In today's episode of Tech Talks Daily, I sit down with Christian Reilly, Field CTO for EMEA at Cloudflare, the Connectivity Cloud company, to examine the latest findings from their cybersecurity research and what they reveal about how prepared different industries really are.
While sectors like IT, gaming, and financial services have seen a higher volume of cyberattacks, they also report greater readiness and resilience.
In contrast, industries like education and healthcare, although less frequently targeted, remain far less prepared to defend against growing threats. This gap raises important questions about how organizations approach security depending on their legacy systems, revenue models, and digital maturity.
Christian brings years of frontline experience to the discussion and shares actionable insights into how companies can build cybersecurity strategies that not only protect but also improve performance.
From the shift toward zero trust architecture to the critical role of board-level engagement, we explore how forward-thinking organizations are rethinking the role of cybersecurity in modern digital operations. He explains why simplicity often beats complexity, and how reducing friction for end users is key to long-term resilience.
We also look ahead to some of the key trends shaping the future of security. Christian dives into the challenges posed by emerging technologies such as quantum computing, AI, and the explosion of data generated by IoT and smart infrastructure. He stresses the importance of preparing now for scenarios like Harvest Now, Decrypt Later, and why organizations need to begin thinking seriously about post-quantum cryptography.
On the human side, Christian outlines what effective training looks like today and how to shift employee culture from compliance to awareness.
If you're wondering how to stay one step ahead of evolving threats, this conversation offers a wealth of insight from the heart of the Connectivity Cloud. How is your organization preparing for what's coming next?
[00:00:03] How prepared is your industry for the cyber threats of tomorrow? And what are the consequences if you're not? Well in this episode I'm joined by Christian Reilly, Field CTO for EMEA at Cloudflare. And my guest brings a frontline view into how modern organisations are adapting, or sometimes struggling, to deal with escalating risks from phishing, DDoS attacks, and the growing complexities of their tech stacks.
[00:00:31] And together we'll examine why industries like IT, gaming, and financial services are more resilient compared to healthcare and education. Where legacy systems and low digital maturity often end up leaving critical gaps. Sound familiar? Well my guest is going to explore the mind shift required at board level, highlighting how companies are beginning to treat cyber security not just as a technical necessity,
[00:00:57] but as a foundational pillar for business resilience and operational efficiency. Whether it be AI-enabled incident response or long-term implications of post-quantum cryptography. The conversation today is going to cover the pressures facing security leaders and the opportunities for organisations that get this right. Security has got to be personal, cultural and continuous. Not just an annual compliance checkbox.
[00:01:26] So how can your business move from reactive defence to proactive readiness? And what are the practical steps needed to take today to build a better security posture? One that scales with future threats? Well it's time to find out by officially introducing you to today's guest. Welcome to the show. Can you tell everyone listening a little about who you are and what you do? Yes, Christian Reilly.
[00:01:54] I'm the field CTO for the EMEA region, which is Europe, Middle East and Africa for Cloudflare. Which effectively means that I spend a lot of my time working with our biggest, most strategic customers across the whole of that region. Helping them sort of plan for their next generation of transformation activities for all the good things that we can help them with here at Cloudflare.
[00:02:13] And there's so much I want to talk with you about today, especially around your recent research at Cloudflare that shows somewhat of a stark contrast in cyber security preparedness between industries like IT, gaming and financial services. Especially when compared to sectors such as education and healthcare. So what factors contribute to these differences?
[00:02:38] What did you find and how can the more underprepared sectors maybe start enhancing their cyber security defences? Well, I think first of all, I said, what a wonderful question to get us started. Yeah. I mean, I would say that in many cases, and this isn't an exact science because every organization on the planet is different in their own right. But I think there's a few things. There's the question of the age of an organization.
[00:03:01] And what I mean by that is if you think about the more gaming technology media companies, they tend to be a lot younger in age compared to maybe a healthcare organization or an education sector, for example. And I think as part of the age of an organization, you then have to consider what's the legacy technology stack.
[00:03:18] And of course, that can be hugely complicated depending on how old an organization is, kind of what technologies they've grown up with, and then how they're sort of approaching balancing what we would look at as transformational activities with technology versus kind of managing that day to day.
[00:03:33] And then if you put a sort of a cybersecurity perspective on that, I think there's a big difference between how organizations understand the attractiveness of their systems to those bad actors and what the likelihood of their organizations being attacked are. And I would say that it's not really unusual for modern organizations, and I'll go back and say those that are newer in age, to be a little less burdened by the historical technology.
[00:03:58] And certainly we see that digital native businesses, which are gaming, media and so on, have a lot more cloud provided technology in their estate. Now, of course, that doesn't mean that cloud provided technology doesn't come with security concerns, but there's definitely a difference between, I'd say, organizations who rely on cloud technologies to offer their services and those services that drive revenues directly, kind of versus the customers that don't. So there's a big thing to consider there.
[00:04:53] So what lessons can other sectors learn from cybersecurity strategies that are implemented in those industries? And are you able to share any specific success stories? I don't want to focus too much on the doom and gloom because there's a lot of good stuff out there too, isn't there? Yeah, absolutely. And I think that question of how organizations can be better prepared is probably the most asked question that I get. And I'm very fortunate in my role to work with big customers and big organizations in all sorts of different sectors.
[00:05:21] And to be honest, I don't know that I could give a specific formula to say, here's how you should be better prepared. I mean, I would certainly say that a lot of preparedness comes from a combination of culture in an organization and a depth of understanding kind of what you actually have, why you need to protect it and from whom. And of course, that's not always straightforward because it brings into question risk. And that's a giant topic in and of itself.
[00:05:47] How do we manage risk and how do we apply controls to help with that risk in whatever state that you have? But I want you to go back to something that I mentioned earlier. When you have this scenario where, let's say, your primary revenue stream comes from online services, then you really don't have a choice when it comes to protecting those assets and, more importantly, ensuring that you can recover from a cyber-related incident.
[00:06:09] And so the other side of that, which I think we've seen a lot, and I'm sure both of us could give a litany of examples, it's not just the actual cost of lost revenue when something happens. It's the reputation risk as well. And I think we've seen plenty of examples over the years of e-commerce or financial services who have been compromised. And the fallout from those attacks tend to last a long time.
[00:06:33] But I think if I sort of look at it through a Cloudflare lens, we work with a lot of big organizations who have these very online services scenarios. And as you mentioned, there's a lot of success stories where we're very proud, and I would say we're expert at detecting some of the things that we would typically work with customers to help with, which is big distributed denial of service attacks or whatever. But I think to your question about success, I think the success is always when it's kept simple.
[00:07:00] We often talk about how complex everything is, how the bad actors are getting better and more sophisticated. But the reality is that where cybersecurity tends to win is in simplicity. And if security is too complicated, or maybe in the case of an organization who's protecting their own workforces, what you don't really want is an implementation of cybersecurity tool that becomes problematic for the end users. And the reason you don't want that is because end users are getting smarter and they find a way around everything that you put in place.
[00:07:29] And that's really not a situation you ever want to be in because clearly you can't secure what you don't know about. So I think it's when I would say lessons learned, I think the simplicity is a key one. I think over the years, we as an industry have always gone for the best of breed. And what that's led to is kind of a very big patchwork quilt of security implementations, which are difficult to observe, they're difficult to manage. And you don't really get the benefit from them because they're all from different vendors and different piece parts. So I would say that the folks are doing it the best.
[00:07:59] I'm looking at it through a lens of simplicity. And how can I make sure that I don't break the end user experience by having too much security that makes it impossible for people to work? And I think very often when talking about cybersecurity, we focus on the firefighting, preventing attacks, but less on the positive impact that this work can have on an entire organization.
[00:08:19] So for any business leaders that are listening to our conversation who might be slightly unaware of the scale of the value that these unsung heroes in cybersecurity deliver, I'm curious. How have you seen modern cybersecurity measures contributing to the overall operational efficiency in the workplace? Are there any trends that you've seen in industries that have maybe done this and embraced stronger security protocols and unlocked some of that additional value too? Without a doubt.
[00:08:49] I mean, I would say that probably at least 50 to 60% of the conversations I have are really focused on kind of rethinking what the strategies are for enabling what I would call a seamless experience in quote marks for their workforce. And the reason that's so important is because it's targeted at driving individual productivity. We've been talking about individual productivity for probably a decade or more.
[00:09:14] And I think if you put it in the context of how the demographic has changed, different workforce, younger workforce, more digital savvy, plus the rise of home working, hybrid working, and just the sheer number of business applications that are still either delivered internally in the classic sense or delivered via software as a service. I think the traditional models that we applied to security just don't work anymore.
[00:09:38] And I think the most obvious one, and when you talk about sort of the protocol, I'm going to use that in a slightly wider context, would be around zero trust. We have many conversations about zero trust. And at the root of that, to an extent, it is unfortunately we kind of have to take ourselves back to the pandemic, which obviously everybody's trying to forget and move on from. But if you think about what happened during the COVID times, there was a giant challenge for all businesses around the world.
[00:10:03] So obviously I spent quite a lot of my early career in a large organization planning for all sorts of business continuity and disaster recovery scenarios. None of those ever included all of our offices. And we had 160 offices around the world being taken offline at the same time due to something like COVID. And so the question of how do you actually keep an organization running in that fully remote scenario was something that I don't think many people planned for.
[00:10:29] And so to kind of get around that and to make people productive and to try and help businesses continue, I think there was a rush to deploy traditional VPN technologies. And don't get me wrong, for the most part, they worked fine. They're not really based on zero trust in any meaningful way. And they certainly aren't designed around the same concepts of least privilege, which are sort of super fundamental to zero trust.
[00:10:51] And so I think when you look at security, you look at performance and you look at the user experience, I think those three things are really key to delivering those productivity gains. And as I said, 50 to 60% of the conversations I had with CISOs are about the move to zero trust. And that's just a giant trend that I see across every industry that we serve. And I think a decade ago, the C-suite were often accused of struggling to see the value in cybersecurity and something that might happen one day.
[00:11:20] And thankfully, that has completely changed now, I would say. And with cybersecurity now becoming a major investment area for businesses all around the world, is there anywhere you think organizations should better focus their resources to help build that more resilient cybersecurity posture and improve cyber hygiene, etc.? Yeah, again, I think it depends on perhaps how we define resources. And the reason I say that is because certainly in my conversations, in my experience,
[00:11:49] I would suggest that it's becoming increasingly important, if not mission critical, to garner board level support for cybersecurity initiatives overall. But I think specifically around resilience, and this is a huge topic that comes up time and time again, I think that board level involvement and the resources that are from the board all the way down, whether they're human resources, financial resources, technology resources, it's beginning to start with that board level engagement.
[00:12:16] And to go back to your point, I think traditionally and in my own experience, cybersecurity risks, they were maybe something that got presented to a governance risk and compliance committee or a few people who are sort of passingly interested, but certainly not at the board level. And I think today that's sort of changed rapidly. And you mentioned the C-suite earlier. I've seen a huge shift in the role of the CISO, what the CISO now has to do, being able to clearly articulate the trends and likelihoods of many different distributed attacks
[00:12:46] and attack types and different groups and individuals and the geopolitical side and all of that kind of thing. Having to understand all that, but then articulate it in a language so that the board can understand and then help guide their investments in whatever those three buckets of resources are. It would be really easy for me just to say, hey, focus on this, focus on that. But the reality of it all is that, as I mentioned earlier, every company is different in its own right. And I think that's where the elevation of these discussions to the board becomes super critical
[00:13:14] to attain a level of cyber resilience that's contextual to their business. And I would say that outside of all the technology things that's happening, I would say that's a massive shift in the way that those conversations are handled. And one thing that is a little disappointing is we're still seeing those lazy headlines around human workers being the weakest link in cybersecurity. And there are so many different things that we can do to avoid that. In particular, not just having a once a year compliance training test
[00:13:44] where you're hitting next, next, next for an hour and then moving on. But education and training, done the right way, are often seen as critical to the company's cybersecurity strategy. And there's many different variants of this. But from what you've seen, what are some of the more effective strategies or innovative programs you've seen that ensure employees remain proactive in defending against cyber threats? Because it is a big risk there, but there are so many good ways to avoid this, aren't there? There are.
[00:14:11] I would say that the very best companies that I've seen do this in terms of the effectiveness of cybersecurity programs. They're not the ones who do what you said, where they don't just make sure that you've got to read these things and click through next and then you get a check in your HR system. It's those who are, and I'm going to use a word here, relentless in the pursuit of their end user education. And I would say that the very, very best ones, and I won't mention them by name should I embarrass people,
[00:14:38] but they're the ones who have educated their workforce to really understand that there's no difference between protecting the company data versus protecting your own data at home. I think we all know somebody who may have clicked on your Gmail or Hotmail link or whatever, and then suddenly your hard drive is ransomware and you can't access the photos of your golden wedding or your kid's graduation. To me, that's actually genius because if you play on the hearts and minds of that
[00:15:05] and make it personal, then I think in the business context, you've got a higher likelihood of success. And I think if I sort of think about that program as a concept, not just for end users, but also for security professionals, I think we've moved on, or at least I hope we've moved on, from the sort of traditional tabletop exercises and planned simulations where we knew that 9am, the 747 was going to fall onto the data center in San Francisco. Real world doesn't work like that.
[00:15:34] And if there is an attack and if there is a compromise and a breach, it's a very, very different thing than doing scenario planning from an expected time. But I still think we've got a lot of work to do. And what we see at Cloudflare is that phishing is by far and away the number one attack vector. So those links that you talked about, the humans doing what humans do. And I would also say that for the most part, I don't believe anybody in the workforce does things intentionally. There are,
[00:16:01] of course, examples of insider attacks and so on, but I'm thinking in the general populace of you accidentally clicked on a link. We still see that as the number one challenge. And I think the interesting thing there may be in the next few years, what happens with generative AI? What happens with attacks that get much more clever and much more believable? Things like business email compromise is a big one, but anything that's sort of phishing or social engineering related,
[00:16:26] we've got to double down on the education. And then again, I think that's also about culture change because you can't really penalize people for making mistakes. So I think it's all about the three words, education, education, education. And with emerging technologies like AI, quantum computing, and IoT, all transforming the world of cybersecurity. And one of the most worrying aspects for many is that countdown that they
[00:16:52] may have seen on the internet to the so-called Q day when quantum computing could potentially break encryption. With all these scary headlines filling up our news feeds, how can organizations better stay ahead of some of these developments and ultimately protect their critical services and data? Yeah, well, I think this is a really fascinating topic, right? And Cloudflare, we've been working on our quantum or post-quantum readiness for a number of years now. And I think like any new
[00:17:19] technology trend, we have to sort of balance this in a little bit of realism, right? I don't think the mainstream quantum computing is going to hit us next week, the week after next year, or maybe not even the year after. But the concern at the moment, and quite rightly so, is around a philosophy that is called harvest now, decrypt later, right? Which is kind of a really cool phrase, right? But what that really means is that even if quantum computing isn't ready now, some of the cryptography that we
[00:17:48] have in place and is used routinely for many different types of encryption can actually be literally stored now and then potentially broken at a later date. So I'm not suggesting that we're going to see the mainstream quantum computers in every location very soon. But what we are concerned about is what happens if the cryptography today that is not post-quantum ready can be harvested and then decrypted really simply later on. And if you think about the implication of that, lots of what I would
[00:18:17] consider to be basic hygiene for security has been in place using sort of the standard encryption technologies we've got now. Any data that's at rest for various regulatory reasons or just internal rules reasons, you really should be encrypting some of that at rest. And the question there is, so if I harvest the cryptography keys for that now, how easy is it for me to break later? So I think there's lots of, like any new thing that comes out, there's a little bit of confusion maybe, there's a
[00:18:46] little bit of how do we really wrap our minds around what needs to be done here. But I think certainly from a quantum point of view, we should be continuing to understand what the risks are from that sort of harvest now, decrypt later. Now the whole AI thing is completely different, right? I mean, two years ago, nobody had heard of ChatGPT, nobody had heard of OpenAI. And now there's a new model every day that comes out. I think that the downside of the pace of that AI is that organizations simply
[00:19:13] don't have time to understand what's a good bet from not a good bet, because the speed of the evolution and capability of the models is outstripping the natural cycle of technology adoption, which is kind of an interesting inflection point in general. But I think preparedness for AI, and we're seeing a lot of this in the conversations we have, how do I figure out how to protect what goes into the model? How do
[00:19:38] I validate the input from prompts? How do I validate the response from prompts? I think that's just good understanding of how to put guardrails in place that don't necessarily stop people from using those technologies in an environment, but certainly help to guide and control them. Because like we've seen in the last six months, agentic AI is now a big thing. We're going to see autonomous agents going around looking at data
[00:20:04] sources, making decisions. And it kind of gets interesting to me about the responsibility of those agents, like who do they report to? They're not like me and you, right? They don't have physical bosses. So I think there's some really interesting things that are going to happen, perhaps on the compliance and the risk and the legality side. But many organizations that we talk to are already putting, I would say, reasonable guidelines for usage in place for whatever comes next with AI.
[00:20:29] So if we take a look across multiple industries, I'm curious, what do you consider to be the most pressing cybersecurity challenges that will dominate corporate cybersecurity agendas over the next three to five years? And as I say that out loud, I know five years is impossible now, and it's almost like 20 years in old money. But anything that you would suggest that you're seeing there, any trends you're seeing and how businesses should prepare? Yeah, absolutely. I mean, we've talked about quantum and obviously there's a significant amount of work
[00:20:59] happening in terms of post-quantum ready cryptography. So I won't repeat myself on that one, but I think that's going to be an incredibly important set of considerations for CISOs going forward. Not only how can we sort of protect about some of the things that I mentioned earlier, but where and how does that post-quantum cryptography fit in our environment? And I think if you sort of peel that back a little bit and say, okay, so why would we be doing that? It's really, again, around sort of
[00:21:26] data security. And again, if you think about all of the promise of AI, whether it's generative or agentic or whatever comes next, is predicated upon access to data. And so I think most CISOs are going to be looking at this and saying, actually, now we're going to be opening up these data sources to very different use cases. It's not sort of the classic, my application talks to the middleware, talks to the database, and my user logs in and we've got business logic and we've got all that
[00:21:53] sort of stuff. It's going to be about, actually, how can we get the value out of all the data that we have in the organization? And again, this is not a new phenomenon because I think many organizations going back to big data, if you remember that from 10 years ago, and nobody talks about that anymore because there was really no so what. But if you think about it, all of the data that gets generated is going to continue to grow massively, right? So if you think about IoT that you mentioned,
[00:22:19] you think about Industry 4.0, you think about cyber physical systems, we think about all the things that we're seeing, whether it's autonomous vehicles, whether it's smart factories, whether it's smart cities, we're going to get literally drowned in more and more data. So I think the question is not only where does that data get generated, how does it get secured, where does it get used, but how valuable is that data? So things like data security posture management are going to be increasingly important. Yeah. I mean, it's going to be a really interesting time in the next five years.
[00:22:48] I wish I had a crystal ball because two years ago, I would never have seen the GPT things coming out, but I think we can see enough to kind of understand the source of all this sort of potential next generation business advantage is going to be rooted in data. So I think we're going to see a significant focus on the protection of that. And a few moments ago, we were talking about cyber security training, how it's an area where many organizations often struggle to keep up. And if we were to give everyone listening one big
[00:23:16] valuable takeaway, is there anything that you would advise that a business could do straight away or implement more effective training programs that not only educate, but also empower employees to be that first line of defense against cyber threats? Any big takeaways or tips that you'd leave anyone with around that? Yeah. I mean, the one thing I would say is, is obviously the end users, one line of defense,
[00:23:40] but then having your incident response team and your security operations team be more AI enabled. And I am going to use that as a really terrible phrase, but my point is that when you think about all of the influx of bad things, I mean, of course we have anti phishing systems, anti malware, all those kinds of things. But the reality is that things always find the way in. If we had a perfect scenario, it would be for the end users to have an easy button, right? To report things or report
[00:24:08] suspicious links or suspicious emails or suspicious activity. And then for that to be dealt with autonomously, right? Because I think the biggest challenge that we have for most security operation centers is the sheer volume of things that they have to comb through and look at. And so I think we're going to see very quickly kind of a whole new AI enabled security operation center and incident response team that really is kind of the, let me call it the autonomous part of a good
[00:24:35] security posture. I think the more we can offload from the humans to allow the humans to do what they're really good at, whether that's reporting, analyzing certain things and patterns and whatever, but giving the hard work to the AI systems, I think will give us a really nice scenario that hopefully should make it easier to report things, easier to diagnose things and easier to fix things before they become a problem. Well, thank you so much for coming on and sharing your
[00:25:02] insights with everyone today. So much gold in some of your answers and advice there. And I think we're at a moment where everybody listening is feeling that pressure to be in a state of continuous learning. And as someone that is leading the way here, any tips on where or how do you self-educate? How do you keep up to speed with all these trends and changes and everything that you're seeing out there in this space? Anything you could share around that? Yeah, I'm very fortunate to have been in this industry a long time. And so I'm connected to lots
[00:25:32] and lots of people who are far smarter than I am on LinkedIn. And I think LinkedIn, for me, 15, 20 years ago, when cloud became a thing, I was very well connected and part of a group on Twitter, now X, that was kind of visionary and willing to share things in a set of key trends that turned out to be very significant to the technology industry. I now get most of my knowledge from LinkedIn, quite honestly. All the Cloudflare knowledge I get from our wonderful web presence and Cloudflare TV and our blogs and all the technical blogs that we have and the brilliant people we have in the company
[00:26:01] here. But just in terms of general industry trends, I found that LinkedIn has become my new go-to place, just as Twitter X was almost 20 years ago, which sounds crazy, when cloud came out. And there's just so many brilliant people and so many people willing to share their opinions and their initiatives and their knowledge. I mean, I could make a career of just reading that every day, to be quite honest. Love it. And I will add a link to the Cloudflare study that we mentioned there that highlighted
[00:26:28] that 64% of business leaders expect a cybersecurity incident within the next 12 months, but only 29% of them feel prepared to defend against them. So I'll add a link to that. But is there anywhere else that you'd recommend anybody listening check out if they want to keep up to speed with the work that you're doing at Cloudflare or contact you or your team? Where would you like to point them? Well, to cloudflare.com. You'll find the Cloudflare blogs on there. You'll find a lot of our threat research on there. You'll find a lot of our white papers on there. You'll find a lot of our deeply
[00:26:57] technical blogs. As I said, we have some wonderfully talented people here. And especially if you're interested in some of the things we talked about around post-quantum, you'll find some great examples there of the pioneering work we're doing in the industry. So yeah, cloudflare.com, plenty of great assets on there, plenty of great videos on Cloudflare TV, and yeah, a wealth of information for all the things that we do here. Well, somehow in 30 minutes, we managed to pack in there the importance of industry readiness and
[00:27:23] response. And making that possible, of course, is modernizing the workplace with robust cybersecurity, investing in cybersecurity, educating and training. And as a result, there is a positive outlook around this. I'd love people listening to share their stories, how they're prepared for future cyber attacks. But more than anything, just thank you for coming on and starting this story today. Really appreciate your time. It's been my pleasure. Thank you for having me.
[00:27:50] As Christian made clear there, the most successful cybersecurity strategies don't just protect, they empower. Whether it's giving employees the tools to report threats with confidence, build AI-enabled security operation centers, or fostering a board-level culture, one that views cybersecurity as essential to growth. That path to resilience is increasingly human as much as it is
[00:28:16] technical. So as we enter this era where risks are rising, the technology is evolving faster than policies can keep up, and the margin for error is shrinking. The good news is, with the right foundations built on simplicity, education and trust, organizations can turn those cybersecurity strategies into a competitive advantage. But hey, I'm just a guy talking into a microphone here.
[00:28:43] What does your team need to do to prepare for those threats of tomorrow? And what role will you play in making security a more shared responsibility across your business? Let me know. Tech blog right to outlook.com, LinkedIn X, Instagram just at Neil C. Hughes. Let me know your thoughts and I'll return again with another conversation. Hopefully I'll speak with them. Bye for now.

