Security magazine sits downs with David Mahdi, Chief Strategy Officer and Chief Information Security Officer (CISO) Advisor at Sectigo. Previously, Mahdi was a Gartner analyst, advising clients and executives on topics ranging from cybersecurity, identity and access management (IAM), blockchain, PKI, Internet of Things, cloud and data security.

Mahdi discusses why enterprise security leaders must establish and maintain digital trust in today’s increasingly virtual world.

1. Security: What is the role of digital trust?   

Mahdi: Digital trust — that is, trust in machines, software, devices, and humans interacting with digital services that now power our world — needs to be established as it is now a critical requirement to conduct business securely and seamlessly. Ultimately, the goal of digital trust is to enable secure access to data, systems, and resources.


Enterprises now find themselves with a problem: the need to individually verify, onboard, and authenticate every device, user, application (software), and entity interacting with the organization’s network to ensure legitimacy, wherever the connections come from.


While many organizations have focused on implementing a zero-trust approach, it is just the first piece of a much larger puzzle to trusting the humans and machines that are at the center of their businesses.


As organizations scale to keep pace with today’s technological innovation and new hybrid work trends, it is imperative that they protect all human, non-human, and machine identities across their environment, which is why all businesses need digital trust and identity-first security to compete and operate today.


2. Security: What does identity-first security enable?   

Mahdi: Identity-first security is a term increasingly referenced by cybersecurity practitioners and leading industry analysts as a top priority for every IT security department as the post-COVID technology landscape, and threat factors have dramatically changed and continue to shift. In fact, Gartner recently identified identity-first security as a top security trend in their annual Top Security Trends report.  


At its core, identity-first security enables “the right individuals to access the right resources at the right times for the right reasons.” That means identity is now operating as the new perimeter, securing all identities — human or machine — throughout the cycle of accessing critical business assets and sensitive information.


Each access point that requires a credential needs identity verification to be unlocked, and herein lies the gap for error and data mishaps if it’s not identity-proof. As we move forward, the world will see digital certificates acting as a critical element for identity-first security for all digital businesses.   


3. Security: What risks exist in the realm of digital trust? How can enterprises establish digital trust with identity-first security?  

Mahdi: Attackers are effectively hijacking digital trust by compromising and stealing identities — either by buying leaked credentials or by socially engineering them — to target organizational issues inherent with hybrid work, human error, and shadow IT.   


To start, social engineering is a weak link when it comes to security, as even the most tech-savvy people can be tricked. Other risks to digital identities, from password theft and ransomware to bypassing multifactor authentication, prove that bad actors are finding sophisticated ways to attack digital identities in order to compromise data and other resources.


The well-covered Solarwinds digital supply chain attack, for example, involved compromising identities and manipulating privileged access, serving as a wake-up call for business leaders to protect and maintain identity infrastructures.  


An enterprise’s identity-first security strategy must include centralized control to manage the explosion of identities all requiring digital trust to access networks and resources. Identity-first security must start with flexible, cloud-first and forward digital identities.


While a myriad of human and machine identity products and services will likely be needed; many security and risk leaders are recognizing that digital certificates are critical to enabling many identity-first use cases today. Such as passwordless authentication and machine identity management. All must be enabled with an open and interoperable digital certificate platform.


Digital certificates are proven to instill digital trust in any modern-day IT environment. Issued by Certificate Authorities (CAs), they secure and authenticate human and machine identities and should include Certificate Lifecycle Management (CLM) for a new automated approach.

4. Security: Why is this critical to implement in the height of tech innovation?

Mahdi: From digitally signing emails to blockchain-enabled technologies, digital certificates underpin the security of digital identities and the digital world and are further relied on by all technologies from the oldest to the newest.


As digital transformation excels, it’s easy to forget to revisit old technologies that have been relied on for decades without re-assessing the infrastructure that will enable future-forward technologies.  


Thanks to digital transformation, the amount of human and machine identities being created is growing every day, and this number will only continue to explode. As we look ahead to the future of technology, from the metaverse and Web3 to quantum computing, organizations must take the necessary steps to validate and secure every single identity trying to access their networks.


Knowing that bad actors will take advantage of any gaps in the new perimeters and accelerate in manipulating identity as an attack surface, security experts need to have the tools in place today to outpace the identity security threats of tomorrow.