The Black Hat Files

How CISOs Can Prepare for the Quantum Computing Threat

Black Hat Middle East & Africa Season 1 Episode 4

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 20:52

Quantum computing used to feel like a future problem. Now it is close enough that security leaders are being asked what they are doing about it today.

In the fourth episode of The Black Hat Files, host Richard Dean sits down with Margarita Rivera, SVP, Global CISO at Carnival Corporation, and Marcos Marrero, Chief Information Security Officer at H.I.G. Capital, to unpack how CISOs can prepare for the quantum computing threat.

The conversation goes straight to the questions organisations are now facing.

How do you prepare for a threat that is still emerging, but already changing the way security teams think?
What does quantum-resistant security actually require from teams, vendors and leadership?
And why is compliance alone not enough when risk keeps moving?

Drawing on their experience leading security across hospitality and financial services, Rivera and Marrero explore why CISOs need to move from reactive thinking to proactive preparedness.

From quantum-resistant cryptography to the leadership shift from compliance to culture, this episode looks at what it takes to build organisations that can think ahead, adapt faster and make cyber risk part of everyday decision-making.

SPEAKER_00

Humans can be the weakest link. Humans can be your greatest asset. You know, in the US, the workforce really is split 50-50 between male and female. And in technology and in cyber, that's about 20%. That's nowhere near where we need to be from a technology perspective or from a cyber perspective.

SPEAKER_02

It is unfortunately a male-dominated industry. It cannot stay a male-dominated industry if we want to keep evolving. To Margarita's point, the diversity and even really the neurodiversity, because women do think differently and do see things from a different mindset versus males, brings a lot of enhancements to the field that can very much help keep us not just keep pace, but really push us forward to evolving.

SPEAKER_01

Hey there and welcome to the latest episode of the Black Hat Files, a behind-the-scenes look at the world of cybersecurity. My name's Richard. And I'm delighted to say it is a special Miami edition of the Black Hat Files. Let's welcome our guest today. First of all, Margarita Rivera, Global Chief Information Security Officer, Carnival Corporation in Miami. Hey Margarita.

SPEAKER_00

Hello there, Miami edition. Wow. Now you know it's going to be a fun podcast.

SPEAKER_01

I was going to say Miami Vice. It would have been a cliche. Perhaps inappropriate. But also from Miami, Marcos Merrero, Chief Information Security Officer at H I G Capital. How are you, Marcus? I'm doing well. And it may be a caliente podcast. Okay.

SPEAKER_00

He doesn't speak Spanish.

SPEAKER_01

I've been spanol, por favor. Well, you see? Yes, he does.

SPEAKER_00

A little bit, a little bit.

SPEAKER_01

Let's stick to English. Okay. Absolutely. But it's good to have you both here, but you do know each other from the kind of the you say there's a bit of a CISO Miami Mafia.

SPEAKER_00

Absolutely. And that Miami Mafia, because that sounds, you know, a little dark there. But yeah, there's definitely a CISO community in Miami, which Marcos and I are a part of leading and, you know, really helping to grow and network and do activities and development for our community. So we know each other from there.

SPEAKER_01

Okay, cool. I've insulted you twice now, Vice and Mafia. So I'm going to stick the straight and narrow. Now you are good, you are fine, upstanding people, but you are not the bad guys. You are the good guys.

SPEAKER_00

We protect.

SPEAKER_01

You do protect. So let's talk a little bit about, first of all, you're in Miami, but we're here in Riyadh, Saudi Arabia, for Black Hat Middle Eastern Africa 2025. My question to you, Margarita, first of all, is about events. You go to quite a lot of events. You're selective about the ones you go to. What separates, from your perspective, the good from the great events that are one, the ones that are worth going to, the ones that are worth going back to?

SPEAKER_00

Sure. So I would say Black Hat MEA has ruined it for all of us, but in a good way. This is definitely one that you want to attend. It's very different. The great events have great speakers, have great content, really have a lot of thought that's put into the quality of the information that's going to be shared and the dynamics of the personalities that are going to come together in panels and who's available from vendors and partners. And really, Black Hat has been just amazing here in Riyadh, Saudi Arabia. You have the top of the top, and you have folks from all over the world. It's truly a blend of such diverse culture and thought. It's been incredible. I mean, those events that typically you want to stay away from don't put in the amount of detail that we've seen here this week. And I'm actually very sad that it's coming to an end. Um it's gonna be very hard for me to go to any event after this.

SPEAKER_01

Kind words. Uh Marcos, your your perspective, again, you've been to a lot of these events. What for you is the secret source that makes you think, yeah, it's worth me getting on a plane? It's worth that effort to go there.

SPEAKER_02

So I'll add two things to the content piece, which is the logistics and the organization of the event, plus also but also the the curated, I guess, aspect of the content, plus also the individuals that are attending. This is now in my top three. Just like Margarita said, it is one that I will look forward to attending because every single day has been insightful. You've learned something new, you've seen a topic that maybe you have not seen before at any other conference or any other event. So those would be the three main areas that I say will definitely separates Black Hat uh Mia from all the other ones.

SPEAKER_01

Okay, well let's look at the substance, some of the things that have been uh discussed over the past three days or so. AI, certainly, that is the here and now, but more and more talk about quantum computing. Be prepared for quantum computing. What's your take, Mother Rita?

SPEAKER_00

So definitely, be prepared. Um I think it's one of the things that we see the most in our industry where our folks are more reactive rather than proactive. And even with AI, that has been around for such a long time, uh at the onset of what we're seeing now, the momentum, everything at breakneck speed, we're seeing that the security community is still somewhat trying to catch up from a security perspective. And we know quantum computing is here, it's coming, it's been gonna become more proliferal, more pervasive, just like we see AI. And we really have to be more proactive in the way that we look at that. So a lot of the sessions that we've had here throughout this week has really talked about, you know, quantum computing and how do you prepare and how do you become that forward-thinking CISO and security practitioner. So you start building in those practices. So you start thinking about the controls. So you start thinking how that relates to your organization. So I love the fact that we are being proactive in our thought process because historically we've been a very reactive type of industry where something new comes out, it disrupts, and we're trying to catch up. When we know that the threat actors, they're being very proactive in their way of how they're going to leverage and use these new groundbreaking disruptive technologies in order to affect organizations.

SPEAKER_01

Quantum computing does scare. Well, quantum computing doesn't scare me. The bad guys getting quantum computing does scare me. Um and Marcus looking at your world, uh, HIG, it's uh finance company, $70 billion, I think, assets under management. And one of the big threats that uh that quantum computing potentially holds is cryptography, breaking passwords in very, very simple terms. I I worry about that. Am I right to worry or am I overly concerned?

SPEAKER_02

You are all in all you're right to worry about it. And it's funny, and I smiled when you said uh quantum, because that is literally off of the keynote that I just came off of, the one topic or technology that we are not talking about as an industry. Um, I've spent the better part of about the last two years continuously talking about quantum. My internal team uh from security operations are working on quantum computing resistant cryptography because the world will change once quantum computing enters the private sector. Let's make no mistake about it. Nation states have access to it now. Absolutely. But when it becomes democratized and it's now available to the public, that is when we're gonna start seeing a lot of bigger problems because all of the data hoarding out of all the data breaches over the last 10 years is now gonna be data that you can read and data that becomes actionable to threat actors and also to intelligence agencies.

SPEAKER_01

Well, that reminds me, Margarita River, to pick up on that, of something you wrote on LinkedIn recently. You said we talk a lot about threat actors leveling up, but honestly, so are CISOs.

SPEAKER_00

You have no choice in this industry. I mean, as CISOs technologists in general, you have to be continuously learning, continuously growing, continuously preparing yourself. Because as I mentioned before, technology is changing quite quickly, and learning and being able to thwart attacks is going to take folks that are willing to put in the time to learn and to grow and to prepare themselves and their teams. I think one of the things that we're facing as CISOs today is the upskilling of our teams. You know, we can't approach security with 10-year-old tactics or 10-year-old approaches or mindsets. We have to continue to evolve. It's what I love the most about this industry. And you're seeing a lot of CISOs take the time to develop themselves and to develop their teams to be able to prepare for things like quantum computing and other technology.

SPEAKER_01

How do you prepare for quantum computing? It's a question to both of you because it is a very cutting-edge technology. CISOs cannot be expected to have in-depth knowledge of precisely how quantum computing works. I guess that's not the point. So, what resources do you use? Who do you work with? Do you work with universities, for example? Do you work with industry bodies? Question to both of you.

SPEAKER_02

I'd say it's a combination of all of them. Um you have to work, number one, as an organization, and you're wanting to become quantum resistant, work with your vendors. Because at the end of the day, all of all of your vendors and your service providers have implemented some level of quantum or on some level of cryptography that is not quantum resistant. So you need to upgrade all of that or all of that cryptography protocols that you utilize to become quantum resistant. But to understand quantum computing at its real fundamental level, and I agree with you, it is a very complex topic when you start talking about qubits and whatnot, definitely the research community, universities, and also your local bodies within countries. So NIST in the US, for example, has a lot of materials and a lot of resources that really lays out quantum computing in layman's terms.

SPEAKER_00

Correct. I completely agree with Marcos. I mean, there's a wealth of information that is out there. And obviously, the foundation of it being on encryption, having folks on your team that are well-versed and understanding that it's kind of taking that to like the next layer, the next level. So partnering definitely with network communities, with universities, with peers. I mean, coming to events like this and hearing from other thought leaders and how they're approaching things like quantum computing and how they're leveling up really does help that growth curve.

SPEAKER_01

How are the vendors doing? You mentioned vendors mark us. How are they doing in creating quantum resistant solutions? Can I ask you for maybe it's unfair to ask you for a uh what grade would you give them? I'm gonna ask you. You don't have to up and say, what grade would you give them? Let's ask. Okay, what grade would you give them?

SPEAKER_02

Probably somewhere around the D minus, to be honest with you. Wow. Um I've started asking vendors over the last eight to nine months, what quantum computing uh controls or uh tactics have you implemented within your platforms to shift the cryptography that is not too towards quantum resistant, and I get blank stairs. Wait, wait, what? Well, what's but Okay, conversation's over. If that's the first answer you give me. However, there are a few vendors, and I will not name exactly which one, that are at the forefront of quantum computing. So they've been getting an ARP report. Oh, they've been getting an A plus in my book. Okay, because they are forward-looking, forward thinking, and they're coming to me before I even ask them.

SPEAKER_00

I completely agree. I mean, you have some that again are very proactive, but most tend to lag behind. They don't see it as an immediate problem. There is, again, this boom around AI security and really putting in the guardrails and the observability and controls around it. Not as much focus on quantum, but those that are are doing it well.

SPEAKER_01

Okay, well, let me flip the question around. Sure. When you go to your chief finance officers and ask for budget to be signed off to pay for this, let's take your A plus uh vendor, who you're not gonna name, but fair enough. Uh I'm sure they charge a significant fee for what for what they do. They're very good at it. If I can name them, I will name them. Not sure if we can or cannot, um, but they are definitely A plus in my book. But pilot, sorry. But they will charge a fee for that, and you've got to go to the you and people like you have got to go to the finance department, the CFO, and say, okay, we've got to be quantum resistant. It's not here yet, but it's there in the future, and it's gonna cost X million dollars. And the CFO goes, but this is a theoretical threat. It's not really the bad guys haven't got this now. Do I really need to spend this money now, Marcos?

SPEAKER_02

Are you sure you'd sign off on this? Yes, because I'm sorry, this A plus vendor is coming to me with the evidence that I'm taking to my CFO showing here's why you need to do this stuff. This is not theoretical anymore. This is happening. It's just it's so expensive to be able to utilize quantum computing that it's not available to the masses. That's the problem.

SPEAKER_01

Let's talk about some other things. Leadership shift from compliance to culture was an interesting piece I read by you, Marcos, on LinkedIn. You said there needs to be a leadership uh shift within your industry, within CSERs and and others part of the ecosystem, from compliance to culture. What do you mean by that and why is it important?

SPEAKER_02

So compliance has always been a check the box exercise. I need to have XYZ, so I need to buy ABC that's gonna take care of XYZ. That does not make us secure. At the end of the day, risk is a moving target, risk is ever evolving, risk is something that is not it's not something you can uh find a solution for by just buying XYZ or whatnot. That is what um compliance really takes you towards. So when you shift toward culture, where everyone is in a risk mindset within your organization, then that's when you start moving away from compliance and to a cultural risk shift. So now risk becomes something that's at the forefront of all your individuals. I say that I have the largest organ or the largest department in the entire organization. Every single employee works for me. And I get upstairs and looks like what are you talking about? Yeah, every single employee is a human firewall for me. Every single employee is at the front lines of all of the emails that come in, all of the messages, all of the potential cyber risks that they can be dealing with. So when you shift your culture toward having cyber risk at the forefront, you become much stronger as an organization.

SPEAKER_01

You guys know each other well through the Miami community. And I'm wondering if very different industries. The hospitality industry with Carnival, the financial services industry with HIG, very different. What are the differences and what are the similarities in what you do, would you say?

SPEAKER_00

So I always say that from a cybersecurity perspective, we're not quite that different. I mean, when you look behind everything, what we're trying to do is very similar. Our foundations are similar. You know, we're all having to tackle identity, we're having to tackle observability, we're having to tackle security operations, engineering, architecture, artificial intelligence. That's all the same. I think that we have to get a little bit more creative, depending on your industry. I mean, you're in a very regulated industry, financial services. My first decade of my career was in financial services, so it's very near and dear to my heart. But I'm in hospitality where people want to have fun, and security can be seen as a blocker to fun. So I have to be incredibly creative in terms of the approach that I have with cybersecurity within my organization, especially because I am essentially securing floating cities. I mean, I have 94 floating cities across the globe, and we are tackling all kinds of different things from restaurants to hotels to medical to the operational technology. That's where the differences I think come in. What are your thoughts?

SPEAKER_02

Agreed. We all have the same base level of threats and risks that we need to address. It's no different across any other industry. Then as you go up that ladder, then it becomes a bit more specialized in each area. Margarita has ships she has to secure. I have portfolio companies that I need to secure. And these portfolio companies can be in any industry. You name it, we own it.

SPEAKER_01

But it's interesting to go back to your point, Marcus, about everybody in the organization works for me. Given what you are at HIG, I would imagine a relatively small workforce. That's typically the case with alternative asset managers, which which I think I'm right in describing you as. However, with carnival hospitality industry, you've got massive workforces, and we often hear the cliche, or journalists like me use the cliche, humans are the weakest link in any security chain. You've just got different HR issues there, I guess.

SPEAKER_00

Absolutely. I mean, it's definitely a different approach and a different driver, but nonetheless equally as important. So humans can be the weakest link, humans can be your greatest asset. It really all depends on the job that we're doing, you know, with our teams, to provide security awareness, to make everybody understand their responsibility and making that culture pervasive throughout everything that we do.

SPEAKER_01

Finally, before we wrap up, let me ask you about the role of women in this industry. I've been lucky here at Black Hat Middle Eastern Africa 2025 to meet a number of very powerful women in very senior CISO positions, where whether here in Saudi Arabia or in Europe or in the United States, and there's there's yourself as well. And perhaps that's giving me a false impression that women play a very prominent role in this industry. You say it's about 22-0%, Margarita.

SPEAKER_00

That's correct. So what I love about being here at Black Hat is definitely being able to see all my women peers, very strong executives in the cyberspace. I remember when I started 22 years ago, uh, I was the only woman in a room. And now to see much more is great. But it's nowhere near where it needs to be. You know, in the US, the workforce really is split 50-50 between male and female. And in technology and in cyber, that's about 20%. That's nowhere near where we need to be from a technology perspective or from a cyber perspective. So it's very encouraging to come here and see uh everything that's being done in order to really help extend information and knowledge and growth to other women. Uh, the first thing I did when I got here uh the other day was go to the women in Saudi Arabia group. I was so proud to spend time talking to those women that are growing and really helping get the word out. And they're really helping to grow an industry that needs more women in it. That's the reality. Women think differently, they function differently. Marcos and I were actually talking about that during our drive yesterday. There's so much value to that cognitive difference because we are built different and it complements our male counterparts.

SPEAKER_02

Marcos, you're nodding. It is unfortunately a male-dominated industry. And um, it cannot stay a male-dominated industry if we want to keep evolving. To Margarita's point, the diversity and even really the neurodiversity, because women do think differently and do see things things from a different mindset versus males, brings a lot of enhancements to the field that can very much help keep us, not just keep pace, but really push us forward to evolving as threats continue evolving, and that all at the end of the day puts us in a good place.

SPEAKER_01

So, Marcos, your your one line to summarize Black Hat MEA here in Riyadh 2025.

SPEAKER_02

One line that summarizes Black Hat MEA Saudi Arabia 2025 will be innovative and refreshing. Why do you say that? Innovative because of the level of caliber of individuals and content, but refreshing because it's not the same content and the same caliber of the other conferences we're used to attending.

SPEAKER_01

This is much better.

SPEAKER_00

So one line to really summarize Black Hat MAA here in Saudi Arabia is definitely collaboration, forward thinking, and innovation.

SPEAKER_01

Why do you say that?

SPEAKER_00

It brought together so many folks from all over the world to work together, to think together, to plan together, and that's incredible. That's really where you get true innovation, is where you have diverse ways of thinking coming together in one place and really being able to collaborate together holistically.

SPEAKER_01

We are gonna wrap this up now. We're speaking here in Saudi Arabia, Riyadh, December 2025. We're recording this at the conclusion of Black Hat Middle East and Africa for 2025. Crystal balls 2026, 30 seconds, each of you. What's gonna keep you busiest in 2026, Margarita first?

SPEAKER_00

Uh definitely genetic AI security. I think we're gonna see a lot more proliferation. And preparedness for quantum computing is definitely on the docket.

SPEAKER_02

Marcus, same question. So, same answer, just flipped quantum computing first, because we've already initiated that project, but then also trying to hoard all of the AI folks in the organization that just want to run off with AI because it's gonna solve all the world's problems.

SPEAKER_01

It's been an absolute pleasure talking to both of you. Thank you very much indeed for bringing a little piece of Miami to read in Saudi Arabia this week. My thanks to, first of all, Margarita Rivera, Global Chief Information Security Officer at Carnival Corporation. Thank you. And to Marcos Morero, Chief Information Security Officer, H I G Capital. Thanks for your time. Thank you. Or should I say gracias?

SPEAKER_00

Gracias.

SPEAKER_01

That is it for this edition of the Black Hat Files. We will be back with more. Thanks for joining us.