Cybersecurity Headlines – Department of No: Quantum-Safe Certificates, Iranian Cyberattack Risks, 90 Zero-Days
Date: March 9, 2026
Host: Sarah Lane, CISO Series
Guest Panelists:
- John Barrow, CISO at J.B. Poindexter & Co.
- Derek Fisher, Director of Cyber Defense & Information Assurance Program, Temple University
Episode Overview
This episode centers on key cybersecurity news and current threats facing organizations, with an emphasis on quantum-safe certificates, the persistent challenge posed by Iranian cyber actors amid geopolitical tensions, and the record number of zero-day vulnerabilities discovered in the previous year. The panel discusses how security teams prioritize threats, the evolving phishing landscape, the promise and pitfalls of next-gen technologies like 6G and quantum computing, as well as the enduring realities and limitations of security risk management.
Key Segments and Insights
[00:00 – 01:13] Opening and Weekly Priorities
- John Barrow: Focusing on major tech implementations and preparing for RSA Conference.
- Derek Fisher: Attending the Women in Cybersecurity conference and participating as a volunteer.
[01:13 – 18:40] “No or Know” Rapid Reaction Segment
iPhone Hacking Toolkit “Karuna”
[02:38]
- Derek: Sees a pattern where government-grade tools leak into broader use, citing Stuxnet and EternalBlue. The real lesson is, "You can't keep it contained. It's eventually going to get out."
- John: Not a top priority, but always checks for new Indicators of Compromise (IOCs); describes this as a "quick sweep and then onto the next thing."
"Are we impacted? Let's validate, let's do some proactive threat hunting..." – John Barrow [04:05]
LastPass Phishing Campaign
[04:49]
- John & Derek: Both agree phishing attacks are constant and more about security awareness than panic.
- Derek: "It's got a lot of the keys to the kingdom...I would chalk [this] up to like a security awareness avenue, as opposed to something like drop everything."
- John: "Our email security protections should block most of these."
- Sarah notes personal hesitation over moving away from LastPass.
- Derek: Switched to Bitwarden following LastPass’ poor breach handling.
Passwords Versus Biometrics/Passkeys
[09:22]
- Derek: "Not everybody is using passkeys...whether we like it or not, passwords hold up 90% of what we do online."
- John: Biometric options are under consideration for shared-use environments — more efficient, less risky than enforcing strong passwords on shared kiosks.
6G and Quantum-Resistant Crypto
[11:03]
- John: Does not see 6G as an immediate concern, but recognizes the need for secure-by-design.
- Derek: Advocates for early adoption of secure practices, unlike retroactive fixes for 5G.
“If we don’t get it right from the start, we’re going to have a lot of problems that we had with bolting on security in 5G later on.” – Derek Fisher [12:17]
International Competition in 6G
[14:29]
- Derek: Notes the risk of fragmented standards and supply chains, echoing issues seen with Chinese tech dominance in 5G.
.arpa Domain Phishing
[15:33]
- Derek: Attackers now mimic trusted infrastructure, demonstrating the need for skepticism even with seemingly normal data flows.
- John: More concerned with detecting this than standard phishing; would pressure vendors for updates.
"This one's a little more...it's harder to detect from your tools... I'd want my team to dive in a little deeper." – John Barrow [17:21]
[20:15 – 25:05] Quantum-Resistant HTTPS Certificates and Quantum Readiness
- Host Steve explains the role of Merkle trees in efficient, quantum-resistant certificate handling.
- John: "Adversaries are already… gathering encrypted data and hoping to decrypt it once quantum computing matures… I think a lot of organizations are going to wait to the last minute."
- Derek: Stresses the need to “get secure from the start,” citing previous tech waves (cloud, AI, 5G), and expects quantum technology to become widespread in several years.
“Quantum computing does exist… it’s kind of in the hands of a few... That’s going to change.” – Derek Fisher [23:27]
[25:05 – 29:49] Iranian Cyberattack Threats Amid Conflict
- John: Expects Iranian actors to target critical infrastructure, referencing warnings from government agencies.
“They're going to do anything they can to hurt us...” – John Barrow [25:46]
- Derek: Cites the book “This Is How They Tell Me the World Ends” and underscores that major nation-state capability is already present; current events are more about escalation than new threats.
- John: Adds context around mutual access to power grids among nations; real concern is a rogue nation willing to act.
[29:49 – 36:42] Zero-Days: 2025 Sets Record, Enterprise at Risk
- Google Threat Intelligence Group: 90 zero-day vulnerabilities exploited in 2025, up 15% from 2024. Almost half in enterprise software/appliances.
- Derek: Finds it most concerning how many of the zero-days tie back to spyware and nation-state operations. Notes that many more zero-days are likely sitting unused, “in a vault somewhere.”
- John: Points out the oddity and inherent risk in vendors who cause and also sell protection against vulnerabilities:
“It's kind of a self-licking ice cream cone. It's like, the company that introduces the most vulnerabilities is also claiming to be a security company.” – John Barrow [32:21]
- Panel: Agree that software vendors rarely face serious consequences, so the risk is just integrated into normal business and consumer expectations.
[36:42 – 39:07] Closing Advice
John Barrow:
"The key to success of a cyber program is all about having relationships of trust and strong internal and external partnerships... also balance your storytelling. Tell them all the good things your team’s doing... but also explain... there’s constant attempts." [36:52]
Derek Fisher:
"Stay curious... things change so rapidly... being able to stay curious and being able to stay nimble and being able to adapt to things as they change and getting yourself and your team prepared for that, I think is critical in security these days." [38:10]
Notable Quotes
- “You can’t keep [espionage tools] contained. It’s eventually going to get out.” – Derek Fisher [02:38]
- “Are we impacted? Let's validate, let’s do some proactive threat hunting to make sure we don’t see any of these IOCs...” – John Barrow [04:05]
- “I'd want my team to dive in a little deeper. And not just my team, but I would go to my email security vendors… to be able to detect this and identify and prevent these type of phishing attacks.” – John Barrow [17:21]
- “Quantum computing does exist… It’s just in the hands of a few organizations or companies. But that's going to change in probably the next several years.” – Derek Fisher [23:27]
- “It's kind of a self-licking ice cream cone. It's like, the company that introduces the most vulnerabilities is also claiming to be a security company.” – John Barrow [32:21]
Key Takeaways for Security Professionals
- Stay vigilant about new attack vectors but don’t lose sight of prioritizing foundational security measures and broad indicators.
- Phishing remains a constant; regular security education and up-to-date email protections are essential, regardless of attack novelty.
- The transition to passwordless authentication and biometrics is slow, but worth pursuing where feasible for usability and security.
- Quantum computing and next-gen technologies (6G) should be on the roadmap; early exploration and secure-by-design principles are critical.
- Nation-state threats are persistent and often escalate with global conflict — risks should already be integrated into critical infrastructure plans.
- Zero-day vulnerabilities proliferate fastest in enterprise and high-value targets; organizations can’t outsource risk entirely to software vendors — accountability should be demanded.
- The ultimate differentiator for resilient security organizations: strong internal/external relationships and continuous, honest communication.
For full stories and further discussion, visit CISOseries.com.
