B so that if it were to leak it's unusable outside of that channel, is just one layer of a defence in depth strategy that really addresses the modern architectural expectation.

Francis Gorman (11:39.724)
Yeah, it's definitely a mind shift to think that maybe we make the data useless if it gets exposed, but usable once within our boundary. It does create a skew on our layered defence system and a pivot from what the norm is. In terms of that, Adam, we're now in an era where harvest now, decrypt later is a very real threat for certain data types. And I want to be careful to say certain data types, because I think I've said before, if you steal my wife's shopping list, it's probably of limited value and high cost for you to decrypt. But there are definitely sectors and data that have to be preserved for decades, if not longer, that are at risk from attack to be decrypted later.

When you sit down, and you're doing an awful lot of conferences, an awful lot of forums where you're talking about post-quantum readiness and the considerations that companies should have in a quantum era, do you still get questions around, is it a today problem or is this something we can push down the road, or are people starting to realize we need to take action now?

** ADAM ** (12:51.022)
It's certainly shifting, not only in the past six months, but probably in the past 12. The accelerating pace of developments in the quantum space, whether it's from IonQ, Nvidia, IBM, Google, we're seeing announcements certainly every week with the pace of their developments in the general quantum space. We focus purely in the security space using existing technology. But the pace of the threat appears to be accelerating. And certainly, nation states that are considered to be adversarial are now coming back to the academic world and sharing some really impressive academic progress in their work. And we have the developed nations all coordinating on a consistent story around risk education, national economic strategy, national resilience. So, you know, the pace is really changing, and harvest now, decrypt later for regulated industry, protected information, whether that's medical, pharmaceutical, energy, it's not just about what's on your wife's shopping list. It's also about how the things on it affect the supply chain for the supermarkets.

And as we saw recently in the UK, the disruption to Marks and Spencer, because food supply is a critical industry. So it's some of that trend analysis that you can divine from data, not just the specific records, that is interesting. And harvest now, decrypt later is a threat today using existing vulnerabilities and threats. It just becomes faster, deeper, more elusive when it's AI and quantum powered.

Francis Gorman (14:45.806)
Yeah, and I think that's something that is definitely out there. I saw CNN had a big article out the other day. It was a bit apocalyptic, but, you know, it's mainstream now, which kind of alludes to the last six months point you made at the start of this. And the G7 roadmap, Adam, I know you shared it on LinkedIn earlier, so I know you've had a look at it. They've brought it out. I was reading it myself this week. I think the first step is awareness and planning, if I'm correct off the top of my head, something in and around that pillar. One thing that strikes me is ownership though. I think it needs to be awareness, ownership, then do some planning. What are you seeing across the board? Is ownership a major problem or a major inhibitor to progress?

** ADAM ** (15:30.266)
Well, there's some really distinct approaches to the ownership point, and I couldn't agree more. In some cases, we have clear leadership in some of the tech firms where we have senior fellows of large hardware manufacturers being dedicated to pursuing this. In financial services, we have heads of quantum being appointed and participating in knowledge sharing across industries and across geographies.

But then we also have the architectural layer, architects taking ownership saying, we're responsible for the encryption pattern, so we're going to view this as just part of our existing role. We're responsible for defining how we do this. So ownership comes in many forms. And I think that's what's really impressed me as we start to see a greater adoption of post-quantum, as we start to see more embedding of it inside those business models; it happens in many layers. The thing that frustrates me, and I think it's widely reported, is just quantum procrastination. The nation demands it, the industry expects it, the regulators are writing it, it's going into standards bodies like the PCI. The fact that it may be delayed five years or 10 years is becoming irrelevant.

Francis Gorman (16:57.474)
When we talk about that relevance and that need to act now, the risk piece seems to be quite challenging in most organizations: who actually owns the risk? My view is it's a top-level risk that needs to federate down. What are you seeing out there, Adam? When you're discussing this with other security leaders, that ownership and that risk piece, are there themes that are coming through in your conversations?

** ADAM ** (17:24.998)
Yeah, there's some interesting changes in that dynamic. I mean, in the past couple of weeks, we've seen things from Canada that this is now certainly top of the shop. In the UK, we've had letters from government as well as the national security agencies to chief execs in the major industries reminding everyone that cyber and the resilience agenda is a board-level obligation. When it comes to quantum, whether it's coming out of the G7 or one of the industry regulators, the timelines feel a little soft to me, Francis. The drive isn't quite there. There's so much that is implicit in expectations around the adoption of modern standards without explicitly saying address the threat of AI. But then we have government directives, letters to chief execs, letters to chairmen, that really should remind people there is no plausible deniability any longer. This has been mentioned enough. As you mentioned, it's in headline news. No board member can abdicate their responsibility any longer on this issue.

Francis Gorman (18:46.016)
It is interesting. I am finding it amusing talking to different people and getting the different perspectives. And, you know, I've had Debbie Taylor Moore on talking about boards in a similar kind of vein. You know, we've never had to deal with a risk like this that has been so federated across the business world, that it's not just a technology problem anymore. And I spoke to Louise Davie, who was very much in the same vein, that the risk is a top risk, but it's dispersed across everything we do. She even used an example of, you know, what worries her most has been being in an elevator in a high-rise building and wondering, you know, what cryptography underpins that, and if that could be compromised, you know, as her kind of elevator pitch to the board. If you're talking to executives, Adam, and you want to bring this down to a level that's consumable and not full of tactical jargon and MLK and this, that and the other that is going to go completely over their head, in your vein of storytelling, how do you bring this to life for them?

** ADAM ** (19:43.954)
Well, this is a generational risk, Francis. For those of us that remember the year 2000, the reason it wasn't catastrophic is because we planned. And this is another instance where we do have time to plan, and therefore we should not fail. But it's those who avoid planning who will suffer the consequences. We unfortunately live in a world where you don't have to be a headline brand in order to be targeted. Just your existence out there on the network, the fact that you exist, is enough to attract negative attention, is enough to attract an adversary to come and harvest your data. They don't even necessarily care whether it's usable immediately. It might be useful in the future. And that is the significant shift. It's just your pure existence.

And then we compound that with the state of the world and the geopolitical threats and the rise of hacktivism, the radicalised groups around the world, the criminal gangs around the world, all of whom have access to the same tools that we as defenders have access to. It really is a heavily militarised world we live in on the digital landscape. So with that in mind, every exec needs to add this to the risk register. On the flip side,

The rise of quantum could present wonderful opportunities for everyone. And that's where I know there's significant investment in some of the larger banks around the world about how do we create quantum powered products, not just think about technology and how do we protect our services at the end of the day.

Francis Gorman (21:34.28)
I think you're right, and that is a really interesting field. Like, how do we build the missing layer, which is the software piece at the moment? You know, everyone's talking about the computational layer, and without the software and the application piece, et cetera, it's kind of useless, right? So, you know, there is that value piece that I know a lot of companies are working on. Horizon Quantum is one, based in Singapore, with a good Irish man at the helm of that ship as well. So a plug for Irish entrepreneurship there as well. But, you know, it is fascinating. And I think I would call myself a slight bit of a geek or a nerd in this space. You know, I do watch this with some level of enthusiasm to see what comes next, even if, you know, the AI piece mixed with quantum could be quite destructive. I know when I was at your talk the last time we kind of talked about AI becoming an implicit trust technology and what that means for organizations. Is there anything that keeps you up at night, from your understanding or from your observations you've seen working across the fence, et cetera, with how AI is being deployed and used in the modern.

** ADAM ** (22:41.051)
There's a couple of things. One is, inside large mature organizations, there are some very pragmatic approaches to using AI. It's similar to how we started adopting data lakes. The fact that we can have a lake, unfortunately, opens up everything inside that lake to anyone who has access to it. It wasn't originally conceived with a security model in mind. And that's where we are with AI. AI wasn't built to be secure, it was built to be amazing. And there are some large defense organizations, defense contractors, large institutions, brand names around the world who are taking a very pragmatic crawl, walk, run approach to AI. Internal models, local language models, on-prem deployments of these fantastic tools. There are others who are allowing consumer-grade, multi-tenant use on the corporate credit card, without policy, without coaching, without education of their users to make it safe: safe for the individual, safe for the organization and safe for the data subjects. Because does it feature in your data access policy that you will be using it to train someone else's AI model?

And these sorts of things are being reported now in the press in many sectors. So it's an interesting thing. And certainly, we have the ability to deploy some amazing tools. We have horsepower. We have bandwidth. We have almost infinite compute available to us, assuming the supply of silicon, obviously. But the tools are there. It's just upon us all to use them responsibly as well as effectively.

Francis Gorman (24:36.918)
Yeah, I think we'll have to see how that all evolves over the coming weeks, months and years and really understand where we're going to end up. And I have to ask you, so you obviously have a strong background in governance and risk and you've worked in large institutions like banking, et cetera. What threw you into the technology vendor side? Was there a call there that you saw, that you wanted to dip your toes in and do something more exciting? Or did you genuinely see problems that had to be solved that pulled you over there? And how different is that to the kind of large regulated entities you've been in in the past?

** ADAM ** (25:12.688)
Well, I think the thing that really drew me is I have firsthand appreciation of how hard it is to be a CISO, how hard it is to be a CIO managing decades of technical debt and under-investment, and being introduced to a technology that doesn't require massive re-engineering of the legacy estate, that heritage architecture that runs at national level critical industry, providing systemic services to a nation. That's one of the things that drew me to Eclypses, because it doesn't need all of that turmoil. It's hard enough for a CIO or a CISO to do their day job without worrying too much about the threats of the future. And certainly, Eclypses provides some options for some use cases where we can take that burden away.

And this is a circular journey for me as well, Francis, coming back to technology after 25 years. I'm frightened to think that some of my code may still be live out there in some brand name products in the security space. But all credit to my teams who did a much better job than me personally in crafting those products.

Francis Gorman (26:29.302)
It is out there and I'm sure Mythos will have great fun pulling it apart to see what vulnerabilities exist after all these years.

** ADAM ** (26:34.224)
Don't look too closely at those remark statements, please.

Francis Gorman (26:39.15)
Adam, I have to ask you, what's the most dangerous assumption enterprises are still making about encryption?

** ADAM ** (26:47.332)
The dangerous assumption is that it's all going to be okay tomorrow. It's that comfortable lie, you know, the sun's going to come up tomorrow. Well, okay, that's probably true. Or the comfortable lie that quantum isn't real. Well, there are some significant brands investing many millions of dollars who beg to differ. And there are national security agencies that are giving all of us some very clear directions in that space.

I'll go with the scientists on this one. And at the end of the day, if it takes another 10 years, 20 years, 50 years, from a risk perspective, that's a good outcome. It gives us even longer to prepare. My fear is that we will be underprepared and it will have a negative impact on people who really don't deserve it because we've been talking about this for long enough now.

NIST started their PQC project in 2016. So we've had 10 years already and we're potentially looking at less than three years to run. We should have been doing this for some time now.

Francis Gorman (27:59.727)
When we take all of this and bring it together, what really comes to light for me is that the role of a CISO is now heavily burdened with so many different strands that need to be covered. You've got governance, compliance, risk, regulation, standards that need to be maintained and adhered to and evidenced. You've got the exposure and attack surface. You've got AI, and now quantum has come and landed on top.

Does the role of a CISO need to evolve, or do we need to think differently about how we secure organizations into the future?

** ADAM ** (28:35.328)
It's both of the above. As we've seen through things like SolarWinds, the CISO cannot protect the organization by themselves. It is a team sport, it's a full contact sport. And it's the combination of the CIO, the CISO, the CTO, and today the board responsibilities. In a regulated industry, the CISO is not actually the person directly on the hook, it's the CTO. It's the CFO, the Chief Risk Officer. They're the people who are front and centre to the regulator. But that doesn't get the CISO completely off the hook. But as I said, I believe it's a team sport. We need specialists in multiple areas. And we also need to be able to communicate, to provide an application owner, a senior responsible owner, an executive with information in a format and style that they can readily consume so that they can make the most informed business decisions. Because the business decision ultimately is, do I keep running this application, this service? Do I upgrade it? Do I patch it? Or actually, do I deprecate it and replace it with something that's fit for the future, that's going to support the business strategy? It shouldn't be the CISO's obligation to patch a platform that they've told the business was out of support two years ago.

Francis Gorman (30:08.046)
It's interesting, because that communication aspect comes back over and over again in these conversations: the ability to make complex topics easy to understand for the people who have to make the final call on them, which is normally your board or your non-executive directors. It's fascinating to me that that is thematic over and over again, that the most complex problems have the simplest outcomes, which is just say it in language that people can understand and relate to, in a way that allows it to be actionable.

And I think that gets lost in so many organizations. And before we finish up, I just want to ask you about risk and what or who taught you the most about risk and how has that stood to you over all these years in the industry? Because risk is a key part of everything we do.

** ADAM ** (30:56.013)
Well, it is. I tease, my second career. Risk is very different in the military. It makes it very real. For me, in the world we live in, Francis, it's, yeah, we have frameworks, we have rules, we have standards. That makes it a lot easier to remove levels of uncertainty and get down to some clearer objectives, describe a scenario, describe an action plan, describe the tools that you have to address it and act upon it. In some ways, risk in what we do is a lot simpler. But importantly, we can only control what we can control. And that, I think, is a key message for many boards: the dashboard will never be green in my world because I'm not in control of all the players on the pitch. There's a certain number of other people who want to play on our playing field. And they invite themselves whenever they choose. So, at best the dashboard will be amber. I'd like to make it as close to a shade of green as I possibly can, but it will never be that lovely glowing green in the world.

Francis Gorman (32:12.622)
Adam, I'm going to finish on that. It was an absolute pleasure having you on. Thank you for all the insights. And I'll be seeing you soon, I'm sure, somewhere across the quantum cycle.

** ADAM ** (32:22.913)
Absolutely, Francis, always a pleasure.

Francis Gorman (32:25.529)
Thank you.