Bret Cunningham, Chief Product Officer of Zimbra, an enterprise email platform, throws some light on how firms can respond to cybersecurity threats.
Anthropic’s Mythos Preview model has helped identify more than 10,000 software vulnerabilities among its 50 partners, out of which over 60 per cent were classified as high or critical risks. How should cybersecurity and platform firms respond?
BC: Those findings tell us that the bottleneck has fundamentally shifted. For a long time, the hard part was finding vulnerabilities and AI has largely solved that. It can surface thousands of issues across dozens of systems faster than any human team ever could. The hard part now is what happens after discovery, and whether organizations can act on those vulnerabilities before someone else does.
That changes the conversation for platform firms considerably. If your remediation pipeline can’t keep pace with what your scans are surfacing, running more scans isn’t the answer, it’s just a faster way to grow your backlog. Speed is a real competitive differentiator here. Firms need to be genuinely disciplined about active maintenance, continuous patching cycles, and ongoing security education. Not as aspirational goals, but as operational realities.
A significant portion of the work is also architectural. This is where I think the industry undersells a practical truth: platforms built on open, well-vetted foundations are better positioned, not for ideological reasons, but because the math just works out differently. When source code is transparent and security communities can inspect it, the collective capacity to find and patch issues far exceeds what any single vendor can do behind closed doors. Community-driven scrutiny has always mattered. At the speed AI-assisted discovery now operates, it has become the only model that can realistically keep pace.
There’s one more piece that doesn’t get nearly enough attention: deployment friction. Vulnerabilities persist not because organizations don’t know about them, but because applying fixes in complex enterprise environments is disruptive, slow, and sometimes genuinely scary to schedule. Reducing that friction, making security updates something administrators can apply without major downtime, is as important as any detection capability. The firms that get this right are the ones treating patching as a continuous operational discipline, not a quarterly project someone has to build a business case for.
Quantum computing is predicted to be able to break encryption using Shor’s and Grover’s Algorithms, as well as the “Harvest Now, Decrypt Later” (HNDL) strategy. How should firms respond?
BC: The HNDL threat deserves serious attention right now, even though the quantum capability to exploit harvested data is still years away. That’s precisely the point. Adversaries don’t need to wait for quantum to mature. They’re collecting encrypted communications today and holding them until decryption becomes feasible. The decisions organizations make about data protection this year are directly shaping their security posture a decade from now. The window to act is open, but it won’t stay that way.
For platform firms, the honest response comes down to two things.
The first is designing for cryptographic agility rather than permanence. Hardcoding specific encryption standards into your architecture is increasingly a liability. Those standards will need to change, and the only real question is whether you’ve built a platform that can absorb that change gracefully or one that turns it into a crisis. As NIST finalizes post-quantum standards, organizations need to be able to adopt them without forcing a full infrastructure overhaul. That’s an architectural discipline you have to build in now, not retrofit later.
The second is taking a harder look at where your data actually lives and how it moves. HNDL depends on the ability to intercept and accumulate large volumes of encrypted data in transit. Organizations that maintain genuine control over their communication infrastructure—by knowing exactly where data is stored, how it moves, and who can access it—are structurally harder targets. Data sovereignty has often been framed as a compliance argument. In the context of quantum-era threats, it’s becoming a security one. That’s a conversation the industry has been slow to have, and firms that start having it now will be better positioned than those who wait for it to become urgent.
Recently, a CEO in Singapore authorized the transfer of US$36.3 million based on a voice spoof, and a commodity trader wired US$6.6 million based on an email. How do you prevent AI-assisted voice impersonation and email authentication gaps?
BC: Both cases exploited the same fundamental gap: organizations had no reliable process for verifying the legitimacy of high-stakes communications before acting on them. No system was breached. A transposed domain character and a convincing voice were enough.
That distinction matters. Most of the conversation around Business Email Compromise (BEC) focuses on detection: better filters, better spam scoring, better threat intelligence. Those things have value, but they do not directly address the problem. By the time a fraudulent instruction reaches a decision-maker and gets acted on, no filter stopped it. This means the failure happened earlier, in how the communication environment was configured and how verification was embedded into the workflow.
On email, the transposed-domain case is a textbook example of what happens when DMARC, DKIM, and SPF are either misconfigured or not enforced at the receiving end. These authentication protocols exist precisely to flag when a sending domain is not what it claims to be. They are not new, they are not expensive to implement, and yet they remain inconsistently deployed across organizations in this region, particularly in financial services and government procurement chains where the stakes are highest.
The fix for voice impersonation is procedural, not technological. High-value transfers need out-of-band verification through a pre-established, separate channel. AI-assisted voice cloning has broken one of the most instinctive trust signals we rely on, and no detection tool will fully close that gap. That is why it is important to rebuild the human process around high-stakes decisions. Urgency should never be grounds for skipping verification. If anything, feeling pressured to act fast is a signal to slow down. Organisations need to address this as a culture problem, as this is what attackers usually count on.
The pattern in the Singapore cases matches what we’re also seeing globally. Attackers are not looking for technical vulnerabilities. They are looking for trust assumptions that organizations have never examined. Closing those gaps requires treating communication infrastructure as a security question at the leadership level, not something delegated entirely to IT.