Rob Clyde [00:00:00]:
I do think as individuals and professionals, each of us needs to always be learning and we need to continually educate ourselves and even set goals about what we’re going to educate ourselves about. For example, set a goal to understand better what the risk is from quantum computing and how these new algorithms work and how you might be able to begin the process to move to those that won’t require education. Just as we’ve had to learn about AI, each of us.
Karissa Breen [00:00:45]:
Joining me now is Jamie Norton, board director at ISACA, and Rob Clyde, Crypto Quantique and past ISACA board chair. And today we’re discussing quantum computing and how can cyber professionals prepare. So, gentlemen, thank you for joining me and welcome.
Jamie Norton [00:01:04]:
Thanks for having us.
Rob Clyde [00:01:05]:
Thank you, Chris. It’s a pleasure.
Karissa Breen [00:01:07]:
Okay, so you’ve both got a lot of pedigree in this space, a lot of background. So I’m really keen to get into this because one thing that’s interesting from a media perspective is quantum. And one thing I’m often hearing in this space and there was a gentleman out here as a client of mine and he was here from the UK and he’s like, you know, I was talking to people in Australia about xyz, but when I got to quantum, he said people just didn’t want to hear it. So I’m really maybe curious to start there. There is a little bit of research that was conducted and I’ll read just for context and then I’ll, I’ll start with you, Jamie, but for context, ISACA recently conducted a global Quantum Computing Pulse poll among 2,600 tech professionals, finding that 95% of organizations lack a quantum computing roadmap. So let’s start right there. 95%, Jamie. That’s quite a high number.
Karissa Breen [00:01:57]:
But in saying that, like I said before, I am hearing it’s kind of like people are putting their head in the sand. They don’t want to hear it. So what are your thoughts on that?
Jamie Norton [00:02:05]:
Yeah, I think, and the survey that ISACA conducted did, did have a reasonable cohort from, from our region, from Australia. And I think it’s not surprising, I guess the result, I think Australia is well positioned from a quantum perspective. We do have quite a bit of innovation happening on that front. I think when you look at the impacts of the quantum light organizations in Australia, that’s where we’re seeing these numbers come through, where you know that that 5% are all that’s really taking steps towards addressing that at the moment. And yeah, I think that’s a factor of just the visibility of quantum and what it might bring at the moment. I think it’s a factor of all the other things that everyone’s doing. And you know, we’ve got AI and other innovations that have sort of hit us as well. So it’s just the workload, I suppose, and the to do list which is probably causing some of that as well.
Jamie Norton [00:02:45]:
And, and this sort of emerging thought bubble, I suppose, from various sectors where I’m starting to see quantum coming up a little bit more in frameworks and things like what the ACSC is doing and home affairs and some of their standards. So starting to see some more attention to it. But these numbers aren’t surprising and I think where we’re seeing that long term roadmap is just not there at the moment in our part of the region and we’re looking to hopefully get more attention on that.
Karissa Breen [00:03:07]:
And so Rob, would you agree with Jamie or what are your sort of sentiments?
Rob Clyde [00:03:10]:
Yeah, I mean, I certainly agree with Jamie. I also think this is the reality. Risk from quantum computing is something in cyber arenas that we’ve been talking about for quite some time. So there could be a bit of quantum fatigue and people just kind of not paying enough attention. But there’s kind of a corollary to the 95%. We actually only had 7% of the respondents that said they had a strong understanding of the new post quantum cryptography standards that the U.S. National Institute of Standards and Technology came out with. And once those standards, once the NIST comes out with standards, those quickly turn into global standards.
Rob Clyde [00:03:51]:
And so we now have the new cryptography standards to move to. But hardly anybody really knew much about them. And in fact 44% said they had never even heard about them. That I consider kind of the bigger risk we let have. We let kind of quantum fatigue get in the way of really understanding that now is the time to move. We’ve got a chance to really make some steps in the near future so we can be ready for the risk from quantum computing.
Karissa Breen [00:04:24]:
So Rob, I’m just going to stay with you for a moment. You said now is the time to move, but isn’t everyone saying that about AI like now’s the time, AI is the time. And now we’re already like we’ve ditched AI and we’re already onto quantum.
Rob Clyde [00:04:35]:
All emerging technologies kind of have this. I mean a few years ago it was all about now is the time to move to cloud. Right. So we always have the kind of that, that call to action. And I certainly would not suggest that companies pay more attention to quantum computing than they do to AI. Nevertheless, they’re closely linked. Actually, quantum computing is likely going to be used in the future to, as a way to implement AI in certain types of, types of AI, so they’re not totally separate.
Rob Clyde [00:05:08]:
Secondly, cool as AI, and as big a revolution as it is from a security standpoint, AI does not pose the risk of actually breaking the fundamental cybersecurity of the Internet. And so the risk is a little bit different. And really, you know, as cyber professionals, we’ve got to be able to do more than one thing at a time or we could find ourselves in deep trouble in the next few years.
Karissa Breen [00:05:35]:
So I want to keep following this. So Jamie, given your role pedigree and background in this space, Rob raised a great point around fatigue. So would you say that people, you know, we talked about, you know, the cloud area, then we had, you know, virtualization before that, cloud, et cetera. Do you think people are just sort of a little bit tired of hearing things? And then there’s people listening to this podcast going, oh, well, you know, then Rob and, and Jamie are now talking about something else I got to worry about. Do you think people just a little bit over it, would you say, especially from an Australian point of view, I mean, we are a little bit more of a reserve market, I would say, instead of like the United States. What are your thoughts around that?
Jamie Norton [00:06:11]:
We can be a little bit, I think it’s in a slightly different stage of its development to something like AI that, you know, at the moment, quantum from a cyber lens at least sits in the, in the risk to be managed category. So it sits alongside all the other risks that CISOs and security teams are dealing with. And I think there’s, there’s a, the stats are showing, there’s a reasonable understanding of, of quantum as a, as a concept. I guess where the stats are showing us is, is less, less well developed reaction and taking steps to address that. But, so I, I think there’s a, there’s an appreciation is probably a better word of saying what quantum is, but it’s, it’s actually addressing those risks sort of now before, before quantum itself is really a realized innovation in the workforce. Whereas if you take AI and that’s very sort of front and center and present, and it also means in the executive and the leadership teams and the boards, AI is very much the top of conversation and innovation and business competitive advantage, whereas quantum as a capability isn’t quite at that level yet. So we’re more addressing risks and sort of trying to get ahead of potential impacts down the track. So I think it’s slightly different stages, but it is a risk that cyber professionals should become more aware of and educate themselves and then actually now start today to take steps to, to address that risk now rather than waiting for, you know, for the day when quantum becomes a lot more real and it’s actually probably too late then to, to play catch up.
Rob Clyde [00:07:29]:
Yeah, you know. You know, Jamie, I also think part of it is that for years, and ISACA actually was giving this, this same guidance we were saying until the guidance to security professionals was, until the new post quantum cryptography algorithms have been standardized and approved, our strongest recommendation was kind of a, a wait and see, monitor it, follow it closely, maybe do a bit of inventory of where you’re using encryption and where you have particularly sensitive data. But primarily it was kind of a wait and see set of guidance. And I think many have not realized that the event, the seminal event we were looking for that would change that guidance, which is the approval of those algorithms, has now occurred and it’s time now to take action.
Karissa Breen [00:08:18]:
Yeah, this is interesting. So, okay, so Jamie, you mentioned before, quantum is a concept. So when you say concept, do you just mean that at a high level people kind of understand it? Because when I’m out here talking to people on the front line, some of the most senior people, best tech and cyber professionals in the world, like people like, yeah, people are kind of getting it, although they’ve heard about it, they’ve seen it, and then they’re like, now we’ve got to focus on it. You think there’s anyone really out there that fundamentally gets it in the full fidelity or do you think it’s still early days yet?
Jamie Norton [00:08:48]:
Well, I think there’s absolutely, there’s people out there that understand it very well. And Australia has its share of, you know, quantum specialists. I think in the broader sort of cyber industry, Australia is a little bit less aware of quantum as, as a, you know, as a, as a concept. I think the broad sort of brush of quantum and the promise of, you know, exceptionally fast compute and things that go with that, I think that’s appreciated. But the intricacies of the risks posed and you know, things as Rob mentioned, like the fact that NIST has released post quantum cryptography standards, now I think that’s less understood. And so there is an education piece here as much as there is a call to action. That’s really what’s going to hold us in good service, actually being aware of what those risks are and sort of timelines of activity and where we need people to start to move towards.
Karissa Breen [00:09:33]:
I interviewed a gentleman a couple of weeks ago and he was saying he was a quantum guy and he was saying, look, still early days, we’re not sure whether quantum will be like in terms of quantum computing will become available to like, like PC, where when Bill Gates and friends rolled that out to like the everyday person. What are your thoughts on that, Rob? Do you have any insight where, what do you sort of think in terms of the whole quantum space?
Rob Clyde [00:09:56]:
So if we’re looking for the day when the average person is going to have a quantum computer in their home, we are a long ways from that. If, on the other hand, you’re looking for the day which is relevant to today’s conversation of when large organizations, governments, maybe perhaps large corporate entities or even hostile entities can afford the 10 to 100 million that a quantum computer is likely to cost and be able to leverage that to break the security of the Internet that might not be so far off. There are a few challenges that still remain before that can occur. So, so I, I wouldn’t want today’s conversation be through the lens of when will the average individual be using quantum computers? Because that is irrelevant to the risk to the Internet.
Karissa Breen [00:10:46]:
All right, so let’s move on. Now there is a stat here and we’re gonna, it’s sort of, it’s a good jumping point to talk around the stat, which is 62% of technology and cybersecurity professionals said that quantum computing could shatter current Internet encryption. So walk me through this, and this is important because when I wasn’t even this gentleman about the quantum, he did say if this happens and all the other things that we’re sort of doing in security just becomes obsolete. So I’m really keen to dive into this more. Who wants to go first?
Rob Clyde [00:11:13]:
First, let’s walk back a little. I said a little bit about the risk to the Internet, so to kind of understand how the Internet security works. So when you do banking on the Internet, buy goods on the Internet, have send emails back and forth, we all expect those things to be private and to be secured. They are today. But if you look at the mathematical principle that’s being used to do that security, it actually comes down to a fairly simple concept of the computational difficulty of factoring very large semi prime numbers. In other words, think of a prime number like 15, we can all immediately say, I can factor that the two primes that go into that semi prime of 15 are 5 and 3. But if it’s a very large prime number, think of hundreds or even more digits that are in that very large semi prime number that have been created by multiplying two large prime numbers together. That’s a difficult mathematical problem and with today’s computers it would take thousands and thousands of years to actually factor that very large semi prime.
Rob Clyde [00:12:26]:
Many years ago, a gentleman by the name of Peter Shor developed an algorithm postulating that if somebody could come up with a quantum computer, and the idea of quantum computers is not new, but the ability to actually implement them is quite new, and came up with this algorithm called Shor’s Fact Quantum Factoring Algorithm. To put it simply, with a quantum computer that implements this algorithm and it does work, it’s already been implemented at a small scale. So this isn’t theory, the algorithm actually works. All we need is a large and powerful enough quantum computer and instantaneously it could break the large semi prime numbers that are used that allow you and I to communicate securely or allow you to do secure banking on the Internet. It would literally break the Internet. And the only way to fix that is to move from today’s cryptography that we use to protect the Internet to what’s called post quantum cryptographic algorithms, or PQC. Post quantum cryptography. And those algorithms have now been approved.
Rob Clyde [00:13:37]:
So we could begin the process of replacing the cryptography we use today with these newer algorithms that will not break in the face of a quantum computer.
Karissa Breen [00:13:48]:
And Jamie, do you have any sort of thoughts on that?
Jamie Norton [00:13:51]:
No, I mean, I agree with what Rob is saying, I think if we take quantum as a concept, obviously there’s a, there’s a vast potential for the things that it’s going to be capable of doing across sort of broader humanity. But you know, in particular with, with that vast increase in computational power, particularly around, as Rob said, the ability to factor large primes in the case of Shor’s algorithm and break public key cryptography, I think that’s sort of at the heart of what we’re concerned about. And now whilst that, you know, that could be sometime in the next five years, it could be 10 years away, no one knows for sure. It depends very much on the innovations in quantum, which obviously that’s a robust area of innovation across the world. It’s impacted by factors like nation states and defence programs and military spending, as well as private sector research and universities. So there’s a lot going on in that space. But if there’s a breakthrough, our timelines could all of a sudden compact, you know, a lot more significantly than we think. And that may not be a breakthrough in the computing aspects of quantum.
Jamie Norton [00:14:45]:
It could be a breakthrough in the direction or other areas. So there’s, there’s a lot of moving parts. And I think the other aspect potentially talk about too, is that anything that’s data that’s breached now and is effectively lost, potentially that data could be decrypted at some point in the future once quantum is a reality as well. So they have this, you know, harvest now decrypt later concept, which is, which is just another risk that we have to deal with in terms of quantum setting.
Karissa Breen [00:15:07]:
Okay, I want to get in this a little bit more. This is really interesting. Okay, so Rob, going back to you then for a moment, and there’s something as well. You said, jamie, and I’ll come back to you would be, you said, we’re in the process now to replacing. But if I just go back a step and do you think when people, you know, when the Internet started, do you think they thought, this can’t be broken, but now we’re saying we start to replace it and it’s coming in, it’s going to be shattered. To the, to my words, earlier, do you think when people started the Internet, they thought like this? And then going back to the process, how long is that process now going to take until it’s replaced?
Rob Clyde [00:15:41]:
Great questions, Karissa. So, interesting enough, when, when the Internet and the design of the Internet was first came through ARPANET and we actually hadn’t figured out how to do secure transactions yet on the Internet, that came a little bit later. RSA was invented in the, in the 80s, in the late 80s, which is the algorithm using large semi primes that I was discussing earlier, which was used to implement methods to do things securely on the Internet. Interestingly enough, the Internet advent around 1993, when we really all kind of started using it, Shor’s algorithm actually came out shortly after and it made, it was a big stir. So cryptographers, in other words, the same people who were in charge of, you know, figuring algorithms to protect the Internet, knew very early on about the risk of the quantum factoring algorithm in their estimation. First of all, they, you know, they didn’t yet have new algorithms to implement. They didn’t have anything better, and we were all already down the path of implementing that. And secondly, in their estimation correctly, quantum computers were still decades away.
Rob Clyde [00:16:51]:
And so that’s kind of how we ended up where we are. So the effort to come up, through NIST, with the new standardized algorithms began over a decade ago. So this effort to get ready is not new. It takes a while to come up with new algorithms and test those algorithms with the top mathematicians and cryptographers in the world, which has now been done and will likely people will continue to try to break new algorithms. That’s what you try to do, of course, but we’ve been through a long, this is not a short process, a long process of coming up with these new standards. And at least in my opinion, we’re getting them in time so that we can hopefully implement them and protect the Internet and have it ready by the time quantum computers can break the Internet. Jamie correctly brought up the harvest now, decrypt later problem. So that’s an urgent need for companies to consider if their encrypted data is stolen today and it’s still sensitive many years from now when quantum computers are available, it’s quite conceivable that that data could then be decrypted quite easily.
Rob Clyde [00:18:06]:
And so that is, that’s also, you know, a real risk that we face now.
Karissa Breen [00:18:11]:
Okay, so that was the point that I wanted to go back and ask Jamie on. So going back to harvest now, decrypt later. So Jamie, what does that mean for organizations? How can they prevent this from happening?
Jamie Norton [00:18:22]:
It’s a well known kind of side impact, I guess, of where quantum is heading is that anything that’s, that’s effectively lost now. And we know that our data as consumers and a lot of organizational data, we saw it with Qantas earlier in this week, data gets lost, it gets harvested by criminals or potentially nation states, and it tends to get aggregated as well. So these data sets don’t just get lost and stored in isolated containers. You see over time that these data sets tend to get aggregated. They get traded on the dark market, the dark web. If you look at where our data ends up, it ends up being these really big data dumps or data holdings of billions and billions of bits of data in them. And some of those could be encrypted using current technologies. And we’ve seen over years gone by that it’s a factor of cryptographic algorithms that there’s a need for longer key lengths or a need for change in algorithms as we go through because those algorithms get compromised and then we saw or get defeated, like Triple DES.
Jamie Norton [00:19:16]:
Some of our hashing algorithms, like SHA1 now are no longer strong enough because they’ve been deprecated so it’s kind of an evolution, although quantum is more a revolution, I guess, that at some point in the future, those data sets that have been lost as breached data, data sets will become quite easily decryptable if they’re currently decrypted. And so that means that passwords and all other manner of data on us personally will be much more accessible to criminals. But if firms are losing large amounts of data now and relying on encryption as a control to reduce the consequence of that, that I think is misguided because in the future that data will almost certainly be readable. It’s merely a question of the timeline it takes for that to eventuate.
Karissa Breen [00:19:55]:
Okay, so do you envision that whenever this timeline is, do you think we’re going to see an avalanche of this data being readable? Because like you said, there’s going to come a time where maybe people have been breached, they’re holding onto this data, they can just read it really quickly. Are we going to start to see that happen? And as a result of that, people are already becoming a little bit desensitized to breaches now. So what does that sort of mean then in the future?
Jamie Norton [00:20:19]:
Yeah, it’s an interesting risk to quantify, I guess, because you’ve got a combination of accepting that in order for that risk to realise, you have to have suffer a breach and you have to have your data as corporate released and what data it is, and the timeliness around that data, if it’s realized as a risk, say five years down the track, what does that data look like? But for a lot of firms, there’s still very substantial risk in that. We’re talking intellectual property, we’re talking potentially sensitive user content as well, customer content. So even five years down the track is still, there’s still substantial value in that data and substantial risk associated with it. So I think it’s for each entity or each organization to kind of decide where that risk sits for them, but I think it’s something that should actually be considered. We don’t know the timelines of Quantum, but it’s fair to say it could be in the next sort of five to 10 years. But it could actually be a lot sooner than that, it could be a little bit longer than that. So with that unknown factor, it becomes hard to manage that risk. But essentially, I think that’s part of the reason why we’re, we’re trying to advocate strongly that decision making and context matters now.
Jamie Norton [00:21:20]:
So understanding the scale of the issue now, rather than sort of kicking the can down the road and trying to make it a future problem. You know, there’s actually risks, very real risks here and now.
Karissa Breen [00:21:29]:
And Rob, do you have, do you anything to add to that?
Rob Clyde [00:21:31]:
Yeah. So you mentioned, you know, are we likely to see like a data dump as we have sometimes seen, that day definitely could come. However, I would consider the more likely initial scenario when that data is able to be decrypted will be that when nation states have quantum computers that are large enough to be able to do so and they are likely to be the first ones to have it. To be specific, the United States and China are working the hardest on quantum computing. And it’s. If I were to project where the most likely source of being able to read harvested data, it’s not likely to actually be criminal elements or hacker groups, it’s likely to be nation states. And most likely they probably won’t dump that data.
Rob Clyde [00:22:22]:
They’ll use that data for their own purposes. And so I think that needs to be part of the risk consideration. How comfortable are you with that data being understood by a large nation state?
Karissa Breen [00:22:38]:
Yeah, this is interesting. Now, I don’t know how much you want to. I just want to quickly touch on this because I do think this is important. So going back to your point, you know, nation states leveraging this for intelligence, do you think it’s just going to be whoever gets there first, and I say this in inverted commas and you can’t see me would be are they the people are then the going to or the country going to win the game in terms of like geopolitics? Because we’re already starting to see that with the whole race to AI and then quantum is sort of coming up closely behind it. What does that then sort of mean for geopolitics moving forward, would you say?
Rob Clyde [00:23:11]:
I think it’s going to have a huge impact and yes, I do believe this is whoever gets there first in to a certain extent wins likely be kept quiet. And you will see certain the ability to understand certain information about adversaries, even allies, even lots of data about individuals will suddenly become readily accessible. Another thing to realize about nation states and cyber breaches generally, when a nation state commits a cyber breach, they try to keep it quiet. So most of those breaches are not discovered just to kind of keep it. Add a little more of the urgency to why if we would prefer that certain data not be understood by a nation state’s government, we need to move sooner rather than later. Eventually quantum computing will get to the point where, you know, you’ll have other hostile groups that can afford them, use them and so on. But I would predict that will be sometime after the first nation state has one. And that nation state will definitely have a global advantage.
Rob Clyde [00:24:19]:
It will be significant.
Karissa Breen [00:24:21]:
So maybe going back to just private enterprises now for a moment. And I know you said there may not be a data dump day for example, but what does this sort of mean then for private enterprises? So the nation states are leveraging it for intelligence. What are some of more of the risks then for private enterprises and will in terms of in Australia, maybe the small for you Jamie, in terms of the OAIC, what is that going to look like in terms of fines? Because I’ve been speaking to people out here in the market post all of these breaches and it’s like, well, we’re putting more money into security and technology than ever, but there’s still lots of breaches that are happening and this is just going to allow it to be even easier. Now do you have any thoughts around that?
Jamie Norton [00:24:58]:
It’s a good question. I think. Yeah, we continue to see the breach sort of landscape, if you want to call, use that term, it’s still growing and we’re still surprised by some of the vectors and even some of the, the approaches that organizations are getting breached can still be very simple in, in context of, you know, the sophistication that should be sort of sitting there in terms of the control environment against cyber attacks. So it’s an ongoing challenge and I think from a quantum perspective, I think we will see, as Rob identified, it’s the nation state aspect that’s probably driving some of this innovation. You know, competitive advantage or geopolitical advantage I suppose is what’s driving that. And we’ve seen that historically in conflicts, you know, the side with the most intelligence has a massive advantage, but that will trickle down. And I suppose there’s two aspects. There’s the trickle down aspect which will start to impact on organizations as the technology becomes more available over the years once it reaches the point of being able to decrypt quantum, decrypt data, data that’s breached using, using old decryption methodologies.
Jamie Norton [00:25:52]:
But nation states are also going to be interested in a whole range of private sector information because that, that gives them the insights they need for their intelligence gathering. So that could be intellectual property that’s, that’s obviously a highly covetable commodity, but could also be, you know, simple information on where, you know, some of the country citizens might be located in different countries where, you know, political targets. All of these things could be could be easily gathered out of private sector. If so, it’s just restricted to kind of the big governments playing amongst themselves. There’s definitely this is a broader context for the community as well. And I think we don’t know where that might lead. I suppose there’s a lot of different ways that they could manifest.
Karissa Breen [00:26:26]:
So there’s another stat here that I’m going to read out. The report also states that only 5% report having a defined quantum strategy in place. So Jamie, what would a defined strategy look like in your eyes?
Jamie Norton [00:26:41]:
And I think this is a factor of a quantum not yet reaching that level in the executive and the board levels within organizations to be something that’s really considered unlike something like AI which is very much present in those forums. So I think a strategy for me is at this point of the life cycle is nothing too sophisticated or over developed. It’s really just a strategy which would include identification of the issue and then the steps to be taken by the organization to address that and potentially a timeline as well. And again, they’re not going to be hard and fast, but at least it’s having eyes on how that discovery piece is going to be done. So how they’re going to identify where cryptographic assets are in use in the organization and then what they’re going to do about that, including things like education over a period of time. So we’re not advocating for urgency in terms of all rushing out and fixing the problem tomorrow, but it’s about having this strategy piece which identifies. Yeah, okay, we acknowledge that this is something we need to look at and here’s how we’re going to approach that. And I think that’s the piece that a strategy would bring and then also gives it visibility up in a little bit of visibility up into that executive level to start that conversation and make sure they’re aware of the risk that’s posed.
Karissa Breen [00:27:49]:
And Rob, do you have anything to add to that as well?
Rob Clyde [00:27:51]:
Yeah, no, no, I would, I would definitely agree with everything that, that Jamie just mentioned. And, and I would suggest that we are soon going to start to see the advent of standards and requirements, much like we have had in the past to move to the old encryption standards. We are going to see regulations start to come out requiring the movement to the new standards. So this will start to come. You can, you can get ahead of the game now by starting to figure out where your most sensitive data is, especially data that is sensitive for a long period of time. Let me give you an easy example. Health care data, if you are young and have healthcare data about you that will be just as sensitive 40 years from now. So it’s going to be important to identify that most sensitive data, particularly data that is sensitive for longer than just a couple of years and start to put a plan together for how you’re going to re-encrypt the old data with the new algorithms, the new post quantum cryptography algorithms and how you’re going to for new applications and new data, use the new algorithms for that as well.
Karissa Breen [00:29:08]:
Okay, there’s another stat here and I want to spend a little bit of time on this because I think this is a really big one. And the stat is that 52% say it will change the skills needs of businesses. So couple of things in here. Do you envision that quantum certs will become a new thing? The other where my mind goes when I ask that question is there’s a lot of people out here, whether they’re mums and dads that are not working in airspace, that are curious to understand where are the new skills, what do they look like? I think Salesforce reported earlier this year they laid off thousand plus employees as a result of it being driven by AI. So I think a lot of people out here, especially for people if they got kids that are going into university and colleges, they’re starting to ask people like myself, hey well we’re hearing that development jobs, you can’t get them anymore or they’re rare as opposed to what they used to be. So I think this is a really big one to touch on is people are starting to get worried about what are the new skills that look like. And I always say, well the new set of skills are going to be bred. Problem is I don’t have all of the data to be able to back that up.
Karissa Breen [00:30:11]:
So I’m going to be relying on both of you to talk through what does this then look like the new generation or people that are perhaps want to transfer their skills and work more in this quantum space. So Rob, I’m going to stay with you first. What are your thoughts on this?
Rob Clyde [00:30:25]:
Yeah, so. So I think this is very timely given the way that AI is affecting the job market. First of all, we are going to need to have skills in AI. We’re already at the point now where 25% of all tech jobs require an understanding of AI and that number will only increase. So number one, yes, we talked a little bit about the impact of AI, but I think all of us in technology field and technology related fields need to become more grounded in artificial intelligence. Similarly, quantum computers are going to start to become more common and be used not in isolation, they will almost always be connected to classical computers. But to program quantum computers today and to make good use of them, in fact, even to communicate well with them requires some understanding of quantum physics more than most of us have. And so one thing to consider as, as people are looking to say, what am I going to learn when I go to college? You might consider getting a little more of a grounding in math in quantum physics, not necessarily get a PhD in them, but at least get a little better understanding of them because they are coming.
Rob Clyde [00:31:41]:
And I imagine in the future that people who have an understanding of AI and a good understanding of quantum physics and a decent mathematical background are going to do very, very well. If on the other hand, you are, for example, want to become a product manager for a, I think many of those types of positions are going to become not totally eliminated, but they’re going to be consolidated. So you will have way more product managers, or I should say way more products for a single product manager. So you will, you will have them using AI and other skills to be able to get more done and you simply won’t need as many product managers as IT for instance. So I would definitely look to try to solidify your career by getting a strong grounding in what’s coming, not just what has been.
Karissa Breen [00:32:36]:
And Jamie, what, what are your thoughts or your two cents?
Jamie Norton [00:32:39]:
Yeah, I think if I, if I put my futurist hat on, I think we’re in a fascinating period of human and technology revolution. We’ve got the AI piece that’s really sort of coming into market and I still have a feeling that we’re just at the start of that journey really and where that’s going to lead. I think no one has a, has a grasp of the concept fully yet, but, but it’s going to be in a very different place. I think the most of us will think over the next sort of five to 10 years and that’s already having an impact on business. You kind of have to innovate and start to use some of these things in a lot of industries. Otherwise you’re going to get, you’re going to be left behind and become uncompetitive. And I think Quantum is from a broad sort of strokes perspective, perhaps not something that’s going to be felt at the coalface quite as quickly or quite as sharply initially, but I think what it will bring over time as the technology matures is incremental or an exponential, I should say, increasing the ability to do certain things a lot quicker, you know, the compute power around it. So I think that that will bring in its own changes and challenges and could potentially layer on things like AI to give even sort of much more vast capabilities than what we’re looking at today.
Jamie Norton [00:33:40]:
So I think impact on business is almost certain and it’s going to be significant and that will impact the jobs market and what’s required from a skill set. We’re already starting to see, and I think quite rightly, that certain jobs will not be as necessary over the next five to 10 years as AI starts to take them over other jobs more in the tech space, focusing in on those technologies will become more paramount. And we’re seeing for really good AI people who really know the technologies well. They’re very much in demand at the moment, but other areas of the industry are not. But I think from a tech perspective too, as Rob pointed out, understanding quantum is not something we’re traditionally trained on. The more traditional compute models with, you know, the traditional silicon CPUs and, you know, all the associated things within the technology space that we’re strong on that today, but we don’t. Very few people have skill set in the quantum architecture. So I think that’s going to become without a doubt, very, very rich commodity in the future years, much like it is with people skilled in AI today.
Jamie Norton [00:34:35]:
So for security people, for cybersecurity people, that’s really being across all of those technology aspects. So AI now is one that security people really need to focus in on and understand how it works and how it manifests. And the same will be with Quantum. We’re going to have to really understand it to be able to understand the risks and how we deal with those.
Rob Clyde [00:34:51]:
Yeah, you know, what you might add on that skills aspect, we talked a lot about some of the negative and risk that might come from Quantum, but. But Quantum does have a lot to do with AI, and the future will have a lot to do with AI. So one of the challenges we face today is that the large AI data centers require the power of a small city. And that’s why you see companies, for example, coming up with the idea of can we get like small nuclear power plants that we can use and dedicate to our data centers. That’s the kind of world we’re currently living in. Quantum computing can change that. Quantum computers have a much smaller energy footprint. And so rather than requiring the power of a small city, you might be able to do it with a thousandth of the amount of that power if you were using quantum computers.
Rob Clyde [00:35:41]:
To do much of the AI work. And quantum computers are naturally well suited to many aspects of AI. They are probabilistic in nature. AI is probabilistic in nature. They’re great at pattern matching. That’s a big part of what AI needs. So large AI companies are already looking for people who are skilled in the background needed to do quantum computing in the future.
Karissa Breen [00:36:09]:
Okay, I just want to talk on this a little bit more because I do find this really interesting. So in terms of companies or talent managers or recruitment consultants out there, are these the sort of skill sets that they really need to start in terms of talent pooling, starting to say to the companies that they’re working with, this is where we have to invest. This is where we’re heading to now? So I feel like there’s a little bit of inertia at the moment in the industry. People aren’t really sure. I think they are worried about, you know, AI taking our jobs and all those sort of things, probably because certain mainstream media outlets are positioning it that way. Where do you sort of sit with that, Rob?
Rob Clyde [00:36:46]:
Yeah, I mean, first of all, technology always impacts jobs, and there are always people that are negatively impacted. But I would suggest in general, technology has actually improved employment levels across the world. The more technologically able countries generally have higher levels of employment and productivity than those that don’t. So I wouldn’t be scared of the technology in general, and I wouldn’t look to try to slow it down because it just makes you less competitive. Having said that, I do think that as individuals and professionals, each of us needs to always be learning. We’re not just done with school after college. And we need to continually educate ourselves and even set goals about what we’re going to educate ourselves about. For example, set a goal to understand better what the risk is from quantum computing and how these new algorithms work and how you might be able to begin the process to move to those that will require education, just as we’ve had to learn about AI, each of us.
Rob Clyde [00:37:56]:
And so I wouldn’t get nervous about it. I would actually jump in with both feet and become engaged and really start to learn about these kind of things. And if I’m new into the job market, I would especially look at how to get educated about these types of things, but I wouldn’t spend my time worrying. I would spend my time learning.
Karissa Breen [00:38:18]:
And Jamie, did you have anything to add to that?
Jamie Norton [00:38:20]:
I agree with everything Rob said. I think there’s no doubt that technology can be disruptive in the short term. I Guess. And we’re seeing that with AI. And I think there’s, from my mind, there’s no question that it is going to disrupt certain traditional jobs, much like other technologies historically have disrupted jobs and those jobs no longer exist. But what we do find is that almost every time that happens, humans as a general will move up the value chain and perform other roles within that same sort of sphere, but at a more advanced level, whilst technology is covering off that traditional kind of more basic role. So the thing here is around change and being able to adapt and grow with change. And I know that gets harder I suppose, as you get older and obviously more concerning for some people who, you know, think the world’s changing too quickly around them.
Jamie Norton [00:39:05]:
But I think in technology that’s kind of at the heart of what we do. We, you know, AI. AI for most of us has been last five years, maybe not even that, maybe last three years. So, you know, and we’ve had to grow and adapt. And as Rob said, 25% of new tech roles now want that AI capabilities to some degree. So I think it’s going to be the same thing with Quantum. It’s going to be a step change for everyone in terms of having to step up and understand and start to use the technology. And you know, technologists will just, will just move in that direction as it comes.
Jamie Norton [00:39:31]:
So I’m not too concerned. I think what we’re seeing now a little bit also the broader macro economy is also impacting on jobs. So it’s kind of a nexus of that alongside some disruptive technologies like AI that’s causing some of the noise we see in the media. But I think there’s elements of truth in both of those, I suppose.
Karissa Breen [00:39:49]:
And so if we were to zoom out the question I’m going to ask and for each of you to answer as a way to conclude, just as a summary perhaps, how would you say we can better prepare for Quantum? So Rob, I’m going to start with you and then Jamie, you’re going to round off today’s interview.
Rob Clyde [00:40:06]:
Yeah, I would say the first, the good news is I think many are actually aware of the risk. So that’s a positive from our studies. What we don’t seem to be as prepared for is what to do about it. And fortunately we live in a world now where the new post quantum cryptography standards are out there. So learn about them, start to understand how you can take advantage of them. In many cases that means asking your vendors questions about when they’re going to implement those standards. Your software vendors, for example, your IoT vendors for devices that might be connecting to your networks. So those things we can start to do now.
Rob Clyde [00:40:48]:
I would also suggest attending sessions like this one, learning and becoming more adept at understanding Quantum and what it might mean. And of course we do have resources. ISACA does have a free checklist. We are, you know, a nonprofit that helps people get educated. We do have a free checklist that people can actually go get on our website and use that as a way to get started about next steps relative to quantum computing.
Karissa Breen [00:41:18]:
Okay, Jamie, over to you.
Jamie Norton [00:41:20]:
I’d echo those sentiments. I think education is key. I think educating both ourselves as technology and security professionals and also helping to educate your organization where those key touch points are within the cyber area and also within the leadership teams about the risks. Not being alarmist but just providing that context about where we sit in the journey around Quantum and what it means and some of the key risks that have sort of borne out of that. I think that strategy piece we talked about starting to build a strategy and again nothing overly complex. It’s really just identifying how you’re going to go about addressing the risks and working through the issues and challenges that the Quantum is going to bring. And in terms of where that is, it’s that discovery piece, understanding where you have more traditional sort of cryptographic algorithms, particularly public key cryptographic algorithms in your organization where that data might be stored and then beginning to look at how you transition that to post-quantum cryptography. I think fortunately in Australia, and I imagine the US and other parts of the world are similar, we’ve done quite a lot of work on identifying where our crown jewels assets are, if you want to use that term.
Jamie Norton [00:42:25]:
And most of the time our crown jewels will either be systems that are critical or more importantly data that’s super critical to the firm. So most organizations know where they call dineries critical diaries. So, so that’s where start to lean in on where that data is and how it’s protected and how it’s cryptographic algorithms used around that data and that will I guess lend itself to them. The quick wins you could get around moving to post Quantum. And actually that’s what I’m saying, talking to your vendors and seeing if they’re actually implementing those algorithms. And I’m seeing already some vendors I’m working with have got those algorithms now built into their products.