AI, Quantum, and the Next Evolution of Cyber Defense: Why Crypto Agility Can’t Wait

Rik Turner, Chief Analyst for Cybersecurity at Omdia, interacted with us to explore the evolving landscape of enterprise defense, post-quantum readiness, and the market forces shaping cybersecurity innovation.

With decades of experience spanning journalism, fintech analysis, and cybersecurity research, Turner brings a unique perspective shaped by global insight and a career focused on teaming technical knowledge with market intelligence.

Turner shares how enterprises can future-proof security investments through AI, crypto agility, and governance. 

Vishwa: What areas of cybersecurity does Omdia specialize in? How does its research help enterprises anticipate threats and market shifts?

Rik: We cover all aspects of cybersecurity technology and services for business customers, with a particular focus on the enterprise end of the spectrum, because that’s where most of the innovation comes, and is also where the largest deals are struck.

Vishwa: Given Omdia's focus on market research, what are the most significant trends you're seeing in venture capital and M&A within the cybersecurity vendor landscape?

Rik: North America leads VC funding, of course, due to the size of the US market, but the second largest region is the Middle East and Africa, exclusively because of the presence of Israel, where start-up activity and thus also funding are far greater than the size of the country’s domestic market would suggest they should be.

Israeli start-up activity and funding have both continued to be healthy despite the country’s huge military operation over the last two years.

In terms of sectors, cloud and application security are the ones attracting the largest share of VC funding. Other significant segments have been non-human identity (NHI) management (i.e., governance and security) and security for AI. 

These are also the leading segments for M&A, as many of the larger players in the market recognize the need to be present in these emerging segments.

Vishwa: Which emerging cybersecurity technology segments are currently the most over-hyped, and which are the most under-invested, in your opinion?

Rik: Cyber generally has been overshadowed in hype terms since November 2022 by AI, which is, of course, the darling of the markets. Indeed, any new start-up in cyber is well advised to include “AI” in its name to attract VC attention.

It’s no coincidence that one of the main talking points this year has been AI SOC, which promises to automate many functions within the SOC and reduce the pressure on overworked humans.

Vishwa: Looking at the cybersecurity market, what do you predict will be the biggest shifts in how enterprises procure and deploy security solutions over the next three to five years?

Rik: We’ve certainly heard a lot of talk of “platformization”, whereby organizations start to buy cyber tech from a smaller number of vendors, ideally getting most of it from a single player with a “platform” that covers multiple requirements.

I personally have my doubts about the long-term success of such a trend, despite all the evangelization of the approach from very successful vendors like Palo Alto. I see enterprises still going for a “best-of-breed” approach and buying from multiple providers.

Vishwa: You have worked in financial services technology as well as journalism before cybersecurity. What transferable lessons from those fields shape how organizations should approach resilience today?

Rik: Not financial services, no. I wrote about fintech as an analyst. But yes, I was a journalist, including being a foreign correspondent, for many years, and there are obvious transferable skills: the gathering of information and its rapid interpretation (particularly if you worked in daily journalism) is one, as well as a healthy skepticism regarding the claims of vendors.

Vishwa: Threat actors are using AI-driven automation with human ingenuity, increasing attack speed and efficiency. In what areas is this forcing enterprises into constant defensive adaptation? What shifts in threat actor Tactics, Techniques, and Procedures (TTPs) do you see becoming most disruptive for enterprises over the next few years?

Rik: Indeed, I think we have only just begun to see how AI can help threat actors. Faster iteration of DDoS attacks is an obvious one, but GenAI should also make it easier and quicker to prepare advanced persistent attacks (APTs), which will reduce the barrier to entry and potentially make such attacks more prevalent than hitherto. And of course, there is the deepfake phenomenon, which again is only in its infancy.

Vishwa: How must organizations dealing with weak identity controls and fragmented detection in areas like Identity and Access Management (IAM), Extended Detection and Response (XDR), and cloud security? What would represent meaningful progress in addressing these gaps?

Rik: In IAM, they should seek a platform that can handle both human and non-human identities, as the latter are rapidly increasing to outnumber the human variety.

XDR will, like the rest of SecOps, be increasingly impacted by the incorporation of AI. Get your SecOps team trained on AI to master this trend rather than being overrun by it.

Vishwa: Based on your perspective, what should organizations prioritize now as certificate lifespans shorten and post-quantum cryptography draws closer? In addition, how should enterprises integrate automation and governance into this transition?

Rik: Look for a platform that enables crypto agility and makes post-quantum cryptography part of their platform. The certs issue and PQC should be treated as two sides of the same coin rather than separate projects, and both of them will require extensive AI-based automation to succeed.

Start talking now to your cert lifecycle management vendor, quizzing them on their plans in these areas, but also explore other alternatives from their competitors.

Vishwa: How do you see nation-state-backed adversaries shaping corporate cybersecurity strategies, particularly regarding data harvesting now for decryption in a post-quantum future?

Rik: While it is near impossible to find hard evidence of the HNDL trend you refer to in your question, it’s pretty certain that it is happening. Firstly, you should draw up a comprehensive inventory of all your cryptographic assets, determine which are the most critical, and which can be migrated to PQC algorithms. 

Those that cannot should be isolated behind a proxy server that can talk PQC to the outside world and classic encryption back to the asset.

Vishwa: What cybersecurity tools would you recommend for beginners and for more advanced practitioners?

Rik: That’s a tough question! Are you talking about Tier-1, -2, and -3 SOC analysts? I’d say a great place to start is in pen testing, learning from experienced testers to understand the adversarial mindset.