2026 will force every CISO to confront decades of deferred maintenance, or risk catastrophic failur

2026 will force every CISO to confront decades of deferred maintenance, or risk catastrophic failur

BackerLeader 42 220 362
calendar_todayschedule3 min read

The Quantum Wake-Up Call: Why CISOs Need to Fix Their Tech Debt Before 2026

The cybersecurity world is racing toward two simultaneous inflection points that will fundamentally reshape how organizations approach digital security. While everyone's attention remains fixated on AI implementation, a quantum cryptography crisis is quietly building momentum that could make the Y2K transition look like a minor inconvenience.

Chuck Herrin, Field CTO at F5, has spent the past year traveling 300,000 miles globally, witnessing firsthand how enterprises are struggling to balance immediate AI security demands with the looming post-quantum cryptography (PQC) transition. His observations, during Black Hat 2025, paint a sobering picture of organizational unpreparedness.

The Fundamentals Crisis

"Most companies can't tell you how many exposed API endpoints they have, plus or minus 5,000," Herrin explains. This visibility gap becomes exponentially more dangerous when IDC research shows that companies investing in generative AI expand their attack surface by roughly 5x. Yet organizations continue to skip the basics in favor of flashier AI initiatives.

The problem isn't just about AI applications; it's about treating them as entirely new entities, rather than what they actually are: distributed applications that require the same fundamental security controls we've always needed. API visibility, continuous discovery, authentication, authorization, and rate limiting remain as critical as ever, but they're getting lost in the AI hype cycle.

"A world of AI is a world of APIs," Herrin emphasizes. "You absolutely cannot secure your AI systems without securing the interfaces that serve them."

The Multi-Lens Approach to AI Security

Traditional security approaches are failing because they're over-indexed on single data sources, typically traffic logs. Herrin advocates for a multi-lens approach that combines traffic analysis with source code discovery, network segmentation visibility, and DNS monitoring. This comprehensive view becomes essential when dealing with AI applications that may process multiple modalities—text, images, audio—each representing a potential attack vector.

Before deploying AI applications externally, organizations need to answer fundamental questions: How many modalities does your model need to process? Can you use a narrower model to reduce attack surface? Do you understand what versions of interfaces you're exposing?

"If you can use a narrow model that doesn't expose multiple modalities, you have fewer avenues to monitor, manage, harden, test, and validate," Herrin notes.

The Quantum Time Bomb

While AI security demands immediate attention, the quantum threat operates on a different timeline that's equally urgent. F5's research reveals that 91.4% of the top one million websites don't support PQC, with adoption remaining devastatingly low across critical sectors: banking (2.9%), healthcare (8.5%), and government (7.1%).

The "harvest now, decrypt later" attacks are already happening. Nation-state actors are collecting encrypted data today, banking on future quantum computers to decrypt it. This means any data requiring long-term confidentiality—intellectual property, healthcare records, financial information—is already at risk.

"If you've got data that you need to keep safe and confidential for 50, 60, 70 years, you need to be on this now," Herrin warns. "The day that a cryptographically relevant quantum computer hits the scene, you must consider data that was previously encrypted as compromised."

The Banking Paradox

Despite heavy regulation, financial institutions are moving slowly on PQC implementation. The largest banks are actively working on it, they have tens of millions of interfaces to upgrade, but it's a multi-year project. Smaller institutions aren't even considering it yet.

"AI is sucking all the air out of the room," Herrin explains. "Nobody is coming to them saying 'save me a million dollars next year' with PQC. There's no big business use case driving adoption."

This creates a dangerous prioritization problem. Organizations are pouring resources into AI initiatives while ignoring the cryptographic foundation that protects all their data.

The Tech Debt Reckoning

The convergence of AI expansion and quantum threats will force a massive tech debt reckoning. Legacy IoT devices, SCADA systems, HSMs that can't support PQC key lengths, all will require urgent attention.

"Tech debt is going to come due with interest," Herrin predicts. "You're going to have to upgrade your old IoT devices, your legacy systems. It's going to drive a whole raft of unplanned projects."

Practical Steps Forward

For CISOs navigating these challenges, Herrin recommends starting with continuous discovery, improvement, testing, and validation; automating these fundamental processes before pursuing advanced capabilities.

"You can have complete cybersecurity mastery on the 10% of interfaces you're aware of, and you're going to get burned because of the 90% you don't know about," he explains. "You fundamentally can't skip the fundamentals."

The organizations that will thrive are those using AI to strengthen their security posture rather than just racing toward advanced use cases. F5 customers are already using AI to understand legacy configurations, explain complex rule sets, and gain visibility into inherited technical debt.

The message is clear: 2026 will separate organizations that invested in foundational security from those that chased shiny objects. The time for eating vegetables before dessert is now, before both quantum computers and AI-powered attacks make the choice for you.

1 Comment

1 vote
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.

More Posts

AI Agents Don't Have Identities. That's Everyone's Problem.

Tom Smithverified - Mar 13

Defending Against AI Worms: Securing Multi-Agent Systems from Self-Replicating Prompts

alessandro_pignati - Apr 2

TypeScript Complexity Has Finally Reached the Point of Total Absurdity

Karol Modelskiverified - Apr 23

Hardening the Agentic Loop: A Technical Guide to NVIDIA NemoClaw and OpenShell

alessandro_pignati - Mar 26

The Audit Trail of Things: Using Hashgraph as a Digital Caliper for Provenance

Ken W. Algerverified - Apr 28
chevron_left
15k Points624 Badges
182Posts
112Comments
71Connections
LLM Training & Evaluation Specialist with hands-on experience building major AI models. As one of th... Show more

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!