By Tim Callan, Chief Compliance Officer at Sectigo and Vice-Chair of the CA/Browser Forum

Let’s be honest: AI has been the headline act this year. It’s the rockstar of boardroom conversations and LinkedIn thought leadership. But while AI commands the spotlight, quantum computing is quietly tuning its instruments backstage. And when it steps forward, it won’t be playing backup. For CIOs, the smart move isn’t just watching the main stage — it’s preparing proactively for the moment quantum takes center stage and rewrites the rules of data protection.

Quantum computing is no longer a distant science project. NIST has already published standards for quantum-resistant algorithms and set a clear deadline: RSA and ECC, the cryptographic algorithms that protect today’s data, must be deprecated by 2030. We’re no longer talking about “forecasts;” we are talking about actual directives from government organizations to implement change. And yet, many organizations are still treating this like a future problem. The reality is that threat actors aren’t waiting. They’re collecting encrypted data now, knowing they’ll be able to decrypt it later. If we wait until quantum machines are commercially viable, we’ll be too late. The time to prepare is before the clock runs out and, unfortunately, that clock is already ticking.

For CIOs, this is an infrastructure and risk management crisis in the making. If your organization’s cryptographic infrastructure isn’t agile enough to adapt, the integrity of your digital operations and the trust they rely on could very soon be compromised.

The Quantum Threat Is Already Here

Quantum computing’s potential to disrupt global systems and the data that runs through it is not hypothetical. Attackers are already engaging in “Harvest Now, Decrypt Later” (HNDL) strategies, intercepting encrypted data today with the intent to decrypt it once quantum capabilities mature.

Recent research found that an alarming 60% of organizations are very or extremely concerned about HNDL attacks, and 59% express similar concern about “Trust Now, Forge Later” threats, where adversaries steal digitally signed documents to forge them in the future.

Despite this awareness, only 14% of organizations have conducted a full assessment of systems vulnerable to quantum attacks. Nearly half (43%) of organizations are still in a “wait and see” mode. For CIOs, this gap highlights the need for leadership: it’s not
enough to know the risks exist, you must identify which systems, applications, and data flows will still be sensitive in ten or twenty years and prioritize them for PQC migration.

Crypto Agility Is a Data Leadership Imperative

Crypto agility (the ability to rapidly identify, manage, and replace cryptographic assets) is now a core competency for IT leaders to ensure business continuity, compliance, and trust. The most immediate pressure point is SSL/TLS certificates. These certificates authenticate digital identities and secure communications across data pipelines, APIs, and partner integrations.

The CA/Browser Forum has mandated a phased reduction in certificate lifespans from 398 days today to just 47 days by 2029. The first milestone arrives in March 2026, when certificates must be renewed every six months, shrinking to near-monthly by 2029.

For CIOs, it’s not just an operational housekeeping issue. Every expired or mismanaged certificate is a potential data outage. That means application downtimes, broken integration, failed transactions and compliance violations. With less than 1 in 5 organizations prepared for monthly renewals, and only 5% fully automating their certificate management processes currently, most enterprises face serious continuity and trust risks.

The upside? Preparing for shortened certificate lifespans directly supports quantum readiness. Ninety percent of organizations recognize the overlap between certificate agility and post-quantum cryptography preparedness. By investing in automation now, CIOs can ensure uninterrupted operations today while laying a scalable foundation for future-proof cryptographic governance.

The Strategic Imperative of PQC Migration

Migrating to quantum-safe algorithms is not a plug-and-play upgrade. It’s a full-scale transformation. Ninety-eight percent of organizations expect challenges, with top barriers including system complexity, lack of expertise, and cross-team coordination. Legacy systems (many with hardcoded cryptographic functions) make this even harder.

That’s why establishing a Center of Cryptographic Excellence (CryptoCOE) is a critical first step. A CryptoCOE centralizes governance, aligns stakeholders, and drives execution. According to Gartner, by 2028 organizations with a CryptoCOE will save 50% of costs in their PQC transition compared to those without.

For CIOs, this is a natural extension of your role. Cryptography touches every layer of enterprise infrastructure. A CryptoCOE ensures that cryptographic decisions are made with full visibility into system dependencies, risk profiles and regulatory obligations.

By championing crypto agility as an infrastructure priority, CIOs can transform PQC migration from a technical project into a strategic initiative that protects the organization’s most critical assets.

The Road Ahead

The shift to 47-day certificates is a wake-up call. It marks the end of static cryptography and the beginning of a dynamic, agile era. Organizations that embrace this change will not only avoid outages and compliance failures, but they’ll be also prepared for the quantum future.

Crypto agility is both a technical capability and a leadership mandate. For CIOs, the path forward to quantum-resistant infrastructure can be clear: invest in automation, build cross-functional alignment, and treat cryptographic governance as a core pillar of enterprise resilience.

by Tom Gol, Senior Product Manager Armis

We constantly hear about a cybersecurity staffing crisis, but perhaps the real challenge isn’t a lack of people. It might just be a critical shortage of intelligent automation and actionable context for the talented teams we already have.

The Lingering Shadow of the “Talent Gap” Narrative

It’s almost a mantra in cybersecurity circles: “There’s a massive talent gap!” Conferences echo it, reports reinforce it, and CISOs often feel it acutely. This widely accepted idea suggests we simply don’t have enough skilled professionals, leading to overworked teams, burnout, and, most critically, persistent organizational risk. The default response often becomes a relentless cycle of “buy more tools, tune more tools, and staff more teams”—a cycle that feels increasingly unsustainable and inefficient.

But what if this pervasive “talent gap” is actually a clever red herring, distracting us from a more fundamental issue? We’ve grown so accustomed to the narrative of a human deficit that we often overlook a crucial truth: current technology is already capable of significantly narrowing this very gap. My strong conviction is this: the true underlying problem isn’t a shortage of available talent, but a profound and crippling gap in intelligent automation and actionable context that prevents our existing cybersecurity professionals from operating at their full potential. What’s more, advancing on the technology side now presents a demonstrably better return on investment than simply trying to out-hire the problem. Fill that gap with smarter tech, and watch the perceived talent shortage shrink.

Misdiagnosis: When More People Isn’t the Answer

For too long, the cybersecurity industry’s knee-jerk reaction to mounting threats has been to throw more human resources at the problem. Yet, the attack surface continues its relentless expansion. Threat actors become more sophisticated. And our SOCs are constantly drowning in an unfiltered deluge of alerts. This creates an overwhelming workload that even the most seasoned experts find impossible to manage effectively, often resulting in burnout and, ironically, talent attrition rather than retention.

The issue isn’t that a lack of bright minds are joining the field. It’s that those brilliant minds often find themselves mired in monotonous, low-value tasks. They’re forced to operate in a thick fog of incomplete information, constantly sifting through noise. When security teams lack clarity on exactly what assets they own, how those assets connect, what their true business criticality is, and which threats are genuinely active, even the most experienced professional struggles. Their effectiveness diminishes, not from a lack of inherent skill, but from a fundamental absence of visibility and intelligent support.

Automation and AI: The True Force Multiplier for Human Talent

The real power move against the overwhelming tide of cyber threats lies not in endless recruitment, but in the intelligent application of automation and AI. Leading industry discussions increasingly highlight that the purpose of AI in cybersecurity isn’t about wholesale human replacement. Instead, it’s about augmenting our existing staff, turning them into a far more potent force. This approach fundamentally allows organizations to scale their expertise and impact without being shackled to proportional headcount increases. Let’s unpack how this transformation plays out.

Freeing Up Human Capital from the Mundane

Imagine a security analyst whose day is consumed by hours of manual investigation, enriching alerts, triaging false positives, responding to routine questionnaires, or laboriously transitioning tickets. These are precisely the kinds of non-human, deterministic, and highly repetitive tasks ripe for intelligent automation. AI agents can seamlessly take on this soul-crushing burden, liberating human analysts. They are then free to pivot towards higher-value, creative, judgment-based, and genuinely strategic work. This transforms security teams from reactive task-runners into proactive problem-solvers. Projections suggest that common SOC tasks could become significantly more cost-efficient in the coming years due to automation—a shift that’s not merely about saving money, but about amplifying human potential.

Supercharging Productivity and Experience

Modern AI, particularly multi-agent AI and generative AI, can proactively offer smart advice on configurations, predict the root causes of complex issues, and integrate effortlessly with existing automated frameworks. This empowers security professionals, making their work not just more efficient but also more engaging and less prone to drudgery.

The Indispensable Power of Context: Lowering the “Expertise Bar”

While automation tackles the sheer volume of work, context provides the vital clarity that fundamentally reduces the need for constant, deep-seated expertise in every single scenario. When security professionals have immediate, rich, and actionable context about a vulnerability or an emerging threat, the path to intelligent prioritization and decisive action becomes remarkably clearer.

Consider the profound difference this context makes:

• Asset Context: Knowing not just that a vulnerability exists, but precisely which specific device it resides on—is it a critical production server, or an isolated, deprecated test machine?
• Business Application Context: Understanding the exact business function tied to that asset, and the tangible financial or operational impact if it were to be compromised.
• Network Context: Seeing the asset’s intricate network connections, its precise exposure level, and every potential path an attacker could take for lateral movement.
• Compensating Controls Context: Having a clear, real-time picture of which existing security controls (like network segmentation, EDRs, or Intrusion Prevention Systems) are actually in place and effectively working to mitigate the vulnerability’s risk.
• Threat Intelligence Context: Possessing real-time, “active exploit” intelligence that doesn’t just theorize, but tells you if a vulnerability is actively being exploited in the wild, or is part of a known attack campaign targeting your industry.

With this deep, multidimensional context, a significant portion of the exposure management workload can be automated. Crucially, for the tasks that still require human intervention, the “expertise bar” is dramatically lowered. My take is that for a vast majority of cases—perhaps 90% of scenarios—a security professional who isn’t a battle-hardened, 20-year veteran can still make incredibly effective decisions and significantly improve an organization’s cyber posture. This is because they are presented with clear, actionable context that naturally guides prioritization and even recommends precise actions. The result? A drastic reduction in alert noise, faster detection and response times, and a palpable easing of the burden on the entire security team.

Navigating the Human Element: Skills Evolution and Burnout

This powerful shift towards automation and AI naturally brings legitimate questions about skills erosion. Some experts prudently point out a valid risk: a significant portion of SOC teams might experience a regression in foundational analysis skills due to an over-reliance on automation. This underscores a critical truth: we must keep humans firmly in the loop. For highly autonomous SOCs, a “human-on-the-loop” approach is recommended, reserving human intervention for complex edge cases and critical exceptions.

CISOs, therefore, face an evolving mandate:

• Future-Proofing Skills: It’s less about filling historical roles and more about nurturing new competencies like prompt engineering, sophisticated AI oversight, advanced critical thinking, and strategic problem-solving.
• Combating Burnout: Beyond just tools, effective talent retention demands proactive measures to address burnout. This includes intelligent workload monitoring, smart task delegation, and genuine wellness initiatives. The ultimate goal isn’t just to fill empty seats; it’s to ensure that the people in those seats are effective, sustainable, and thriving.

A New Mindset for CISOs: Embracing the “Chief Innovation Security Officer” Role

The ongoing “talent gap” discussion should be a catalyst for CISOs to adopt a fundamentally new mindset. Instead of simply focusing on cost-cutting or the perpetual struggle of recruitment, they must evolve into “Chief Innovation Security Officers.” This means daring to rethink how work gets done, leveraging AI and automation not merely as tactical tools but as strategic enablers for scaling cybersecurity capabilities and unlocking the full potential of their existing talent. This strategic investment in technology, driven by an understanding of context, offers a superior ROI in bridging the cybersecurity “gap” compared to the increasingly futile effort to simply hire more people.

Building robust AI governance frameworks and achieving crystal-clear visibility into existing AI implementations and technical debt are crucial foundational steps. Ultimately, solving the perceived talent gap isn’t about endlessly hiring more people into an unsustainable system. It’s about empowering the talented individuals we do have—making them more efficient, more effective, and more strategically focused—through the intelligent application of automation and unparalleled context. It’s time to stop chasing a phantom gap and start truly empowering our digital defenders.

Maria-Christine Diaz, Senior Business Strategy Manager at Eastnets, explores why ISO 20022 is more than a mandate – it’s a catalyst laying the groundwork for future-proof payment services

The SWIFT-mandated migration by November 2025 is set to end MT message processing for interbank cross-border payment instructions and cash management reporting (CBPR+). Yet, according to SWIFT as of December 2024, only 33% of organisations had adopted ISO 20022 for CBPR+. It highlights a deeper issue: many organisations still see it as a technical obligation when really, the migration implications stretch far beyond protocol upgrades and format translations.

ISO 20022 is not a one-off project. It is a multi-year, cross-functional transformation program touching every part of the business. It’s a strategic opportunity and a chance to rethink how financial institutions manage payments infrastructure, compliance and customer value propositions in a rapidly evolving digital economy.

However, it demands a coordinated, business-wide response.

Why tactical fixes won’t solve strategic shifts

At its core, ISO 20022 replaces the flat, ambiguous MT messaging format with structured, contextualised data that applies across all payment types, domestic and cross-border. It allows institutions to capture and exchange richer details – from payment purpose code and country of origin to beneficiary information – with far greater quality, accuracy and completeness.

That quality creates tangible value. It promises to strengthen Straight-Through Processing (STP) efficiency and dramatically improve the effectiveness of fraud detection and anti-money laundering (AML) processes. How? By reducing the number of investigation cases and false positives that have long strained operations teams. ISO 20022 also supports regulatory focus on real-time transaction monitoring and incident transparency, something central to frameworks like the EU’s Payment Services Directive 3, the AML Directives and the Digital Operational Resilience Act (DORA).

But ISO 20022 doesn’t just support regulatory alignment, it fundamentally alters the operational risk landscape. Most institutions still rely on compliance processes and infrastructures built for MT messages, which are poorly suited to handle the granularity and structure of ISO 20022 data. And when this richer data is simply “bolted on” to legacy systems, problems quickly arise.

Many banks are pursuing a tactical fix for what is a strategic shift – it’s like trying to put a square peg into a round hole. Systems and processes were built around the limited MT format which are flat, fixed and often ambiguous. Existing rule sets designed for flat MT messages begin to break down, triggering too many false positives and overwhelming compliance teams with noise instead of insights.

To realise the full value of ISO 20022, institutions need to map how payment data flows across their organisation. This helps identify legacy workarounds, uncover operational risks and pinpoint where ISO 20022 adds complexity or unlocks new opportunity. Therefore, a comprehensive business-wide impact assessment is essential to strengthen AML, sanctions screening and fraud detection processes.

With that foundation, banks can sharpen customer insights, strengthen fraud and risk controls, and develop new value-added services. As sanctions lists and fraud rules update in near real-time, combined with financial crime compliance costs surpassing $1 trillion in 2024, the ability to act on cleaner, more contextual data has become business-critical.

Therefore, making ISO 20022 work for the business means moving beyond retrofitting and honing in on three areas that drive real transformation.

More impact than meets the eye

The real opportunity begins when ISO 20022 data is integrated into core systems, not just translated at the edges. Payments data now impacts every business line – from retail and corporate banking to capital markets and trade finance – influencing every process from front to back office.

Again, migration is not a one-off project but something that touches every part of the business, from reconciliation processes to customer-facing services. The key challenge of this transformation is knowing where the payment is, its status, without ambiguity, at any moment. Think of it like tracking an Amazon parcel delivery. To manage this, institutions need lightweight analytics tools to monitor and track payment messages in real-time across systems, to reduce reconciliation errors, manual workarounds and operational risk.

The true value lies not in seeing the information, but in using it to streamline operations, resolve issues faster and deliver better outcomes.

The path to optimised financial crime detection

As ISO 20022 fundamentally offers richer information, one of the most immediate benefits lies in financial crime prevention.

To take advantage, institutions must recalibrate financial crime systems to work with clearer, structured and contextual ISO 20022 data. This isn’t just about better information, it’s about better precision. Finetuning these systems through precise finetuning techniques to improve detection precision and strengthen risk mitigation, all while reducing and operational costs.

Take Sohar International, a bank operating in the Middle East, as an example. It reduced its false positives by 67%, helping to distinguish between legitimate and suspicious transactions, simply by optimising screening strategies and using structured ISO 20022 data. That kind of result creates space for smarter, faster decisions across the organisation, all while strengthening its AML compliance framework.

An opportunity for leaner payment processes 

Additionally, ISO 20022 presents the perfect opportunity to modernise payment infrastructures with a modular orchestration layer – a flexible, business-agnostic workflow engine that seamlessly translates and routes messages across systems. This shields core business applications from changes in formats, protocols and standards, reducing maintenance overhead and operational risk and accelerating ISO 20022 adoption without disrupting core operations.

Moreover, it enables real-time monitoring, detection and investigation of issues such as duplicate payments or delayed messages, providing transaction integrity across the entire lifecycle. Having infrastructure agility translates directly into business performance, which can lead to increased cross-jurisdiction visibility in real-time and optimised STP rates, making sure payments move securely, efficiently and in line with market expectations. .

By building this agility, financial institutions lay the groundwork to rapidly adapt to future market changes, new services and customer demands without overhauling core systems. It also provides real-time visibility and transaction integrity, making sure payments move securely, efficiently and in line with market expectations.

Unlocking the true value of ISO 20022

Treating compliance as the end goal is a strategic misstep.  So, without a coordinated business-wide transformation strategy, supported by optimised financial crime tools, a lean orchestration layer and real-time monitoring, institutions risk operational disruptions and regulatory scrutiny impacting their bottom line.

What’s ultimately at stake is more than a messaging upgrade. It’s the opportunity to reshape financial infrastructure for an era defined by sustainable growth and operational resilience.

The real value of ISO 20022 lies not in translating messages, but in transforming the business. Those who embrace the shift – not just to adopt, but to adapt – will be best positioned to unlock smarter, data-driven growth in the years ahead.