I love the “Lions led by donkeys” that these surveys always throw up. Do you think that your senior management actually understand cyber risk?
[…] Takeaway 1: Executives Tend to Over-Estimate How Secure Their Organization Is
Perception and reality are frequently two different things — this is particularly the case regarding how PKI tasks and IT security challenges are handled. Probably the biggest takeaway is that the study highlights the tremendous gap in confidence between the answers given by the technical guardians within an organization and those given by the executive leadership above them, when both groups are asked the same questions.
“In that data alone, it showed us very significantly how the problems of managing these types of critical assets in the organization, from the practitioners to the executives, differ when asked the same questions,” Hickman said in the webinar on the study.
Their observation made them question why there’s such a difference in the landscape between these different ranks within an organization. Executives tend to be significantly more optimistic in their responses than their staff/technician counterparts — averaging 6.2 on a 1-10 scale, versus staff/technicians, who have an average confidence rating of 3.7. This is particularly true concerning issues relating to managing critical assets.
These responses demonstrate why challenges might exist within organizations — leaders think issues are being handled or resolved, and practitioners are struggling to keep up with the never-ending demands.
Actionable Recommendations for How to Resolve This Issue
As with any organization and tasks, communication is key. There needs to be clear communication and transparency about the situation. If there are deficiencies, insufficient resources, or other challenges, everyone needs to be on the same page.
Don’t sugar coat things. Be open and honest about PKI and IT security-related issues that exist within your organization. Make your leadership aware of any challenges and offer recommendations and solutions to address the issues. Most importantly: Learn to speak their language.
One suggestion from Hickman and Ponemon shared during the webinar comes from Gartner:
“Security leaders that successfully reposition X.509 certificate management to a compelling business story, such as digital business and trust enablement, will increase program success by 60%, up from less than 10% today.”
Essentially, executives want to know the bottom line — costs involved and how circumstances will affect the operation and organization as a whole. Don’t speak technical mumbo-jumbo. Give them what they want while still pushing for the resources you need by changing how you frame the situation.
Listen to your experts. Listen to understand and not to reply. Recognize that they’re humans and that the industry and cyber threats are continually changing. The threats we face today aren’t necessarily the same as those we’ll face in the future. Be flexible and open to change. If you want to protect your organization, don’t put off investing in your cybersecurity infrastructure and resources until tomorrow. Commit to making those changes today.