Splunk’s Field CTO on Prioritising Quantum & its Challenges

As quantum computing rapidly advances, Chief Information Security Officers (CISOs) face unprecedented challenges in safeguarding their organisations.
With average tenures often under three years, maintaining momentum on long-term quantum security initiatives can be difficult for businesses.
However, the urgency to prepare for post-quantum cryptography (PQC) is growing, especially with significant government investments signaling a new era of cybersecurity threats.
Off the back of World Quantum Day last month, Kirsty Paine, Field CTO at Splunk, explores how CISOs and boards can navigate these challenges — balancing evolving standards, ensuring continuity and embedding quantum readiness into risk management to protect critical data and infrastructure before “Q Day” arrives.
Please introduce yourself and your role in your own words, as well as Splunk and its place in the technology and cybersecurity spaces.
My name is Kirsty Paine and I’m a Field CTO for Splunk, based in Geneva, covering the EMEA region.
My specialism in cyber security stems from my background in mathematics, spanning cryptography and data, which broadened into a more general view of how organisations are securing themselves today — both on the infosec and operational security sides.
Splunk is a data platform that allows users to find answers to problems. If you have an incident — in IT, security or engineering — you just want to find the issue and remediate it quickly, if automation hasn’t already done it for you.
At heart, Splunk allows you to see data in a useful way and take action on it to improve your organisation’s resilience.
It’s the core of many SOCs and the backbone of IT departments: detecting issues, allowing easy investigation and enabling the best response — and quickly.
Talk to me about the risks around the short average tenure of CISOs. How can organisations ensure continuity and momentum despite this hurdle?
The average tenure of a CISO is short — typically between 18 months and three years — and that creates a challenge for long-term initiatives like quantum-readiness.
Every time a new CISO comes in, there’s often a shift in priorities, which can stall or fragment efforts that require long-term focus, like post-quantum cryptography.
Take the UK’s 10-year quantum cryptography strategy, for example. It’s ambitious — and rightly so — but frequent CISO turnover can make it hard to maintain the momentum these strategies need.
One way of tackling this may be to embed quantum-readiness into cross-functional teams, so progress doesn’t hinge on one individual. Ultimately, the industry hasn’t settled on an answer to this specific issue, but I suspect it will work itself out organically.
What practical steps can boards take to maintain oversight and prioritise quantum security initiatives, especially as board members typically serve longer than CISOs?
Boards are uniquely positioned to provide continuity, and that matters. Their longer tenure means they can keep post-quantum security on the agenda.
The first step? Appoint someone on the board who truly understands the quantum threat. Give them ownership of the issue — your quantum champion. That person can help ensure strategic focus doesn’t drift over time.
Next, quantum-readiness needs to be part of the broader risk management framework. That means regular updates on progress, challenges, and emerging threats — not just once a year, but as part of ongoing board discussions.
A strong governance structure helps ensure accountability, especially as we approach “Q Day,” whenever that may be.
Boards must lead the charge, making sure the organisation stays ahead of the curve and is not caught off guard.
With the UK government’s recent £121m (US$161.5m) investment in quantum technologies, what immediate actions should organisations take to start preparing for post-quantum cryptography now, rather than waiting for standards to mature?
The UK government’s £121m investment in quantum technologies sends a clear signal: the potential is huge and it’s not decades away anymore — the clock is ticking on quantum readiness.
Start by identifying your most at-risk assets — data that requires long-term confidentiality and systems that rely on public-key cryptography.
These should be the top priority for post-quantum protection.
Similarly, you can de-prioritise systems reaching end-of-life and data which has a short retention period before deletion.
You can also reduce exposure now by using ephemeral, per-session encryption keys.
For symmetric encryption like AES, make sure you’re using at least 128-bit keys to strengthen your defences against any potential quantum-powered attacks.
Timing is key here. I often talk about the “Goldilocks zone” — you don’t want to move too early and risk interoperability issues, but waiting too long increases your exposure.
A phased approach, aligned with the maturity of standards and your business needs, is the smart play. Planning is key.
What are the biggest risks if organisations delay migration to post-quantum cryptography (PQC)? How can they balance the need for swift action with the uncertainties around evolving PQC standards?
The main risk is being unprepared. If quantum computing arrives faster than expected, you could find yourself scrambling to rip out and replace your cryptographic infrastructure under pressure. That’s expensive, disruptive and risky.
But jumping in too early isn’t great either. PQC implementations are still evolving and early adoption could lead to integration and compatibility headaches.
The answer lies in a phased, risk-based approach. Plan migration for the systems and data most vulnerable to quantum threats — like anything that uses public-key cryptography or holds data that needs to stay secure for the long haul.
Keep an eye on the standards as they develop, and engage with the PQC community to stay informed.
There’s no need to panic — but there is a need to plan.
Start building your migration strategy now. Worrying about which PQC algorithm to choose while leaving critical assets unprotected is like arguing over the canapés on the Titanic.
Focus on what really matters and take the first steps before the iceberg is in sight.
Technology Magazine is a BizClik brand



