Podcast
Root Causes 520: How Prepared Are IT Teams for 47-day Certificates?
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
August 20, 2025
Sectigo has released the results of its 2025 State of Crypto Agility report which surveyed IT professionals in charge of certificates to measure their readiness and preparation for 47-day SSL/TLS maximum certificate term. We go over the results.
Podcast Transcript
Tim CallanSo, Jason, Sectigo recently made an announcement, which is the results of a fairly sizable research project that we did. And what we did was we commissioned a survey through Omdia research, who is an analyst firm, to look at enterprises and their understanding and their attitudes and their plans toward a couple very important upcoming changes to the certificate landscape. And we are, of course, talking about the reduction of term for TLS certificates down to eventually to 47 days. And we're also talking about the migration to PQC. So both of these topics were surveyed with a pretty good end value, 272 participants, from US and Europe and RW or North America, Europe and RW, from enterprises of 1000 employees and up. And these are IT decision makers.
Jason SorokoGreat. It's 1000 employees and up. These are not small companies. These are legit companies. This is good. These are people who definitely need to be aware of these things. I'm going to take a guess, Tim. I mean, I have taken a peek at some of this. However, I will tell you honestly what my response would have been and I'm so glad that this survey exists because you and I can sit in Ivory Tower and we're amazing at that. But I would have guessed 47 days has come a long way. Shortening civic lifespans has come a long way in terms of awareness overall. Post-quantum is still nascent in understanding. But anyway, let's get into it.Tim CallanI think we'll see what that says. I'll offer another thing is, whatever it turns out to be in terms of post-quantum, imagine what it would have looked like a year earlier. But, but we'll return to that. You and I talked about chunking this up, Jason, was it's a big survey. There's a lot to discuss. So what we're going to do in this episode is we are really going to focus on the results around the march to 47 days.
And that will be what we cover here. And then we'll ask our listeners to join us again in a future episode where we'll discuss the results for PQC. Does that sound good?
Jason SorokoThat's fantastic.Tim CallanAll right. So with it, let's dive in. Question one. And I think what I want to do here, Jason, is read the question in its entirety, verbatim, and then give the results with the percentages just straight through. And then let's talk about it and the significance of it, and then let's move on to the next question. Does that work?
Jason SorokoLet’s do it. Perfect.Tim CallanSo first one. Question one - Which best describes your organization's understanding and tracking of public SSL/TLS certificates currently in use. And there are four results that got any at all. There were more than four possibilities. There are four that got results. They are - number one - We have a complete, up to date inventory of all public SSL/ TLS certificates. That is what I'd call the highest results. That is a 28%. Little over one quarter.Next. We have a partial inventory, but some certificates may be unknown. That is 33%. Almost exactly a third.
Next. We are not sure how many certificates we have or where they're used. That is 13%.
And then lastly, we rely on manual tracking or informal methods - 26%.
So I got a few but react, Jason, react.
Jason SorokoAt the very highest, we got a complete handle on everything. That was around 20-something percent.Tim Callan28%.Jason SorokoI don't believe that number. I don't believe that number.Tim CallanI don’t either. I was gonna say this but let’s hit it now, because you opened the door. I think this is very clearly accurate in terms of indicating what they believe is the case. I think it would be interesting if we could somehow look into a crystal ball and get the real factual knowledge, because I bet you, we would find that there's a gap between people's perceived level of understanding and their actual level of understanding. And the reason I think this is because I've just talked to a lot of companies, as have you, and one of the stories that is universal is the discovery of additional certificates that we did not think were in deployment.Jason SorokoAnd Tim, as soon as you start talking about certificates that are beyond like, that is true just for publicly trusted certificates. As soon as you enter any other realm, it starts to - -Tim CallanIt gets worse.Jason SorokoAnd I'll tell you something. Here's what's very interesting. The larger the company I've spoken to, the more that they're aware of what they don't know, to some degree. And so I find that - -Tim CallanIt’s almost like a Dunning-Kruger effect. If you have a designated team that's a designated PKI team, and it's what they do all day, every day, they know perfectly well that there's stuff going on that they don't see. If you get somebody who's doing this kind of as a sideline, and they have a bigger IT job, and it's got less of their attention, they can fall into the trap of believing that they know everything that's happening, because they don't have either the expertise or just the time in or the information to realize that they don't.Jason SorokoPrecisely. Which is why, Tim, I'm going to flip this on its head. That very last number you quoted saying, look, we're completely manual.Tim Callan26%. Yes.Jason SorokoI believe that number, but I believe everybody who answered that question that way, I think that number probably is a little higher, but I will believe everybody who answered that way. That's a very honest answer.Tim CallanAnd then in the middle, we've got, we're not sure how many certificates we have or where they're used, and we have a partial inventory, but some certificates may be unknown, I mean, this is all a matter of degrees. This all sits on a spectrum. But if you lump those two together, you're at almost half of your 46%. And that strikes me as probably the norm for most organizations, which is, look, we're partially implemented. We're not complete cavemen. We are doing what we can, but it's a hard and tractable problem, and no, it is certainly not universally solved.
Jason SorokoFascinating. It's great to see the actual response.Tim CallanLet's move on. That was only question one. We got a lot to cover. Let's move on to question two. “How confident are you that your organization is tracking all certificates, even rogue certificates.” Ready for this one?Jason SorokoLet's hear it.Tim CallanSo extremely confident - 13%. Very confident - 17%.
Moderately confident - 37%.
Slightly confident - 33%.
And not at all confident - 0%.
So what do you think of that?
Jason SorokoI think that this one sounds a little more honest in the sense that the we've got it all covered, was only 13%.Tim CallanThere's some recognition. There's some recognition that they're not unknown. I think the 0% not at all confident, is kind of reflective of what we discussed on the last one, which is that's probably unfairly low. And I think maybe we got a little bit of that same I don't know what I don't know going on here as well. But even if we took these at face value, it would show that there's a lot of recognition out there that this is a potential problem area, and I'm encouraged by that. I'm glad there's a lot of that recognition. I'm less worried about a global enterprise IT community that knows that this is a problem that needs solving than about a global enterprise IT community that thinks this is a problem that's solved.
Jason SorokoPerfect answer. I think humility is what's important here, and I think that's mostly what we've seen in that answer.Tim CallanQuestion three. So I'm gonna do something. Let me read it. Question three. New industry guidelines will reduce the maximum validity period of public SSL/TLS certificates to just 47 days by 2029. Were you previously aware of this change? Now we screened for IT decision makers in the certificate management space.So these are people in the certificate world. This isn't a survey of just random IT professionals or random enterprise employees. So let's understand that. I want to give you that color, and with that, I'm going to invite both you and the listeners to take a second and guess at what you think. It's a simple yes/no question. No other options. Yes or no. Take a guess at what percentage you think said that yes, they were aware of the ballot to reduce, or the guidelines to reduce maximum validity down to 47 days.
Jason SorokoThat profile you just defined to me, should be 100% but I would say is probably closer to a half to two thirds.Tim CallanYou'll be encouraged. It's 94%.Jason SorokoThere you go. There you go.Tim CallanWhich I think is great. You can't get 100% on anything. You can survey a million people and ask them if they have elbows, and someone's gonna say, no. You just can't get 100%. So 94% is very high. And in the surveying world that is kind of tantamount to 100%. That is extremely high. Again, I'm encouraged. I think part of what we've been worried about is the IT community being caught flat- footed on this, which is part of why we've been so vocal about this. And I've been traveling around to cities throughout North America. You have been to. Talking to enterprise, the people in charge of certificates of enterprises, just telling them hey, look, this is happening, and you have to have a plan. I'm very encouraged to see this number be this high, and it's good because it means it at least increases the likelihood that appropriate action is taken on time.
Jason SorokoGeez, that also makes me hopeful for the next episode where we talk about PQC. So that's good, Tim. Thank you.Tim CallanQuestion four. “How prepared is your organization to transition toward renewing all public TLS/SSL certificates on a monthly basis to satisfy this requirement? So how prepared are you to transition to monthly certificates? So here's the results. Very prepared. We already have automated systems in place to manage monthly renewals - 19%.
Somewhat prepared. We have plans or partial automation in progress to manage monthly renewals - 40%.
Not very prepared. We will rely mostly on manual processes to manage monthly renewals - 40%.
Not prepared. We have no current plan or process to manage monthly renewals - 1%.
So what do you think of that?
Jason Soroko40% say we're going to go manual.Tim Callan40% say we will mostly rely on manual processes.Jason SorokoHave fun, folks. Let me. Let me. I'm going to double click and profile that answer. That's an influential, probably a higher ranked Linux administrator who's saying I'm going to keep doing my job and I'm not going to automate my job away. And we've tried to speak to that profile to say it's wrong. Don't do that. Don't do that.
Tim CallanThat could be. I’d be interested in doing a cut of this based on role, because we got roles in the screener, and I didn't do that cut. I didn't think of that, Jason. And I can't do it now because we're recording, but maybe in a future episode, if there's something interesting there, I'll deep dive on it on our off time and if it turns out it's the same for everybody, but if it does turn out there's different, then let's come back in a future episode and examine that, because that's an interesting hypothesis.Jason SorokoBut I think more interestingly, even just to answer the direct response to the question here, I think that the 40-something percent that were planning - I think that was your number - that's good. I mean, I was really pleased by that. I think the 13% that say that they're good to go, hey, that's great. But that low number probably shows that most people just aren't there yet. And let's not forget the 30-day part of the question is on purpose, because a 47-day certificate probably should be renewed every 30 days with 17 days grace. So that's why the question was asked.
Tim CallanAbsolutely. So I think I agree with you that the 19% who say they're good to go, that's awesome. I will color that with the answers of a couple previous questions, and say that's excellent. But if you consider yourself in that fifth of people who are ready to go, what I'm going to encourage you to do - I think it's great that you've done that prep work - what I'm going to encourage you to do is put some serious energy into finding gaps. Because I will bet you there are gaps that have not been considered and that you might not be aware of, that are not good to go, and this is your opportunity to clear out those white spaces so that when that date arrives, you're actually truly good to go. But it's encouraging to see that more than half, 60%, nearly two thirds, 59%, seem to have put some effort into preparing for a fast cadence of regular renewal in an automated fashion.
Jason SorokoExactly, Tim. What I'd like to figure out, if I had the magic wand to wave, I think exactly what you're saying. I would like to know three things. I would like to know how much misunderstanding there is of people who answered, we're good to go. I would like to know, number two, how many people who answered, we're going to go manual, and we think we can survive that, number two, and who the profile of that is. And then I think overall number three, it is, there is, I think, because of the way things were screened, an overall bias towards a very high percentage of awareness and a very high awareness, therefore to say, now that you've mentioned it, I'm going to make a plan.
And so, there it is.
Tim CallanWell, I think one of the things you always do with these survey instruments is you have to realize that to some degree, the answers to questions can be aspirational. So it's just like when you survey people, you'll find that they always over report their height and their income.Jason SorokoSure.Tim CallanAnd it's because they want to be taller and they want to make more money.Jason SorokoSure. Of course.Tim CallanAnd so, you see a similar thing here, I think, with surveys like this. People will tend to overreport their preparedness a little bit, and you have to just kind of build that into how you interpret the results. It shouldn't be radically off, but it should be a little off, and that's because of what you said. They're reading this and they're thinking in their mind, got to do that and that colors their answer to this question.Jason SorokoExactly, but, I think you're right. I think I think all this is, I'm going to call it encouraging. I think that's what I'm seeing so far in the answers.Tim CallanI agree.Question five. “How concerned are you about the impact of 47 day certificate lifespans on your organization?”
Extremely concerned - 21%.
Very concerned - 31%.
Moderately concerned - 26%.
Slightly concerned - 17%.
And not at all concerned - 4%.
Jason SorokoThat's a lot of concern, Tim. Over half say, like plenty o concern.Tim CallanYes, exactly. So this is interesting, isn't it. This shows that, in general, there's a very large percentage of people who aren't really like – that don't feel ready. And when you compare that to earlier results, they're almost a mirror. Like, 52% saying extremely concerned or not very concerned, as opposed to slightly concerned and not all concerned, is 4% and 70%. Well, that's 21. 4% plus 17% is 21. We go back to the last question, the percent of people who said they were very prepared was 19%. So it's almost the same number. They're almost mirror images of each other.Jason SorokoIt’s interesting. I would love to see how those answers were grouped by people. That would be a very fascinating thing to look at. I think, Tim, this is very consistent anecdotally. I know you've been in front of a pile of people. The people I'm in front of when I mention 47 days, when I mentioned six days, like six day certs, or like when I just say the words, never mind I'm not foisting it on them. I just say the word. They wince, as if it's like, my god, I don't know what I would do with that. And you can see the concern right on the person's face. And so I think this answer is consistent with what you and I see anecdotally.Tim CallanI agree with that. We do you see that anecdotally? The other interesting thing that I've noticed in conversations, though, is there is this recognition that once you automate anyway, once you're automated, that monthly is not really worse than every six months. So I literally remember a recent conversation I had with someone from a global 2000 company, and he said, you know what? We're not gonna go to a six-month cadence on these things. We're gonna go straight to monthly, because everything that's automated is just gonna go straight to monthly. Because why not? And I say, good on you.
I mean, this concern, I think, connects a lot with those parts of the organization where either that automation isn't in place, the manual management is still going on, or where they don't feel that it's proven reliable, universally applied.
Jason SorokoTim, I’ll give you one more quip before we go to the next question, which is, those folks who said that they had all of their rogue certs figured out, they're going to find out in an awful hurry when we get to 47 day or less, at least a shortened certificate lifespan, they will have much less time to have grace with a rogue certificate that's for sure.Tim CallanAbsolutely. And let's hope, again, that the folks who are at the point where all their official certs are at least are already accounted for. You've got some energy to find the other certs. Like, good for you. Why don't you put your energy into that. And so that when that day does roll around, it actually isn't a problem. Now, the other thing I'll add on this, Jason, is the step down process, as it was originally designed by Apple, was designed to some degree to mitigate that problem, because you're going to go down to six months, and then you're going to go down to three months. So once we're on a three month cadence, a lot of these things are going to be blowing up anyway, and we'll be finding them and bringing them, corralling them, so that by the time we get to one month certs, hopefully, ideally, the majority of them have been discovered and dealt with.
All right. Next question, question six, which automation methods or platforms does your organization currently use for certificate management? This is a pick all. So pick many. Pick as many as you want. So we'll just see the relative popularity of these things.
So certificate lifecycle management - CLM platform - 67%.
ACME - automated certificate management environment - 58%.
Homegrown or custom built automation - 57%. That's a high number.
IT Service Management, IDSM platform - 45%. Which is actually a surprisingly high number to me.
SCEP - simple certificate enrollment protocol - 41%.
And EST - enrollment over secure transport - 33%.
Then there was another category. Nobody gave us anything in the other category, and then none of these 1%.
So 99% are using at least one of these solutions. And those are the percentage of the total who picked those things. So thoughts and observations?
Jason SorokoThis question absolutely helps to define the bias towards a cohort of population that actually knows what they're doing. So that's good, but I think, though, that this might not show what the world looks like for the majority and for everyone.Tim CallanWell, and also, they picked at least one of these. So only 67% are using CLM, which means a third of them aren't by their own reporting. Um, those third are going to have a hard time of it. 58% are using ACME, which means that almost half aren't, by their own reporting, using it at all. So that means no automatic deployment and installation. So, there are still like even by these reports, big gaps.Jason SorokoSo I think we're at the point right now where I can synthesize a little bit Tim, very low pickup on discovery as a whole, which means there are people using what they call a CLM, and don't have discovery. I tell you, my own little anecdotal survey of the world with regards to ACME, were 50/50, like, several years ago. You're, telling me that this answer is only slightly above that. And, CLM, without ACME, okay, yes, that does exist, but interesting.Tim CallanYou lose a lot of the benefit. Now, the other one I want to call out in particular is homegrown or custom built automation - 57%. Okay. So, you get to maintain that kids. So as there are changes like shortening of certificate lifespans, like PQC, part of this group of respondents is that they now have a roadmap item. They have an engineering task to ensure that they modify their custom automation solution to match the changing industry requirements. And that becomes another failure point. That's another risk point. Is that that doesn't get done or it doesn't get on time, or it doesn't get done correctly.Jason SorokoI know one particular fairly large customer who's quite risk averse, who has a mostly homegrown system, and the fragility of that system is starting to show itself. And in fact, with PQC, it's really showing itself. So, there have been some clever ways of doing things. And again, I think this comes down to sometimes even a fundamental misunderstanding of what constitutes actual CLM. And maybe Tim, one of these days, we're going to have to readdress our five-year-old episode on the pillars of CLM.Tim CallanI think that's a valid point, Jason, is what do you mean when you say CLM? And there's only so much you can do in a survey. You've got to kind of be comfortable with this sort of challenge. But yes, when you think CLM and Respondent number 176 thinks CLM, 176 if you’re listening, nothing against you. Love you. But are you guys thinking the same thing?Jason SorokoAnd the answer is just absolutely no way. There's very little uniform understanding of what these things are, and that's okay. I'm actually really glad, though, Tim, that the answer that came back, like more than half of you doing something homegrown, is just the understanding that what you're doing is homegrown is to me, an advancement compared to what I would have thought. Because some people like I think, I actually think that the question was asked about as well as it could have been asked, and that answer about the homegrown is the one that, to me, is most interesting.Tim CallanThat's interesting. I think I agree with you. All right, moving on.Moving on. Question seven, what percentage of your organization's SSL/ TLS certificates are automated for each of the following tasks? Now this is a mean. So let me explain how this works. Each individual respondent gives a number between 0% and 100% of what percentage of their certificates are automated, and then we take those numbers and we do a mean average of them. So doesn't exactly necessarily affect the mean average of the total certificates, because someone with a lot of certificates gets calculated the same as someone's fewer certificate, but again, best you can do in an instrument like this. So with that, let's look at what are these mean averages. Okay, so again, what percentage of your organization's SSL/TLS certificates are automated for each of the following tasks.
The first one, renewing certificates - 52.5%. I'll drop off the 52%.
Deploying certificates - 33%.
Performing domain control validation. We might want to return to why that matters here - 32%.
Provisioning certificates for new applications or services - 31%.
And revoking and otherwise managing certificates - 27%.
Jason SorokoRight off the top, you guys have homework to do if those are anywhere near accurate answers.Tim CallanEverything is low.Jason SorokoEverything is very low. And what I find interesting is such high answers in some questions. And then this one to me, brought it probably closer to reality even for a group of people who are highly aware of 47-day. People who were probably screened. It sounds like whoever screened for the survey, screened extremely well, and this might be the closest to reality.Tim CallanWe did not screen. There was no screener question about awareness of 47 day to be clear. There were screener questions, though, about you are a decision maker for certificates in your organization of 1000 employees or more.Jason SorokoI would say it's like a perfect Venn diagram overlap over are you aware of 47 day? Because to me, that should be 100%. But we got our answer. It was 90 something percent. So this answer, right here, the way that you were framing the question, I was starting to not like it until I heard the answers and I was like, oh, this is actually probably much closer to reality for that group of people.
Tim CallanI think so. And, there's big gaps. I mean, we kind of said the positives, but we could flip it. We could say what percentage of your certificates are not automated. And what would those numbers be? 48%, 77%. Or 67%. 48%, 67%, 68%, 69%.
Jason SorokoWell, Tim, the last category, which was the ability to automate revocation, that was really low. How do you have 67% of you have, or whatever it was, a 60 something percent have CLM, and yet you don't have a revocation automation. Then you don't have CLM. You don't have CLM.Tim CallanAbsolutely. Or you have CLM but it only works on a relatively small subset of your certificates.Jason SorokoThere you go. There you go.Tim CallanSo, I can't know this, but when I looked at those two because I thought about the same thing, Jason. When I looked at those two questions in conjunction, and my first thought was, how these numbers don't match up, what I wonder is, are we looking at a lot of people who do have CLM that they use for some of their certificates?Jason SorokoHere's my gut feel. I could be totally wrong. I bet you that's only a third. I bet you for most of them, they just don't understand what CLM is.Tim CallanThey interpret it differently than we do. So these numbers, like, no matter how you look at it, we’ve got a gap on these numbers and the other thing that's interesting here is automated renewal, in the absence of deployment, DCV and provisioning, that's literally just getting the cert. That means you have a cron job that orders a cert, and the cert arrives in your mailbox. That could be a subscription service. If I signed up for a subscription service with a public CA, I could answer yes to that first question, and I have no automation at all.Jason SorokoTim, here's what's going through my head. 50 something percent of you said you had ACME. But again, as you said, Tim, so then that means you're not using ACME for - -Tim CallanI think it means they’re using ACME for just a small portion of their service. I think they’re using some ACME so they say yes because we asked, are you using ACME? They said I'm using ACME. We didn't say are using ACME on 100% of their certs, because it turns out there's a bunch of their certs where they're not using ACME. And so that's your gap. That's what you've got to be working on fixing, Mr. Listener, so that as we get closer to the actual date, that you'll be prepared for it.Jason SorokoI wasn't liking this question, but now it really frames everything well. So this was a good one.Tim CallanAll right. Question eight, will you increase automation in certificate management because of shorter certificate lifespans? Yes. 69%.Jason SorokoGood answer.Tim CallanMaybe/considering it - 26%. Already fully automated - 5%.
No - 0%.
I'm not at all surprised.
Jason SorokoIn fact, if you were to say, Jay, gut feel write down numbers, my numbers would have been just like you almost right on top of these. So, I tell you what, though, here's the theme that's coming out, Tim, and we're not done doing this survey yet. My god, you guys have so much homework to do. So much homework to do.
Tim CallanBut I'm really encouraged by this one, because at least they're saying we know we've got to do it.Jason SorokoWe know we've got the homework.Tim CallanWe know we've got to do it. Which is great, and also it's great. This is not do you want to. This is a will you increase, and that wording was specific.Will you increase automation? One of the things, again, this is more anecdotal, but having talked to a lot of people for a long time, I talked to a lot of the certificate managers in organizations who say, listen, I want to increase my technology investment and what happens is, I'm competing for roadmap and budget with other things.
Jason SorokoOf course.Tim CallanAnd so they're not necessarily doing everything that they recognize would be in the institution's best interest. This is about not desire, but expectation. And the expectation across the board, 95% of respondents have an expectation that they're going to increase their level of automation.Jason SorokoFantastic. Extremely encouraging. And there's a big lift ahead for everybody. So that's the answer that’s coming through really clear, right now.Tim CallanAll right. Question nine, it's easier to do this visually, so I'm gonna explain how I'm gonna do this. I'll read the question. Question mine, to what degree are the following obstacles in your organization's adoption of automated certificate management? To what degree are the following obstacles in your organization's adoption of automated certificate management? And then there's 1, 2, 3, 4, 5, 6, 7, 8 choices and for each of these choices, they have five. They're on a five point scale. Critical obstacle is five. Significant obstacle is four. Moderate obstacle is three. Slight obstacle is two, and not an obstacle at all is one.So normally, under these circumstances, we would either look at the top one critical or the top two critical and significant. And so why don't I just roll down the top two results, and we'll see a sense for what these are.
So security concerns. Top two is 56%.
Compliance or audit constraints. Top two is 63%.
Budget. Top two is 45%.
Uncertainty about vendor tools or solutions. Top two is 40%.
Integration concerns. Top two is 54%.
Competing roadmap items. Top two is 57%.
Job security - one you talked about - top two is 27%.
And awareness of alternatives. Top two is 21%.
So the biggest ones are in order. Compliance or audit constraints, followed by competing roadmap items, then integration concerns, then security concerns, and then there's kind of a gap, and then they've got a bunch that are much smaller - budget, uncertainty about vendor tools or solutions, job security and awareness of alternatives. So what do you think of that?
Jason SorokoI think that's fairly reasonable. It's funny, I always look at where security sits and it almost tells me that, these are very operational type people who will never put that at the top of their list. And that's perfectly fine for this answer. I'm encouraged that the budget one wasn't at the top.Tim CallanYes, me too. Budget was not. Competing roadmap items, though, was.Jason SorokoI'm hearing that more and more, Tim. I'm hearing that more and more, which is, if my CFO handed me a bigger check for the next two quarters, three quarters, for a budget, I wouldn't know what to do with it, because I'm already fully tapped.Tim CallanI wouldn't be able to implement it. I mean, that's been a theme, geez, that's been a theme for the last 30 years. The IT skills gap is perpetual.Jason SorokoAbsolutely. And I think it may be getting worse, which is crazy. but it's true. I think it just is. So Tim, as interesting as that question is, I'm not shocked by anything. It's just good, interesting data.Tim CallanI agree. None of this really shocked me either. Compliance and audit constraints being the highest one I probably didn't expect, but they all kind of cluster together. Compliance and audit constraints, competing roadmap, integration concerns and security concerns are all pretty close to each other. So it's like there's a batch and then everything else is down below it. And those are kind of what we hear.
Jason SorokoVery interesting.Tim CallanAnd then the last question for this segment is actually crossing over into PQC. So here's the question, to what degree do you see overlap in your organization's preparedness for 47 day public SSL/TLS certificates and post-quantum cryptography. Are you ready? Do you want to think of it in your mind and take a guess before I say?
Jason SorokoI think once a person is asked it that way, I think that people will end up realizing, oh, geez, it's related in a way. I mean, there's obviously different things I have to do, different activities I have to do for PQC, but on the other hand, certificate lifecycle management gets you a lot of the way. And I think the way that people have been answering questions so far on the survey, I think this group of people is smart enough to know that these are really related issues.Tim CallanI think you're exactly right. The other thing to be aware of is, one of the things we did is we didn't want to get a whole bunch of, I don't know, for the PQC portion of the survey. So one of the screening questions was to confirm that they are aware of the PQC changes that are coming. So, in that sense, they were screened. Anybody who said PQ what got screened out. So be aware of that.Jason SorokoThat's huge. That's huge. I got to tell you that after my own experiences at CISO conferences, or on stage gaging awareness, I was told by analysts that I would see very, very low awareness. I didn't quite believe it. I now believe it. Extremely low awareness.Tim CallanEven though it's been all over the news. Even though you can't swing your arm without knocking over a reporter who's asking you about PQC.Jason SorokoTim, I was on the phone this morning.Tim CallanOnce again, reporters, I love you. Wouldn't knock you over, but go on. Go on, Jay.Jason SorokoNo, no, no, no, precisely, Tim. Tim, you and I have been talking about this for five and a half years.Tim CallanWe have been. All right. So here's our answers. Do you want to start at the high end? Let's start at the high end.Jason SorokoLet's do it.Tim CallanThey are exactly the same.Jason SorokoThat’s what I wanted to hear.Tim Callan9%. Significant overlap - 38%.
Moderate overlap - 34%.
Slight overlap - 10%.
No overlap whatsoever - 8%.
Don't know - 2%.
So if you kind of batch the bottom three together, we got 20% who don't see a lot of overlap. The remaining 80% say it's moderate, significant or complete overlap. I don't agree. I don't agree on the complete overlap for what's worth?
Jason SorokoNo.Tim CallanI think those people are giving it too much credit. There is not complete overlap. However, significant or moderate, I both think are fair ways to describe the amount of overlap. It's a meaningful amount of overlap either way. And as we see, 71% of survey respondents see it that way.Jason SorokoI think for this cohort of the population, I think that's a good answer. It’s where I would have answered. So that's good, Tim. Right on.Tim CallanSo this has already been kind of a lengthy episode, and we've only touched the march to 47 days, and there's a lot more coming with PQC, so why don't we go ahead and put a punctuation mark on this one for the moment. Let me say one thing that there is a full report available from Sectigo on the Sectigo website. You can see the charts for yourself. There's charts for every question. There's an analysis. The big takeaways are reported. So if this is an interesting topic, and if it's hard, sometimes it's hard to get numbers like this when someone's just saying them, you can go get the actual charts from the report. It's much easier to look at and make sense of them. And if you're interested in this, I'll encourage you to do this. Also encourage you to check back in, because very soon we're going to have an episode where we're going to go over the PQC results.Jason SorokoCan't wait for it, Tim. Great stuff.Tim CallanThank you, Jason.Jason SorokoThank you.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
