CyberWire Daily — "Quantum [CISOP]"
Date: December 16, 2025
Host: Kim Jones (A)
Guest: Michael Satilli (B), CISO at Quantilium
Main Theme: Preparing for the Quantum Computing Era in Cybersecurity
This episode demystifies quantum computing and its looming impact on security, particularly for CISOs and cybersecurity leaders. Host Kim Jones interviews Michael Satilli, CISO at Quantilium, about what quantum means for current infrastructure, why it's not too soon to start planning, and practical steps CISOs should take to prepare for the "quantum threat," especially regarding cryptography, risk management, and enterprise migration strategies.
Key Discussion Points & Insights
1. Quantum’s Arrival Isn’t Imminent—But the Countdown Has Begun
- Quantum computing will not replace classical computing in the next 1–3 years, but strategic plans (3–5+ years) should account for it ([00:02]).
- Data with "long shelf life" is already at risk due to "harvest now, decrypt later" strategies by nation states and large enterprises.
Quote
"The countdown for these concerns has already started. Think about how long your sensitive data needs to remain confidential. 5 years? 10? 20? If your data has a long shelf life, it may already be at risk." — Kim Jones, [00:02]
2. Quantum Computing, Explained Like You’re Six
- Difference boils down to bits vs. qubits:
  - Bits: classical computers, 0 or 1.
  - Qubits: quantum computers, 0, 1, or anything in between—enabling new, non-classical computations ([07:48]–[10:58]).
- Quantum computers augment, not replace, classical computers; most quantum setups still need classical systems as interfaces or controls ([07:48]–[10:13]).
Quote
“If it helps you in your brain to think of it as a super classical computer on steroids, I think that’s fine too.” — Michael Satilli, [10:59]
3. Why Should Cyber Leaders Care Now?
- Just as AI and cloud shifted quickly from “edge” to “mainstream,” quantum may do the same ([12:36]).
- Quantum can revolutionize areas like drug discovery, energy, and fraud detection, but it also brings new encryption-breaking risks ([14:06]).
- Quantum’s biggest security threat: breaking current encryption standards such as RSA, Diffie-Hellman, and ECC via algorithms like Shor’s ([18:22]–[19:30]).
Quote
“Most technologies that come out ... let you do amazing things and they let everybody do amazing things.” — Michael Satilli, [13:36]
4. The Real Cryptographic Risk
- Not just about speed; quantum allows running fundamentally different algorithms (e.g., Shor’s, Grover’s) that classical systems cannot match ([17:12]–[18:01]).
- Timeline for quantum computers powerful enough for breaking encryption: likely 10–20 years out, but planning must begin now ([14:06], [16:30]).
5. Strategic Planning for the Quantum Shift
- The true challenge is not the new algorithms but the migration/removal of legacy systems and the hidden, forgotten endpoints (e.g., IoT devices, payment terminals) ([22:59]–[25:58]).
- Lessons from past crypto migrations (e.g., SSLv3 → TLS): know your dependencies and inventory completely, as many organizations overlook endpoints that can’t be easily upgraded.
Quote
“Things fail at the interface ... so that we understand what things may be impacted and begin to plan for it.” — Kim Jones, [27:58]
6. Migration to ‘Quantum-Safe’ Encryption
- Post-quantum cryptographic solutions are already supported by major industry players (e.g., Cloudflare, browsers like Firefox & Chromium) ([28:37]).
- Transition doesn’t have to be a “big bang”—systems can be upgraded for compatibility and phased migration ([30:03]–[30:47]).
Quote
“It doesn’t have to be an all or nothing swap...” — Kim Jones, [30:03]
7. Defending Against ‘Harvest Now, Decrypt Later’
- The most realistic near-term risk: adversaries collect encrypted data now to decrypt when quantum tech matures ([33:51]).
- Prioritize secrets with long-term sensitivity; short-lived secrets (e.g., credit card numbers, which expire and rotate) may not warrant the same level of concern ([34:22]).
- Reinforce defense in depth: the actual risk depends on whether adversaries can even access your encrypted data ([32:01]).
Quote
“Those days are numbered.” — Michael Satilli on the assumption that encrypted data will always remain secure, [34:22]
8. No New Quantum-Driven Attack Vectors—Just More Powerful Old Ones
- Like with AI, quantum won’t necessarily introduce fundamentally new attack types, but increases in speed and volume of existing threats ([32:56]–[33:51]).
- Main new tactic: scale and feasibility of “harvest now, decrypt later” as nation states leverage future quantum capability ([34:22]).
9. Call to Action: Inventory and Crypto Agility
- Organizations are doing worse at basic IT/service inventory than 5–10 years ago ([35:25]).
- Doing inventory isn’t sexy, but not knowing your assets and connections will cost you in the post-quantum world.
Quote
“If you don’t know what your company is connecting to, what your organization’s connecting to ... it’s going to sting you eventually.” — Michael Satilli, [35:25]
Memorable Quotes (with Timestamps)
- “The countdown for these concerns has already started. Think about how long your sensitive data needs to remain confidential. ... If your data has a long shelf life, it may already be at risk.” — Kim Jones, [00:02]
- “If it helps you in your brain to think of it as a super classical computer on steroids, I think that’s fine too.” — Michael Satilli, [10:59]
- “Most technologies ... let you do amazing things and they let everybody do amazing things.” — Michael Satilli, [13:36]
- “It’s not that a quantum computer would be able to brute force a password ... There are certain algorithms ... that cannot be run on a classical computer.” — Michael Satilli, [17:15]
- “If you don’t know what your company is connecting to ... it’s going to sting you eventually.” — Michael Satilli, [35:25]
- “Those days are numbered.” — Michael Satilli on assuming encrypted data will always remain safe, [34:22]
Notable Timestamps
| Timestamp | Segment |
|-----------|---------|
| 00:02 | Kim Jones opens with urgency on quantum threats |
| 07:48 | Satilli explains quantum computing “like I’m a six-year-old” |
| 10:37 | Qubits and their significance |
| 12:36 | Why should security pros care |
| 14:06 | Positive & negative impacts of quantum |
| 17:12 | Encryption vulnerability specifics |
| 19:30 | Shor’s algorithm and breaking public-key crypto |
| 22:59 | Challenges of migration—legacy devices and IoT |
| 25:58 | Past lessons from crypto deprecations |
| 28:37 | Migration to quantum-safe algorithms happening now |
| 33:51 | Harvest-now, decrypt-later attack explained |
| 35:25 | Final advice: inventory and being proactive |
Actionable Takeaways for CISOs
- Start Now: Assess which assets depend on pre-quantum encryption. Inventory your infrastructure with a focus on crypto agility.
- Ask Vendors: Every vendor should have a quantum-safe migration roadmap. If they don’t—ask why.
- Plan for Phased Transitions: Leverage current hybrid technology support (post-quantum and classical) in both browsers and networks.
- Prioritize Secrets: Focus resources on data with long-term confidentiality needs.
- Improve Asset Inventory: Update and maintain detailed lists of endpoints, connections, and dependencies—including those you don’t “see.”
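The inventory-first advice above, the "harvest now, decrypt later" prioritization in point 7, and the migration planning in point 5 all reduce to the same triage: for every endpoint, record which key exchange protects it, how long its data must stay confidential, and how long it would take to migrate, then rank. The following Python is an added example (not code from the episode or from Quantilium) that performs that triage over a small constructed inventory. It assumes a 10-year planning horizon for a cryptographically relevant quantum computer (the conservative end of the 10–20 year estimate discussed in the episode), treats RSA, Diffie-Hellman and elliptic-curve key exchange as the Shor-vulnerable set the episode names, and uses the TLS hybrid group name X25519MLKEM768 as the "quantum-safe" example because it is the hybrid deployed by the browsers and CDNs mentioned; the asset names and numbers are constructed.

```python
"""Constructed crypto-inventory triage for the post-quantum migration.
Added example, not from the episode: ranks endpoints by harvest-now,
decrypt-later exposure so the long-shelf-life secrets get migrated first."""
from dataclasses import dataclass

# Public-key key exchange broken by Shor's algorithm on a large enough quantum
# computer (the episode names RSA, Diffie-Hellman and ECC).
SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA", "X25519", "ED25519"}
# Post-quantum or hybrid key exchange; X25519MLKEM768 is the TLS hybrid group
# shipped by major browsers and CDNs, the rest are NIST PQC algorithm names.
QUANTUM_SAFE = {"ML-KEM-768", "X25519MLKEM768", "ML-DSA-65", "SLH-DSA"}
# Assumed planning horizon in years until a cryptographically relevant quantum
# computer exists (conservative end of the episode's 10-20 year estimate).
CRQC_HORIZON_YEARS = 10


@dataclass
class Asset:
    name: str
    key_exchange: str           # "" when the inventory never recorded it
    data_shelf_life_years: int  # how long the data must remain confidential
    migration_years: int        # realistic time to upgrade this endpoint


def exposure(asset: Asset, horizon: int = CRQC_HORIZON_YEARS) -> str:
    """Classify one asset's quantum exposure for data in transit."""
    kex = asset.key_exchange.upper()
    if kex in QUANTUM_SAFE:
        return "quantum-safe"
    if kex in SHOR_VULNERABLE:
        # Traffic captured today stays decryptable forever; it only matters
        # if the data is still sensitive once a quantum computer can read it.
        # Migration time is added because nothing recorded before the upgrade
        # finishes benefits from it.
        if asset.data_shelf_life_years + asset.migration_years > horizon:
            return "harvest-now-decrypt-later"
        return "low-urgency"
    return "unknown"  # inventory gap: the episode's core warning


def migration_priority(assets, horizon: int = CRQC_HORIZON_YEARS):
    """Rank assets: unknown endpoints first (you cannot plan what you cannot
    see), then the harvest-now, decrypt-later exposed ones by how far their
    shelf life overshoots the horizon, then everything else."""
    rank = {"unknown": 0, "harvest-now-decrypt-later": 1,
            "low-urgency": 2, "quantum-safe": 3}

    def key(a: Asset):
        shortfall = a.data_shelf_life_years + a.migration_years - horizon
        return (rank[exposure(a, horizon)], -shortfall, a.name)

    return [a.name for a in sorted(assets, key=key)]


def summarize(assets, horizon: int = CRQC_HORIZON_YEARS) -> dict:
    """Count assets per exposure class, a quick board-level view."""
    counts: dict = {}
    for a in assets:
        cls = exposure(a, horizon)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed sample inventory (names, algorithms and years are made up).
SAMPLE_INVENTORY = [
    Asset("hr-records-api", "ECDH", data_shelf_life_years=20, migration_years=2),
    Asset("public-cdn-edge", "X25519MLKEM768", 1, 0),
    Asset("card-terminal-fleet", "RSA", 1, 5),   # short-lived card data, slow fleet swap
    Asset("legacy-iot-gateway", "", 10, 6),      # protocol never written down
    Asset("session-cookie-service", "X25519", 0, 1),
]

if __name__ == "__main__":
    for name in migration_priority(SAMPLE_INVENTORY):
        asset = next(a for a in SAMPLE_INVENTORY if a.name == name)
        print(f"{name:26s} {exposure(asset)}")
    print(summarize(SAMPLE_INVENTORY))
```

Two design points match the episode's argument: an endpoint with no recorded key exchange outranks even the worst known one, because a forgotten IoT gateway or payment terminal cannot be put on any migration schedule, and the card-terminal fleet lands below the HR API despite using RSA, since card data expires long before the horizon while personnel records do not.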
Tone: Candid, practical, and slightly humorous, with two practitioners reflecting on real-world security headaches and lessons learned.
