This discussion at RSAC 2026 addresses artificial intelligence adoption, cybersecurity operations and preparing for post-quantum cryptography. Mark Hughes of IBM is global managing partner for cybersecurity services and discusses balancing AI integration, autonomous security and post-quantum cryptography. Hughes draws on extensive experience leading IBM's cybersecurity services to describe how organizations reconcile fast-moving AI adoption with protection of existing estates. They outline IBM's autonomous security program, deployment of AI agents in security operations centers and the importance of governance and stakeholder alignment. Dave Vellante of theCUBE Research and Christophe Bertrand of theCUBE Research guide the conversation and probe operational implications.
Key takeaways include Hughes's advice to "do not panic, but get busy," stressing immediate governance, tooling and stakeholder engagement to accelerate detection and response. They recommend that organizations begin discovery of cryptographic inventories and pursue crypto agility now to manage post-quantum risk. Vellante and Bertrand emphasize board-level awareness and coordinated remediation across IT, risk and supply chain teams.
This session provides actionable guidance for security leaders addressing AI adoption, autonomous security, post-quantum cryptography and operational readiness. Topics include governance, detection and response, crypto inventory discovery and crypto agility.
Mark Hughes, IBM
In this interview from RSAC 2026, Mark Hughes, security services leader of IBM Consulting at IBM, joins theCUBE's Dave Vellante and Christophe Bertrand to discuss why crypto agility has become an immediate priority for enterprises navigating AI adoption and the approaching post-quantum era. Hughes opens with a clear directive for CISOs: don't panic, but move fast. He explains that the same governance principles applied to cloud adoption must now be applied to AI — only faster. With 76% of executives in a recent IBM survey expressing concern about how AI is re...
>> Welcome back to theCUBE. We're here at RSAC 2026. We're in Moscone West winding down four days of live wall-to-wall coverage. Mark Hughes is back. Mark, I feel like you're our favorite guest here in Barcelona.
Mark Hughes
>> Thank you for having us back.
Dave Vellante
>> Yesterday with CrowdStrike.
Mark Hughes
>> Great to be back here, Dave.
Dave Vellante
>> Really great to have you. You have a global perspective. You're in IBM's consulting organization focused on security services. You see in all different industries obviously the big AI wave. We talked yesterday about some of the things that clients are really pushing you. The theme this week that we've talked about on theCUBE is everybody's got to lean into AI. At the same time, they've got their existing estate that they have to protect. This is something that you guys, I'm sure, face every day with customers. What's your number one sort of piece of advice to those CISOs that are trying to make that balance?
Mark Hughes
>> My first piece of advice is don't panic. Don't panic because there's a lot that we know how to do already which intrinsically underpins the safe use and introduction of AI into enterprises. But notwithstanding the don't panic thing is get busy, and get moving very fast because I think, if we don't move quickly, we don't apply the principles that we know around data security around governance and governance that we know and understand around how we release applications and other things into production environments. The same principles apply when it comes to how we do that with AI and how you get that into the enterprise, but we need to speed up. We have to take those principles. We have to speed up. We have to put tooling in place now that can really assist. And guess what? That's a lot of AI tooling that's going to assist you that job. I think that's one angle in terms of don't panic. The second thing is threat actors are now hot on our heels. They're using AI just like we are now, and they are speeding up. And they're getting more targeted and more focused. And again, don't panic. This is about supercharging capabilities that we know a lot about. But, it is just that. Supercharging those capabilities. That means we have to be much better, much more vigilant, much speedier in terms of how we can detect and then how we can then actually accurately work out what's going on. There's a sort of dichotomy here of get busy, don't panic, but make sure you move a lot more quickly.
Dave Vellante
>> And this is not just a technology problem, obviously. I'm presuming you don't start with the technology. Where do you start with clients?
Mark Hughes
>> My first thing to them is, what are your existing ways of managing the introduction of new technology into the enterprise? What's the security programs that sit around that? Who are all the stakeholders in the enterprise? Let's think back to cloud and how cloud got introduced. Public cloud got introduced into many organizations. We're still trying to catch up in some of those areas in terms of cloud workloads and how we protect those. Let's not repeat that. And we really have no option now. We have to be better, and we have to be faster. My first piece of advice is get those stakeholders in the enterprise, get them ready, and make them understand very quickly, and get them into the place where we have to have blueprinted controls around how we're introducing AI into the enterprise foundationally built in and not as some afterthought because that is going to be very, very difficult to apply coming at it after the event.
Christophe Bertrand
>> Let me follow up on this because obviously the nature of your business is changing because of AI. You have to use AI yourselves to be able to consult, provide whatever service, and such a variety of services you provide. How is it changing for you as you engage with this message of, "Don't panic, but make quick changes,"? How do you self-leverage AI? And is it changing even the nature of your own consultancy, the people you hire, how you train them? It seems like you have essentially a double sort of thing going on here.
Mark Hughes
>> Christophe, it's a great question. I think there's many things going on all at the same time. Let's just unpack that a bit. I think the first thing is let's keep it right down at the area of how we're now engaging with clients, not just from a security perspective, but from a consult perspective. AI tooling now is really helping us supercharge what we do. We have a tool that we built, IBM Consulting Advantage, that is underpinned by many different large language models that we can bring into that with our agents that we've built in that really helps us do things like engage with clients, do research, make our work, our consulting work, much more meaningful and targeted towards them. That's one aspect.
Christophe Bertrand
>> Arguably, just that part gives you best practices because you've done it yourself. Sort of your own dog food sort of scenario, right?
Mark Hughes
>> Take our what we know and do that, use AI to really make that work, really get that much closer, intimate engagement with the clients now, so we can really understand and produce stuff and speed up more quickly. I think that's one aspect of just how we make our work much more meaningful and much better, frankly, in terms of what we can do now by taking an individual who used to do that. And now they're essentially multiplied by because they can now use tools to really help them. Then I want to now drill into the security space. If I now look at the security area, which I'm responsible for, is how are we now using that AI and building agents to look at, again, those things that we know a lot about? We've managed highly complex, large-client security environments for many decades, and how we can take that knowledge, codify that knowledge, and then encapsulate it now within agents to start doing that work. Why? Yes, there's productivity. We all talk about productivity. I think, first and foremost, in accuracy, speed, how do we get to the result of where we maybe see something malicious happening more quickly in those environments that we know that our clients where they really need help. And why we need to speed up there, well, because the threat actors are speeding up. We did a recent survey. 76% of the executives we surveyed said, "We know that there's an issue in terms of how AI is changing that threat landscape," and they're concerned about how we're able to respond to that. The way to respond to that, we've worked out by building agents to do that, is with AI.
Christophe Bertrand
>> Do you see your practice merging with recovery services at some point? I mean, following this, logically, you would have to have a full spectrum.
Mark Hughes
>> It's a great question. What I actually see, our concept is what we call our autonomous security program. What I see is that we've built AI to really help in certain known areas of security. Let's think about the security operations center. We think about identity, thinking about risk and how we've now really used AI to make that work against known regulations. When you begin to stitch all that together, which is where we are now, each of those classes of agents are families in their own right at IBM. Now, we're stitching those together. And what we now see is that the ability for the security activity to be autonomous between traditional boundaries that used to be there, they're all breaking down. The agents don't think like that. They work across stuff. And most importantly, Christophe, those agents now from our autonomous security program now work into natively into the IT estate, for example. How we can now orchestrate the outcomes, working with many different vendors ... Let's not forget there's great AI there, but how do you orchestrate that across complex environments where there's often a lot of legacy where you need the remediation, you need that net result to come out, for example, into the IT stack? We can actually get the agents to tee up that remediation with a human in the loop, if necessary. Increasingly now, for some processes we're saying, no, just let the agents create the remediation natively, and so that, therefore, the result of that security activity, that now autonomous, increasingly autonomous, security activity, appears directly into an area that isn't necessarily a security area.
Dave Vellante
>> Mark, I don't think there's any debate that IBM is the leading research lab in quantum. I think there's no question about that. The question is, if I'm a practitioner, when should I be worried about quantum and post-quantum cryptography? Some today? Is it a large majority today? Who should worry about it today? When should the rest of the market? How should we gauge that with your clients? How are you speaking to them about this?
Mark Hughes
>> Right now. Right now. Immediately. If you haven't started thinking about it, think about it now. But, and here's the but, we all know that the quantum event is going to massively disrupt cryptography as we know it today. To put a bit of color on that, Shor's algorithm, ECC and traditional PKI symmetric encryption, is going to become vulnerable. And it's only one thing from quantum that we know is going to come. Of course, security comes on with the downside use case to start with. Quantum's going to offer unbelievable opportunity in terms of compute. And IBM, as you say, we're right at the forefront of that. But the reason why I say we've got to get busy with that right now is the quantum event is a compelling event. It's not a single event by any stretch of the imagination. This whole concept of how crypt is now needing to be managed in the environments that we work with with our clients is changing. The reason why I talk about that being a necessity right now is because crypt is already changing. We come back to the AI and the AI agents and how organizations are embracing AI in their environments. Well, of course, all those agents that are being deployed have crypt calls that they need to make. They have tokens that make those crypt calls. Essentially, that massive increase in necessity to organize crypt and have that available just in the context of how we're deploying AI, that's a challenge. Getting organized around cryptography now is essential, not just because of the quantum event, although that is absolutely a necessity, but you need to be doing that now, so we can get to a state of what we're describing at IBM now, crypto agility, where we move away from how we've traditionally managed crypt, which is hard-coded crypt. We don't really know where it is. It's worked, and it's worked really well for us, but that's not relevant now in today's environment.
I'm saying, organizations, get busy now, not from let's replace algorithms with quantum resistant algorithms. There are some use cases for that, but that's still fairly nascent at the moment. But get busy now because understand where your crypt is. Understand how you can now get ready to have a much more crypto-agile way of approach of managing it so that in the future, when the new quantum algorithms come along, quantum-resistant algorithms, which at IBM we're very proud that we've also developed four of those quantum-resistant algorithms that you can deploy those, and then make your organization quantum crypt ready. But crypto agility starts right now today.
Dave Vellante
>> Step one is a discovery exercise. Understand my crypt portfolio. You have tools, I believe, to help do that, correct? Explain that.
Mark Hughes
>> We have tools that can do that discovery. We use AI to help do that discovery. We've built those specifically that can look into an organization, understand where the existing encrypt is, understand what might be vulnerable, and of course then couple that working with clients with, well, what are those applications and those processes, especially down through the supply chain, where the most critical processes, workflow processes, are that involve those handshakes that are required in that crypt environment? We can then begin to create an inventory, create a view of where those priorities are, and then start organizing that in a way in which we have a better understanding in an enterprise of where that is so that the necessary, then, work can be done in step two which is then actually then starting to take the remediation action. That discovery exercise and the tools that we have to do that we can start doing right away.
Dave Vellante
>> What does that remediation action look like? How disruptive is it to my existing application portfolio? What do I need to know?
Mark Hughes
>> Potentially a lot. Again, it depends if you need to then actually deploy those quantum-resistant algorithms, post-quantum-resistant algorithms, into those environments. They're much bigger. We've compressed them down quite a bit. The work we're doing in our crypt teams is incredible at IBM. I have to say we're right at the forefront of that, and we've done a lot of work to do that, but they are different. Therefore, there's a different consideration there. There's four of them at the moment. They have different utilities. There's some work that might have to be done to make those applications and other bits of the IT ecosystem that need that crypt behave differently, where upgrades and things need to be changed to make that happen. Equally, there's other techniques that we're looking at where we are going to live potentially in a transitionary hybrid world, where we're running both quantum resistant cryptography and non-quantum resistant cryptography in a world where those handshakes can still happen so that we can manage through that. What the thing that we're seeing right now is discovery step one, remediation plans based upon priority, actually is not ... It's not a single event, this. This is going to then potentially take, for some organizations, many years to work through.
Dave Vellante
>> And my last question, Christophe, is who in my organization do I need to have at the table to make sure that this gets done properly?
Mark Hughes
>> Dave, it's a great question. Christophe, you mentioned that earlier on as well. Yes, the CISO is often seen as the individual who has that in their gift, but it's absolutely right in the middle of the entire IT stack, so the CIO needs to be there, but then the risk teams need to be involved in here and those that are responsible for resilience as well. Look, we all know today what happens with certificates when the lifecycle management certificates goes wrong. This is not new to us. And we see certificate life cycles shortening, as they are already. This is something that is right here and now a challenge for us. Think now that we now have to really delve into this in a very different way from where we have been before. You need the operational IT folks, the supply chain and key suppliers, risk, and frankly, this is going to be a board-level-awareness transition because it needs that much focus. It's very disruptive-
Dave Vellante
>> Is it today at board level? I mean, is this a conversation at the board?
Mark Hughes
>> I think today, from what I see with many clients, it's a subject that boards are interested in. They're interested in, more broadly, quantum. One of the first things that comes up when they talk about quantum is what's going to happen in a post-quantum cryptography world. We don't want that to happen. We want actually boards to be talking about what the opportunity for quantum is in terms of how they grow and management in the same way that they're talking a lot about how AI can help their businesses now. And IBM, we're really focused on the benefits, but absolutely this particular use case around post-quantum cryptography is something which is getting up the agenda and needs to be considered. But ultimately, once the board understands it, it's the operational parts of the business that need to get busy to begin to find that way of discovery and remediation.
Christophe Bertrand
>> I see a massive issue with just dealing with the data. I mean, the backups. The archives. And the biggest issue is not so much, well, it could get access. There could be issues with that, but it's compliance. And compliance is a board-level conversation already today. To me, the conversation's really about there's a technology component to this. I can see the positive piece, but the defensive is you will have to comply. I expect also some regulations from governance coming up. I would imagine the European Union will be all over it, and they already are, but with some very strict mandates potentially. What's your take on that? Should they be providing guidance? Should they be involved?
Mark Hughes
>> They already are, actually, Christophe. We see NIST and the US government came out. They recently published. US cybersecurity strategy came out with some very specific guidance about timeframes of when, by 2030, 2035 ... These are the dates that are being discussed. Of course, that all depends a bit on when the actual quantum capability is going to be there to run Shor's algorithm. And of course, IBM, we're pretty well the furthest along in terms of quantum development. We know when that is, and we absolutely tie into those ... We can't say absolutely fortiva is going to be on this day, but we're aligned, and we-
Christophe Bertrand
>> The timeframe is 10 years away maximum is what you're saying?
Mark Hughes
>> No, no, no. No, no -
Christophe Bertrand
>> Or it's this decade, right?
Mark Hughes
>> In 2030, we got to see even maybe sooner where-
Christophe Bertrand
>> Five years?...
Mark Hughes
>> capability. Absolutely. When the capability is going to be there to do that. Now, the migration path for our clients is going to be over a period of time. But the simple fact that that algorithm can be executed, and that makes asymmetric encryption vulnerable, is five years out. That's why getting busy now is so, so, so important. Yes, governments are absolutely being very clear and very specific about when ... The US government has been very, very clear about that. Likewise, European Union, UK, others as well. And at IBM, we've put all that together, and that's important for our clients when we talk to them, Dave, as you said earlier on about where and how we take them through this journey, which is to say, "Hey, you're regulated in this space. This is the bits that matter to you." That in itself is something that they have to untangle a bit and just say, "Look, so when do we need to be ready?" That then helps drive the timeframe that they need to work.
Dave Vellante
>> How much activity have you heard at this event? How would you characterize the quantum discussion at RSAC? Obviously, in Barcelona, there were pieces. We participated in a roundtable with IBM, about 25 executives. And to your earlier point, they were really focused on the defense using quantum as a cybersecurity, being concerned about post-quantum cryptography. I don't feel like they had the cycles right now to think about the benefits just yet because they're trying to figure out the benefits of AI and get ROI and AI, but that will come. How would you characterize what you heard in Barcelona with what you're hearing here at RSAC?
Mark Hughes
>> It's not as top of mind as I would expect here. And I look at it actually as the event that is coming. Obviously, quantum is going to, as I said before, give us unbelievable benefit in so many ways with the compute capability that it's going to bring us. But I actually look at this compelling event that we have as almost as a gift, and a gift because getting better at managing crypt is now, as you said earlier on, Christophe, in terms of how you manage data and how you actually can move data around and deploy AI effectively, have crypt working in an agile way to really help you get the best out of AI, those AI agents that you're deploying. The gift here is that if you can exploit that now and get in a crypto-agile state in your enterprise now, that's really going to help you move on. I'm not hearing enough about that here, frankly. I think we're going to hear a lot more about that. But as I said before, that's not just about the event that is about the quantum event. It's about just getting better at managing cryptography certificates. Everything that goes around that crypt landscape, that's what foundationally needs to be better. Get that right. And I think it's going to unlock a whole load of other benefit in the organization to just become more agile, and that doesn't become a bottleneck for organizations in transforming their businesses to really embrace AI. Because we know that, I mentioned earlier on, certificates and stuff can create a problem. And they really do, even today. Getting better at managing that is a thing to do right now. And I really need more people to be talking about that.
Dave Vellante
>> That seems to be a very high priority, and that's a reasonable starting point. And there was definitely airtime at GTC last week for quantum. Actually, in the NVIDIA booth, they had a quantum chandelier. It wasn't as impressive as the IBM quantum chandelier and-
Mark Hughes
>> We've been working at it for some time -
Dave Vellante
>> You've been working at it for a while. The chip wasn't even on it. But nonetheless, there are companies out there that in addition to IBM that are doing some good work on this. It's definitely time to start thinking about this and start planning for this, taking the inventory, and getting prepared.
Mark Hughes
>> And we've got the software tools that we've built that can really help organizations run through that and deal with a world of crypt which, frankly, needs to be modernized and to make them ready to be able to use that in a post-quantum way but in a way in which can really enhance their businesses.
Dave Vellante
>> Well, listen, Mark, it's been great having you in theCUBE in both continents. We're going to have to meet in Asia and then-
Mark Hughes
>> Look forward....
Dave Vellante
>> do that.
Mark Hughes
>> There you go.
Dave Vellante
>> All right.
Mark Hughes
>> Can't wait.
Dave Vellante
>> Thank you so much for coming back.
Mark Hughes
>> Thank you.
Dave Vellante
>> Appreciate it.
Mark Hughes
>> Thanks, Christophe.
Dave Vellante
>> All right. Thank you for watching. Dave Vellante for Christophe Bertrand. We're right back right after this short break. RSAC 2026. You're watching theCUBE.