In this TechVoices conversation, I spoke with Vidya Shankaran, Field CTO at Commvault, about how AI is reshaping the threat landscape, why true cyber resilience starts with people and processes (not just tools), and why “human-in-the-loop” remains essential.
In a wide ranging conversation, we also covered what post-quantum cryptography (PQC) means in practice—including a pragmatic path to crypto agility where classical and PQC approaches coexist.
Core Takeaways
Four themes from Vidya Shankaran:
- AI has upskilled attackers: GenAI makes social engineering far more convincing and democratizes sophisticated tools, so resilience must span people, process, and technology—with humans both the weakest link and the first line of defense.
- Recovery must be designed in advance: Define your organization’s minimum viable business—the essential capabilities and data you must restore first—or risk being “shot at the knees” when an incident occurs.
- LLM poisoning is real: Adversaries can game rankings or hijack expired domains to seed bad data; without rigorous human validation, AI systems can amplify corrupted inputs and warp downstream decisions.
- Prepare for post-quantum, pragmatically: Symmetric encryption remains strong, but data-in-transit and long-dwell exfiltration face future quantum risks. Plan for crypto agility—selective adoption of NIST-advocated schemes where they matter most, while classical crypto continues elsewhere.
Key Quotes
Extended excerpts from Vidya Shankaran:
GenAI Has Upskilled the Adversary
“We’re well past the era of the obvious ‘Nigerian prince.’ Even when those messages show up today, they’re phrased with professional polish. That’s GenAI at work—democratizing powerful capabilities and dramatically elevating the quality of social engineering and other attack vectors.”
“Because of that shift, cyber resilience can’t be treated as a pure IT problem. It’s people, process, and technology together. Humans are simultaneously the weakest link and the first line of defense, so organizations have to design for that reality—not just buy more tools.”
Recovery Begins with Minimum Viable Business
“A true recovery mindset starts long before an incident. Too many organizations think technology spend alone solves resilience. It doesn’t. You must know the minimum viable capabilities your business needs to function the day after an attack.”
“Take healthcare: patient onboarding, access to EHR data—allergies, medications, treatment plans. If you can’t bring those back quickly, you’re effectively out of business. Map and prioritize those essentials now, or you’ll be making impossible tradeoffs under pressure.”
LLM Poisoning & Why Humans Must Stay in the Loop
“As organizations adopt AI, large models often rely on pre-ranked sources or snapshots. Adversaries can game those rankings—or buy expired domains and repopulate them with spurious content—to ‘poison the well.’ The result: your first AI answer could be confidently wrong.”
“That’s why a human-in-the-loop is non-negotiable. Expecting full autonomy is risky; it creates an echo chamber that warps our understanding of the world. You need human eyes validating datasets and outputs, especially where decisions have real-world consequences.”
Post-Quantum & the Path to Crypto Agility
“Symmetric encryption like AES-256 remains strong, but the bigger quantum exposure is in asymmetric crypto used for data in transit. Nation-state actors play the long game—exfiltrating encrypted data now to decrypt later when quantum becomes practical. That ‘store-now, decrypt-later’ risk is real.”
“The answer isn’t a rip-and-replace. It’s crypto agility: plan for classical and post-quantum schemes to coexist, and apply PQC—such as NIST-advocated ML-KEM for key encapsulation and ML-DSA for signatures—where it delivers the most risk reduction. Make the handshake seamless, prioritize critical systems, and ‘winterize’ your app stack ahead of the curve.”
