The Multi-Cloud Mess: Why Complexity Is Killing Visibility
Herrin paints a grim but honest picture of today’s IT architecture. Most CISOs, he argues, didn’t design the environments they defend.
“Most defenders didn’t design their attack surface. They inherited it.”
In sectors like banking and insurance, mergers and acquisitions stack generations of tech debt. The average F5 customer now operates in four or more cloud environments, with 38 percent in six or more. Each cloud adds to the defender’s burden.
Herrin calls this state of operations the “ball of fire”, a tangle of legacy systems, APIs, and cloud platforms where attackers have more visibility than defenders do.
The API Abyss: It’s APIs All the Way Down
API sprawl emerged as a central theme in the episode. Herrin, formerly CTO of an API security startup, emphasized that all modern app development is now API-first.
“All modern app development is API-first. It’s APIs all the way down.”
The IDC API Security Study from November 2024 highlighted that nearly 50 percent of enterprise APIs are unmanaged or invisible to security teams. That creates a massive blind spot, especially as generative AI and agentic AI systems rely on APIs at every layer — from training to inference.
Herrin warns that without automated discovery and inventory, no amount of developer outreach or spreadsheet tracking can close the gap.
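The inventory gap Herrin describes can be made concrete by diffing what an API gateway actually serves against what the team has declared. The following is an added example, not code from the episode or from F5: it discovers endpoints from a handful of constructed access-log lines, normalizes path parameters (numeric and UUID segments become `{id}`) so that each route counts once, and compares the result with a constructed OpenAPI-style inventory. The log format, the inventory contents and the function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample gateway access-log lines (Apache-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /v1/users/1042 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2025:10:01:03 +0000] "GET /v1/users/77 HTTP/1.1" 200 498
10.0.0.7 - - [12/Mar/2025:10:01:04 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Mar/2025:10:01:05 +0000] "GET /v1/orders/9f3c2a1e-0b4d-4f8e-9c1a-2d3e4f5a6b7c HTTP/1.1" 200 1203
10.0.0.9 - - [12/Mar/2025:10:01:06 +0000] "GET /internal/debug/config HTTP/1.1" 200 4096
10.0.0.11 - - [12/Mar/2025:10:01:07 +0000] "DELETE /v1/users/1042 HTTP/1.1" 204 0
10.0.0.12 - - [12/Mar/2025:10:01:08 +0000] "GET /v2/users/55 HTTP/1.1" 200 501
"""

# Constructed declared inventory: what the team believes it exposes, written as
# (method, OpenAPI-style path template). Note that it lists no /internal route,
# no DELETE verb and no /v2 version; those are the blind spots to surface.
DECLARED_INVENTORY = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
}

# Extract the request line: method and path.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Recognise UUID path segments so they collapse to a template parameter.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path):
    """Drop the query string and replace id-like segments with '{id}'."""
    path = path.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        if seg.isdigit() or UUID_RE.match(seg):
            segments.append("{id}")
        else:
            segments.append(seg)
    return "/".join(segments)


def discover_endpoints(log_text):
    """Return {(method, template): hit_count} for every route seen in the log."""
    seen = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not request records
        key = (m.group("method"), normalize_path(m.group("path")))
        seen[key] += 1
    return dict(seen)


def inventory_gap(observed, declared):
    """Compare observed routes with the declared inventory.

    'unmanaged' = served but undeclared (the blind spot);
    'silent'    = declared but never observed (candidates for decommissioning).
    """
    observed_keys = set(observed)
    unmanaged = sorted(observed_keys - declared)
    silent = sorted(declared - observed_keys)
    pct = 100.0 * len(unmanaged) / len(observed_keys) if observed_keys else 0.0
    return {"unmanaged": unmanaged, "silent": silent, "unmanaged_pct": pct}


if __name__ == "__main__":
    observed = discover_endpoints(SAMPLE_LOG)
    gap = inventory_gap(observed, DECLARED_INVENTORY)
    for method, route in gap["unmanaged"]:
        print(f"UNMANAGED {method:6} {route}  ({observed[(method, route)]} hits)")
    for method, route in gap["silent"]:
        print(f"SILENT    {method:6} {route}")
    print(f"{gap['unmanaged_pct']:.0f}% of observed routes are not in the inventory")
```

Running it against the constructed log reports three of six observed routes as unmanaged: a new API version, a destructive verb on a known resource, and an internal debug route, none of which the spreadsheet-style inventory knew about. In a real deployment the log source would be the gateway or WAF, and the declared side would be generated from the OpenAPI documents in source control, so the diff runs on every deploy rather than on request.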
Quantum Threats and the Race Condition with China
While many security leaders focus on near-term AI challenges, Herrin urges listeners to think long-term, particularly about the rise of cryptographically relevant quantum computing.
“We’re not in one race condition. We’re in parallel race conditions with China: one for AI, and one for quantum computing.”
Quantum breakthroughs could render today’s encryption obsolete overnight. That risk, often called “Q-Day,” means organizations will need to rapidly rotate all certificates, keys, and algorithms. Herrin says the worst part is not the tech, it’s the timing.
“We’re so busy fighting fires, we don’t have time to prepare for what’s important but not yet urgent.”
Resources:
● NIST Post-Quantum Cryptography Project
● Microsoft’s Advancements in Quantum Computing
The Real Problem: Manual Security in an Automated World
Herrin doesn’t mince words. Organizations still managing APIs manually or relying on outdated processes are setting themselves up to fail.
“You can’t manage your API endpoints on an Excel spreadsheet and then go ask your developers, ‘Hey, is this the same list?’ They don’t know either.”
He draws a parallel between this challenge and a deadlift:
“It’s like deadlifting 500 pounds. Simple to understand. Not easy to do.”
Security leaders need to embrace automation and take a half-step back, not to slow down the business but to regain control.
Vendor Fatigue and CISO Burnout
Chuck Herrin also calls out the fatigue and FUD that plague cybersecurity vendors and conferences:
“I’ve got CISO PTSD walking around RSA. People shouting into microphones. Can I scan your badge? It’s a circus.”
He advocates for fact-based conversations rooted in operational reality, not just breach headlines or fear-driven marketing. CISOs need support, not theatrics.
Final Word: Expose Your Attack Surface on Purpose
Herrin leaves listeners with a call to action that transcends vendor preferences or buzzwords:
“Whether you use F5 or someone else, take a half step back. Get your attack surface under control. Expose it on purpose, not by accident.”
For organizations struggling to prioritize across AI, APIs, and infrastructure, this episode offers a sobering but practical perspective on how to move forward.