
In this week’s episode, Greg speaks with Ellen Bo…
Loading summary
A
What do CISOs need to do to prepare for the post quantum reality? We'll talk about it on this episode of Safemode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at cyberscoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming.
B
It's about keeping us safe. He's just a disgruntled hacker.
A
She's a super hacker. Stay alert.
B
Stay safe.
A
Stay safe. This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we're going to be talking with Ellen Boehm, the SVP of strategy and AI innovation at Key Factor, talking about an op ed that she wrote for us on cyberscoop that looks at the quantum security executive order that recently came out and the next steps that are going into it, Talking about what CISOs need to do in order to meet the timelines that were laid out in executive order and do all of the things that need to be done inside organizations and get the right people in the right rooms to talk about what needs to happen in order to meet those timelines. But first, normally we have our reporter chat this week. As you can see, I'm rolling solo because my staff is busy reporting out some really, really interesting stories that I can't wait for all of you to read. But in the meantime, I definitely suggest that you check out Cyberscope. We've had some really, really interesting stories this week. I want to start off with Matt Kapko's story about the first documented case of what looks to be agentic ransomware called Jade Puffer. A company called Sysdig released some research earlier this week that looked at this ransomware case where it looks like whoever is responsible for it did a lot of prep work to feed into AI and the stages of the attack that were normally overseen by humans have all been turned over to many different LLM models. A really interesting story for you to check out. Matt also had a story that looked at this email campaign that looks to be powered by Chinese espionage that is going after universities in the U.S. in Canada, really targeting physics and engineering departments. Really interesting research from proofpoint that looks at this espionage case. But I would say that the story that has been dominating for cyberscoop this week is a story from our Derek Johnson that had a researcher reach out to us that found that 2,404pages on military run webpages, particularly army pages that were dealing with AI innovation and some AI labs. They had their 44 pages hijacked by Pro Kurdish hacktivists that were going after President Trump and the US Ambassador to Turkey, Tom Barrack. If you've been paying attention this week, the NATO summit happened and that was in Turkey. So we believe that this hacktivist campaign was tied to that. But some really interesting research that came to us about by way of a researcher reaching out to us over signal to be like, I think somebody hijacked these websites. And we reached out, got confirmation and looked at what transpired there. It's been really dominating our audience this week. So I ask you to check all of those stories out. Check out everything that we have going on at Cybersuit. But really interesting stories this week. But outside of that, we're going to get to our interview with Ellen. Really interesting conversation looking at what sizzos can do to prepare for for these rushed quantum timelines. Check it out. All right. Now joining us on this week's interview segment for Safe Mode is Ellen Boehm, the SVP of Strategy and AI Operations at E Factor. Ellen just wrote an op ed for us in the wake of the administration's post Quantum executive order that looked at what the order really means for CISOs. And really interesting conversation because we see time and time again when policy is released that the way that it rolls out inside organizations isn't always ideally done. So happy to have Ellen on to talk about what she thinks and what she wrote for us. So Ellen, welcome to the program.
B
Hi, thanks for having me, Greg.
A
So for the op ed, you really frame the motion put into effect by the executive order as a leadership problem and not a cryptography problem that reframes a lot of how the industry has been talking about PQC for a while. What made you land there?
B
So in talking to customers about this, especially over the recent past, we have tried to uncover the best way to communicate this up to C staff or even at the board level is to think about how this impacts the business. And so framing it in that this is cryptography really contributes to critical infrastructure that runs our business today. And we don't think about anything going wrong with it because usually nothing does except for when we are faced with a big migration like we will be faced here when we have the cryptographically relevant quantum computer available. And so I think that's where we're shifting the conversation away from just talking about how this is a very technical thing. And then there's this computing power is going to be able to break our today's math that maybe is too technical, but being able to level it up and say, how is this going to impact your business? And then how do we take a look at it from that aspect is how we're starting to frame more of the conversation, especially in light of how AI is coming more into the conversation and grabbing some of that spark spotlight instead of talking about things like, like pqc, which, you know, it's anybody's opinion about what's going to happen first, you know, AI taking over the world or PQC breaking all of our current encryption. But anyway, that's kind of the, the origin of the thought.
A
So when it comes to the threats regarding quantum cryptography and, and having a quantum computer, the harvest now, decrypt later the threats and the timelines, they've been talked about publicly for years, whether it's been NIST working on the algorithms or hyperscalers or everybody's been talking about, you know, getting to Q day and harvest now, decrypt later. But we've also seen the timelines move up. And now with the executive order, obviously that was a big part of it. Why do you think it took a deadline with legal teeth or some actual policy behind it to actually move organizations faster than they've been moving to get to this new paradigm?
B
Yeah, that's a great question. I wonder why that's the case as well. And sometimes I just think about, even with my kids, it's like, okay, there's this deadline. I've got my homework to be done before this. And everybody, not everyone, but a lot of people wait till the last minute, everything's fine. I don't need to necessarily prepare ahead of time. So I think compliance drives behavior and regulations being regulated to do something elevates that up in terms of priority because we have a lot going on. There are, there's plenty of other enterprise programs that are being worked on within the IT organizations and this is just another one to add to the list. So I think it's, it's good to see the U.S. government and again, this is not only a U.S. you know, recognizing this. Many other nations have already been talking about how this is going to come so globally. I think it's good to see that we're saying the same thing. And I think it's also good to have some of the hyperscalers, you know, such as Google accelerating their timeline and how they are being able, being ready to prepare for this. So when you have others kind of moving in the same direction, that drives people to get on board as well. So I think the other thing that we're seeing now is the shift from moving towards this is something out in the future that's going to happen to starting to actually make the plans and coming up with what are the little pieces that I need to do within my organization to prioritize getting ready for this. Because it's going to take a long time. When we migrated from systems from SHA1 to SHA2 or RSA to ECC and this is just different types of encryption, it took a decade. So we expect that this is also going to take a long time. So knowing that we've been through this before, let's kind of come up with some of the plans of attack.
A
So you mentioned compliance there and gentle's devil advocate here. Some scissors would argue that this is just a new compliance deadline on top of an already crowded list. You think about just gdpr, AI, you know, what have you, what convinces you that this one is different and not just one that needs to be just thrown on the stack in order to check the box.
B
I really do believe that because cryptography exists inside all of our systems, anything that's connected, that it is going to have a big impact. When you start to think about the high value assets, the critical infrastructure systems that run our society, that run our. Just think again, things that people expect to always work, they are going to stop connecting. I really do believe that if, if again someone can hack into a main system and be able to just do bad things, I guess in a more generic term. So I think the impact is real and I think that's why we have to be coming up with well, what is the most impactful system into my business and do just a normal risk assessment about if that goes down, what happens, or if I am a supplier to the government or a vendor that is involved in running the nation's electricity, power grid, water, any and all of those things that if those stop working over time, you know how it is when we run out of power, we're in a heat wave right now. And I was driving down the road and so traffic lights were out and that's like a mild inconvenience. But can you imagine if that existed everywhere and, or just, you know, connectivity or the Internet going down? We can all think of these examples and how they impact human life. And if this is any, any of those systems being controlled by our governments, it just, it shows the impact that it could have when a Bad actor could get in, into those systems.
A
So let's talk about like the lessons learned from prior IT governance inside organizations and how they can apply to what we're seeing here with pqc. You know, when organizations get ownership wrong, do you think that it is a failure that nobody owns it, or that too many people think that they do? And how do you see that applying to, you know, further work that needs to be done to hit these PQC deadlines?
B
That's, that's a great question. So it depends on the organization, right? Some that are large enough have dedicated cryptography teams separate from cybersecurity teams. There is IT teams, infrastructure teams. And where we are seeing people be successful is when they pull together cross functional groups that involve probably even engineering products, legal compliance, procurement, and come up with a holistic plan for PQC readiness and migration. Because again, that cryptography is embedded in all of the systems that they use. And, and whether this is in certificates or keys or protocols, third party product. And this is where the procurement thing comes into play. You should be asking your vendors how are they preparing their systems. The software that you buy, the hardware that you, the connected hardware that you might deploy within your operation, all of that has some sort of embedded cryptography in it. And how is that going to operate when things shift apart post quantum? So that's why this does have to be a group, a working group of cross functionally from different departments in order to not miss anything to make sure that we've got all of the boxes checked and have a plan to work across the business.
A
So where do you see the friction showing up there between the different parts of the business that you talked about, the legal to procurement, the product? Because I think just in terms of, even, just in terms of software updates, like I think a lot about critical infrastructure and how when there is a vulnerability, it's, it's hard for critical infrastructure to update because you can't just take something offline or you know, hit a button like it's an iPhone. So I'm, I'm wondering, does that sort of mentality sort of lead to friction when talking about different avenues of the business that come together for something that is, you know, levels above just applying a patch?
B
That's a great question. So I think it really comes down to metrics, depending on the department. Okay. So when I've done work in critical infrastructure or in product development, and that's more of an engineering or a manufacturing environment, there are different metrics for uptime and for reliability and for cost. Right. That that drives their decisions upon which they need to invest, spend time on new programs. So if you're looking at a cryptography migration program and you can't understand how that relates to your overall metric of uptime within the factory, product shipped, more products sold, you know, it really get, it all just depends on where, what your job is and especially as the executive leaders, what they're being metriced to do. And back to where we started this conversation. I think tying back the impact to having strong cryptography running your enterprise, that needs to be a business initiative, that needs to be something that the CISO is advocating for and can translate the importance of this into how the business is going to be more successful, how you're going to keep your strong brand because your products are being hacked into or your services are, can be trusted by those that you sell to. If you are selling in the financial services industry, if you're in the health care industry, some of these that already maybe I think are a little bit more ahead on the regulatory or just standards, you know, when it comes to security or cybersecurity, I should say, I think they might get this a little bit more. So it's all about translating what we're trying to do in the metrics that make sense for those different parts of the business. But that always has in the end being able to say, well, this is going to make us more successful in the end as a company moving to
A
these deadlines inside an organization, part of it is just figuring out where you need to upgrade things. The visibility and this has always been a challenge inside it shops that whether it's just endpoints, IoT, whatever, visibility and actually cataloging the entirety of the network has always been a big issue for CISOs or CIOs or anybody that is responsible for that technology. And now with pqc, I feel like cryptographic inventories too are going to be another thing that we put on that list. And that strikes me as something a little bit harder than tracking down where all the laptops are inside an organization. So why, like, why is that so hard and what can be done to make that lift lighter as companies do reasonably put these plans into action?
B
Yes, that's definitely a challenge. And it's, it's a great point. Cryptography doesn't exist only in one place. It's not just in source code, it's in APIs, it's in other libraries, it's in drivers that run software, it's in our cloud services. And so you have to be able to inventory all of those different locations to be able to see what exists. So CISOs can have that clear picture and then once you have that, to build context around what it's connected to and then help prioritize what is the most vulnerable system. What is maybe protecting data that requires long term confidentiality. So you know, let's say there's some 10 year period of which data needs to remain confidential that's already within the harvest now, decrypt later sort of risk timeframe that you mentioned earlier. So that's the kind of thing that we have to understand is discover it, put context around it, figure out what assets it's connected to, what is it protecting, what business processes, processes would be disrupted if this goes down and then figure out how to, how to remediate in a structured way. And this again, expect it's going to take time, expect it's going to take five years, maybe seven years to migrate everything over. And you have to make sure that you also do it in such a way that let's say if you start with your route migration, that that doesn't break the back end of whatever else it's connected to. In the meantime, you have to be able to keep your business running while you're doing this migration. So having this complete inventory context around it, understanding where everything is connected is essential. Sounds like pretty common sense stuff, but it's hard to do so have having the right kind of system and automation and tools and tracking. If you only have Excel to do this, that's okay too. We've had plenty of customers that say, well we're just at least starting and trying to put in a spreadsheet better than nothing. But yeah, the point is to start somewhere and to start to have a plan and then, and have a, a little coe or cross functional team that is thinking about this as part of their daily job and not having it be an afterthought.
A
Yeah, to, to your point about this being hard, is there a point where an organization is so far behind on visibility that the honest move is to just say plainly whether that's to their board or their regulators as they, you know, look at this deadline and go look, we're, we're just really behind and, and we're going to have to start at square one from there with our plan instead of, you know, kind of leaving it to the wayside and saying, oh, we'll catch up with that and hope nobody asks about it and kind of solve it on its own, like where do you fall there? Because I do feel like the Visibility and the inventory problem really is square one here as we move toward this deadline.
B
100% it is. Yeah, I don't, I don't know. I, I feel like we are at the point now and this executive order and these announcements have helped shed some more light back onto this that I think if people haven't done anything yet, but they can at least start with inventorying today, you're still not going to be, you know, behind. Right. It's starting, I think is the, is the hardest part. And, but these timelines, they are aggressive and, and they are within the window of enterprise planning cycles today, like 2030, 2029. It's, that's like in, you know, this, the, a flick of a, you know, snap your fingers and it'll be here. So I, yeah, I think having an inventory is the place to start and then you can decide is it easier just to roll new hardware or roll new system. I think that might be more challenging, you know, unless you're a smaller company or maybe you don't have as many assets. But for a lot of our large customers, they're talking about scanning thousands and thousands of systems and they have a lot of assets and they can't just start over from scratch. So it's again prioritizing, coming up with the high value pieces and starting from there and then taking it over time.
A
So we were talking about AI earlier, about how this fits into it all, and the piece that you wrote ties pretty tightly to the PQC AI machine identity. Is that connection as urgent as the piece really makes it sound, or is it partly a way of giving crypto agility more weight than it might carry on its own?
B
Well, we can't ever write an article or talk these days without AI. Right,
A
right. I'm sorry, you know, I had to bring it up.
B
It's in my title. Did I tell you that? No, I'm just, it's, I think it's, I really do think it's important because it. Two, two things like, so AI agents or AI software or AI assisted coding and hacking is here and it is happening. So if PQC relevant computer and an AI is kind of converging at the same time, it's almost like a perfect storm of us having new ways of our systems being attacked, systems already being potentially ready to be compromised, data already being stolen, even if it's encrypted. That's only made easier because we have these AI tools, because we have different models that are being used in both positive ways from our. Internally, we use them for a variety of different purposes, and they help make us smarter, and they help us do QA testing and checking for bugs. But if we do all that, then attackers are doing the same thing. So I think that's why it's probably, I think, a reason or a catalyst to think about some of our critical systems more quickly than if AI wasn't here. And we were just talking about, you know, someone trying to like a person physically, only a person trying to do this. AI agents can work 24 hours a day, seven days a week. You can spin up multiple ones, they can work together. It's like if that's a reality. So that's why I do think that it is, it is here, you know, and at this time, I think it is relevant. Now, to what extent really is it as effective? That's to be seen. But if we can think about it and we can imagine what some of these AI software agents can do, then I think it's a risk that we have to manage. And you just have to decide within your business, how much do I think is that going to be attacking me versus traditional attacks?
A
So, finally, your piece ends on three yes or no questions for organizations to ask themselves. Do we have a clear picture of where our cryptographic risk lives? Do we have a funded sequence migration plan that meets the order's deadlines? And can we demonstrate that our trust infrastructure is agile enough to adapt as standards and threats continue to evolve? Honestly, what percentages of large enterprise could say yes to all three of those today? And if they can't say yes to all three, what one would be most important to concentrate on at this point in time?
B
Well, I would definitely say the minority is checking all three of those boxes. I think I am seeing many more customers. And it also depends on industry. So I think financial services seems to be a little bit ahead in terms of understanding this, which I think is great. I think critical infrastructure is starting to follow. I think this executive order might influence that as well. Because, again, this is not just for federal agencies. It is for. It should have this, like, carryover effect into private industry, commercial industry. So. But I would say that most everybody does understand I have to have a team to start looking into this. Whether they're assigning it to cryptography or they're assigning it to cybersecurity. They are getting people on board to come up with plans. So I think that is a pretty high percentage from a let's build a team, let's kind of understand who it is. And then moving over to the inventory. That's still maybe only 25% of teams feel like they're good in that regard. And I think again, it ties back to we just need some more emphasis around driving and raising up the priority of this. Again, Executive order I think was great to accelerate and drive some more conversations around this. And just we're running against the clock here with this, with the cryptographically relevant post quantum computer coming. It is not, it's not going to be pushed out. It's, if anything it might get pulled in a bit. So that's really the reality that we're in today.
A
Yeah, Q Day. I, I know we don't have an actual date for Q Day yet, but it's like you said, sooner than later we're going to blink and all of a sudden the world is going to be a post quantum world. So really appreciate you hopping aboard and writing an op ed for us, laying out the practical details on how organizations can move to meet this deadline.
B
Yeah, thank you so much, Greg. It was great talking to you.
A
Absolutely. Thank you for joining the program. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy, brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com thanks for listening. Check us out next week.
Safe Mode Podcast – Episode Summary
Episode Title: What the Post-Quantum Executive Order Means for CISOs
Podcast: Safe Mode Podcast
Host: Greg Otto
Guest: Ellen Boehm, SVP of Strategy and AI Innovation at Key Factor
Release Date: July 9, 2026
This episode of Safe Mode Podcast explores the ramifications of the recent U.S. executive order on post-quantum cryptography (PQC) for Chief Information Security Officers (CISOs). Host Greg Otto interviews Ellen Boehm, author of a recent cyberscoop op-ed, to break down what the executive order requires, why it matters, and how CISOs and their organizations should begin preparing. The conversation reframes PQC as a leadership and business challenge rather than a purely technical issue, discussing compliance, organizational dynamics, inventory and migration hurdles, the interplay between PQC and AI, and the real-world urgency behind cryptographic readiness.
Deadlines Prompt Action:
Global Context: U.S. isn't alone—other nations and major cloud hyperscalers are also moving on PQC.
Quote:
Impact Is More Fundamental:
Risk to High-Value Assets:
Quote:
Cross-Functional Teams Essential:
Vendor Readiness:
Quote:
Different Departments, Different Metrics:
Critical Infrastructure Special Case:
Quote:
Complex Challenge:
Structured Approach Needed:
Prioritization:
Timelines:
Quote: