CISO Hot Takes on MCP, PQC, and Data Center Attacks
00:00:05:02 - 00:00:33:18
Joel Moses
Hello everyone, and welcome to Pop Goes the Stack, the podcast where new ideas get stress tested before they hit your backlog. Coming to you from F5 AppWorld 2026 in Las Vegas. I'm Joel Moses, and I'm playing host today for this episode on Lori's behalf, and we're going to get right into it right now. Now, what do you get when you mix the spicy mélange of tech snark that Pop Goes the Stack is known for, with the sage wisdom and earnest guidance of our cybersecurity guest?
00:00:33:20 - 00:00:58:10
Joel Moses
Well, we're going to find out. We don't know either, but we're game to try. So, join us now as we welcome F5 Field CISO Chuck Herrin to the hot seat for what I can only guess will be sage snark and earnest spiciness. Chuck is not only an F5 colleague, he's a 20 year security industry veteran who has, shall we say, done his time in the rock 'em sock 'em world of financial services and the host of the Global CISO podcast.
00:00:58:11 - 00:00:59:05
Joel Moses
Welcome, Chuck.
00:00:59:06 - 00:01:00:07
Chuck Herrin
Thanks very much, Joel. It's great to be here.
00:01:00:07 - 00:01:25:07
Joel Moses
So let's set a topic and do some hot seat, shall we?
Chuck Herrin
Let's do it.
Joel Moses
I recently saw a statement about MCP losing value for agentic AI relative to simply using CLI.
Chuck Herrin
Yeah.
Joel Moses
I imagine as a security professional, you probably have an opinion about shelling out in order to run something for control, rather than using a tool interface with an authenticator, right?
00:01:25:11 - 00:01:29:09
Chuck Herrin
Yes, absolutely.
Joel Moses
So what should people be aware of?
00:01:29:11 - 00:01:53:09
Chuck Herrin
The unpredictability of what is going to happen if we do that? I mean, MCP was already pretty wild West, honestly. I mean, the later versions had some OAuth alignment. It's not completely, you know, without any guardrails or structure.
Joel Moses
Right.
Chuck Herrin
But it's happening so fast and the autonomy is happening so fast. You know, ever since January in particular, we've seen this explosion in completely autonomous AI.
00:01:53:11 - 00:02:14:01
Chuck Herrin
And the AI agents are largely dictating how they interact with each other in a lot of ways, right. So I think that the challenge with this is going to be it may be the way to move fast and get a lot of things done, but observability, understanding, predictability, that's going to be really much more challenging. And humans just simply can't keep up with, you know, with what's happened.
00:02:14:01 - 00:02:21:11
Joel Moses
Yeah. I can't tell you how squidgy it makes me feel to edit a soul.md file
Chuck Herrin
Yeah.
Joel Moses
for an autonomous agent.
00:02:21:13 - 00:02:24:06
Chuck Herrin
You are a hopeful chat bot, don't destroy production.
Joel Moses
Exactly, exactly.
00:02:24:06 - 00:02:28:23
Joel Moses
And you are not an evil person.
Chuck Herrin
Right.
Joel Moses
You're good enough, you're smart enough, and gosh darn it...
00:02:29:00 - 00:02:29:21
Chuck Herrin
People like you. That's exactly it.
00:02:29:22 - 00:02:40:19
Joel Moses
Anyway, what do you think people can do in order to kind of assuage their fears or mitigate things? What can they do to help, you know, achieve goals in AI safety?
00:02:40:19 - 00:03:00:17
Chuck Herrin
It's a great question. And so with respect to what I talk about with a lot of technology leaders as we do our roundtables around the world and so forth and so on, my guidance is generally, fear is a useful short term emotion for processing immediate threats. It is not a great input for long term strategic, you know, how are you going to run your companies.
00:03:00:19 - 00:03:24:00
Chuck Herrin
And what we see and what we know, having been in technology for a long time, is anybody that uses fear to sell to you will instill dependence to keep you as a customer. And so with AI in general, empowerment is the sales pitch, dependency is the business model. So the companies that are really being successful are really reorganizing their entire organizations differently.
00:03:24:05 - 00:03:50:08
Chuck Herrin
They're not bolting on AI to an existing corporate structure. That's not going to deliver the value that they want. But a lot of companies are already laying off people citing AI. I think that that short term sort of step one: do AI, step three: profit is missing a lot.
Joel Moses
Yeah.
Chuck Herrin
Where leaders are caught, and employees are caught, between what I call FOMO and FOBO. The executive suite is focused on fear of missing out.
00:03:50:09 - 00:04:14:21
Joel Moses
Yeah.
Chuck Herrin
And the employees are struggling with fear of becoming obsolete. FOMO vs FOBO.
Joel Moses
Sure.
Chuck Herrin
And so until we really square those and take the human factor into account of what are we actually asking our people to do, we're going to see a lot of unforeseen consequences. And companies aren't really thinking through too, if you lay off a whole bunch of people, what do you think the AI companies are going to do to your costs in three years?
00:04:14:23 - 00:04:41:15
Chuck Herrin
Right. So, the problem with this race condition, what I'm calling this global race condition that we're in, is fear and greed normally are countervailing forces.
Joel Moses
Yeah.
Chuck Herrin
When you look at like the Bitcoin prices, the fear and greed index.
Joel Moses
Yeah.
Chuck Herrin
Right now they're locked together. And fear is not a healthy place to make strategic decisions from.
Joel Moses
Right.
Chuck Herrin
So my advice to executives is just calm down, take a breath and think about what your actual company goals are.
Joel Moses
Gotcha.
Chuck Herrin
And then build towards that.
00:04:41:21 - 00:05:04:14
Joel Moses
Understood. So essentially your guidance is not fight or flight, but dig in and take a bite.
Chuck Herrin
Yeah, right.
Joel Moses
Okay. Fantastic. Alright, so let's shift topics because I know you are a super passionate person about the topic of post-quantum cryptography
Chuck Herrin
Indeed.
Joel Moses
and what importance that holds for security professionals in particular. You know, the question I have for you
00:05:04:14 - 00:05:06:05
Chuck Herrin
I almost destroyed the booth, sorry.
00:05:06:07 - 00:05:28:01
Joel Moses
Oh, I know it's a rock 'em, sock 'em topic, isn't it? So, the question I have for you is: what do you think the, it doesn't seem like there are a lot of, shall we say, executives that are cognizant of, or really taking the threat, seriously. You know, we see shallow programs to discover key material.
00:05:28:03 - 00:05:41:10
Joel Moses
I know of almost no customers who really conduct cohesive inventories of key material
Chuck Herrin
Right.
Joel Moses
and connect those to value of data stored behind the cryptography. What's the root man? What's going on?
00:05:41:10 - 00:06:00:18
Chuck Herrin
It's an interesting question because, you know, those of us who live and breathe technology and, you know, amateur cryptographers or at least interested in it, we see this coming. It's been coming for a long time. And I think that because the topic is really technical--you know, post-quantum cryptography is not something most people talk about across the dinner table.
00:06:00:20 - 00:06:17:10
Chuck Herrin
And it's also been cast as a future thing--a 2035 thing--and that came from roughly 2015-2016, when yeah, about 20 years. I think a lot of people see that and they hear that and they think, okay, it's an esoteric thing that's not core to my business, and it's going to be sometime in the future.
00:06:17:12 - 00:06:26:13
Chuck Herrin
And I think that gives people an out.
Joel Moses
Okay.
Chuck Herrin
When the average tenure of a CISO for example, is somewhere between 18 and 30 months, that's the next guy's problem.
00:06:26:16 - 00:06:27:12
Joel Moses
Oh boy.
00:06:27:14 - 00:06:28:11
Chuck Herrin
You know, and
00:06:28:11 - 00:06:30:18
Joel Moses
"Kick it down the road" is not really a security plan though is it.
00:06:30:18 - 00:06:47:19
Chuck Herrin
Well, and honestly, when you think of allocation of resources, if your house is on fire, it's not a great time to build, you know, to write building codes. Right, put out the fire. And so having been a CISO now a half a dozen times, generally it looks something like you open the hood, you scream, you slam down the hood and you go to the bar.
00:06:47:21 - 00:06:58:01
Chuck Herrin
Right, CISOs have other urgent things to worry about. So something that feels esoteric and 5 or 10 years down the road,
Joel Moses
Right.
Chuck Herrin
it's just not top of mind. Unfortunately, I don't think it's actually 5 or 10 years down the road.
00:06:58:07 - 00:07:05:18
Joel Moses
So I think CISOs are cognizant that this is a particular threat. What can the CISO do to move this from esoteric to top of mind?
00:07:05:18 - 00:07:28:23
Chuck Herrin
It's a great question. I think two things. One, I think we do ourselves a little bit of a disservice. And I'm totally guilty of this, of getting into the weeds and the nerdery and talking about, you know, the number of noisy qubits versus the number of logical qubits, and ion laser, and we get into the tech and people's eyes glaze over. And it misses the larger point of, when you really boil it down,
00:07:29:01 - 00:07:43:13
Chuck Herrin
our cryptography today is based on really hard math. Technology is coming soon, whether it's AI, quantum computing, or some mix of the two that can solve this really hard math problem. So we're going to have to change the way that we protect our secrets.
00:07:43:13 - 00:07:52:17
Joel Moses
If suddenly a hard problem becomes super easy overnight and all your dollars are stored behind the easy thing, what are the ramifications?
00:07:52:19 - 00:08:10:19
Chuck Herrin
Exactly. And what people aren't thinking about is things like the harvest now decrypt later type of attacks. And that's, the analogy that I use with that sometimes is like a time-delay safe in a pharmacy. If I steal the time-delay safe on Tuesday and it's going to open Friday at eight, I don't have access to it now, but I will.
00:08:10:21 - 00:08:23:10
Chuck Herrin
And so if what you're storing in that safe needs to be protected past Friday, you've got a today problem.
Joel Moses
Right.
Chuck Herrin
And so whether Q-Day is in 2027-2028, which is kind of what I'm predicting, or 2035
00:08:23:12 - 00:08:24:14
Joel Moses
Ooo, that's a spicy one.
00:08:24:14 - 00:08:36:06
Chuck Herrin
It is. But in reality, if you're regulated, Q-Day for you is 2030, because that's when your regulators say that you have to be ready for it.
Joel Moses
Right.
Chuck Herrin
So you may as well treat it that way now. And that's like 40 minutes from now. Right? It's 2026.
00:08:36:06 - 00:08:37:02
Joel Moses
Tick tock, tick tock.
00:08:37:04 - 00:08:46:10
Chuck Herrin
So regardless if you need to keep your secrets for 20 or 30 or 50 years, you can't do it with a five or a ten year algorithm. It's a today problem.
00:08:46:12 - 00:08:55:04
Joel Moses
What's some practical advice for security professionals who really want to get started on this? Where do they begin getting their arms around the problem?
00:08:55:04 - 00:09:13:06
Chuck Herrin
I recommend two things. One, establish somebody whose job it is. This is not going to be a side project for security. And most security teams don't know the answers to the questions anyway. Where are all your cryptographic assets? Where are your keys? Where are your...a lot of security teams don't know that. And the second thing is treat it like a business continuity exercise.
00:09:13:08 - 00:09:30:23
Chuck Herrin
If you have a business continuity plan, a disaster recovery plan, you've already identified your key assets. Your runbooks, your recovery plans should have maps of where all your stuff is. It should. If you don't have that, you need to do that right now because we're in a very uncertain geopolitical time.
Joel Moses
Yeah.
Chuck Herrin
You should, like resiliency has got to be job one.
00:09:30:23 - 00:09:49:09
Chuck Herrin
These things, really they're not separate topics. If you want to continue to operate, and one of the guys from one of the big banks, and I'll leave the name of the bank out for privacy of one of those Chatham House Rule sessions. But a smaller bank was asking one of the mega banks, "We don't have the resources you guys do to have a quantum staff.
00:09:49:09 - 00:09:54:15
Chuck Herrin
You know, what are we supposed to do?"
Joel Moses
Right.
Chuck Herrin
And the guy on stage said, "well, you may not get to be a bank anymore."
00:09:54:16 - 00:09:56:13
Joel Moses
Oh, rough.
00:09:56:14 - 00:10:12:02
Chuck Herrin
And it wasn't a vendor saying that, it was one of the big banks.
Joel Moses
Wow.
Chuck Herrin
It's like, "Look, you can't keep your secrets, you can't be a bank. What do you think you do?
Joel Moses
Yeah.
Chuck Herrin
So it's kind of not my problem."
Joel Moses
Wow, that's amazing.
Chuck Herrin
But in the last session that I attended on this, I actually had to do it virtually because I had a cold.
00:10:12:04 - 00:10:32:12
Chuck Herrin
But, the challenge now from these leading companies, these leading major banks that do have the PhDs on staff, we've gone beyond the technical challenge. And they put up a big slide of all the standards bodies and all of the different, like, this is the problem now.
Joel Moses
Yeah.
Chuck Herrin
It's: whose standards do you follow? How do you measure compliance?
00:10:32:12 - 00:10:48:15
Chuck Herrin
It's the people, the organizational, it's the various working groups that vendors may or may not be involved in.
Joel Moses
Got it.
Chuck Herrin
It's all that human stuff that's becoming challenging now.
Joel Moses
I see.
Chuck Herrin
The technology has been, you know, at least the first set of algorithms, as you all know
Joel Moses
Yeah.
Chuck Herrin
it's been, you know, we're coming up on a year and a half, two years.
Joel Moses
We are.
00:10:48:16 - 00:10:51:02
Chuck Herrin
Right, that's not really new anymore.
00:10:51:04 - 00:11:09:21
Joel Moses
So to kind of unpack that and unravel that. The advice would be, start somewhere.
Chuck Herrin
Yeah.
Joel Moses
Right. Find what you already have that allocates or assesses value to things that you run and then start your inventory and attach that to it. And you're right, a BCP plan would be a good place to start for that.
00:11:09:21 - 00:11:11:09
Joel Moses
That's a really interesting point.
00:11:11:10 - 00:11:33:05
Chuck Herrin
Treat it as a BCP exercise. And don't overlook your supply chain.
Joel Moses
Okay. Excellent.
Chuck Herrin
So if you are a regulated entity--telecom, bank, or whatever--you can't say that you're quantum ready until your critical suppliers are.
Joel Moses
Got it.
Chuck Herrin
And so let's say that you're running a big IoT/OT, you know, footprint medical or oil fuel, you know, telemetry or whatever.
00:11:33:07 - 00:11:35:00
Chuck Herrin
A lot of those devices don't have upgrade paths.
00:11:35:00 - 00:11:35:18
Joel Moses
Right.
00:11:35:20 - 00:11:47:00
Chuck Herrin
So you're going to need a year or two to source, to pressure your vendors, to get things in place, to test.
Joel Moses
Okay.
Chuck Herrin
You're going to need some runway. You're not going to be early for this.
Joel Moses
Right.
00:11:47:01 - 00:12:12:00
Joel Moses
Alright, third and it looks like it's going to probably be final topic jump. But I want to get to this because I think it's interesting. We saw something recently that is an absolutely brand new thing that CISOs now have to worry about.
Chuck Herrin
Yep.
Joel Moses
And that is targeting of critical data center infrastructure.
Chuck Herrin
Yep.
Joel Moses
Can you tell us a little bit more about that?
00:12:12:02 - 00:12:16:23
Chuck Herrin
Yeah. For the first time, we've seen data centers in both the UAE and Bahrain, actively targeted.
00:12:17:01 - 00:12:18:04
Joel Moses
Because they are data centers?
00:12:18:08 - 00:12:27:18
Chuck Herrin
Because they are data centers. Right. So the circle looks like: AI runs in these data centers, AI is being used for military campaigns and targeting and so forth.
00:12:27:18 - 00:12:28:15
Joel Moses
That's the rationale.
00:12:28:15 - 00:12:44:05
Chuck Herrin
Right? So, and it turns out the cloud isn't what the cloud vendors want CISOs to believe. Like, oh, it's in the cloud, it's... No, they actually are buildings with addresses and they can be bombed. And this is the first time we've actually seen kinetic attacks against
00:12:44:07 - 00:13:08:09
Joel Moses
Yeah, and of course.
Chuck Herrin
this type of civilian infrastructure.
Joel Moses
Exactly. And because there are cloud environments hosted in there, the collateral damage, the systems that aren't specifically being targeted, but they just happened to share the same facility. That's a really interesting concept. And it's yet another thing that you have to add to the CISO's list of things to worry about. Now, it strikes me, though, there's something at play here that's diametrically opposed.
00:13:08:11 - 00:13:22:07
Joel Moses
So we have things like data sovereignty, where data needs to land in a particular region and because the law says that it should. But in that region, if your data center infrastructure is at risk, is data sovereignty putting you at risk?
00:13:22:12 - 00:13:44:21
Chuck Herrin
Right. It's a great question. Right, you're necessarily constraining yourself to where your options are
Joel Moses
Wow.
Chuck Herrin
and your adversaries understand that.
Joel Moses
Yeah.
Chuck Herrin
And that's where I think that one of the things that we're talking a lot with colleagues in Europe and other F5 engineers now are things like fully homomorphic encryption, where in the future uses the same lattice-based crypto as PQC, but it's not vulnerable to side-channel attacks.
00:13:44:23 - 00:14:06:05
Chuck Herrin
And you can do things like potentially, you know, coordinate on work between the U.S. and European allies, or even adversaries,
Joel Moses
Yeah.
Chuck Herrin
and not have to reveal your secrets. And actually have the data safely, you know, present wherever you keep it. Now, the overhead for that is pretty high, but it's falling. And there's definitely a future for that.
00:14:06:09 - 00:14:19:15
Joel Moses
Okay. So what, practically speaking, what can people do? What can the CISO do to help plan for and prepare for things like this? I mean, there's really nothing they can do to prevent the target from being laid on them.
00:14:19:20 - 00:14:20:01
Chuck Herrin
Yeah, that's correct.
00:14:20:01 - 00:14:22:11
Joel Moses
So what should they do?
00:14:22:13 - 00:14:43:23
Chuck Herrin
I think, you know, the importance of the basics matters now more than ever. And I sound a little bit like a broken record, but 90% of being good at cybersecurity is just doing the basics really well. So understanding your assets, where's your stuff? Who has access? Like most companies unfortunately, that I talked to, you know, all around the world, how many API endpoints do you expose to the outside world?
00:14:44:00 - 00:15:08:09
Chuck Herrin
They can't tell you plus or minus 5000. And so it really comes back to resiliency, understanding where your stuff is, and doing things with intention. And what my recommendation is, actually, for a good use case for AI, I know it's not what you asked, but what can you do?
Joel Moses
Sure.
Chuck Herrin
If you've got an AI initiative at your company and let's say that you're working at a bank and you've done seven acquisitions, that means you've got 7 or 8 different generations of technology.
00:15:08:11 - 00:15:20:16
Chuck Herrin
Figure out how to use AI to get rid of your technology debt. That's what's slowing you down. That's what's making your attack surface so much broader than it needs to be. If you want to move fast in the world of AI, you need to be nimble.
00:15:20:16 - 00:15:21:19
Joel Moses
Take the elephant off your back.
00:15:21:19 - 00:15:41:01
Chuck Herrin
Exactly. Use the technology now to get rid of that. Unshackle yourself from this legacy world,
Joel Moses
Okay.
Chuck Herrin
and you'll at least be able to compete. You may not be, you know, you're still an established organization; Greenfields with no, none of those dependencies are going to have an advantage.
Joel Moses
Right.
Chuck Herrin
But you don't have to shackle yourself to the 1970s technology that's still running your mainframe.
00:15:41:06 - 00:15:56:12
Joel Moses
Gotcha. All right. Now, we're ticking down but I want to ask you one last thing.
Chuck Herrin
Sure.
Joel Moses
We're here at AppWorld 2026 here in Vegas. Tell me something. What is the most surprising thing a customer told you at the show?
00:15:56:14 - 00:16:00:18
Chuck Herrin
Ooh.
00:16:00:20 - 00:16:05:20
Chuck Herrin
The most surprising thing a customer told me? Umm.
00:16:05:22 - 00:16:10:01
Joel Moses
If nothing surprised you, I mean, you're a CISO; you're paid not to be surprised.
00:16:10:01 - 00:16:28:01
Chuck Herrin
That's actually a really hard question. I've heard a lot of insightful things from our customers. And I'm going to have to, yeah, I'm going to have to call a mulligan on that one. I, nothing jumps out at me. I, like I really haven't been surprised. I have
Joel Moses
That's right folks. You heard it
Chuck Herrin
I have been encouraged.
00:16:28:03 - 00:16:31:00
Joel Moses
You heard it here first. Nothing surprises Chuck.
00:16:31:01 - 00:16:37:08
Chuck Herrin
It's not that I'm, yeah, it's like I just can't think of anything particularly poignant. So, yeah, great question. You stumped me.
00:16:37:10 - 00:16:54:10
Joel Moses
Excellent. Should have prepped you for that one in advance.
Chuck Herrin
That's okay, it's all good.
Joel Moses
Unfortunately, that is a wrap for Pop Goes the Stack. A big thanks to Chuck for all the interesting conversation. And if the conversation sharpened your threat model, be sure to hit subscribe. We'll keep bringing the hallway track to all the hard problems.
