Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Digital trust overconfidence: what security teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: The middle third of organisations are more vulnerable than they think, even when they avoid the lowest-performing group, according to DigiCert’s State of Digital Trust 2024 survey of 300 enterprise leaders. The gap is less about awareness than execution, and it now affects identity, device, software, and certificate governance alike.

NHIMG editorial — based on content published by DigiCert: Survey says: 1/3 of leaders are more vulnerable than they think

By the numbers:

  • DigiCert’s State of Digital Trust 2024 survey gathered responses from 300 enterprises across North America, Europe, the Middle East, Africa, and the Asia-Pacific region.
  • Enterprises that scored within the top 33% of the survey categories were classified as Digital Trust Leaders, while those in the bottom third were classed as Digital Trust Laggards.

Questions worth separating out

Q: How should security teams prove digital trust maturity instead of assuming it?

A: Security teams should tie digital trust claims to operational evidence: certificate health, device update visibility, software signing status, and incident response performance.

Q: Why do siloed trust programmes create hidden identity risk?

A: Siloed programmes let each team optimise its own control set while missing the dependencies between identity, devices, software, and cryptography.

Q: What do organisations get wrong about digital trust readiness?

A: They often mistake partial success for overall readiness.

Practitioner guidance

  • Reconcile trust claims to control evidence Require each business unit to show operational proof for digital trust claims, including certificate status, device update visibility, code-signing checks, and incident response evidence.
  • Unify ownership across identity-related trust surfaces Assign named owners for communications trust, device identity, software integrity, and eSignature assurance so siloed teams cannot each declare success independently.
  • Treat software and device trust as governed identities Include update channels, signing keys, and connected devices in lifecycle review cycles, with explicit monitoring for tampering, expiry, and unapproved changes.

What's in the full article

DigiCert's full blog covers the survey detail this post intentionally leaves for the source:

  • The survey methodology across 300 enterprise respondents in four operational trust categories.
  • Leadership scoring logic for Digital Trust Leaders, middle-tier organisations, and Digital Trust Laggards.
  • The survey's category-by-category findings on outages, data breaches, PQC readiness, IoT monitoring, and eSignature practices.
  • The full explanation of why overconfidence is showing up in the middle third rather than only in the lowest performers.

👉 Read DigiCert's survey on why enterprise digital trust maturity is lagging →

Digital trust overconfidence: what security teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Overconfidence is the governance failure, not just a cultural problem. DigiCert’s survey shows a middle third of enterprises that are not at the bottom of the pack but still materially exposed. That is the classic failure mode of partial maturity: controls exist, yet leadership reads them as assurance rather than coverage. The practitioner lesson is that digital trust must be measured by end-to-end control integrity, not by internal optimism.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, which shows that identity risk often persists well after teams believe it has been addressed.

A question worth separating out:

Q: How can organisations prioritise trust improvements without overloading teams?

A: Start with the controls most likely to break the chain of assurance: certificate lifecycle, device identity monitoring, code-signing discipline, and incident response measurement. Then fold those into a single governance cycle so teams are not operating separate improvement plans. That approach gives leaders a clearer risk view and a realistic execution path.

👉 Read our full editorial: Digital trust overconfidence is leaving enterprise controls exposed



   
ReplyQuote
Share: