Root Causes 487: Security 2030

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

April 17, 2025

Jason and I take a peek forward at what we imagine IT security looks like in 2030. Topics include PQC, ZTNA, "green zones," deep fakes, IoT, connected cars, agentic AI, blockchain, and CLM.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanSo Jason, let's talk about Security 2030.

Jason SorokoTim, in Season 2 of the Toronto series, we talked about, of course, the predictions for 2025. That was a big episode. I almost think that could have been four or five episodes, in reality. I want to do another chunky one. It's not a predictions episode. It's more of a, let's paint the picture of security and the cybersecurity world in 2030.

Tim CallanSo one obvious thing in 2030, of course, is that is NIST’s deprecation date, but I think you got more than that.

Jason SorokoThere's way more than that. But that’s the big elephant in the room for 2030. So, wow. We are going to be living in a world in 2030 where there, and we've said this before, but I'm gonna put it right at the top of this episode, operational, but insecure.

You’re going to have a ton of systems that are still running on legacy cryptographic algorithms that have been deprecated. It's going to take many more years than 2030, after 2030, to refactor those out.

Tim CallanYes. If I can jump in with a little bit of color on that, I think on the one hand, it's smart of us to look that in the eye and acknowledge that and say that that's part of the world we're living in. I worry a little bit as you and I start saying that to people that we are forgiving them for not being expedient in their migration. I want to differentiate those two. I think it's important to recognize that there are realities, that are realities. We have plans to deal with them, but don't turn this into an excuse not to do what you need to do.

Jason SorokoThis is not to let anybody off the hook. In fact, it's to make you aware that you're already on the hook. I think the problem we face in 2025 - so close to 2030 - is that there is simply not enough awareness.

In fact, I was speaking to some analysts recently who speak to a lot more people than I do. That's the nature of their job, and they are getting dismayed with how little post quantum era awareness, how little there is. Just how little awareness there is of this gigantic elephant in the room. It's not even just that, I've heard that, but it's a boogey man. It's just, what's that? PQ what? Like they’ve never heard that. We are drastically behind.

Tim CallanNot only are we drastically behind in terms of that, but I feel like you could be the most plugged in, the most PQC plugged in enterprise in the world, and you still can't do it because there's a great deal of technology support that you need that is simply not available. I can't even turn around and blame that on the technology providers, because they don't have consistent, reliable standards, and we just got the FIPS standards within the last six months. We don't have anything downstream of those. If I want to create a hardware product, a PQC compliant hardware product, I can't write a spec.

Jason SorokoCorrect. Hey, we just had Sophia Celi on talking about how there's a number of programs that haven't even started yet. One of my comments to her was, all right, well, some of these things that are happening right now really need to light a fire under certain people's butts. It's not like there's nothing to do, but this is something that has to get done, and until IETF gets through its whole process, and we make really big decisions about how we're all going to have to solve the large signature problem and other problems that are the blockers of implementing PQC quickly, that work has to get done real quick. You in the CA/Browser Forum have to get going after that soon. Then the product team that I work with on a daily basis, those folks have to start to go off and productize these things in a major way. All this is going to take time, and that isn't even, we're not even then at the point where it's like, okay, now, we got to start implementing these things. We just had a great episode we've recorded where you and I talked about how much hard learning we're going to have to do.

All the things that are going to break in the meantime. We're living in a world right now where breakages and that kind of thing is just unacceptable. It's gonna have to become acceptable, otherwise you won't just have a breakage in 2030, you're gonna have operational but insecure systems, and that's unacceptable. It's just the pace at which things are going, I just feel that it's gonna end up being an inevitable. This is something that Bruno Couillard had pointed out on one of our previous podcasts.

No, that's the elephant the room. We had to address it in terms of 2030. So I'm gonna address my notes here.

Couple terms that I was just, I loved it when you said it. It's one of these things where I want to re bring up some terms that were coined. Crypto agile native.

Tim CallanA crypto agile native. Somebody who starts their career and ideally even starts their technical education in an era where we no longer have the assumption that we're going to have a single ossified set of cryptography that we're going to use for decades at a time, rather that there is an assumption that our cryptography is ever evolving, sometimes swiftly and frequently unpredictably, and that is just the new normal.

Jason SorokoAbsolutely. We, I think you've said it a number of times now, there are people who've lived their entire career with one set of cryptographic algorithms, and never even had to think about it. While PKI became utterly ubiquitous. It's so funny when we tell people now, especially in terms of PQC, you got to go off and take inventory of your cryptographic assets.

A lot of people are like, oh, I can pretty much rhyme that off top my head. They name up, like, two or three things, and they're like, well, what about this? What about this? What about this? That's when the light bulb goes off and goes, oh, my God, this is going to take like a long time. It could take a year for me to figure out all of my cryptographic assets. That's the reality of it. Therefore, you're going to end up by 2030 I think, with a cohort, hopefully, that is the opposite. These are people who 2030 and beyond will be living in a world where swapping out cryptographic assets, swapping out cryptographic algorithms in those assets, is it's more of a normal thing. People are used to it, and that's going to be interesting by 2030.

There's another term that I think was used, and that's AI native. Because all of us came up in a oh my God, there's AI. It surprised all of us, and it changed the way all of us worked. I think that very soon, you're gonna have people who, just like, there's children who never didn't have an iPad in their hands. There's gonna be people who never worked without AI. I think in 2030 it's gonna change the room.

Tim CallanI think you're right. I think this is so early I feel like none of us understands what the post AI shaped world is going to look like. I keep going back to the internet as an example of this, like in 1995 when we got this thing called the World Wide Web, a bunch of folks said, oh, this is great. I can buy a sweater online instead of having to drive to the store. But just think about how just transformational everything we do in every aspect of our lives is as a consequence of the World Wide Web. Nobody knew what that was gonna look like in ‘95 and the same thing's gonna happen in AI. But just as today, we have plenty of internet natives, people out in the working world who can't remember a time when the Internet wasn't part of what they did.

Jason SorokoI remember Bill Gates saying that the internet was a fad. He was wrong.

Tim CallanYes. He missed on that one.

Jason SorokoAnd contrast to that, yes, you're totally right. There are a lot of people I work with, younger people than me, who never had a moment in their lives without an IP address.

Tim CallanJust as you and I grew up taking TV for granted. There was a generation before us that didn't have TVs. What is that going to mean? I don't even know how to predict that, but I think you're right, by 2030 it's going to be seismic.

Jason SorokoI would say, right now - and by the way, I do want to have another episode recorded a little later this afternoon on this topic, Tim, which is the speed at which AI is moving is probably even faster than we predicted. I want to talk about what the current state of the art is. That's what the episode is going to be. But where I'll leave it here is right now the state of the art, you need to be fairly technical to truly get the most out of AI. Because I think there's still a lot of people who think it's just like this toy, AI is a bit of a toy.

Tim CallanGetting it to propose an outline for me, or write a paragraph that I'm struggling with. How to string the words together. We all can do that. That is a very small surface level part of the power.

Jason SorokoI would say that for a little while, while AI was still very, very basic, you and I talked about prompts. We talked about prompt injections. We talked about prompts were the way that you could make AI sing and dance. I would say that things have gone way past prompt engineering and actually have gotten into you have to understand the full stack of technology underlying AI right now. Once you do that, you can actually make it do the things that it promises. The problem is that most people aren't going to go that far.

Tim CallanNow you're touching on an interesting point, which is the AI prompt. I don't know if this analogy is going to hold up, but I'll try it, and then people can scream at their monitors. The AI prompt is a little like the command line, and I think we're going to see more of the AI isn't visible to you. The AI is just making the tool you're using better.

Jason SorokoApple is taking us in that direction.

Tim CallanAnd as such, it's not really about prompt engineering for a user. That becomes a software design and software development task that then manifests itself for the user in the form of either better capabilities or better results. But it's not the user moving the levers on the AI directly.

Jason SorokoYou got it, Tim. So last word on this is, of course, and we talked about this in the predictions episode, I think by 2030 AI is also not just writing a proposal for you, it is truly agentic AI, and it is doing work. I think that a whole lot of back office workers who move forms around, might realize enterprises are going to realize those whole departments can probably benefit greatly from agentic AI.

Tim CallanWhich as you and I have discussed this from kind of the automation of IT perspective, is not about removing the people, it's about having the people do the important work that only people can do. It's removing tasks and portions that can be equally well or better performed by the machine, the genetic AI in this case, and that frees the people up for a different set of work.

Jason SorokoWe're gonna have a productivity explosion. In that sense. Because, I mean, we're still in the pre-television age of back office. Once television comes, things are going to change big time. I think in 2030 we're there. I think in 2030 our offices are going to look different in terms of the way that people are operating. It's not less people, it's people doing very different tasks. I think that a lot of what we did in the predictions episode around what's Black Hat going to look like in 2030 and I think Black Hat 2030 is all about, okay, here's how to completely hose and hack an agentic system. It's going to have to go through this era of hardening.

So let's talk about hardening. This is the next theme. Tim, what do you think? Here's the question now. What do you think about Zero Trust in 2030? Do we finally, finally, by 2030 get out of the perimeter defense mindset?

Tim CallanSo I think that's a very interesting question. I think that the answer to that is complex and nuanced. I think it's hard to completely escape from a true perimeter mindset. First of all, because why wouldn't you try to establish a perimeter, as long as you're doing defense in depth anyway. So if we've talked in the past of, don't think about it as a country. Think about it as a group of islands. Think about it as an archipelago. How do you defend the archipelago? Well, you got to defend each island, and you got to have a navy. But if you can put a wall around your archipelago, wouldn't you do that too? So to some degree, I'm not sure that the perimeter mindset doesn't have a place as long as it's used correctly.

The second thing is, I also start to imagine us falling into a world where we're still dealing with perimeters, but they're smaller perimeters. So you might say, look, I can't put a wall around the archipelago, but I sure as hell can put a wall around my yard, and I intend to. So you could start to see, I think, the bubbles get smaller, and the bubbles might still have great value there.

Jason SorokoMicro segmentation is a principle of Zero Trust.

Tim CallanAbsolutely. Think about it in terms of like, there's this common misconception in the security world of that it's an all or nothing game. If my defenses can be penetrated in any way at all, then they're valueless. No. If I have a defense that can knock out a whole bunch of attacks, shouldn't I knock out a whole bunch of attacks? If I have an event that's going to thwart 98% of attackers, I should put that in place, and I've mitigated the risk from those guys. All I've got to deal with is the 2% who get through and so, and I don't think that's exactly what you meant. What you meant was the Green Zone mindset. I've got a perimeter, and inside the perimeter there's a Green Zone. Green Zones. There are no Green Zones. Green Zones are dead. Forget about it. There are no Green Zones. That said, I still think perimeters continue to have a valuable role in your overall technology stack and your defense in depth strategy. So that's my long, meandering answer to your question.

Jason SorokoPerfect. I completely agree. There's words that I've said more times than I care to admit. You don't build a car without doors. You don't run an enterprise network without firewalls?

Tim CallanYes. Like, seriously, if you say, hey, well, perimeters are dead. Okay. Well, then I guess we'll all stop buying firewalls. Why don't you sell your stock in Palo Alto Networks?

Jason SorokoIt doesn't make any sense.

Tim CallanNobody is selling his stock in Palo Alto Networks. So we know we're still gonna do that.

Jason Soroko100%. But what needs to go away - and you nailed it perfectly - this idea of Green Zone. You should consider every network to be a hostile network.

You and I, on Season Two, talk about even your cellular data networks now, we're considered a type of Green Zone. They're not and neither is your internal network.

Tim CallanThe good news, Jay, is, and I won't say it's comprehensive and complete, but the vast majority of the work we have to do here from a technology and productization perspective, is actually in place. You got PKI. You got digital identities. You got VPNs. You got as many firewalls as you want. You have micro segmentation. You have principle of least privileges. All this stuff is there. It exists.

Jason SorokoI'm gonna fire you up in a few minutes when we record another podcast this afternoon. In Season Three of the Toronto sessions, I'm gonna fire you up, and we're gonna talk about security training. I'm gonna fire you right up. I think I just want to touch on it here. It's like part of the reason for security training is we have extremely poor locks on our doors right now. That's the reason for a lot of this training that is failing miserably. I'm hoping by 2030 there's less. I'm not super hopeful. I'm definitely not going to put a big gambling chip on that one, on that guess or that prediction, but the world has to change.

Tim CallanI think I'm gonna agree with you with a little spin on it. I think that if the contention is that we are going that direction hard by 2030, I agree. If the contention is that all the work is done, I don't agree.

Jason SorokoWell, we recorded a podcast earlier about multi good factor authentication. Getting that word out is part of the change. Because anything that passwords are underlying, and there's gonna be legacy systems past 2030 and therefore we're going to need good forms of MFA. The problem is we're not there yet. We're partially there productized, but we're not there yet in terms of people's mindsets. People are still thinking about this obsolete something you are baloney model. People have to start thinking about the difference between the various factors? But anyway, 2030, look, if we're not well underway or there, we're in trouble. That's a picture for you.

Tim CallanI agree with that.

Jason SorokoTim, 2030 deep fakes.

Tim CallanHow about 2026? I mean, I still contend that in the absence of any source to presentation, full chain of digital custody, provenance system being in place which we 100% do not have today, then you will be, by 2030 you will just need to discount the veracity of anything you see or hear, not with your own eyeballs, unless it is proven to be real, accurate and undoctored.

Jason SorokoIf you've been paying attention to our podcast, Tim and I, once in a while, have these pronouncement podcasts, and that was one of our pronouncements where we said, don't trust anything you see.

Tim CallanDigital evidence is dead.

Jason SorokoDead. I think 2030 it's just even that much more so.

Tim CallanI think it's dead today, but I think that probably the average computer using citizen has no idea that it's dead. I think by 2030 except for some people who are late to the party, we're all going to understand that it's dead.

Jason SorokoYes. That will be a turning point, but we'll be there 2030, I think.

Tim CallanWhich is going to present a lot of problems, because no one's even thinking about how to solve.

Jason SorokoBecause right now, we make so many assumptions, about what we trust and what we don't trust. That’s quicksand right now.

Tim CallanWalk into a court of law and say here’s a picture. There he is. Holding up the liquor store.

Jason SorokoImagine a future where judges, juries will look at a pic - - right now, that's the most. That's cliché. Here's a picture of the proof. Here's a video evidence. You don't believe anything anymore. You cannot.

Tim, next one. 2030, the critical, critical under investment that we have seen in IoT security means 2030 - -

Tim CallanWhat security?

Jason Soroko2030 - what security for IoT? We're talking not just IoT like a smart toaster. We're talking about automobiles which already are under siege, for being stolen left and right, even though the technology to protect them exists. The problem isn't the technology doesn't exist. The problem is critical under investment, Tim.

Tim CallanI also think in a lot of this, you have a supply chain problem. So when I'm making my IoT devices, how is it different from a PC, let's say, or a server? It's different in a few ways. One is you're frequently restricted by available memory. You're frequently restricted by available processor power. You're frequently restricted, very frequently restricted in that you can't do updates. At all. You're frequently restricted in that you have component parts that have to be able to be sourced in mass quickly from generic pools of components and all of those things and then another big driver is time to market, and then a huge driver is cost. So all of those fight against building more security than you absolutely must have into your IoT device.

So yes. If it is a remote heart surgery device, and people are literally going to die, and it's a big, giant box that costs a half a million dollars, then hell's we're going to put that in there. But for almost everything else, the answer turns out to be no. Including automobiles, which careen down the street at freeway speeds.

Jason SorokoIt takes years. People don't realize. Supply chain, design time. Like the cars that are going to come out, 2030 are already being designed right now.

Tim CallanHopefully, they're building that in now, but this is the earliest era in human history that they may have been.

Jason SorokoThe one thing that I'm gonna call right now is we're in trouble because the bad guys are gonna get better and better and better and there's no defenses.

Tim CallanWhat happens when somebody ransomwares every Toyota on the street. What happens when a nation state actor decides to shut down 15% of the automobiles in a metro area.

Jason SorokoSome of the smartest white hats in the automotive hacking space, who you are out there, Charlie Miller, etc. I was in the room when these guys were presenting on their findings, and they made it fairly clear, some of these attacks were sophisticated. There was absolutely no question about it. But once the attack was accomplished, the problem the white hat had was in mitigating the damage, because hacking one vehicle was hard. Hacking entire fleets was easy.

Tim CallanWas easy. Then, but then the one vehicle scenario. This actually is maybe scarier. I want to kill one individual. Well, if I watch you get in your car and I write down your license plate number, I may very well be able to figure out exactly which unit you are, and if I can go take over only that unit and drive you off the Golden Gate Bridge. Guess what? I just accomplished my goal.

Jason SorokoI tell you, there's a lot of these things that are cyber fraud. Then there's physical risk, which is what you've just talked about. But I think risks to privacy are something we haven't even talked about. They're colossal risks as of right now, and all three of those domains, we're going to reap the negative dividends of our mis-investment right now. It's going to be rough and 2030.

Tim CallanI agree with you. There is an IoT security reckoning coming. We've seen IoT security related incidents. I don't think we've had the big, giant, holy Mama Jama incident. I think it's coming.

Jason Soroko2025 predictions episode, I did talk about, we talked about it together, I think 2025 might be one of the Mama Jamba situations for critical infrastructure.

Tim CallanThen critical infrastructure, that's, that's just, like to say there's risk points is not describing it correctly. It's one big, giant wall of risk with tiny little points of not risk. I mean, that's just all risk.

Jason SorokoTim, there's two more to go. The last one I'm gonna have you do. Second to last, I'm gonna play it off here. Blockchain. 2030. Right now, the killer app for blockchain is cryptocurrency. We talked in the predictions episode and some other episodes we did in Season Two, talking about how the second killer app of blockchain is gonna be AI. In other words, AI is going to do tracking of itself with blockchain. In other words, here's another way of thinking about this. Agentic. Everybody. When people think AI, they think large language models. I'm talking about agentic AI that is now running your back office.

Tim CallanWhich is the more interesting and more powerful flavor.

Jason SorokoIt's the next phase of AI. It’s here. It's not, oh, it's coming. It's here now. I think a lot of how people are going to watch how a system works and have the system be honest with itself and be accountable, because back offices have to be very accountable. Well, what's a very good way of being accountable? Using a ledger. Therefore it's not just logging. There's a transactional nature to this. Think about this. The very next stage after agentic AI, if you look at the Sam Altman Open AI list is fully autonomous business AI. In other words, an AI acting as a business. Well, how do we do business? Well, we all have CFOs and finance departments.

Tim CallanSo I am reminded of some of an episode we recorded in Toronto session Season Two, where you explained this fascinating research about AIs that would lie and cheat, and these are real AIs that exists today. If you go to it and you'd say, are you cheating, it would say, no, no, I'm not cheating. While it's cheating. When you start to combine this with more capability, and you start to talk about agentic AI, and you start to talk about fully autonomous AI… that's scary.

Jason SorokoWhich is why, when I bring up the idea of keeping AI accountable, people are like AI accountability? Yes, AI accountability, Tim.

Tim CallanSo I can see where you say an indelible public record can go a long way. To bring it back to the cert world. It's kind of like certificate transparency.

Jason SorokoIt's identically the same idea.

Tim CallanYou've got that out there where these things can be viewed and observed in various ways. If an AI starts creeping outside of its normal parameters, that could be detected in real time and some kind of adjustment could be injected in to solve the problem.

Jason SorokoYour AI back office is going to be doing deals with other AI back offices. Partner networks of AI. How are we going to sort out what we did? Blockchain? Blockchains second killer app will be AI. I think by 2030 - we're there. All right. Final one, Tim, and I'm gonna let you run with this one. I'm just simply gonna ask a question. Certificate Lifecycle Management 2030.

Tim CallanCertificate Lifecycle Management 2030 is a must have. It is just like if you're not doing it, if you're doing a little homeschool project, and you're just buying certs for your thing that you're putting together for the science fair, that's different. But short of that, like every reasonable production system business and use case in the world will be using it or will be failing. Now, why is it going to be failing? A few things. Number one, because certificate lifespans are going to continue to get shorter. Number two, because certificate agility, or, sorry, crypto agility, which we kind of talk about now in an abstract and nice to have, is going to increasingly become indispensable. We're moving into an era where we understand that our crypto might be toppled at any time. Michele Mosca was talking about, even in the absence of a quantum computer, knocking out with good old fashioned, 10 gated systems, knocking out popular cryptographic systems.

Jason SorokoRSA can be deprecated tomorrow morning.

Tim CallanRSA could be deprecated tomorrow. So that's kind of the risk side. The downside side, or the impact side, everything is digital. Like if we search around through the dresser drawers and we managed to find a pair of socks in the corner, we immediately digitize them right. Everything is digital and everything is connected. So seven years ago, here's what an outage looks like. Something goes down and it's not working, and we can't do the following thing. We go and we look and we figure out why it's there, and we fix it. Today, what an outage looks like is something goes down and it's not working. We go and we look at it, and it turns out that the thing upstream isn't working. We go look at that, and it turns out because the thing upstream isn't working, and by the way, they're also spreading, because as it goes down, it's not just knocking down one stream, it's knocking down the adjacent and the adjacent. So you got these spreading, cascading failures. So the stakes are higher. It's no longer knock out one corner of the tent. You take down the whole freaking tent. So what's going to happen is it's going to become untenable from a business perspective, not to have managed automated systems in place. Now, I think those systems have to be more evolved than they are today.

So what we have today is we have good solutions for a large enterprise within a traditional CIO, centralized ITT model, but no help for the 15 person company. No help for the large holding company model. So what we need is we need to see these solutions evolve. They need to become easier. They need to go down market. They need to expand their capabilities. They need to become more interactive. So the technology providers of CLM and by the way, that includes us, so we'll hold ourselves responsible, have a lot of work we have to do before we are ready to serve the hundreds of thousands of global businesses that are going to need this by 2030.

Jason SorokoTim, give me Vegas odds on mandatory 10 day certificates or less 2030.

Tim CallanPublic certificates. Public. Let’s clarify.

Jason SorokoPublicly trusted certificates.

Tim CallanPrivate. I think by 2030 your private CA is still gonna be your own business. There's gonna be all kinds of dumb ideas. But if you want to be dumb, no one's gonna stop you.

Jason SorokoThere’s also good ideas.

Tim CallanBut if you want to be dumb, no one's gonna stop you. So mandatory 10 day public certificates by 2030 Vegas odds. I think 2030 I'm going to put the Vegas odds pretty low. I'm going to say 10%. Bump it up to 2035 and I'm going to say north of 50%.

Jason SorokoThere you go. Prepare. Because you can't be living in a world without CLM at that point. You can't with 47 either.

Tim CallanI accept that there are a lot of businesses where the existing set of CLM solutions today are suboptimal, but I think that's kind of a straightforward technology development task. It's not a question about can we. It's a question about, let's figure out what we need and figure out how to get there and prioritize it against other things and get it done. Which are two different levels of undefined. The one we're at is the easier of the two.

Jason SorokoIn terms of all of history that I've been a part of, there were some periods of time where there wasn't a lot of change and you could put your feet up on your desk and maintain a system. I think that the amount of relaxation is going to be so minimal in the next five years because there's so many areas to deal with.

Tim CallanI also think if we wind it back to your agentic AI conversation, that agentic AI and fully autonomous AI can be massive assets in this.

Jason SorokoIt’s the only way you survive. There it is. There's the big answer, Tim. The only way to survive to 2030 is to massively expand your productivity through agentic AI and understanding some of these trends we just said.

Tim CallanEeven AI assisted. So I can imagine, like this whole task of saying, I'm going to identify and automate and make sense of all of my digital systems with their incredible, heterogeneous, Byzantine, undocumented nature that might have roll out periods that literally span a period of 50 years. That like, what a great opportunity for an AI assisted project where the AI helps you find, categorize, make sense of and then act on what you found based on the conclusions you make.

Jason SorokoIf you don't do it that way - cognitive overload. It's too big for anybody's brain.

Tim CallanToo big. 100%. Just too complicated.

Jason SorokoIt's perfect for a machine.

Tim CallanSo, I can see that as a very important, very valuable use case.

Jason SorokoSo there it is. Automation in just about every corner. That's how you get through this.

Tim CallanAnd that's just the way. I mean, who said that? Oh, that was the Mandalorian. This is the way. This is the way. Like, like, like, we have to embrace automation. Don't do it stupid. Done correctly. We have to embrace automation. This is the way.

Jason SorokoThat's why I landed on CLM, Tim, because it can't be a little niche option anymore. I think you brought up a good point, which is the suboptimal offerings for the smaller guys will have to be solved.

Tim CallanFor specific niches and use cases and stuff. I can absolutely understand where you might be, if you're in government, you might say the existing solutions aren't really right for me. Or, if in various other, like there's probably plenty of them, and what will happen is we'll get them all. A good example, I think, of where we've seen this happen is in the world of digital transformation.

So if you look at digital transformation products, products like, let's say, document signing products. There's a document signing product we all know about. It's called Docusign. But there are dozens of players in the field, and what many of them have done is they've burrowed deep on a specific set of users who, for whatever reason, the general solution doesn't work, and they've built things that work for that specific set of users, and they're making a business solving what is a fairly small slice of an absolutely enormous pie. I can see something that looks like that occurring.

Jason SorokoI think that agentic AI has a piece in that as well. One of the things that we've heard, if you guys haven't heard it, look it up, niche SaaS products, of which there are, beaucoup, are probably on the list of replacement, because agentic AI will be the place to do the back office, rather than having to log into another platform. The platform will be your agentic AI platform, and it will accomplish the tasks that normally somebody would log into a niche SaaS system.

Tim CallanSo you might have an agentic AI and a CLM, and you might never interact with the CLM. That might be all API driven. You interact with the agentic AI, the agentic AI uses the API to do certificate management. That's very sensible.

Jason SorokoSo, in other words, all a CLM is - like just about any other SaaS system - is a database with some policy engines. Therefore, do you actually need the full SaaS system? The stack of a SaaS system might become obsolete, and 2030 might be the time frame.

Tim CallanAgain, probably what happens there is that, in reality, it turns out it's a complex world with lots of use cases. Some of them, yes, some of them no.

Jason Soroko100% but I would say that your standard, bog standard back office is in for a major transformation.

Tim CallanUnrecognizable. I agree.

Tim CallanThere you go. Just a little, not much, just a few small things coming.

Jason SorokoIt's gonna be a busy time.

Tim CallanIt's gonna be a busy time and and maybe we can, I think maybe let's just take one more.

I think once again, you and I have had a lot of conversations in the last year about hey guys, I think this is the new normal. We've talked about a variety of things, we’ve talked about AI and crypto agility and automation and things like that. I think maybe the one up level new normal is, you say busy times, I think that is actually the new baseline.

Jason SorokoThis acceleration is, and it's on a - -

Tim CallanIt’s on that upswing of that elliptical curve.

Jason SorokoBut anyway – 2030. Interesting. I think conceptualizing 2030, the reason we choose that date is not, of course the NIST, RSA, ECC deprecation, which will have to change so many things and to think it is now less than five years away.

Tim CallanWell, I actually think they picked, I think was it, I'm gonna say it was April 23 like there was this weird kind of just arbitrary date, so it's not quite less than five years. It's almost exactly five years away.

Jason SorokoI'll tell you what, though, by the time you're actually finished planning your plan, it will be less than five years.

Tim CallanOh, for sure. 100%. And you're gonna need all of it.

Jason SorokoYou're gonna need every minute of it.

Tim CallanAll right. So, that's it. New normal. Everything's gonna go super fast. But the good news is you have a better set of tools to help you deal with it. Extra special, including AI, and let's embrace this and lean in, rather than resist it and suffer consequences of not using what's available to us.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!