The Entropy Podcast

Francis Gorman
59 episodes

  • The Entropy Podcast

    The World's First Hackocracy With Geoff White

    01/06/2026 | 38 mins.
    In this episode of The Entropy Podcast, Francis Gorman sits down with British investigative journalist, author and BBC podcaster Geoff White to go inside the world of organised cybercrime and the regimes that increasingly depend on it.
    Geoff has spent years embedded in the underbelly of the cyber economy, from ransomware syndicates to state-sponsored hacking operations, and he brings a working journalist's eye to questions most security professionals only ever see from the defender's side. The conversation opens by dismantling the hoodie-in-a-basement myth: ransomware groups like Conti are run as businesses, with HR functions, payroll, performance management, customer support teams, and an obsession with professional polish. Geoff walks through what the leaked Conti messages reveal about how these organisations think of themselves, including the striking self-description of their work as "postpaid penetration testing."
    The conversation then turns to North Korea, where Geoff lays out the case for what he calls a "hackocracy" — a regime increasingly funded by computer hacking. Drawing on US government estimates and his own analysis, he explains how cryptocurrency theft is keeping the North Korean state afloat, why sanctions are losing their bite, and why this should worry anyone who relies on the global supply chains that pass through the Korean peninsula. Francis and Geoff also dig into the moral and practical reality of the "don't pay the ransom" position, the weaknesses that still let attackers in, and the systemic role of money laundering as the unspoken second half of every major cybercrime story.
    The episode closes on the most timely thread: AI as an inherently deceptive technology. Geoff makes the case that systems like ChatGPT are designed from the ground up to fool users into thinking they're human and that this design philosophy has serious implications for the next generation of social engineering attacks. The conversation ends with a frank exchange on Anthropic's recent walk-back of its core safety commitments and what it signals about the industry's direction.
    Key Takeaways
    Ransomware gangs run themselves as businesses, not basements. 
    The economics of ransomware are extraordinary. 
    Money laundering is half the story. 
    North Korea is becoming a hackocracy. 
    A national ban on ransom payments would work eventually.
    Humans are still the attack surface and AI makes that worse.
    Soundbites
     "In order to earn the kind of money that Conti was earning, the average Russian would have had to work for 400 years. So in a single ransom, you can make not just your life's money, but the money for the life of all of your family around you as well." — Geoff White 
     "Within the next five to ten years, North Korea could become the world's first hackocracy — a regime entirely funded by computer hacking." — Geoff White 
     "Our world is not being run by lovely rational AI. It's human beings who are deciding what happens." — Geoff White
  • The Entropy Podcast

    The Comfortable Lies of Cybersecurity with Adam McElroy

    25/05/2026 | 32 mins.
    In this episode of The Entropy Podcast, Francis Gorman speaks with Adam McElroy, CTO at Eclypses, about cybersecurity, storytelling, AI, post-quantum readiness, and the evolving role of security leadership. Adam argues that modern cyber leaders must move beyond technical reporting and learn to communicate risk in ways boards and executives can act on.
    The conversation explores why security decisions in large enterprises take time, how AI is accelerating existing technical debt and governance gaps, and why quantum risk is no longer something organizations can comfortably defer. Adam frames post-quantum readiness as a generational risk comparable to Y2K: manageable if organizations plan early, potentially damaging if they procrastinate.
    A central theme is that cybersecurity is no longer just a technology problem. It is a business resilience issue involving boards, executives, architects, regulators, CISOs, CIOs, CTOs, and risk leaders. Adam also challenges the industry’s reliance on perimeter defence, arguing that organizations need to think more seriously about making data unusable if it is exfiltrated. 
    Key Takeaways
    Storytelling is now a core cybersecurity leadership skill.
    Cybersecurity is business, not a separate technology function.
    AI has exposed existing technical debt faster than expected.
    Zero Trust is still valid, but there is no silver bullet.
     Organizations should assume breach and protect the data itself.
    “Harvest now, decrypt later” is a present-day risk.
    Quantum procrastination is becoming indefensible.
    The CISO cannot carry cyber risk alone.
     AI adoption needs policy, education, and discipline.
     
    Soundbytes
    "There is no such thing as business and technology. It’s all business at the end of the day."
    “AI wasn’t built to be secure, it was built to be amazing.” 
    “The CISO cannot protect the organization by themselves.” 
     “The dashboard will never be green in my world.”
  • The Entropy Podcast

    Quantum Readiness: The Risk No One Owns with Louise Davey

    19/05/2026 | 42 mins.
    In this episode of Entropy, Francis Gorman speaks with Louise Davey, executive leader, transformation architect, and author of Quantum How, about why quantum readiness has to move beyond the technology function and into the boardroom.
    Louise argues that post-quantum cryptography is no longer just a cryptography, standards, or cybersecurity discussion. It is an enterprise governance and transformation challenge that affects digital trust, operational resilience, fiduciary duty, regulatory exposure, insurance, systemic financial risk, and long-term business viability.
    The conversation explores why boards and executive leaders often struggle to act on quantum risk, not because the threat is unclear, but because it is poorly communicated. Louise explains how quantum risk breaks traditional risk models: it is time-shifted, has unclear ownership, spans the entire digital infrastructure layer, and reaches far beyond any single technology team.
    The episode also covers the real-world consequences of unreadiness, from harvest-now-decrypt-later exposure to operational technology, financial services, elevators, pacemakers, insurance risk, liquidity impact, and corporate survival. But the conversation is not only about risk. Louise also makes the case that quantum readiness can be used as a once-in-a-generation transformation opportunity to reduce technical debt, strengthen governance, improve enterprise intelligence, and create lasting organisational value.
    Takeaways:
    1. Quantum readiness is now a boardroom issue.
    Louise makes the case that post-quantum security has moved beyond the technical layer. It now belongs in enterprise governance, risk management, transformation strategy, and board oversight.
    2. The communication gap is one of the biggest blockers.
    The people who understand the quantum threat are often technologists, while the people who control funding, risk appetite, and enterprise priorities are boards and executives. The challenge is translating the issue into language decision-makers can act on.
    3. Traditional risk models do not handle quantum risk well.
    Quantum risk does not fit neatly into standard operational risk taxonomies. It is time-shifted, systemic, infrastructure-level, and difficult to assign to a single owner.
    4. Digital trust may be the real asset at risk.
    The episode repeatedly comes back to trust. Cryptography underpins authentication, authorisation, privacy, financial transactions, customer confidence, and the resilience of modern digital business.
    5. Harvest-now-decrypt-later is already a live issue.
    Louise stresses that quantum risk is not purely future-facing. Sensitive data may already be exposed if adversaries are collecting encrypted information today to decrypt later.
    6. Boards need to understand their fiduciary exposure.
    If boards are made aware of the scale of the risk and still fail to act, the issue becomes one of governance failure and fiduciary responsibility.
    7. This is bigger than IT and cybersecurity.
    Quantum risk affects financial services, insurance, operational technology, manufacturing, logistics, public safety, and the physical systems connected to digital infrastructure.
    and many more....
    SoundBytes:
    “The people who understand the problem often are not the people who own the decision.”
    “Quantum risk challenges the way organisations think about ownership, accountability, and authority.”
    “Digital trust does not belong to one function. It belongs to the organisation as a whole.”
    “The board is the only place high enough to own a risk of this scale.”
    “This is not just about avoiding risk. Done properly, quantum readiness can create long-term enterprise value.”
  • The Entropy Podcast

    Smarter Cyber Strategy with Leonard McAuliffe

    11/05/2026 | 40 mins.
    This episode focuses on what real cyber strategy looks like versus the outdated “framework + gap analysis” approach. Leonard McAuliffe of PwC explains that most organizations confuse activity with strategy, focusing on compliance, maturity scores, and annual plans instead of aligning cybersecurity to actual business risk.
    The conversation reframes cyber strategy as a business-aligned, risk-driven, continuously evolving discipline. It emphasizes understanding stakeholder priorities, mapping real threats to controls, and treating strategy as a living system that adapts to AI, geopolitics, and changing attack surfaces.
    Takeaways:
    1. Most “Cyber Strategies” Aren’t Strategies
     They’re annual roadmaps or compliance exercises 
     Built around frameworks (NIST, ISO) instead of business risk 
     Improve maturity—but don’t necessarily reduce real risk 
    2. Strategy Must Start With the Business
     Engage CEO, CFO, CIO, CRO—not just security teams 
     Understand risk appetite and critical processes 
     Align to IT, digital, and AI strategies 
    3. Focus on Risk → Threats → Controls (Not Maturity Scores)
     Define key cyber risks (e.g., business disruption) 
     Map threat scenarios (e.g., ransomware via phishing) 
     Link to controls and measure effectiveness 
    4. Strategy is a Living System
     Must evolve with:
       AI
       Threat intelligence
       Regulatory changes
       Business shifts

    5. Prioritization = Risk + Cost Trade-Off
     You can’t do everything 
     Decisions must be explicit:
       What risk are we accepting?
       What exposure remains?

    6. Regulation Shouldn’t Drive Strategy
     Constantly reacting to new regs derails focus 
     Instead:
       Build a strong master control framework
       Map regulations onto it

    Soundbites: 
     “Most cyber strategies look good on paper but don’t manage real risk.” 
     “You’re improving maturity, not reducing risk.” 
     “Cyber can’t operate in a bubble; it has to enable the business.”
     “If you don’t fund it, you’re accepting the risk. It’s that simple.” 
     “Boards don’t care about maturity levels; they care about real threats.”
  • The Entropy Podcast

    How to Recruit a President with Glenn Carle

    04/05/2026 | 50 mins.
    In this episode of The Entropy Podcast, Glenn Carle, a former CIA clandestine officer with over two decades of experience, breaks down how intelligence agencies think, operate, and influence outcomes over the long term.
    Drawing on real-world tradecraft, Glenn explains how vulnerabilities are identified, how influence is cultivated, and how narratives are seeded and amplified over time. The conversation explores the growing tension between intelligence institutions and political power, the risks facing democratic systems, and how modern geopolitics is increasingly shaped by information warfare and perception management.
    The discussion also ventures into controversial territory, examining the possibility of long-term influence operations at the highest levels of power while highlighting the difference between evidence, interpretation, and hypothesis.
    This is a conversation about how power actually works beneath the surface and what happens when institutions designed to protect truth are put under pressure.
    Takeaways:
    Intelligence is about patterns, not events
    Influence is often long-term and indirect
    Vulnerability ≠ control
    Institutions are under pressure
    Information warfare shapes reality
    The line between analysis and speculation matters
    SoundBytes:
    “In intelligence, there are no coincidences, only patterns you haven’t understood yet.”
    “You don’t recruit someone in a moment; you shape them over time.”
    “Every strength can become a vulnerability in the right context.”
    “If telling the truth costs you your job, the system stops working.”
    “You don’t need the truth; you need enough repetition to make something feel true.”
    “The most effective operations are the ones no one notices—until it’s too late.”
    “Understanding how something could happen is not the same as proving that it did.”
    This conversation explores complex and often controversial geopolitical themes from the perspective of a former intelligence officer. Some views expressed, particularly around long-term intelligence operations and political influence, reflect interpretation and professional judgement rather than independently verified public conclusions. Listeners are encouraged to engage critically and consult additional sources where appropriate.
About The Entropy Podcast
Hosted by Francis Gorman, The Entropy Podcast brings together intelligence community veterans, post-quantum cryptography pioneers, CISOs, business leaders, and frontline practitioners for unfiltered conversations on the threats, complexity, and geopolitics shaping our world.

Past guests include former senior CIA officers, leading cryptographers, digital forensics experts, and security and technology leaders from across financial services, critical infrastructure, and government, voices rarely heard together in one place.

Each episode goes beyond headlines to explore how cyber risk, emerging technology, and geopolitical instability are reshaping the way organisations operate, compete, and defend themselves. Expect candid insight on quantum risk, nation-state threats, AI, espionage, financial crime, business resilience, and the human dimensions of leadership.

Designed for CISOs, board members, founders, technologists, policy thinkers, and the professionally curious, Entropy sits at the intersection of business, technology, and cybersecurity: a space for genuine conversations with unique minds, the kind that don’t fit neatly into a press release.

The name Entropy reflects the growing complexity and unpredictability of the systems we depend on, and the discipline required to lead through them.

Disclaimer: The views and opinions expressed on The Entropy Podcast are those of the host and guests in their personal capacity and do not represent the views, positions, or policies of their respective employers, affiliated organisations, or any government body. Guest appearances do not constitute endorsement by the host, and the host’s commentary does not constitute endorsement of guests’ views. Content is provided for informational and educational purposes only and does not constitute professional, legal, financial, or security advice.

Buy Our Swag: We now have some slick new swag you can purchase through our Etsy store. https://theentropypodcast.etsy.com

Watch and Subscribe
You can also watch full episodes and exclusive content on our YouTube channel: www.youtube.com/@TheEntropyPodcast

Achievements
The Entropy Podcast delivered strong chart performance throughout 2025, demonstrating consistent international reach and listener engagement.
  • Regularly ranked within the Top 20 Technology podcasts in Ireland.
  • Achieved a Top 25 placement in the United States Technology charts, holding the position for one week.
  • Charted internationally across multiple markets, including Israel, Belgium, and the United Kingdom.
This performance reflects sustained global interest and growing recognition across key podcast markets.

Audio Quality Notice
Some episodes may feature minor variations in audio quality due to remote recording environments and external factors. We continuously strive to deliver the highest possible audio standards and appreciate your understanding.