Digital trust overconfidence: what security teams are missing


(@nhi-mgmt-group)
Member Moderator

TL;DR: The middle third of organisations are more vulnerable than they think, even when they avoid the lowest-performing group, according to DigiCert’s State of Digital Trust 2024 survey of 300 enterprise leaders. The gap is less about awareness than execution, and it now affects identity, device, software, and certificate governance alike.

NHIMG editorial — based on content published by DigiCert: Survey says: 1/3 of leaders are more vulnerable than they think

By the numbers:

  • DigiCert’s State of Digital Trust 2024 survey gathered responses from 300 enterprises across North America, Europe, the Middle East, Africa, and the Asia-Pacific region.
  • Enterprises that scored within the top 33% of the survey categories were classified as Digital Trust Leaders, while those in the bottom third were classed as Digital Trust Laggards.

Questions worth separating out

Q: How should security teams prove digital trust maturity instead of assuming it?

A: Security teams should tie digital trust claims to operational evidence: certificate health, device update visibility, software signing status, and incident response performance.

Q: Why do siloed trust programmes create hidden identity risk?

A: Siloed programmes let each team optimise its own control set while missing the dependencies between identity, devices, software, and cryptography.

Q: What do organisations get wrong about digital trust readiness?

A: They often mistake partial success for overall readiness.

Practitioner guidance

  • Reconcile trust claims to control evidence: Require each business unit to show operational proof for digital trust claims, including certificate status, device update visibility, code-signing checks, and incident response evidence.
  • Unify ownership across identity-related trust surfaces: Assign named owners for communications trust, device identity, software integrity, and eSignature assurance so siloed teams cannot each declare success independently.
  • Treat software and device trust as governed identities: Include update channels, signing keys, and connected devices in lifecycle review cycles, with explicit monitoring for tampering, expiry, and unapproved changes.

What's in the full article

DigiCert's full blog covers the survey detail this post intentionally leaves for the source:

  • The survey methodology across 300 enterprise respondents in four operational trust categories.
  • Leadership scoring logic for Digital Trust Leaders, middle-tier organisations, and Digital Trust Laggards.
  • The survey's category-by-category findings on outages, data breaches, PQC readiness, IoT monitoring, and eSignature practices.
  • The full explanation of why overconfidence is showing up in the middle third rather than only in the lowest performers.

👉 Read DigiCert's survey on why enterprise digital trust maturity is lagging →
