To The Point – Cybersecurity
Episode Summary
Title: Navigating Legacy Cybersecurity and Quantum Threats with Damien Fortune
Date: December 2, 2025
Host: Rachael Lyon
Co-Host: Jonathan Knepher
Guest: Damien Fortune, Founder & CEO, Centrix
Episode Overview
This episode dives into the challenges of legacy cybersecurity, the modern threat landscape—including supply chain risks, vendor accountability, and the shifting dynamics of on-premise versus cloud security—and the approaching quantum computing revolution. Damien Fortune, CEO of Centrix, shares his experiences from Wall Street to the cutting edge of cryptography, providing actionable advice for businesses and individuals on how to prepare for the anticipated “Q-Day” when quantum computers could break today’s encryption.
Key Discussion Points & Insights
1. Why Legacy Systems Remain a Persistent Threat
- Trade-off Between Convenience and Security
- Many organizations continue using mainstream, familiar tools for workforce efficiency, but this perpetuates cyber risks.
- Quote: “It doesn't really matter how many locks you have on your front door if you leave your window open. And most of the time, we find that's how these breaches do start.” — Damien Fortune [02:58]
- Inertia and Technical Debt
- Reluctance to retrain staff and upend workflows results in aging, vulnerable infrastructure.
- Industry norms and risk aversion: “There’s a saying that a CISO’s never going to get fired for using Microsoft or McAfee.” — Damien [03:50]
- Short Organizational Memory
- Fast turnover (average CISO tenure: 24 months) often leads to deferring difficult upgrades.
- “[...] maybe this will be the next guy’s problem and not mine.” — Damien [03:57]
2. Financial and Operational Barriers to Modernization
- Vendor Consolidation
- Organizations now seek to reduce platforms/vendors for cost and operational efficiency, but risk missing critical security redundancy. [04:28]
- Making the Business Case
- Security investments are often justified as “insurance” against potentially massive losses: “You really need this tool because the cost on the other side [...] is tremendous.” — Damien [04:53]
3. Reactive vs. Proactive Risk Reduction
- The “Yin and Yang” of Security Posture
- Overly aggressive patching/automation can have downsides—sometimes “being super up-to-date” can expose new vulnerabilities (e.g., CrowdStrike outage). [05:01]
- Continuous Awareness
- Maintenance basics aren’t enough; education must evolve with the threat landscape:
- “The trick still becomes that the bad guys have evolving tools that make them better and better at what they do.” — Damien [05:50]
4. Supply Chain, Partner Risks, and Accountability
- Software Bill of Materials (SBOM)
- Growing focus on detailed inventory of all software components and partner integrations: “We’re seeing more and more of these cyber bills of materials, as they’re called.” — Damien [06:43]
- Complexity of Legacy Systems
- Large, intricate systems can be impossible to fully inventory or audit.
- Cloud vs. On-Premise Security
- Tension between reducing threat surface (on-prem) vs. efficiency/convenience (cloud):
- “There’s a lot of pros and cons both ways. [...] Bringing more things out of the cloud reduces the threat surface.” — Damien [08:34]
- “You kind of have to live in the middle lane: give people access but have enough controls.” — Damien [09:17]
5. Vendor Compliance & Shared Accountability
- Limitations of Compliance
- Compliance checklists often rely on outdated, self-attested info and are not a substitute for security or transparency:
- “A lot of times those things are unfortunately self-attested. [...] a certification that’s three months old might not even be all that useful anymore.” — Damien [10:19]
- Purpose-Built Platforms Over Email
- Emphasis on moving sensitive workflows off email to more secure, auditable platforms:
- “One of the things that we hear more and more from CISOs is we’re scared of doing business over email. It’s kind of like the last bastion of super insecure ways of collaborating.” — Damien [11:18]
6. The Quantum Threat & “Q-Day” Urgency
- Harvest Now, Decrypt Later
- State actors may already be storing encrypted data to decrypt when quantum computers mature — “Q-Day.”
- “If it's encrypted with today's encryption, it's going to be sitting on a shelf vulnerable in 5-7 years. And that's, we think at this point going to be well beyond Q-day.” — Damien [15:44]
- Shortening Q-Day Timeline
- Forecasts for quantum capability are accelerating: “This Q Day is going to be here in three years or less.” — Damien [14:19]
- Critical Infrastructure at Risk
- Utilities and national security data are top targets; “out of all the industries, the utility folks are the most proactive thus far.” — Damien [17:08]
- Action Steps
- Inventory your most sensitive/workflow-critical data and interrogate where and how it is stored and communicated.
7. Data Accountability & Human Factors
- Comprehensive Logging & Access Controls
- Security teams are increasingly asked: “How can we tell who’s the last person that touched this file?” — Damien [20:02]
- The Human Weak Link
- Security fatigue and distraction enable breaches—no amount of training can fully eliminate risk:
- “All it takes is that kind of fraction of diverted attention to prevent you from taking that extra step…” — Damien [22:20]
- Defensive Design
- Building systems that protect users from themselves:
- “...if you're accessing a file in our system, at least you'll know that that's from the person that it purportedly is from, or that this file has gone through some sort of screening to make sure that it's safe for you to click on…” — Damien [23:16]
8. Deepfakes, AI, and New-Age Phishing
- Proliferation of Convincing Scams
- AI (e.g., ChatGPT, Claude) makes social engineering both easier and more sophisticated:
- “The days of the poorly worded email from a Nigerian prince...are a thing of the past.” — Damien [24:12]
9. Damien Fortune’s Personal Background & Journey
- From Finance & Law to Cyber
- Graduated into the 2008 crash, law school as a pivot, then Wall Street and private equity.
- Real-world "inflection point": Zoom-bombed meetings during early COVID sparked his focus on collaboration security. [26:53]
- “As a startup guy, being able to kind of step in and put on the general counsel hat is super interesting ... So understanding how to navigate those things, how to shape our policies ... has been super important.” — Damien [25:24]
10. Closing Advice: Preparing for Quantum
- Inventory and Awareness
- “Taking the moment to do the inventory ... there’s a lot here that’s sensitive and a lot more than I maybe thought of as I was walking around day to day.” — Damien [31:13]
- Ask institutions and partners about their data protection practices and rethink your own workflows—especially for anything involving sensitive information.
Notable Quotes
- Legacy Risk: “It doesn’t really matter how many locks you have on your front door if you leave your window open.” — Damien Fortune [02:58]
- Quantum Timeline Shift: “That Q-Day estimate keeps getting pulled forward ... speakers from the companies that make quantum computers were saying, look, this Q-Day is going to be here in three years or less.” — Damien Fortune [14:19]
- Utility Sector Proactivity: “...the utility folks are the most proactive thus far...they just make the lights go off, right. So they're being more proactive and we've been really encouraged by that.” — Damien Fortune [17:08]
- Human Factor: “All it takes is that kind of fraction of diverted attention to prevent you from taking that extra step...” — Damien Fortune [22:20]
- Practical Preparedness: “Taking a moment to do the inventory...and thinking about the systems that you’re doing those activities on and saying, okay, which of these needs to change?” — Damien Fortune [31:04]
Timestamps for Key Segments
- [02:18] Guest Introduction: Damien Fortune’s Background
- [02:37] Why Are Legacy Systems Persistent?
- [03:37] Barriers to Addressing Technical Debt
- [05:01] Reactive vs. Proactive Risk in Cybersecurity
- [06:42] Supply Chain/SBOM and Vendor Risk
- [08:34] On-Premise vs. Cloud Security
- [10:11] Shared Accountability & Vendor Compliance
- [13:11] Quantum Threat and Q-Day
- [16:04] Critical Infrastructure Risk
- [18:11] “Harvest Now, Decrypt Later” Explained
- [19:36] Data Accountability and File Integrity
- [21:36] Human Factors & Training Fatigue
- [24:09] AI-Driven Social Engineering
- [25:14] Damien Fortune’s Personal Journey
- [31:04] Closing Advice on Quantum and Encryption
Memorable Moments
- Damien’s analogy about locks and open windows—a simple but powerful visual for risk.
- Discussion on security fatigue and the “fraction of diverted attention.”
- The revelation that Q-Day could be as soon as three years away, not the distant future many believe.
- “Certified fresh” files—Rachael Lyon’s wish for safer, more visibly “clean” messages/emails.
Final Takeaways
- Legacy system risks are as much about inertia, culture, and economics as they are about technology.
- Quantum-readiness needs immediate action: inventory and re-assess all sensitive data and communications.
- Human users will always be a factor—systems must be designed to protect, not just educate.
- The future favors adaptability: continuous improvement in tools, processes, and awareness is vital.
