The Entropy Podcast

Francis Gorman

Hosted by Francis Gorman, The Entropy Podcast brings together intelligence community veterans, post-quantum cryptography pioneers, CISOs, business leaders, and frontline practitioners for unfiltered conversations on the threats, complexity, and geopolitics shaping our world. Past guests include former senior CIA officers, leading cryptographers, digital forensics experts, and security and technology leaders from across financial services, critical infrastructure, and government, voices rarely heard together in one place. Each episode goes beyond headlines to explore how cyber risk, emerging technology, and geopolitical instability are reshaping the way organisations operate, compete, and defend themselves. Expect candid insight on quantum risk, nation-state threats, AI, espionage, financial crime, business resilience, and the human dimensions of leadership. Designed for CISOs, board members, founders, technologists, policy thinkers, and the professionally curious, Entropy sits at the intersection of business, technology, and cybersecurity a space for genuine conversations with unique minds, the kind that don’t fit neatly into a press release. The name Entropy reflects the growing complexity and unpredictability of the systems we depend on, and the discipline required to lead through them. Disclaimer: The views and opinions expressed on The Entropy Podcast are those of the host and guests in their personal capacity and do not represent the views, positions, or policies of their respective employers, affiliated organisations, or any government body. Guest appearances do not constitute endorsement by the host, and the host’s commentary does not constitute endorsement of guests’ views. Content is provided for informational and educational purposes only and does not constitute professional, legal, financial, or security advice. One of the topics I cover a lot on this show is post quantum readiness, I believe awareness of this emerging technology is key for a safer world into the future. To support this awareness I have built a free resource to help you explore the world of quantum and learn as you go. You can find it here: www.postquantumready.com Buy Our Swag: We now have some slick new swag you can purchase through our Esty store. https://theentropypodcast.etsy.com   Watch and Subscribe You can also watch full episodes and exclusive content on our YouTube channel:www.youtube.com/@TheEntropyPodcast Achievements The Entropy Podcast delivered strong chart performance throughout 2025, demonstrating consistent international reach and listener engagement. Regularly ranked within the Top 20 Technology podcasts in Ireland.Achieved a Top 25 placement in the United States Technology charts, holding the position for one week.Charted internationally across multiple markets, including Israel, Belgium, and the United Kingdom. This performance reflects sustained global interest and growing recognition across key podcast markets. Audio Quality Notice Some episodes may feature minor variations in audio quality due to remote recording environments and external factors. We continuously strive to deliver the highest possible audio standards and appreciate your understanding.

  1. Harvest Now, Litigate Later Quantum Exposure with Darren Bender

    1d ago

    Harvest Now, Litigate Later Quantum Exposure with Darren Bender

    In this episode of the Entropy Podcast, Francis Gorman sits down with Darren Bender, a Texas-based attorney, chief legal officer, and co-founder working at the intersection of law, IT, and post-quantum cryptography. The conversation explores a question many boards, legal teams, and security leaders are only beginning to face: when quantum computers threaten today’s encryption, who becomes liable for doing nothing? Darren breaks down post-quantum negligence in practical terms, explaining why “we didn’t know” may not be a credible defence for much longer. From Harvest Now, Decrypt Later attacks to board minutes, data shelf life, migration timelines, DORA compliance, procurement decisions, and third-party liability, this episode reframes quantum readiness as more than a technical challenge. It is a governance issue. A legal exposure issue. A fiduciary duty issue. And potentially, a future courtroom issue. Key Takeaways Post-quantum cryptography is no longer just a cybersecurity concern; it is becoming a boardroom and legal risk conversation.Organisations may need to show how they assessed quantum risk, prioritised critical data, and documented informed decisions.Board minutes, governance records, risk assessments, cryptographic inventories, and migration plans could become central evidence in future litigation.“Cryptographic procrastination” may become difficult to defend if organisations knew about the risk but chose not to act.The Mosca theorem helps boards think about whether their data shelf life plus migration time exceeds the timeline for a cryptographically relevant quantum computer.The Learned Hand formula offers a legal lens for comparing the burden of prevention against the probability and magnitude of future harm.Financial services, healthcare, energy, and critical infrastructure may be among the first sectors exposed to post-quantum liability.DORA and similar regulatory frameworks may create either a defensive treasure trove or a litigation minefield, depending on the quality of the paper trail.Supply-chain liability will be complex, with SaaS providers, cloud providers, HSM vendors, certificate authorities, and customers all potentially pulled into the same dispute.Procurement teams should start asking not just whether vendors are secure today, but whether they can support post-quantum migration tomorrow.Soundbytes “Quantum risk is moving from the server room to the boardroom.” “Harvest Now, Decrypt Later may become Harvest Now, Litigate Later.” “The question is not just whether encryption breaks. It is who knew, who acted, and who documented the decision.” “In a future lawsuit, the paper trail may matter as much as the technology.” “Cryptographic procrastination is not a strategy.” “Doing nothing may be the most expensive decision a board ever makes.” “Post-quantum readiness is not a light switch. It is a long fuse with a big boom at the end.” “If your data still has value when quantum arrives, your risk clock has already started.” “DORA can be a treasure trove or a minefield. It depends what your records show.” “Your vendors may hold the keys, but your organisation may still hold the liability.” “Quantum readiness is no longer just about algorithms. It is about governance, accountability, and foreseeable harm.” “The courtroom may become the place where quantum risk finally gets priced.”

    45 min
  2. When AI, Crypto, and Quantum Collide with Dinesh Nagarajan

    Jul 5

    When AI, Crypto, and Quantum Collide with Dinesh Nagarajan

    In this episode, Francis Gorman speaks with Dinesh Nagarajan, Global Partner with IBM Consulting Cybersecurity Services and IBM’s global lead for data and AI security and quantum-safe security, about the collision of three major enterprise shifts: AI adoption, cryptographic modernisation, and post-quantum readiness. Dinesh argues that AI will likely be the most consequential transformation because securing AI at enterprise scale depends on trust, and that trust ultimately depends on cryptography.  The conversation explores why many organisations still treat AI security, cryptography, and quantum readiness as separate programmes, even though they are becoming deeply interconnected. Dinesh explains that AI has captured attention from the boardroom to engineering teams in a way few previous technology waves have, which gives it momentum, budget, and organisational visibility. But that same momentum creates risk if security, cryptographic resilience, and post-quantum planning are not built into transformation programmes early.  The discussion then moves into sovereign AI, geopolitical dependency, and the enterprise risk of building core workflows on platforms that may become unavailable due to political, regulatory, or commercial decisions. Dinesh frames this as a strategic consideration for businesses, especially when AI tools become central to software development, automation, and competitive advantage.  The second half of the episode focuses on post-quantum cryptography. Dinesh outlines how organisations should approach quantum readiness: start with awareness, assess exposure from the board level down, establish a centralised programme or centre of excellence, and embed post-quantum requirements into procurement, legal, supply chain, architecture, and existing digital transformation initiatives. His core message is that PQC is not a one-off technical remediation exercise; it is a multi-year business transformation that must be governed as a strategic risk.  Key takeaways AI security is becoming a cryptography problem AI at enterprise scale requires mechanisms to validate, verify, and trust agents, applications, and workflows. That trust layer depends on cryptography. AI, crypto modernisation, and quantum readiness cannot stay separate Many organisations currently treat them as three different programmes, but Dinesh expects them to converge quickly as AI infrastructure becomes dependent on cryptographic trust. AI has unusual organisational momentum Unlike previous technology waves, AI has captured attention from the C-suite down to engineers. That visibility can help fund and accelerate security work, including parts of the post-quantum journey. Sovereign AI is becoming a serious boardroom issue Enterprises need to consider what happens when a critical AI platform is restricted, withdrawn, or affected by geopolitical decisions. Quantum readiness is not just an IT issue PQC affects contracts, procurement, suppliers, cloud strategy, infrastructure, applications, data, and long-term transformation plans. Boards need business-risk language, not cryptography language Dinesh’s recommendation is to frame quantum exposure as strategic risk: revenue disruption, transformation risk, cost escalation, technical debt, and operational fragility. The first move is not scanning; it is understanding exposure Crypto inventory matters, but Dinesh argues the starting point should be a top-down view of how exposed the business model is to quantum-related disruption. A centralised PQC capability is essential Organisations need a programme team or centre of excellence that can create awareness, set direction, advise functions, and coordinate action across the enterprise. Existing transformation programmes should pay the “quantum tax” Rather than spinning up everything from scratch, organisations should embed PQC requirements into cloud migrations, digital modernisation, procurement cycles, and supplier renewals. PQC is a five-to-six-year journey for many enterprises Dinesh describes quantum readiness as a long-running transformation, not a vulnerability patching exercise. Soundbites These are polished for promotion and clips rather than strict verbatim transcript pulls. “AI security is ultimately a trust problem and trust still comes back to cryptography.” “The organisations that treat AI, crypto, and quantum as separate programmes are going to feel the collision later.” “AI has done something unusual: it has captured the imagination of the boardroom and the engineer at the same time.” “If every employee is going to use AI, then cryptography has to scale to that same level of adoption.” “Post-quantum readiness is not a technology change. It is a business transformation.” “The board does not need a lecture on algorithms. It needs to understand exposure, disruption, and strategic risk.”

    35 min
  3. Is Your Cyber Recovery Plan Just Fiction? with Francesco Chiarini

    Jul 1

    Is Your Cyber Recovery Plan Just Fiction? with Francesco Chiarini

    In this episode of the Entropy Podcast, Francis Gorman speaks with Francesco Chiarini about why cyber resilience must go far beyond traditional cybersecurity, backups, and compliance checklists. Francesco breaks down the uncomfortable reality that many organisations are not as recoverable as they think. From ransomware spreading at scale to compromised identity systems, encrypted tooling, failed assumptions, and board-level misunderstandings, this conversation explores what really happens when the worst-case cyber scenario becomes real. The discussion covers cyber resilience versus cybersecurity, APT-grade attacks, out-of-band communications, crisis operating models, data vaulting, DORA, recovery planning, minimum viable organisations, and why resilience has to be designed before disaster strikes. This is a direct, practical conversation about building organisations that can continue operating when the normal playbook no longer works. Key Takeaways Cyber resilience is not the same as cybersecurity. Cybersecurity focuses heavily on prevention and protection; cyber resilience asks whether the organisation can still operate, recover, and adapt when prevention fails. Backups alone do not equal resilience. Francesco warns that recovery depends on architecture, governance, people, tooling, identity, sequencing, and validated operating models not just stored copies of data. Organisations need to stress-test their assumptions of recoverability. If Active Directory, communications, patching tools, or recovery platforms are compromised, the real question is: what still works? Boards often misunderstand resilience as a technology problem. Francesco argues that technology matters, but cyber resilience also requires clear accountability, capability maturity, skilled teams, and rehearsed decision-making. Cyber recovery investment is often too low. Many organisations spend heavily on prevention, detection, and protection, while underinvesting in recovery capabilities and last-resort operating models. Data vaulting and isolated recovery are essential, but incomplete on their own. They must sit inside a wider cyber resilience strategy that includes threat modelling, minimum viable operations, interoperability, deception, and recovery sequencing. Soundbytes “Your cyber recovery plan is only real if it still works when everything around it has failed.” “Backups are not resilience. They are only one piece of the survival plan.” “The worst time to design recovery is during the incident.” “Cyber resilience starts where cybersecurity assumptions break.” “If your identity stack, tooling, and communications are gone, what still works?” “Being compliant does not mean being resilient.” “Recovery is not just a technology problem. It is an organisational capability.” “Most companies know how to prevent. Far fewer know how to restart.”

    41 min
  4. Why Artificial Intelligence Needs a Mother with Lucy Batley

    Jun 28

    Why Artificial Intelligence Needs a Mother with Lucy Batley

    In this episode of The Entropy Podcast, Francis Gorman sits down with Lucy Batley AI strategist, speaker, and founder of Traction Industries, named number eight in the UK's Top 100 Digital Leaders in AI in 2025 (recognised at the House of Lords). With a 30-year career spanning the birth of the internet designing for David Bowie, Audi, Barclays and the Manic Street Preachers Lucy now helps organisations adopt AI strategically, with strong governance and real business value. This is a conversation about why most AI investment fails to deliver, why the real barrier sits in the boardroom rather than the technology, and why the rush to deploy AI agents without securing the underlying data is heading for a reckoning. Lucy also introduces Mother, her new venture building AI on quantum-resilient infrastructure and makes the case that the most underestimated risk isn't superintelligence, but our growing dependency on the tools themselves. Key Takeaways AI is a leadership problem, not a technology problem. The organisations that win aren't the ones with the biggest budgets they're the ones whose leaders have the foresight to grasp how fundamental this shift is.Start with the human problem, not the tool. Most organisations don't even understand their own workflow processes. Design thinking and relentless questioning surface the real issue which is often smaller and easier to fix than anyone expected.ROI comes from strategy, not spend. One case study: six "AI colleagues" deployed for ~£500k returned ~£6.5M in ten months driven by an opportunity spotted in a workshop, not the technology itself.Security can't be an afterthought. Homegrown AI agents going into organisations without secured data are a backlash waiting to happen. Secure by design from day one.Quantum changes the game. With "harvest now, decrypt later" already underway and ~300 quantum computers in existence, quantum isn't theory. Mother's approach moves from algorithms and code to mathematics and physics protecting data without touching it.The real risk is dependency. Societies don't collapse because technology gets clever they collapse because they forget how dependent they've become.Stay human. AI has no experience, no conscience, and no emotion. The advantage lies in the things that make us human and using the tools to amplify them. Soundbites "Artificial intelligence is not a technology problem, it's a leadership problem." "It's a technology so profound that everything else is going to have to be redesigned around it." "Forget about the technology — what human problems are you trying to solve?" "Societies rarely collapse because a technology becomes clever. They collapse because they become vulnerable." "Artificial intelligence needs a mother. It needs protecting." "We're moving away from algorithms and code to mathematics and physics. It's a completely different beast." "Good leader, good organisation. Bad leadership, absolute chaos." "We're literally in the toddler stage."

    39 min
  5. Strategic Compression with David Murrin

    Jun 14

    Strategic Compression with David Murrin

    Geopolitical forecaster and strategist David Murrin joins Francis Gorman to argue that the world isn't experiencing ordinary volatility it's in the middle of a deep, structural transition between great powers. Drawing on his "Five Stages of Empire" framework, David lays out why he believes America's decline began after 9/11, why China is rising into the vacuum, and why he sees the next decade as a period of unavoidable escalation. The conversation ranges across the war in Ukraine, the Iran nuclear question, the battle for the Pacific, the hollowing-out of Western military capability, and the subtler war being fought through economics, infiltration, and influence. It closes on Ireland's exposure as a neutral state and David's blunt verdict that there is "nowhere to hide." Key Takeaways David's "Five Stages of Empire" model frames how nations regionalise, fight a civil war, expand, peak, and decline and where he places the West today.His view that American power entered structural decline after 9/11, with China rising to fill the vacuum.The concept of "strategic compression" why rising powers are forced to act not when they choose, but when the window around them starts to close.Why he sees Ukraine and Iran as conflicts enabled and shaped by China, used as testing grounds for systems and tactics.His argument that Western societies are being degraded from within through long-running influence operations targeting domestic politics.A stark assessment of UK military readiness, and why he believes adaptability not hardware alone decides who survives modern conflict.What all of this means for a small, neutral, strategically significant state like Ireland.Soundbites "Nature absolutely abhors a vacuum. It hates it.""It's as if we're playing draughts and the Chinese are playing three-dimensional chess.""The timing of hegemonic conflicts is never at the choosing of the hegemon.""There are no neutral countries in its story, so there are no places to hide.""Stand up and be counted." Note: This episode contains forecasting and personal analysis that is, by nature, speculative and at times contested. These are David Murrin's own views, shared to open debate rather than to state fact.

    41 min
  6. The World's First Hackocracy With Geoff White

    Jun 1

    The World's First Hackocracy With Geoff White

    In this episode of The Entropy Podcast, Francis Gorman sits down with British investigative journalist, author and BBC podcaster Geoff White to go inside the world of organised cybercrime and the regimes that increasingly depend on it. Geoff has spent years embedded in the underbelly of the cyber economy, from ransomware syndicates to state-sponsored hacking operations, and he brings a working journalist's eye to questions most security professionals only ever see from the defender's side. The conversation opens by dismantling the hoodie-in-a-basement myth: ransomware groups like Conti are run as businesses, with HR functions, payroll, performance management, customer support teams, and an obsession with professional polish. Geoff walks through what the leaked Conti messages reveal about how these organisations think of themselves including the striking self-description of their work as "postpaid penetration testing." The conversation then turns to North Korea, where Geoff lays out the case for what he calls a "hackocracy" — a regime increasingly funded by computer hacking. Drawing on US government estimates and his own analysis, he explains how cryptocurrency theft is keeping the North Korean state afloat, why sanctions are losing their bite, and why this should worry anyone who relies on the global supply chains that pass through the Korean peninsula. Francis and Geoff also dig into the moral and practical reality of the "don't pay the ransom" position, the weaknesses that still let attackers in, and the systemic role of money laundering as the unspoken second half of every major cybercrime story. The episode closes on the most timely thread: AI as an inherently deceptive technology. Geoff makes the case that systems like ChatGPT are designed from the ground up to fool users into thinking they're human and that this design philosophy has serious implications for the next generation of social engineering attacks. The conversation ends with a frank exchange on Anthropic's recent walk-back of its core safety commitments and what it signals about the industry's direction. Key Takeaways Ransomware gangs run themselves as businesses, not basements. The economics of ransomware are extraordinary. Money laundering is half the story. North Korea is becoming a hackocracy. A national ban on ransom payments would work eventually. .Humans are still the attack surface and AI makes that worse.Soundbites  "In order to earn the kind of money that Conti was earning, the average Russian would have had to work for 400 years. So in a single ransom, you can make not just your life's money, but the money for the life of all of your family around you as well." — Geoff White   "Within the next five to ten years, North Korea could become the world's first hackocracy — a regime entirely funded by computer hacking." — Geoff White   "Our world is not being run by lovely rational AI. It's human beings who are deciding what happens." — Geoff White

    38 min

About

Hosted by Francis Gorman, The Entropy Podcast brings together intelligence community veterans, post-quantum cryptography pioneers, CISOs, business leaders, and frontline practitioners for unfiltered conversations on the threats, complexity, and geopolitics shaping our world. Past guests include former senior CIA officers, leading cryptographers, digital forensics experts, and security and technology leaders from across financial services, critical infrastructure, and government, voices rarely heard together in one place. Each episode goes beyond headlines to explore how cyber risk, emerging technology, and geopolitical instability are reshaping the way organisations operate, compete, and defend themselves. Expect candid insight on quantum risk, nation-state threats, AI, espionage, financial crime, business resilience, and the human dimensions of leadership. Designed for CISOs, board members, founders, technologists, policy thinkers, and the professionally curious, Entropy sits at the intersection of business, technology, and cybersecurity a space for genuine conversations with unique minds, the kind that don’t fit neatly into a press release. The name Entropy reflects the growing complexity and unpredictability of the systems we depend on, and the discipline required to lead through them. Disclaimer: The views and opinions expressed on The Entropy Podcast are those of the host and guests in their personal capacity and do not represent the views, positions, or policies of their respective employers, affiliated organisations, or any government body. Guest appearances do not constitute endorsement by the host, and the host’s commentary does not constitute endorsement of guests’ views. Content is provided for informational and educational purposes only and does not constitute professional, legal, financial, or security advice. One of the topics I cover a lot on this show is post quantum readiness, I believe awareness of this emerging technology is key for a safer world into the future. To support this awareness I have built a free resource to help you explore the world of quantum and learn as you go. You can find it here: www.postquantumready.com Buy Our Swag: We now have some slick new swag you can purchase through our Esty store. https://theentropypodcast.etsy.com   Watch and Subscribe You can also watch full episodes and exclusive content on our YouTube channel:www.youtube.com/@TheEntropyPodcast Achievements The Entropy Podcast delivered strong chart performance throughout 2025, demonstrating consistent international reach and listener engagement. Regularly ranked within the Top 20 Technology podcasts in Ireland.Achieved a Top 25 placement in the United States Technology charts, holding the position for one week.Charted internationally across multiple markets, including Israel, Belgium, and the United Kingdom. This performance reflects sustained global interest and growing recognition across key podcast markets. Audio Quality Notice Some episodes may feature minor variations in audio quality due to remote recording environments and external factors. We continuously strive to deliver the highest possible audio standards and appreciate your understanding.

You Might Also Like