Author: Lou Covey

Reporter’s Notebook: What happened to ‘Q-Day’?

Time to dig into the RSAC Conference notes. It was only three years ago that vendor warnings of Q-Day, the day quantum computers could break current encryption, filled the pages of technology publications and even general news outlets. Those warnings are much more muted this year. What happened?

Primarily, the work of NIST in setting new standards for post-quantum encryption solved the issue. All the post-quantum encryption companies, like PQShield and SandboxAQ, are offering products that are more alike than they are different, and all are doing good business providing tools and services. We seem to be more than ready for the dreaded Q-Day.

Then again, progress on building an encryption-breaking quantum computer is maddeningly slow. The industry still insists 2029 is the Q-Day ETA, and that such a machine will break military-grade encryption in one week… on a single document. Assuming a nation state with such a computer has stolen 20,000 encrypted documents, it would take 38 years to decrypt them all. And the number of stolen encrypted documents, although inestimable, is probably orders of magnitude higher. So reality mutes the projections of potential disaster.

Is Mythos a sheep in wolf’s clothing?

Anthropic’s announcement of Mythos threw a lot of FUD into the cybersecurity market without significant third-party validation of its abilities. Is that FUD justified, another legal form of extortion designed to get security budget dollars, or just another weird marketing ploy? Maybe more to the point, is it a sheep in wolf’s clothing?

Mythos does not address encryption, identity or social engineering, which represent most of the issues in cybersecurity. It deals only with vulnerabilities in code development. That might negatively impact the cloud-native application protection platform (CNAPP) sector but, at the same time, the tool is only being offered to Fortune 100 companies. Meanwhile, there are hundreds of thousands of large, medium and small enterprises that won’t get it, at least not anytime soon, unless they steal it.

Security for less than $500 a month

Cybersecurity companies tend to target large enterprises because that’s where all the money is, supposedly. They may be missing a lucrative bet and a solution to AI-generated attacks.

In 2025, Comcast issued a report that said 95% of all cyber breaches began with someone in an organization clicking on a malicious link. It wasn’t a brilliant hacker breaking through military-grade encryption, or a rogue LLM from a major AI platform discovering backdoors. It was someone not paying attention to the warning signs.

Security training is supposed to reduce that by making users more aware of those signs. That is being tested by AI-generated phishing programs massively increasing the number of attempts. A Hoxhunt survey estimated AI has caused a 14x increase in phishing attempts in the past year.

Stopping the inevitable

The question is, with cybersecurity hitting a $328 billion market size, why is the situation getting worse?

Benny Czarny, CEO of OPSWAT, answers that question in a new book, “Upside Down Cybersecurity,” that just came out. “The reality is that the market is not adopting this technology or its underlying concept fast enough.”

To be accurate, Czarny is talking about OPSWAT’s content disarm and reconstruction (CDR) technology, but based on talks with dozens of CEOs and CISOs at the RSAC Conference in April, the same complaint is made by every company in cybersecurity.

Essentially, the customers that haven’t bought into a cybersecurity service or tool are stupid. They don’t say that for publication, but they do say it. They may be missing another reason: cybersecurity companies don’t know how to sell their products and services to the people that most need them. Conversations with customers at RSAC back that up.

Untapped SMB market

A 2022 McKinsey survey showed small to medium businesses (SMBs) represent a total market of $1.5 trillion to $2.0 trillion. That market is generally ignored in favor of Fortune 1000 companies. Moreover, the survey noted that current commercial solutions do not meet the needs of SMBs and mid-market companies.

(It should be noted that McKinsey’s numbers are based on an erroneous 1998 report on the cost of cybercrime that overstated the actual figure by a factor of 5 to 10. Official totals put cybercrime at less than $1 trillion, which puts the total available market below that figure as well.)

That’s a meaningful response to Czarny’s complaint. OPSWAT’s focus is on big infrastructure. Its pricing is not transparent because, as the saying goes, “if you have to ask, you can’t afford it.” That limits OPSWAT’s market to fewer than 150 customers and, as he said, they are making a good living off of it. OPSWAT and the majority of the industry are still, however, leaving billions of dollars on the table.

There is evidence that better training makes a difference. With security behavior-change programs, as opposed to the traditional awareness model, employees recognized and reported social engineering attacks with a 6x improvement in 6 months and reduced the number of malicious clicks by 87%, according to a recent report by Hoxhunt. The key, however, may be providing services that block malicious links or alert users to potential danger, at little to no cost to an organization. Encouragingly enough, there are services that do exactly that.

Security at $500/month

DNSFilter processes about 170 billion DNS queries daily, blocking 200 million categorized threats. That’s millions of phishing campaigns failing to reach their targets, a significant volume. The company also claims to block threats an average of 10 days faster than traditional threat feeds. Significantly, its pricing starts at $240 a year for up to 20 users and rises to a minimum of $1,080 per year for a large enterprise. This easily fits into the Cyber Protection Magazine Security Under $500 a Month classification.

Reporter’s notebook: Taking a CNAPP

Cloud-native application protection platforms (CNAPP) emerged as an industry niche around 2021, when Gartner coined the term to consolidate cloud-security capabilities under a single label. The niche evolved as organizations adopted cloud-native technologies and needed integrated security solutions.

In short, CNAPP providers consolidate security and compliance into a unified platform that prevents misconfigurations as compliance requirements evolve. Such a platform provides real-time detection and response to threats across cloud workloads, and it scans code under development for vulnerabilities, preventing runtime issues. A CNAPP follows and protects cloud-native applications from development to production.

Put that way, subscribing to a CNAPP tool set sounds like an easy decision for application developers. That is the easiest decision. It gets harder from there.

DROP drops for consumer privacy

California this year launched an online site to put teeth into the 2023 California Delete Act. It could be the most powerful privacy tool consumers have ever had. It could also create havoc for the data broker and social media industries.

Launched on January 1, the California Delete Request and Opt-out Platform (DROP) is an online tool that allows residents to have their data removed and to opt out of data collection. On the site, consumers enter personal identifiers, including phone numbers and email addresses currently in use. After a request is submitted, data brokers must process the deletion within 45 days. The starting date, August 1, 2026, gives brokers time to establish internal processes. People requesting deletions can check their DROP status after that date to see if their data was deleted. They can add more information about themselves at any time. New data can take up to 90 days to process.

California’s Delete Act was a step forward, but it lacked a mechanism that would allow consumers to get their data removed easily. Instead of going to a single place, consumers had to contact every company they knew held their data and submit a letter requesting deletion. They had to know where that data was in order to issue a request, and they would never know whether it had actually been deleted. The state also now offers a website that lets residents see how many data brokers are collecting their data.

AI industry at a crossroads

The AI industry appears to be reaching a crossroads that will determine its future in the next two years. The only clear outcome is it will not be what it is now, nor what it is predicted to be.

Most doomsayers and cheerleaders largely agree on a single vision: the technology will destroy hundreds of thousands of jobs. Wealthy investors and captains of industry consider that a good thing and mumble about universal income legislation and Star-Trekkian futures. White-collar workers and unions see the future less optimistically. But cooler heads see a precarious future. Those cooler heads include Anthropic’s Claude, OpenAI’s ChatGPT, and xAI’s Grok. Cyber Protection Magazine talked to all three, and they all came up with the same four likely scenarios, which may be brewing even as this article is read:

A security breach or a major AI system collapse.
Technical plateau causing diminishing returns on scalability.
Strict regulatory legislation that stifles innovation and makes development too expensive to pursue.
A significant economic downturn or massive market correction drying up capital investment.

Vibe coding faces rough growing pains

Vibe coding (using LLMs to create computer code) was all the rage when 2025 began. By June, the bloom had fallen off the rose. Companies offering platforms and tools for the practice saw dramatic downturns in users. What happened? Evidence points to the traditional market practice of targeting early tech adopters.

Vibe coding was largely sold as a means of improving the efficiency of professional coders and, as is their wont, professionals loved it for eliminating what they considered grunt work. But as the fad gained traction in the coding community, there was little evidence that it made coding any better. Rather, it possibly made it worse.

Illusions of efficiency

New studies showed that any improvements in coding efficiency were illusions. While the coders assumed the tools made them as much as 50% more efficient, the reality is that the tools made them, on average, 19% slower. There were multiple reasons for the drag on efficiency. For one, professional coders know something about the issues of security, compliance, and quality control. LLMs don’t, and neither do people without coding experience.

CISA is dead. Long live CISA?

The Cybersecurity Information Sharing Act (CISA) of 2015 expired January 30, 2026. Whether that means anything is debatable.

The 10-year-old act facilitated the sharing of cyber threat information between the government and private sector organizations. Many security experts are unimpressed by how the act performed. Chaim Mazal, Chief AI and Security Officer at Gigamon, said it wasn’t a two-way street: most of the sharing was done by private companies, and little data was shared by the government. As a result, participation in the program cratered in the last two years.

“Allowing the law to lapse gives us the opportunity to reinvigorate the bidirectional transfer of information,” he predicted.

Prediction 2026: Beginning of the end of the WWW

As the world stumbles headlong into deglobalization, we predict national sovereign clouds will replace international access to data. That is good news for in-country corporations and for security companies in specific fields. It may not be so good for large multinational tech firms or for people living in authoritarian countries. It may also mean the end of the World Wide Web.

Sovereign clouds used to be referred to as proprietary clouds that kept intellectual property (IP) secure. National sovereign clouds today are used to control access to citizens’ private data. For big tech, the problem is that multiple governments require organizations to comply with data protection laws that mandate specific data residency and management practices. National sovereign clouds facilitate that within a country but create significant complexity for multinational operations. Even within a politico-economic bloc like the EU, different data-security regulations apply within the bloc.

In a recent blog post, Cory Doctorow summed up the current business climate caused by geopolitical shifts, "There's finally political space to stop worrying about tariffs and reconsider anti-circumvention laws, to create disenshittification nations that stage raids on the most valuable lines of business of the most profitable companies in world history – Big Tech."
