Where Does Your Cryptography Live?

Cryptographic Sovereignty vs standardization
Ask your CISO where your cryptography lives, and how much of it they can actually account for. If they cannot answer with confidence and a quantified scope, you have a problem that predates quantum computers. According to the 2024 Entrust/Ponemon PKI and Post-Quantum Trends Study, 43% of organisations cite an inability to inventory their cryptographic assets as their top concern for post-quantum readiness. This visibility gap is not a future concern. It is an operational blind spot causing outages, compliance failures, and security incidents today.

The timing makes this particularly urgent. PCI DSS 4.0 reached its March 2025 deadline requiring documented cryptographic inventory reviews. DORA became enforceable across EU financial entities in January 2025. NIST has announced plans to deprecate traditional public-key cryptography by 2030. Yet most organisations still cannot answer a fundamental question: where does our encryption actually operate?

The Cryptographic Visibility Crisis by the Numbers

The scale of the visibility problem is striking. The same Entrust/Ponemon study found that only 45% of organisations report having full visibility into their cryptographic estate. Keyfactor's research reveals an even starker picture: 62% of organisations do not know how many keys and certificates they manage. This percentage has actually increased from 53% in 2021, meaning the problem is getting worse despite growing PKI investments.

Several factors drive this widening gap. Certificate deployment has surged dramatically, with 91% of organisations now deploying more certificates than ever before. The average enterprise manages over 81,000 internally trusted certificates across nine different PKI and CA solutions. Yet 38% still rely on spreadsheets and manual tracking methods. The DigiCert/Ponemon financial services study from January 2025 confirms these patterns: 51% of financial institutions are not taking inventory to identify every certificate.

Shadow Crypto: The Hidden Dependencies You Cannot See

The rise of cloud-native architectures, microservices, and IoT has created what security practitioners call "shadow crypto." These are cryptographic assets deployed outside central security visibility. Machine identities now outnumber human identities by staggering ratios. CyberArk reports that large organisations have 40 machine identities for every human identity, with forecasts showing a 2.4x rise over the next 12 months.

Consider where cryptography hides in a typical enterprise:
Red Hat's State of Kubernetes Security 2024 report found that nearly 9 in 10 organisations experienced Kubernetes security incidents in the past 12 months. Venafi's research shows 86% of cloud-native teams experienced at least one security incident affecting their business. The common thread is visibility: organisations cannot protect cryptographic assets they do not know exist.

The Operational Cost of Flying Blind

Poor cryptographic visibility translates directly into operational disruption. Keyfactor's September 2025 research reveals that 86% of companies suffered at least one outage due to expired or mismanaged certificates in the past year. More alarming, 10% experience weekly outages. Organisations reporting monthly certificate outages jumped from 26% in 2022 to 67% in 2025.

The financial toll is substantial. The DigiCert Trust Pulse Survey from 2025 found that one-third of enterprises lost between $50,000 and $250,000 per certificate incident, while 18.5% reported losses exceeding $250,000. Beyond direct costs, each incident requires an average of 8 staff members and over 5 hours to resolve. High-profile 2024 incidents illustrated the stakes: the Bank of England's CHAPS payment system, processing £360 billion daily, suffered two major outages in July 2024 due to expired SSL/TLS certificates.

Why Discovery Must Precede Remediation

The logic is straightforward: you cannot fix what you cannot find. Yet organisations consistently attempt PQC migration planning without first establishing comprehensive cryptographic inventory. The DigiCert/Ponemon Post-Quantum study found only 52% are taking inventory of cryptographic keys and their characteristics, only 39% are prioritising cryptographic assets, and only 36% have determined whether their cryptographic assets reside on-premises or in the cloud.

Industry analysts have reached consensus on this sequencing. Gartner's Hype Cycle reports recommend building a cryptographic inventory now to help scope migration projects and identify critical systems. NIST's National Cybersecurity Center of Excellence has established a dedicated Cryptographic Discovery workstream. CISA's strategy documents emphasise automated cryptography discovery and inventory tools as essential for assessing PQC transition progress.

The emergence of Cryptographic Bills of Materials (CBOM) as a standardised format, now integrated into OWASP CycloneDX v1.6, provides a structured approach to this challenge. A CBOM catalogues every cryptographic algorithm, key, certificate, and protocol across your environment. It transforms the question "where does our cryptography live?" from an unsolvable mystery into a documented, auditable answer.
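As an added illustration, not ExeQuantum's tooling or code from this article, the Go program below performs the discovery step described above in miniature. It walks a PEM bundle, records each certificate's key algorithm, key size, signature algorithm and expiry, flags the two conditions the article highlights (certificates inside a 30-day renewal window, which is the outage case from the earlier section, and RSA/ECC keys that a PQC migration must replace), and wraps the result in a CBOM-style JSON envelope. The field layout is modelled loosely on the CycloneDX 1.6 cryptographic-asset component and is not validated against that schema; the certificates and hostnames are constructed in-program and do not refer to real systems.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Asset is one CBOM-style record per discovered certificate. Field names are
// modelled loosely on CycloneDX 1.6 cryptoProperties (assumption, not validated).
type Asset struct {
	Name              string `json:"name"`
	KeyAlgorithm      string `json:"keyAlgorithm"`
	KeySize           int    `json:"keySize"`
	SignatureAlg      string `json:"signatureAlgorithm"`
	NotValidAfter     string `json:"notValidAfter"`
	DaysRemaining     int    `json:"daysRemaining"`
	RenewWithin30Days bool   `json:"renewWithin30Days"`
	QuantumVulnerable bool   `json:"quantumVulnerable"` // RSA and ECC are Shor-vulnerable
}

// InventoryPEM walks every CERTIFICATE block in a PEM bundle and returns one
// Asset per certificate; key and CSR blocks are skipped, not an error.
func InventoryPEM(bundle []byte, now time.Time) ([]Asset, error) {
	var assets []Asset
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		assets = append(assets, describe(cert, now))
	}
	return assets, nil
}

// describe extracts the inventory attributes a CBOM needs from one certificate.
func describe(cert *x509.Certificate, now time.Time) Asset {
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	a := Asset{
		Name:              cert.Subject.String(),
		SignatureAlg:      cert.SignatureAlgorithm.String(),
		NotValidAfter:     cert.NotAfter.UTC().Format(time.RFC3339),
		DaysRemaining:     days,
		RenewWithin30Days: days <= 30,
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		a.KeyAlgorithm, a.KeySize, a.QuantumVulnerable = "RSA", k.N.BitLen(), true
	case *ecdsa.PublicKey:
		a.KeyAlgorithm, a.KeySize, a.QuantumVulnerable = "ECDSA-"+k.Curve.Params().Name, k.Curve.Params().BitSize, true
	default:
		a.KeyAlgorithm = fmt.Sprintf("%T", k) // unknown key type still gets recorded
	}
	return a
}

// CBOMJSON wraps the assets in a minimal CycloneDX-like envelope (assumed layout).
func CBOMJSON(assets []Asset) ([]byte, error) {
	return json.MarshalIndent(map[string]any{
		"bomFormat": "CycloneDX", "specVersion": "1.6", "components": assets,
	}, "", "  ")
}

// selfSigned mints a constructed self-signed certificate for the demo only.
func selfSigned(cn string, priv, pub any, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle builds constructed test data: an RSA-2048 certificate with 10 days
// left (an outage in waiting) and a P-256 certificate with 400 days left.
// Hostnames are placeholders. Pass a second-truncated time for exact day counts.
func SampleBundle(now time.Time) []byte {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := selfSigned("legacy-payments.example.internal", rsaKey, &rsaKey.PublicKey, now.Add(10*24*time.Hour))
	return append(bundle, selfSigned("api-gateway.example.internal", ecKey, &ecKey.PublicKey, now.Add(400*24*time.Hour))...)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	assets, err := InventoryPEM(SampleBundle(now), now)
	if err != nil {
		panic(err)
	}
	out, _ := CBOMJSON(assets)
	fmt.Println(string(out))
}
```

In a real estate the bundle would come from a scanner walking hosts, containers and secret stores rather than from `SampleBundle`; the point of the record layout is that the same row answers both the compliance question (what expires when, who signs it) and the PQC question (which keys are RSA/ECC and therefore on the migration list).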

Building Quantum-Resistant Security with ExeQuantum

Understanding your cryptographic exposure is only valuable if you can act on it. ExeQuantum's PQCaaS platform helps organisations discover, remediate, and govern their cryptography, transforming a hidden technical dependency into a measurable, auditable capability.

Our Transparent approach provides complete visibility into your cryptographic inventory across cloud, on-premises, and hybrid environments. The STAC framework (Sovereign, Transparent, Agile, Compliant) ensures you maintain control over cryptographic decisions while meeting regulatory requirements from PCI DSS 4.0 to CNSA 2.0. Whether you are a financial institution preparing for DORA compliance or critical infrastructure operator planning PQC migration, ExeQuantum supports your journey to quantum-safe security that is controllable, provable, and sovereign by design.

The Path Forward Starts with Visibility

The convergence of regulatory mandates, quantum threats, and operational realities has elevated cryptographic visibility from security hygiene to strategic imperative. Organisations that attempt compliance initiatives or PQC migration without first establishing comprehensive visibility will face the same challenges that have made certificate outages endemic: unknown assets, fragmented ownership, and reactive firefighting instead of proactive management. The question "where does your cryptography live?" is no longer optional. It is the prerequisite that enables everything else.

Ready to answer the question?

Download the Executive's Guide to PQC Migration