Duncan Jones, Head of Quantum Cybersecurity at Quantinuum: “Many leaders are now recognising that quantum computers will completely reshape cybersecurity”

This is the best of times, this is the worst of times. So Charles Dickens might have started a novel about cybersecurity in 2024, where those in charge of cybersecurity must fend off all the traditional threats plus emerging ones based on generative AI. And now quantum computing is here to make matters worse – or, just maybe, better, if you listen to Duncan Jones, Head of Quantum Cybersecurity at Quantinuum.

“Over the next five years, almost every cybersecurity system will be migrated to become resilient to the quantum threat,” Duncan told us. “This is a wonderful opportunity to ensure that our systems are agile enough to cope with inevitable future changes.”

We like that positivity, but if you’re reading this from a position of responsibility – particularly if you work for a large company – then heed Duncan’s other words of advice.

“There is a finite pool of people who understand cryptography, encryption and quantum technologies well enough to develop meaningful policies and strategies for large organisations,” he said. “Smart leaders will be prioritising hiring that talent or growing it through in-house training.”

The good news for those talented people is that their skills will be increasingly needed, so keep reading to the end for Duncan’s advice to anyone looking for a job in this “recession-proof” sector.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My name is Duncan Jones and I’m the head of cybersecurity at Quantinuum. Quantinuum is the largest integrated quantum computing company in the world, and my team helps customers strengthen cybersecurity systems with quantum technology. 

I’ve worked in cybersecurity since 2007, mostly in roles focused on cryptography and data encryption. I stumbled into the field after completing my undergraduate in Computer Science and haven’t looked back since. I found cybersecurity to be a recession-proof industry – even when the purse strings get tight, people still need data security. 

I wasn’t expecting to end up in the field of quantum cybersecurity. But it’s been thrilling to work at the absolute cutting edge of modern technology. In 2021, my team launched the first commercial product that uses a quantum computer to do something that cannot be achieved on a classical computer. I wasn’t expecting to have that on my CV. Today, our customers are using that product, Quantum Origin, to generate near-perfect random numbers, which are a critical ingredient for cybersecurity.

What are the biggest cybersecurity challenges those in leadership roles are facing?

A major challenge is the need to balance near-term reactive tactics versus the implementation of strategic and critically important long-term goals. In my industry, this is very notable around the topic of quantum cybersecurity. Many leaders are now recognising that quantum computers will completely reshape cybersecurity, both for good and for bad. Being able to prioritise resources to focus on what feels like a distant threat will be critical for being resilient in the years ahead. 

Another challenge is ensuring the right skills are being developed within organisations, particularly concerning advancing technologies such as AI or quantum computing. There is a finite pool of people who understand cryptography, encryption and quantum technologies well enough to develop meaningful policies and strategies for large organisations. Smart leaders will be prioritising hiring that talent or growing it through in-house training.

Worth a read: Whit Jackson, Vice President, VP Global M&E at Wasabi Technologies: “AI is having a massive impact on sports that cannot be overlooked”

What are some prevention strategies you believe every business should adopt?

The businesses we work with focus on a secure-by-design mindset. They recognise that cybersecurity is about defence-in-depth, ensuring each layer in a system is as strong as possible. In that sense, a strong preventative strategy involves exploring new technologies and deploying them ahead of the competition. In many cases, the goal is simply to present a harder target to attack us than someone else, ensuring that your customer data is not the data that gets stolen.  

Also critical, as we move towards an uncertain future, is building flexibility and adaptability into cryptographic systems. Over the next five years, almost every cybersecurity system will be migrated to become resilient to the quantum threat. This is a wonderful opportunity to ensure that our systems are agile enough to cope with inevitable future changes. Linking back to my first point, it also represents a once-in-a-generation opportunity to build on the strongest foundations possible. Here is an area where quantum technology, such as quantum random number generators, can help organisations harden their security against rising threats.

What role do you think governments play when it comes to cybersecurity?

They have a critical role to play when it comes to the standardisation of cryptographic algorithms and protocols. Over the last eight years, we’ve seen the US government play a crucial role in defining new cryptographic algorithms to defend against the quantum threat. This sort of work must be driven by governments because they can orchestrate the large amount of input needed for a rigorous assessment process. 

One challenge that faces governments is keeping these cryptography standards up to date as technology advances. I’ve certainly noticed in the field of quantum cybersecurity that standards often lag behind the bleeding edge of technology. Fortunately, my team has found ways to embed our advanced technology within the existing frameworks. However, a critical part of our day-to-day activities is keeping governments informed on the latest technology developments so they can inform new policies. 

Governments also play an important role in motivating organisations to take action against mid-term threats, such as the one posed by quantum computers.

Worth a read: Camellia Chan, CEO of Flexxon: “‘Generative AI is a goldmine for cybercriminals”

What’s something that has drastically changed about cybersecurity since you first got started in the field?

When I first started in cybersecurity, encryption and hardware security were unusual topics. Banks and governments were using them, but they were not often seen in a typical organisation. Over the years, encryption has spread like wildfire and recent trends, such as zero trust, have accelerated this process. Now, data is encrypted by default, and systems continually authenticate each other as part of machine-to-machine communications. 

Alongside this increase in encryption, we’ve seen new constructs emerging, such as blockchains and distributed ledger technology. Again, these topics have pushed cryptography into the minds of executives, helping to proliferate awareness throughout organisations. 

I view these changes positively, of course, but I’ve noticed our organisational processes and policies have not kept pace. Key management and cryptographic agility have suffered, and I suspect we will pay the price for this “cryptographic debt” (as I call it) in the years ahead. 

With our increasing reliance on encryption, we must have total confidence in the strength of our cryptography. In this sense, I feel positive about the future as emerging technologies, such as the quantum cybersecurity topics my team investigates, are poised to revolutionise our trust in fundamental data security.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

I thoroughly recommend considering a career in cybersecurity. The importance of this field will only grow in the years ahead as attackers have access to more and more sophisticated tools. 

There is a big difference between working on the vendor side of the fence versus the practitioner side of the fence. My career has been on the vendor side, and that brings exciting opportunities to develop new products and services and to feel like you’re making a difference in the broader ecosystem. On the flip side, I sometimes envy those practitioners who take responsibility for securing large organisations and whose efforts are making a difference on a day-to-day basis. While I suspect you can leap back and forth between these camps, it might make sense to consider which appeals to you more before you commit to a cyber career. 

Technology is always changing and it’s difficult to figure out what skills will be valuable in the years ahead. However, AI is sure to replace any repetitive menial jobs within cybersecurity, so it will be important to build meaningful skills that will always be sought after. These may include developing secure code, managing and leading people, and developing policies and processes. 

Finally, I can say that I’ve enjoyed my roles most when I’ve been at the edge of the technology space. My current role at Quantinuum has been my most thrilling to date, so I certainly recommend you explore roles that are at the frontier of new technology development.