
Hosted by GMO GlobalSign Limited

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Steve Hall is joined by Brian Westnedge, VP of Alliances & Partnerships at Red Sift, to unpack the fundamentals of email authentication, from SPF, DKIM, and DMARC to the visual trust indicators offered by BIMI, VMCs, and CMCs.

What You’ll Learn:
How to implement the email authentication stack
Why DMARC enforcement is your gateway to brand protection and inbox placement
The difference between Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs)
How BIMI and visual trust indicators combat AI-generated phishing
Why email remains the primary attack vector despite being decades old

Brian Westnedge is an email security expert and VP of Alliances & Partnerships at Red Sift, specializing in email authentication protocols and domain security. With extensive knowledge of SPF, DKIM, DMARC, and BIMI implementations, Brian brings practical expertise in helping organizations of all sizes strengthen their email security posture.

If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts; instructions on how to do this are here.

Episode Chapters:
[00:00] Intro
[00:54] Email's Biggest Blind Spot
[01:57] Email Authentication 101
[03:21] From Best Practice to Mandate
[04:43] AI Is Making Phishing Emails Almost Impossible to Spot
[07:15] VMC vs. CMC
[08:39] Email Security for Every Organization
[11:13] The Future of Email Security
[13:37] The One Piece of Tech Brian Can't Live Without

Episode Resources:
Brian Westnedge on LinkedIn
Red Sift Website
GlobalSign Website
View and Integrate Website

Trust.ID Talk: The Digital Certificate and Identity Security Podcast is handcrafted by our friends over at: fame.so

This episode is sponsored by Keeper Security, the #1-rated password manager that is easy to use and protects every user on every device from cybercriminals. To receive 50% off personal and family plans visit https://keepersecurity.partnerlinks.io/kem9pq2bma2t

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson welcomes back Arvid Vermote, Chief Information Security Officer (CISO) at GlobalSign, to discuss Google’s groundbreaking announcement on Merkle Tree Certificates for post-quantum cryptography and why your organization needs to start preparing now.

What You’ll Learn:
How Merkle Tree certificates solve the 14-kilobyte TLS handshake problem
Why crypto agility and automation are non-negotiable survival skills
How to build a complete cryptographic bill of materials
The critical gap in non-browser TLS tooling
How CAs are preparing with new hierarchies and technical overhauls

Arvid Vermote is the Chief Information Security Officer (CISO) at GlobalSign, where he leads the company’s global security, compliance, governance, and privacy strategy, ensuring that products and operations meet industry and regulatory standards while aligning with business objectives. Before joining GlobalSign, Arvid served as a Senior Manager at EY, where he delivered cybersecurity advisory services across EMEIA, co-led the Belgian Cybersecurity and Privacy practice, and was recognized as a global expert in PKI ecosystems and risk management.

YouTube Chapters:
[00:00] Intro
[00:25] The Size Problem with Post-Quantum Certificates
[02:23] A Clear Vision for the Future of TLS
[03:23] 2027 Root Program, 2028 Production Certificates
[04:55] The Cryptographic Bill of Materials
[06:22] Proof of Concept Already Underway
[07:37] Automation Is Non-Negotiable
[09:35] Non-Browser Tools and IoT
[11:27] The CA/Browser Forum’s Role

Episode Resources:
Arvid Vermote on LinkedIn
GlobalSign Website
View and Integrate Website

Key Takeaways:

[00:25] The Size Problem with Post-Quantum Certificates
Post-quantum cryptography algorithms inflate TLS certificate exchanges from one kilobyte to 14, making them untenable for billions of daily transactions. Google, Cloudflare, and others have proposed Merkle Tree Certificates (MTCs), which replace traditional full chain-of-trust exchanges with verification against a CA-signed Merkle tree, dramatically cutting payload size and removing the biggest barrier to deploying post-quantum certificates at scale.

[03:23] 2027 Root Program, 2028 Production Certificates
Google plans to launch its ML-KEM-based root program by 2027, with post-quantum certificates expected in production by 2028. For organizations, this doesn’t change planning timelines, but it does replace uncertainty with clarity. The certificate of the future is no longer a question mark; the direction is becoming concrete. Over the next two years, organizations should ensure their web server infrastructure can support post-quantum certificates. The stakes are straightforward: once browsers begin enforcing these standards, sites that can't serve compatible certificates will fail to establish secure connections, effectively losing visitors.

[07:37] Automation Is Non-Negotiable
The transition to Merkle Tree Certificates demands major preparation. CAs must build and audit new trust hierarchies while adapting to a fundamentally different technical approach to validation and signing. For businesses, the message is simple: automation is no longer optional. Google’s proposed MTC root program will only accept ACME-based issuance with short-lived certificates of ten days or less. Organizations without internal automation should partner with a provider that can ensure timely certificate replacement at scale.

Quotes:
“Rather than building the chain to the root, it will check whether it's embedded into a Merkle Tree that is signed by the CA itself. And doing it that way, it strongly reduces not only the size of the CA part and the certificate part on the TLS handshake, but it also improves the performance.”
“It will be in the sense that it will allow people to use quantum resistance certificates in a production ready state because nobody really knows how it was going to work because of the TLS change size that I just explained that would be too big.”
“Google is looking to operate its real MTC based root program, which would be a different root program compared to traditional TLS certificates by 2027. By 2028, we will already be seeing these certificates in production and actually customers being able to configure those types of certificates being searched from that web service.”
“What we will likely see now is that if the standards will evolve, the TLS baseline requirements will be adopted to make sure that this new type of certificate and all the requirements around it will be captured within so that CAs can be audited against it.”

In this special episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson hands the mic to Matthew Dorrington and John Murray as they roam the RSA Conference show floor, capturing insights on email security, certificate lifecycle management, and code signing with security leaders from Red Sift, AppViewX, Thinkst Canary, Pangolin, and SignPath.

What You’ll Learn:
How to transition email security from perimeter defense to an identity-centric strategy
Why certificate lifetime compression demands immediate automation
How post-quantum cryptography readiness begins today
The critical relationship between code signing and supply chain security
Why AI introduces both trust and uncertainty in security operations

YouTube Chapters:
[00:00] Intro
[00:39] Email as a Zero-Trust Channel
[02:48] Automating Thousands of Certificates
[04:02] Getting Started with ACME
[04:41] Shrinking Certificate Lifetimes
[06:31] Preparing Infrastructure for Post-Quantum
[07:14] Code Signing in the Supply Chain Era
[08:21] Michelle’s Closing Thoughts

Episode Resources:
Matthew Dorrington on LinkedIn
John Murray on LinkedIn
Red Sift Website
Thinkst Canary Website
AppViewX Website
ACME Website
Pangolin Website
SignPath Website
Michelle Davidson on LinkedIn
GlobalSign Website

Key Takeaways:

[00:39] Email as a Zero-Trust Channel
Email has fundamentally evolved, and security leaders can no longer treat it as a filtering problem solved at the network edge. It’s now core to identity and zero-trust strategy, backed by modern standards that hyperscalers, regulators, and thousands of organizations have already adopted, bringing visible benefits like verified logos in consumer inboxes. Leaders who haven’t benchmarked themselves against their peers or kept up with current email standards should act now, because most real-world breaches still begin with a phishing email that escalates into lateral movement.

[02:48] Automating Thousands of Certificates
As SSL certificate lifespans shrink, dropping from 200 days in 2026 to just 47 days by 2028, manual management has become untenable. Industry leaders managing thousands of certificates are unanimous: automation via protocols like ACME is the only viable path forward. With renewal frequency set to increase nearly eightfold and machine identities growing exponentially, spreadsheet-based tracking invites the kind of systemic failures that bring entire systems down from a single missed renewal. Businesses should rethink certificate management holistically, adopt ACME-compatible tooling, and begin preparing for post-quantum cryptography now, as quantum-relevant threats to RSA and ECC move from theoretical to imminent.

[07:14] Code Signing in the Supply Chain Era
The code signing industry faces two converging pressures: the probabilistic nature of AI-driven security, which undermines the deterministic guarantees enterprises depend on, and the looming transition to post-quantum cryptography. Equally critical is a mindset shift. Incidents like SolarWinds showed that a compromised signature amplifies rather than contains damage, making it essential to position code signing within a holistic view of the entire software development and delivery pipeline, as one piece of a broader supply chain security strategy.

Quotes:
“Email security's transitioning from this filtering black box set at the edge of the network to something that's quite fundamental to their identity and zero trust plus strategy.”
“Certificate validity is growing shorter year over year, with public CA vendors forced to issue 200-day certificates in 2026, going down to 100 days in 2027, and 47 days in the following year.”
“You want to reimagine the way that you are doing certificate management across your landscape. The number of machine identities using certificates and keys is growing exponentially. With new compliance mandated, you cannot truly grow this manually. The only way to innovate and scale to these newer standards is to basically automate.”
“The biggest challenge to everything right now seems to be AI. It's helping a lot, but it's also worrying people a lot. One of the challenges is to get deterministic security over all the heuristics that AI basically makes us face.”
“Code signing is no longer an isolated thing that everybody is considering in isolation. It's part of a larger supply chain problem and solution.”

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Jeffrey Brown, Chief Security Advisor for Financial Services at Microsoft, to discuss why tailored messaging across organizational levels is critical, how AI can simplify complex security concepts, and the key strategies to build genuine understanding among employees, executives, and boards.

What You’ll Learn:
Why CISOs must speak multiple ‘languages’ across an organization
How to eliminate complexity without sacrificing accuracy
The inventory-first approach to post-quantum readiness
How AI can act as a powerful communication partner
Why relevance drives engagement and security compliance

Jeffrey Brown is a Chief Security Advisor for Financial Services at Microsoft, an author, and an NACD-certified boardroom director, recognized for his expertise in cybersecurity communication, risk management, and organizational security strategy. With a background in application security and project management, Jeffrey brings a unique perspective on translating complex security concepts for diverse stakeholder audiences, from frontline employees to C-suite executives and board members.

YouTube Chapters:
[00:00] Intro
[00:59] The Communication Challenge in Cybersecurity
[03:18] Resource Constraints vs. Resourcefulness in Security Teams
[06:11] How AI Can Help Improve Cybersecurity Communication
[09:14] Preparing for the Quantum Computing Security Era
[11:21] Why Cybersecurity Always Starts with Inventory
[12:23] The Right Way to Educate Employees About Cybersecurity
[14:34] The One Tech Jeffrey Can’t Live Without

Episode Resources:
Jeffrey Brown on LinkedIn
Microsoft Website
The Security Leader’s Communication Playbook
Leading the Digital Workforce Book
Michelle Davidson on LinkedIn
GlobalSign Website

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Sophie Creese, Founder of MotherBoard and Co-founder of HeyFlow, to tackle one of tech’s most urgent and misunderstood challenges: why are 50% of women leaving the industry by age 35?

What You’ll Learn:
Why the 50% attrition rate is a business problem
How to diagnose blind spots in your female talent lifecycle
The critical role the manager's life experience plays in employee support
Why the return-to-work period is a make-or-break moment
How to shift from reactive support to proactive planning

Sophie Creese is the Founder of MotherBoard and Co-founder of HeyFlow, known for her expertise in gender diversity, talent retention, and organizational culture within the tech industry. With a background in scaling technology businesses, she has identified and addressed critical gaps in how organizations support female talent across their lifecycle, particularly during reproductive life moments.

YouTube Chapters:
[00:00] Intro
[00:54] The 50% Drop-Off by Age 35
[02:09] The Hidden Career Lag
[03:34] Culture vs. Policy
[05:36] The £3 Billion Productivity Gap
[08:14] Post-Maternity: The Hardest Time to Advocate for Yourself
[11:00] The Importance of Re-Onboarding
[13:01] The Tech Sophie Can’t Live Without

Episode Resources:
Sophie Creese on LinkedIn
HeyFlow Website
MotherBoard Website
Michelle Davidson on LinkedIn
GlobalSign Website

Key Takeaways:

[00:42] The 50% Drop-Off by Age 35
Nearly 50% of women leave the tech industry by age 35, a trend that reveals a systemic business failure, not a personal choice. Sophie launched MotherBoard in 2020 to spotlight this overlooked crisis and reframe it as a commercial risk impacting innovation, security, and long-term growth. Building on that mission, she later founded HeyFlow, a startup that partners with large organizations to address the structural blind spots in the female talent lifecycle.

[08:21] Post-Maternity: The Hardest Time to Advocate for Yourself
Returning from maternity leave is one of the most underestimated career inflection points, and too often, the burden is placed solely on mothers to figure it out. While women should absolutely pursue opportunities that energize them and ignore external judgment, the real responsibility sits with organizations. It is not enough to ask, ‘What do you need?’ when many returning mothers are still navigating new identities and may not yet know the answer. Employers must proactively design structured support, offer clear options, plan before leave begins, and remove systemic barriers that affect reintegration and growth.

[11:12] The Importance of Re-Onboarding
Too many senior women return from maternity leave to find their confidence shaken, their roles reshaped, and their value quietly questioned. The issue is poor reintegration. In fast-moving organizations, six to twelve months away can mean new leadership, new priorities, and new teams. Expecting women to simply ‘slot back in’ is unrealistic and damaging. They need intentional re-onboarding, clear role planning, visible support, and growth opportunities. Research consistently shows women aren’t leaving because they became mothers; they’re leaving because their organizations failed to support them.

Quotes:
“Businesses need to look at everything from an entire talent life cycle perspective and really understand where these bottlenecks are. If they're wanting to improve the attraction, then there needs to be fundamentals improved within the business.”
“One of my bugbears, I really feel that this responsibility is on the organization, not just on the individuals. So although for moms, I would say go for it. If you've got an opportunity and you feel you're ready to be able to dive back in, dive back in. And don't worry about what other people think.”
“It is the most difficult thing to advocate for yourself post maternity and to state what you need when you don't know yourself at that point what you need. So as an employer, it's your responsibility to be able to offer options.”
“I set up MotherBoard as an answer to a problem that wasn't being discussed, which is why are so many women leaving the tech industry by age 35? Statistically, it's around fifty percent, and that's a global problem.”

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson welcomes back Arvid Vermote, Chief Information Security Officer (CISO) at GlobalSign, to break down what post-quantum computing really means for organizations today.

What You’ll Learn:
How post-quantum cryptography affects TLS in two very different ways
What ‘harvest now, decrypt later’ means and why it creates immediate risk
The critical role of TLS 1.3 in enabling post-quantum readiness
Why certificate agility is becoming essential as certificate lifetimes shrink and cryptographic change accelerates
What challenges post-quantum certificates introduce

Arvid Vermote is the Chief Information Security Officer (CISO) at GlobalSign, where he leads the company’s global security, compliance, governance, and privacy strategy, ensuring that products and operations meet industry and regulatory standards while aligning with business objectives. Before joining GlobalSign, Arvid served as a Senior Manager at EY, where he delivered cybersecurity advisory services across EMEIA, co-led the Belgian Cybersecurity and Privacy practice, and was recognized as a global expert in PKI ecosystems and risk management.

YouTube Chapters:
[00:00] Intro
[00:51] Why Quantum Readiness Starts with TLS 1.3
[06:53] What Organizations Can Do Right Now
[09:38] Shorter Certificate Lifetimes and Crypto Agility
[11:07] The Role of NIST and the CA/Browser Forum
[13:28] Hybrid Certificates as a Bridge Strategy

Episode Resources:
Arvid Vermote on LinkedIn
GlobalSign Website
View and Integrate Website

Key Takeaways:

[00:51] Why Quantum Readiness Starts with TLS 1.3
The most urgent quantum risk today is key exchange. Post-quantum cryptography matters first in the TLS handshake, where “harvest now, decrypt later” attacks put long-lived data at risk, and the only viable path forward is TLS 1.3. Yet roughly 40% of internet traffic still isn’t there, creating a real readiness gap. By contrast, post-quantum certificates and PKI are a longer-term challenge: they require new standards, browser support, HSM certification, and solutions to a major size problem that could strain the internet itself. Enterprises should prioritize migrating to TLS 1.3 now, while the ecosystem works through the heavy lifting needed to make certificates quantum-safe later.

[06:53] What Organizations Can Do Right Now
Preparing for “harvest now, decrypt later” threats starts with getting the fundamentals right today. Organizations should already be running TLS 1.3 across all exposed services, but that alone isn’t enough. True readiness requires cryptographic visibility and agility: a complete cryptographic bill of materials that inventories certificates, TLS versions, algorithms, endpoints, and the underlying software stack. Post-quantum security is a two-part problem. Both the certificate layer and the TLS handshake/key exchange must support post-quantum algorithms.

[09:38] Shorter Certificate Lifetimes and Crypto Agility
Shortening certificate lifespans, CA distrust incidents, and the accelerating threat of post-quantum cryptography all point to the same conclusion: crypto agility is no longer optional. Organizations that failed to automate and modernize certificate management have already paid the price when mass revocations hit, and replacements couldn’t happen fast enough. This moment should give CISOs and CIOs the leverage they need to secure board support, move beyond reactive firefighting, and invest in systems that enable fast certificate rotation, seamless cryptographic change, and long-term resilience.

Quotes:
“I think the certificate agility should have been done a few years ago. I just hope that this combination of recent incidents, the certificate reduction, and the looming threat of the post quantum encryption or the post quantum computers will be enough for CISOs and CIOs to go to the board and finally get that funding to invest into crypto agility.”
“First of all, we need to untangle first or first related to post-quantum cryptography and quantum computing. Everyone seems to toss or coin that term to everything that relates to cryptography. But actually, there are two separate areas of it. And depending on that, the timing is more pressing, and the risks are bigger for enterprises.”
“Before the certificate authorities like GlobalSign can actually issue certificates that are post quantum resistant, there's a lot of work that needs to be done.”

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, hosts Michelle Davidson and Steve Hall reflect on 2025’s biggest cybersecurity shifts and what these changes mean for organizations in 2026. Alexander Byrne, Director of Compliance at Thrive, Olivier Ruff, Cyber Security Lead and CTO at RNTrust Group, and Jane Frankland, CEO of KnewStart, also make a reappearance to discuss their top predictions and insights for 2026.

What You’ll Learn:
Why March 2026 is your critical inflection point
How ‘harvest now, decrypt later’ attacks create urgency around post-quantum cryptography
The competitive imperative of AI adoption in 2026
How third-party risk and availability resilience are emerging as the overlooked pillar of security
The practical cost-benefit framework for security investment

YouTube Chapters:
[00:00] Intro
[01:09] The Countdown is On
[03:17] Why Agility in Certificate Management Starts Now
[07:53] Digital Identity in Focus
[12:25] Predictions for 2026
[17:04] The Cost of Complacency
[19:49] The Trust Equation
[21:52] Favorite Gadgets of 2025
[22:50] 2026 Expert Forecasts
[31:14] Closing Thoughts

Episode Resources:
Michelle Davidson on LinkedIn
Steve Hall on LinkedIn
Jane Frankland’s Website
Alexander Byrne on LinkedIn
Olivier Ruff on LinkedIn
GlobalSign Website

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Alexander Byrne, Director of Compliance at Thrive, to discuss how organizations can leverage compliance as a competitive advantage rather than viewing it simply as a regulatory burden, to enhance their tech stack and accelerate business growth.

What You’ll Learn:
How to distinguish between security and compliance requirements while ensuring both are effectively addressed
Why using industry standards like NIST CSF provides a practical starting point for building compliance frameworks
The strategic approach to evaluating your organization's compliance needs based on business growth and market expansion
How to avoid the common pitfall of over-documenting policies and instead create clear, actionable compliance guidelines
Why compliance programs must be tailored to your specific organization rather than relying on generic templates
The emerging role of compliance in quantum computing readiness and AI regulation

Alexander Byrne is the Director of Compliance at Thrive, where he specializes in transforming complex regulatory requirements into strategic business advantages. With vast experience in compliance and cybersecurity frameworks, Alexander brings valuable insights into how organizations can evolve beyond checkbox compliance to create robust, business-accelerating security programs. His expertise spans multiple jurisdictions and regulatory frameworks, including NIST standards, financial services compliance, and emerging technological challenges like quantum computing and AI regulations.

YouTube Chapters:
[00:00] Intro
[01:17] Why Many Still See Compliance as a Cost Center
[03:57] The Distinction Between Compliance and Cybersecurity Maturity
[06:20] First Steps for Compliance Newbies
[09:04] Quantum and AI
[11:20] Strategic Compliance Starts with a Vision
[13:58] Do More Policies Mean Better Compliance?
[15:34] Favorite Tech Tool

Episode Resources:
Alexander Byrne on LinkedIn
Thrive Website

Key Takeaways:

[03:57] The Distinction Between Compliance and Cybersecurity Maturity
Just because you’re compliant doesn’t mean you’re secure. Alexander breaks it down simply: compliance is about ticking boxes, but true security means deeply understanding those boxes and verifying they’re actually checked. For example, knowing you need encryption is one thing. However, knowing where, how, and why to apply it is where real protection kicks in. Business leaders don’t need to be tech wizards, but they do need to ask the right questions, demand proof, and treat vendor claims with healthy skepticism.

[06:20] First Steps for Compliance Newbies
If you’re new to compliance, don’t get stuck in analysis paralysis. Start with an industry-standard framework, such as the NIST Cybersecurity Framework (CSF). It’s structured, clear, and helps you identify what applies to your business and what doesn’t. You don’t have to do it all at once. Treat it like a menu: pick what’s relevant, assess where you stand, and then prioritize improvements based on your budget and capacity.

[11:20] Strategic Compliance Starts with a Vision
If you want to strengthen your company’s compliance posture, don’t start with the tech. Start with the strategy. Ask leadership about their 3-year vision: are you expanding into new markets, industries, or client types? Knowing where the business is headed helps compliance teams anticipate regulations, like GDPR or CMMC, before they become urgent. Once your basics are covered, invest smartly in tech upgrades.

Quotes:
“I think that compliance really can be a business accelerator, especially in our current landscape where we're in a much more technological and digital world.”
“Compliance and security are not the same thing. You can be compliant without being secure, you could be secure without being compliant with something.”
“For compliance programs to be successful, they need to work for, but also with the business.”
“If you're sitting at the beginning of your compliance journey, either as somebody practicing or at your company, I think the best course of action is to go for an industry standard.”

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Giles Thornton, Head of Information Security at The Premier League, to explore why security teams feel like they’re constantly firefighting and how to break free. Giles shares insights into security perfectionism and compliance overload, and how security leaders can manage the lack of strategic breathing room that is driving burnout across the industry.

What You’ll Learn:
How to balance security perfectionism with practical implementation
Why compliance shouldn't be confused with security, and how to move beyond checkbox exercises to meaningful risk management
The importance of brutal prioritization in security leadership
How to effectively automate security operations while maintaining human oversight and trust
Why building human relationships and trust networks is crucial for modern security programs
The emerging challenges of AI governance and quantum encryption, and how to prepare for future security landscapes

Giles is a seasoned cybersecurity executive with vast experience in strategic security leadership and risk management. With a background in military service and enterprise security, he brings a unique perspective to addressing modern cybersecurity challenges. Currently working in a forward-leaning tech environment, Giles specializes in developing practical security strategies that balance compliance requirements with real-world security effectiveness.

YouTube Chapters:
[00:00] Intro
[00:43] The Culture of “Never Enough Security”
[01:42] Do Breaches Stem from Lack of Strategy?
[03:44] Perfect vs. Good
[08:01] Burnout and Cybersecurity Career Path
[10:01] From Firefighting to Proactive Security
[11:44] Automation and AI: Hype vs. Reality
[12:58] Building Digital Trust
[15:38] The Power of “So What?”
[17:56] The 47-Day TLS Shift
[28:21] Top Concerns: AI and Quantum
[33:20] The Nudge Theory in Cybersecurity Training
[35:36] The Myth of Eliminating Risk
[37:25] Tech Giles Can’t Live Without

Episode Resources:
Giles Thornton on LinkedIn
The Premier League Website

Key Takeaways:

[01:42] Do Breaches Stem from Lack of Strategy?
Most breaches boil down to a lack of strategy and the unavoidable human element. While businesses often stay stuck in tactical firefighting mode just to “keep the lights on,” this short-term mindset leaves them exposed. Taking even a brief tactical pause to align security plans with business goals can prevent countless risks, but it requires courage, discipline, and leadership to prioritize long-term strategy over immediate pressures.

[10:01] From Firefighting to Proactive Security
Moving from constant firefighting to a proactive security strategy starts with brutal prioritization and bringing your whole organization along for the ride. That means being honest about what your team can realistically handle, setting clear expectations with executives, and refusing to juggle every risk at once. Without this discipline, you’ll either burn out or kick today’s problems down the road for “future you” to deal with.

[33:20] The Nudge Theory in Cybersecurity Training
Cybersecurity awareness isn’t built on long, one-size-fits-all compliance training; it’s about short, targeted nudges that fit the person, the role, and the situation. By breaking training down into tiny, specific prompts, teams are more likely to make the right choices, avoid mistakes, and actually enjoy a smoother user experience. The lesson? Keep it brief, relevant, and proactive, because prevention beats “we told you so” every time.

Quotes:
“Security's quite often a game of not being the slowest person in the race. Just start running and doing some security puts you ahead of the vast majority of others.”
“Compliance has its own function and purpose, but thinking that you have effectively applied risk management because you've complied with the tick list is not the same thing.”
“You need to review the risk and take reasonable action. Making people maintain a 100% rate for compliance purposes is a way for burnout.”
“The human relationship aspect of security is quite often overlooked. There's a real requirement in security to be perceived as confident, competent and to put that persona out to the business.”

In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Arvid Vermote, Chief Information Security Officer (CISO) at GlobalSign, to dive into the Certificate Authority/Browser Forum (CA/B Forum), the decision-making body behind the rules that keep the internet's trust backbone secure, and to explain how the decision was made to reduce SSL/TLS certificate validity periods to 47 days by 2029.