Every year, the Ponemon Institute surveys more than 2,500 IT leaders who are immersed in PKI management at an enterprise level. The most recent survey — issued in mid-2022 — identified a pattern seen over previous years. According to authors of the study, PKI continues growing in importance in terms of enterprise security and enablement, yet companies are struggling to achieve “PKI maturity” on a couple of fronts.
Barriers to PKI maturity: Funding and talent
Funding presents one large obstacle for most organizations. Few CFOs or other senior leaders understand what PKI is, making it difficult to build a case for securing budget. A second and more imposing obstacle, according to the survey, is a persistent shortage of skilled IT and IT security practitioners. This is a widespread problem that cuts across all markets, company sizes and regions of the world. There simply are too few workers with strong PKI management skills. That gap is creating serious challenges for CISOs and other IT leaders looking to mitigate the risks of ubiquitous cyberattacks.
So, if PKI talent isn’t readily available on the market, how do you build a team? Which tasks do you keep inside the organization and which ones do you outsource to a trusted partner? Before we dive into those questions, let’s quickly review the key roles required for effective PKI and certificate management:
- Certificate Authority (CA) Administrator: People in this role are responsible for analyzing security data and producing reports regarding the enterprise’s system security status. They conduct system security risk assessments and penetration tests to identify vulnerabilities and implement remediation actions. They also establish security best practices and are generally responsible for the overall health of the PKI infrastructure.
- Auditor: This is the PKI team member responsible for defining which CA events are audited and for reviewing the security log for events related to PKI management and operations.
- CA Officer: This role is responsible for managing digital certificates and cryptographic keys. This includes the important tasks of certificate issuance, renewal, revocation and deletion.
- Backup & Recovery Specialist: People in these roles are accountable for the ongoing backup and recovery of the CA database and configuration settings.
The increasing importance of digital security prompts many organizations to staff these roles internally and keep the tools that allow access to “the crown jewels” inside the organization. For most in-house approaches, companies create small and specially trained teams that manage the entire life cycle of digital certificates and keys. Responsibilities for these small but mighty teams include creating and updating security policies, ensuring the security and integrity of root signing keys, managing user registrations, and staying current on crypto standards and protocols.
Companies increasingly lean on trusted cybersecurity partners
But because these teams are small, it’s easy for them to become overwhelmed with the time-consuming responsibilities of urgent requests to resolve lost, compromised or expired certificates. In fact, these day-to-day management responsibilities can require so much manpower that many companies end up finding a trusted outside partner to help with those tasks. This is true even when sophisticated tools are deployed for automating certificate and key management.
These PKI management challenges are magnified as organizations grow. If growth is organic — or simply involves the expansion of existing digital ecosystems — the challenge is mainly one of volume. But in the event of mergers or acquisitions, teams likely have to take on the massive and complex task of integrating disparate architectures and platforms, which are likely using a number of different PKI solutions.
This reality — coupled with the challenges of funding headcount and finding qualified candidates — is leading to more widespread use of external managed services for PKI life cycle management. Partnering with an external provider of cloud-hosted PKI infrastructure-as-a-service provides CISOs and other IT leaders with access to personnel, systems and distributed data centers that scale to meet the demands of an enterprise.
Key strategy: Hiring moldable talent
But even if an external managed service is engaged, organizations need skilled people to oversee certificates, keys and other critical elements of a digital ecosystem. Considering that (according to a 2022 ISC2 market study) there is a global cybersecurity workforce gap of 3.4 million professionals, how can you even build a small team?
One answer is to shift your focus from hiring fully trained, plug-and-play talent to finding people with the right soft skills who are highly receptive to training. Instead of searching for unicorns who bring every certification and skill set to the job on day one, look for good, smart people who want to learn — and have a professional affinity for cybersecurity.
Just as it is with developers and software engineers, the technologies, standards and best practices surrounding cybersecurity are moving so fast that it’s more important to have people who are willing to learn than people who are deeply familiar with cybersecurity particulars of the moment. Given the global shortage of cybersecurity talent, it’s likely a more prudent path to hire enthusiastic and hard-working people to learn the PKI trade. Then, fill in any gaps with external partners you trust — while maintaining control over your certificates and keys.
Tips for building a successful PKI program
In addition to resolving the PKI talent gap, it also helps to build a secure and manageable PKI program. Here are some tips for that:
- Maintain good key and certificate hygiene and conduct regular scans: Know where your keys and certificates are located, how they were generated, and when they expire. Build accountability into your processes. Know precisely who has access to keys and certificates and where they are stored. Create a life cycle management process that keeps you in control.
- Build a collaborative risk management strategy: Digital security is becoming a boardroom topic, so this should be easier than in previous years. Analyze your risk profile across the entire enterprise. Include people from business units, compliance, IT, engineering and other disciplines. Make sure everyone understands the plan and knows why adhering to the processes you establish is necessary.
- Achieve a balance of strong security and excellent user experience: You could create a bullet-proof cybersecurity strategy if you didn’t have to worry about user experience. But without productive employees, engaged business partners and happy customers, you wouldn’t have anything to protect. Work closely with all user groups to explain the benefits of security and identify the security measures that both protect them and keep them engaged.
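The hygiene scan in the first tip, as an added example that is not part of the original article: a small Go program (function names and the 2048-bit and 30-day thresholds are my own assumptions) that walks a PEM bundle turned up by a scan of the estate and flags certificates that are expired, expire within a warning window, or were generated with an RSA key below 2048 bits. The certificates it checks are generated in-process as constructed fixtures so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one hygiene issue for a certificate in the inventory.
type Finding struct{ Subject, Issue string }

// AuditPEM walks every CERTIFICATE block in a PEM bundle and applies the tip's rules:
// expired, expiring within warn, or an RSA key under 2048 bits. now is injected so runs
// are repeatable; a block that does not parse is an error rather than a silent skip.
func AuditPEM(bundle []byte, now time.Time, warn time.Duration) ([]Finding, error) {
	var out []Finding
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // private keys or CRLs in the same file are not audited here
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		cn := c.Subject.CommonName
		if now.After(c.NotAfter) {
			out = append(out, Finding{cn, "expired"})
		} else if now.Add(warn).After(c.NotAfter) {
			out = append(out, Finding{cn, fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24))})
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			out = append(out, Finding{cn, fmt.Sprintf("weak RSA key (%d bits)", k.N.BitLen())})
		}
	}
	return out, nil
}

// SelfSignedPEM builds a constructed sample certificate (not a real one) so the audit can
// run offline; bits and notAfter decide which rules it trips. Fixture only: errors ignored.
func SelfSignedPEM(cn string, bits int, notAfter time.Time) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Pointing AuditPEM at each bundle a scan finds, with a fixed warning window, gives the expiry and key-generation inventory the tip asks for; the same loop is where you would record the file path as the certificate's location.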
Building a strategy that incorporates these principles and focusing your hiring practices on promising talent rather than people with deep and specific knowledge will help you create a successful and sustainable security strategy in a world full of great opportunities and ubiquitous threats.