Nine Minutes. That's Your New Attack Window.
Google Quantum AI just published the most significant quantum threat assessment the blockchain space has ever seen (https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf). Here's why you should take it seriously — and what to do about it. JOEL VAN DYK APRIL 2026 ~7 MIN READ Let me be direct. I have spent close to three decades as a security architect at some of the world's largest financial institutions — JPMorgan, DTCC, LSEG, State Street. My fo
Joel Van Dyk
Apr 28
Understanding Quantum Cryptography: What You Need to Know
The Shift in Quantum Risk Perception This Isn’t a Physics Breakthrough Coming from the physics world, what strikes me is the headline number—~10,000 qubits to break RSA or ECC—is being treated as a breakthrough in quantum capability. It isn’t. The underlying physics has still remained the same. No breakthroughs there. What this paper actually represents is a compression of assumptions. The result depends on a stack of conditions aligning: Scalable quantum LDPC error correctio
Joel Van Dyk
Apr 7


Q-Day Is Moving Left: Why 2035 May Be a Dangerous Assumption
We are no longer debating if quantum advantage is possible—we are now observing the first hints of it and where it begins to matter.
Why This Pulls Q-Day Forward
There’s a critical misunderstanding in how many organizations think about Q-Day.
They treat it as a fixed point in time—a moment when a machine suddenly becomes powerful enough to break RSA or ECC.
In reality, Q-Day is the outcome of multiple accelerating curves:
Qubit stability and error correction
Joel Van Dyk
Mar 25


Provisional Trust: Crypto-Agility in an Age of Quantum Uncertainty
For decades, we operated under relatively stable assumptions. RSA and ECC were “good enough,” and the threat horizon for breaking them required either massive computational breakthroughs or exotic nation-state resources. Quantum computing changes that equation — not because it has already broken public-key cryptography at scale, but because it introduces structural uncertainty. Shor’s algorithm permanently altered our threat model for RSA and elliptic curve systems. PQC was b
Joel Van Dyk
Feb 25


Stop Hard-Coding Security: Why Declarative, Inherited Security Needs a Platform (Not Just Policies)
Most enterprise security environments still suffer from the same disease: security logic is scattered, duplicated, and inconsistently enforced across applications, platforms, and teams. One app checks group membership one way. Another hard-codes roles in config files. A third implements its own token parsing, its own policy logic, and its own edge cases. This is how you get drift. This is how you get gaps. And this is how you end up with “surprise” access paths no one can fu
Joel Van Dyk
Feb 12
You Can’t Do Quantitative Risk Without Calibrated Humans
In cybersecurity, it has become almost a reflexive mantra: we need quantitative risk management. I agree—but often for very different reasons than those usually given. Before we can talk about models, Monte Carlo simulations, FAIR analyses, or loss exceedance curves, we need to confront a more basic problem. We have not calibrated our detectors. I came to cybersecurity through experimental physics. In that world, measurement is everything—but measurement without calibration
Joel Van Dyk
Jan 22


Optimising Your Information Security Architecture for an Optimised Security Architecture
In today’s digital landscape, security isn’t just a checkbox on a compliance list. It’s the backbone of trust, especially for organisations handling sensitive data like financial institutions and event organisers. If you’re serious about protecting your assets and reputation, optimising your security architecture is non-negotiable. But what does that really mean? How do you go beyond the basics and build a system that’s both resilient and adaptable? Let’s dive in. Why an Opti
Joel M. Van Dyk, CISSP
Jan 12
The Importance of Security Architecture in Cyber Organizations
Understanding Security Architecture Security architecture is not merely about technology choices. It involves creating a holistic strategy that aligns security capabilities with business objectives, risk tolerance, regulatory requirements, and operational realities. Think of it as the blueprint for how all the pieces fit together. Without this blueprint, an organization may invest significant time and money in isolated security efforts that fail to contribute to meaningful r
Joel Van Dyk
Oct 9, 2025


Cybersecurity in Cloud Migration: Key Insights & Strategies
About 10+ years ago, one of my fellow enterprise architects came to me and said, "Joel, would your opinion on the cloud change if I cloud...
Joel M. Van Dyk, CISSP
Oct 3, 2025
Heathrow’s Cyberattack: A Pilot’s View on Grounding Risk and Quantum Security
When Heathrow Airport’s check-in systems went dark this week (September 2025) (see, for instance, https://www.capacitymedia.com/article-c...
Joel Van Dyk
Sep 24, 2025
Executive Orders on Cybersecurity — part 1, Quantum
I spent a good amount of time reading the two versions of the Presidential Executive Order on Cybersecurity 14144 from the Biden...
Joel Van Dyk
Jun 19, 2025


Why Artificial Intelligence is for Those Who Know How to Ask the Right Questions
The image features a bold, red "ASK" sign, emphasizing the importance of inquiry and curiosity in the realm of artificial intelligence....
Joel Van Dyk
Jan 23, 2025


Centralized Controls Assurance
Another day, another 14 point program inspired by a consulting company with project management to make a large checklist of controls that...
Joel Van Dyk
Oct 8, 2024
Security is a process it’s not a checkmark on a checklist
Security is a continuous process of adjustment and improvement as the threat environment changes. I recently read an article in CPO...
Joel Van Dyk
May 16, 2024
A Culture of Security
Many times in my decades of Cybersecurity I’ve been in a place where the Cybersecurity Program is in the skids. The CISO leans over the...
Joel Van Dyk
Mar 5, 2024


Risk Controls Compliance vs Risk Reduction
Risk Controls Compliance and Risk Reduction are 2 fundamental concepts in CyberSecurity. You can have the first without a lot of the 2nd,...
Joel Van Dyk
Dec 7, 2023
Lessons from the field: who should the CISO report to?
It’s spring (officially anyway), and everyone trots out the organizational article, who should the CISO report to? Besides being fun,...
Joel Van Dyk
Mar 23, 2023
How Risk should be measured in a Big Cybersecurity Dept
For the first article of the year I wanted to take a big picture approach. It’s often been said that the Cybersecurity department...
Joel Van Dyk
Mar 2, 2023
Notes from the field: Are you comfortable? Or a bad way to measure risk
I often hear this in meetings where we discuss risk. “Are you comfortable?” I always feel like answering: yes, I’m working from home,...
Joel Van Dyk
Nov 2, 2022
Where the rubber hits the road: Risk acceptance vs Risk Exception
One of the things you regularly get involved in as a CyberSec practitioner (sometimes several times a day) is an implementation of a...
Joel Van Dyk
Sep 29, 2022