Every year we must trust our digital systems more, even as reasons not to are all around us. In 2025, vendors and customers will need to tackle digital trust head-on. Here are ten ways that we at DigiCert believe they will do so in 2025.
Jason Sabin, CTO of DigiCert, explores further.
1. Post-quantum cryptography deployments will begin, and new standards will emerge
The real quantum threat is still in the future, ‘10-15 years’ according to quantum pioneer Peter Shor at DigiCert’s World Quantum Readiness Day event. But the opportunity to start doing something about it is here today. Real-world organisations will begin to test and deploy actual solutions in 2025. New PQC developments, such as the NSA’s CNSA 2.0 algorithms, will also emerge.
2. More Chief Trust Officers in 2025
As the centrality of digital trust and transparency in a heavily regulated world becomes clear, more organisations will create Chief Trust Officer (CTrO) positions to take direct responsibility. Trust is now a key factor in customer relationships, and the CTrO will play a crucial role in building and maintaining trust with customers, partners, and regulators, ensuring that companies not only meet compliance standards but also actively foster trust as a core business asset.
3. The C2PA symbol will become common
AI deepfakes have many people justifiably scared, not least for the protection of their intellectual property, including their own likenesses. The Coalition for Content Provenance and Authenticity (C2PA) has created standards with broad industry support that use PKI to produce a tamper-evident record, which helps users differentiate between real and fake media.
Protected media appears with the Content Credentials icon. If content is manipulated or edited, the changes are detected, making it easier to identify deepfakes and other altered content. People will begin to see content credentials on many of the images they see online starting in 2025.
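The tamper-evident record described above, as an added illustration that is not DigiCert's or C2PA's code: a manifest binds a hash of the asset bytes to a claim about who made it and what was done to it, the claim is signed, and each later edit produces a new signed manifest that references the previous one. A real Content Credential is signed with a private key backed by an X.509 certificate; this stdlib-only demo substitutes an HMAC with a constructed key, and the image bytes, author and action names are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo values, not real C2PA data. A real Content Credential is
# signed with a private key backed by an X.509 certificate; this demo
# substitutes an HMAC so it runs with the standard library alone.
DEMO_KEY = b"constructed-demo-signing-key"
ORIGINAL_IMAGE = b"\x89PNG constructed sample image bytes"


def content_hash(data: bytes) -> str:
    """Hash of the asset bytes; this is what the manifest binds to."""
    return hashlib.sha256(data).hexdigest()


def _canonical(claim: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(claim: dict, key: bytes) -> dict:
    """Attach a signature over the canonical claim (HMAC stands in for PKI here)."""
    sig = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "signature": sig}


def issue_credential(data: bytes, author: str, key: bytes) -> dict:
    """Create the first manifest for a freshly produced asset."""
    claim = {
        "author": author,
        "actions": ["created"],
        "content_sha256": content_hash(data),
        "parent_signature": None,
    }
    return sign_manifest(claim, key)


def record_edit(new_data: bytes, prev: dict, action: str, key: bytes) -> dict:
    """Extend the provenance chain: the new manifest names the edit and the previous signature."""
    claim = dict(prev["claim"])
    claim["actions"] = prev["claim"]["actions"] + [action]
    claim["content_sha256"] = content_hash(new_data)
    claim["parent_signature"] = prev["signature"]
    return sign_manifest(claim, key)


def verify(data: bytes, manifest: dict, key: bytes) -> tuple:
    """Return (ok, reason). Fails if the manifest was altered or the bytes no longer match it."""
    expected = hmac.new(key, _canonical(manifest["claim"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False, "signature invalid: manifest altered or not issued by this signer"
    if manifest["claim"]["content_sha256"] != content_hash(data):
        return False, "content hash mismatch: asset modified after signing"
    return True, "ok; actions recorded: " + ", ".join(manifest["claim"]["actions"])


if __name__ == "__main__":
    cred = issue_credential(ORIGINAL_IMAGE, "photographer@example.test", DEMO_KEY)
    print(verify(ORIGINAL_IMAGE, cred, DEMO_KEY))            # untouched asset verifies
    altered = ORIGINAL_IMAGE + b"\x00"
    print(verify(altered, cred, DEMO_KEY))                   # silent edit: hash mismatch
    edited = record_edit(altered, cred, "edited", DEMO_KEY)
    print(verify(altered, edited, DEMO_KEY))                 # declared edit: verifies, edit visible
    forged = {"claim": dict(cred["claim"], author="someone-else"), "signature": cred["signature"]}
    print(verify(ORIGINAL_IMAGE, forged, DEMO_KEY))          # rewritten claim: signature invalid
```

The two failure paths are the point: editing the pixels without issuing a new manifest breaks the hash binding, and editing the claim (for example the author) breaks the signature. Only a signer holding the key can produce a manifest that verifies, and that manifest carries the edit history with it.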
4. The need for crypto agility will become more obvious
Apple recently proposed a gradual reduction of the maximum validity for public SSL/TLS certificates to 45 days by 2027. Google has proposed a cut to 90 days, but with no set timeline. These proposals are part of a growing trend toward shorter certificate lifespans, the aim of which is to improve Internet security by reducing the risks associated with longer certificate validities. No large organisation can manage its certificates manually on such a schedule, and so we predict that organisations will require more automation for web PKI.
5. Organisational tolerance for outages will end
The massive CrowdStrike outage this past summer exposed many industry problems, not just the need for better testing of updates by CrowdStrike, but for improvements in all aspects of digital trust. We predict that customers will demand better from their vendors, including proof not only that their software is safe and reliable, but also that it is secure and trustworthy.
This is particularly a problem as physical barriers, and the security that comes with them, disappear. IoT devices are everywhere, especially in industrial settings, and over-the-air (OTA) software updates are the norm, indeed the only practical solution. How can people know that these updates are legitimate?
Transparency is the only way that systems like self-driving cars will be trusted sufficiently. It won’t be long before automakers and other IoT vendors adopt a more transparent approach to sharing the results of their security measures to give owners peace of mind. Effective in 2027, the EU Cyber Resilience Act is the first regulation with teeth to ensure that digital products adopt a more holistic approach to IoT security.
6. AI-driven phishing attacks will increase
The key to an effective phishing attack is to be convincing, and free, ubiquitous AI puts convincing phishing capabilities in the hands of anyone, anywhere. These attacks will be personalised to the target and deployed at scale. We’ve seen this already, but it will accelerate greatly in 2025, and new mechanisms will be needed to combat them.
7. Interest will increase in private PKI standards
Emerging private PKI standards, such as ASC X9, fill a market gap left by broader standards that rely on browser-based implementations.
The Accredited Standards Committee X9 focuses its security standards on the financial industry, addressing areas like data integrity and authentication.
Concentrating on heavily regulated industries like finance and healthcare can help address customer needs more directly than broad frameworks.
8. Interest in Cryptography Bills of Materials (CBOM) will grow
Software Bills of Materials (SBOM) catalogue every input to a software product and its dependencies. A variant of them, the Cryptography Bill of Materials (CBOM), which focuses on cryptographic assets and their dependencies, will become more common in 2025. Organisations are digitally signing more things, such as SBOMs. CBOMs will enhance digital trust by demonstrating the strength of the cryptographic tools and standards used.
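A CBOM is useful for both of the points above: it inventories the cryptographic assets an organisation depends on (item 8) and, once that inventory exists, it is where the validity-period and algorithm policy from item 4 gets checked. The example below is added here and is not DigiCert's code or any CBOM tool's output: it takes a constructed scanner report for three fictional endpoints, assesses each certificate against a policy (the 45-day maximum validity mentioned above, a renewal window, minimum key sizes, weak hashes and protocol versions), and emits an inventory loosely shaped like a CycloneDX cryptographic-asset component. The host names, dates and the exact field names are assumptions for illustration, not a schema-validated document.

```python
import json
from datetime import date

# Constructed sample scanner output for fictional hosts; not real certificates.
SAMPLE_ASSETS = [
    {"name": "api.example.test", "key_alg": "RSA", "key_bits": 2048, "sig_hash": "SHA256",
     "not_before": "2025-01-01", "not_after": "2026-01-01", "protocols": ["TLSv1.2", "TLSv1.3"]},
    {"name": "legacy.example.test", "key_alg": "RSA", "key_bits": 1024, "sig_hash": "SHA1",
     "not_before": "2024-06-01", "not_after": "2025-03-15", "protocols": ["TLSv1.0", "TLSv1.2"]},
    {"name": "edge.example.test", "key_alg": "ECDSA", "key_bits": 256, "sig_hash": "SHA384",
     "not_before": "2025-02-01", "not_after": "2025-03-18", "protocols": ["TLSv1.3"]},
]

# Policy values: 45 days is the proposed maximum lifetime from the text above;
# the renewal window, key sizes and weak-algorithm lists are assumed example policy.
MAX_VALIDITY_DAYS = 45
RENEW_BEFORE_DAYS = 14
MIN_KEY_BITS = {"RSA": 3072, "ECDSA": 256}
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def assess(asset: dict, today: date) -> list:
    """Return policy findings for one certificate; an empty list means compliant."""
    findings = []
    not_before = date.fromisoformat(asset["not_before"])
    not_after = date.fromisoformat(asset["not_after"])
    lifetime = (not_after - not_before).days
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append(f"validity {lifetime}d exceeds {MAX_VALIDITY_DAYS}d policy")
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left}d ago")
    elif days_left <= RENEW_BEFORE_DAYS:
        findings.append(f"renew: expires in {days_left}d")
    if asset["sig_hash"].upper() in WEAK_HASHES:
        findings.append(f"weak signature hash {asset['sig_hash']}")
    if asset["key_bits"] < MIN_KEY_BITS.get(asset["key_alg"], 10**9):
        findings.append(f"{asset['key_alg']} key {asset['key_bits']} bits below minimum")
    for proto in asset["protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol {proto} enabled")
    return findings


def build_cbom(assets: list, today: date) -> dict:
    """Assemble an inventory of cryptographic assets with their policy findings attached."""
    components = []
    for asset in assets:
        findings = assess(asset, today)
        components.append({
            # Shape loosely follows CycloneDX's cryptographic-asset component type;
            # treat the field names as illustrative, not as the normative schema.
            "type": "cryptographic-asset",
            "name": asset["name"],
            "cryptoProperties": {
                "assetType": "certificate",
                "certificateProperties": {
                    "subjectName": asset["name"],
                    "notValidBefore": asset["not_before"],
                    "notValidAfter": asset["not_after"],
                    "signatureAlgorithm": f"{asset['key_alg']}-{asset['sig_hash']}",
                    "keyBits": asset["key_bits"],
                    "protocols": asset["protocols"],
                },
            },
            "findings": findings,
        })
    return {"bomFormat": "CycloneDX-style (illustrative)", "generated": today.isoformat(),
            "components": components}


def non_compliant(cbom: dict) -> list:
    """Names of assets with at least one finding, i.e. the renewal/remediation work queue."""
    return [c["name"] for c in cbom["components"] if c["findings"]]


if __name__ == "__main__":
    cbom = build_cbom(SAMPLE_ASSETS, date(2025, 3, 10))   # constructed "today"
    print(json.dumps(cbom, indent=2))
    print("needs action:", non_compliant(cbom))
```

Run against the sample, all three endpoints land in the work queue for different reasons: the year-long RSA-2048 certificate fails the validity and key-size rules, the legacy host fails nearly everything, and the compliant 45-day ECDSA certificate is simply due for renewal within the window. That last case is the point of item 4: on a 45-day lifetime every certificate is permanently a few weeks from its next renewal, which is only sustainable when the inventory and the renewal are both automated.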
9. Certificate management in Excel will end by 2028
A survey of attendees at our World Quantum Readiness Day event showed that nearly 25% of them manage their thousands (and sometimes, tens of thousands) of certificates manually.
As the economist Herb Stein once said, if something cannot go on forever, it will stop. This is the case with manual management of large-scale operations that must be repeated within weeks. These organisations will move to automated management tools.
10. Organisations will further consolidate vendors for simplification
The complexity of security issues, of the tools and techniques needed to address them, and the increasing regulation requiring that the problems be addressed, has led many organisations to reduce their technology vendors to a smaller, more trusted group. As the complexity shows no sign of slowing, we expect the trend to continue in 2025. Prioritising fewer vendors drives efficiency, cost savings, and agility across the organisation.
This article originally appeared in the February 25 magazine issue of IoT Insider.