In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson welcomes back Arvid Vermote, Chief Information Security Officer (CISO) at GlobalSign, to break down what post-quantum computing really means for organizations today.
What You’ll Learn:
- How post-quantum cryptography affects TLS in two very different ways
- What ‘harvest now, decrypt later’ means and why it creates immediate risk
- The critical role of TLS 1.3 in enabling post-quantum readiness
- Why certificate agility is becoming essential as certificate lifetime shrinks and cryptographic change accelerates
- What challenges post-quantum certificates introduce
Arvid Vermote is the Chief Information Security Officer (CISO) at GlobalSign, where he leads the company’s global security, compliance, governance, and privacy strategy, ensuring that products and operations meet industry and regulatory standards while aligning with business objectives. Before joining GlobalSign, Arvid served as a Senior Manager at EY, where he delivered cybersecurity advisory services across EMEIA, co-led the Belgian Cybersecurity and Privacy practice, and was recognized as a global expert in PKI ecosystems and risk management.
If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts; instructions on how to do this are here.
YouTube Chapters:
- [00:51] Why Quantum Readiness Starts with TLS 1.3
- [06:53] What Organizations Can Do Right Now
- [09:38] Shorter Certificate Lifetimes and Crypto Agility
- [11:07] The Role of NIST and the CA/Browser Forum
- [13:28] Hybrid Certificates as a Bridge Strategy
Episode Resources:
Key Takeaways:
- [00:51] Why Quantum Readiness Starts with TLS 1.3
The most urgent quantum risk today is key exchange. Post-quantum cryptography matters first in the TLS handshake, because of "harvest now, decrypt later": traffic recorded today can be decrypted once a cryptographically relevant quantum computer exists, so any data that must stay confidential for years is already at risk, and the key exchange has to be quantum-safe before that day, not after. The hybrid post-quantum key exchange now being deployed is negotiated in TLS 1.3, so TLS 1.3 is the only viable path forward. Yet roughly 40% of internet traffic still isn't on TLS 1.3, which is a real readiness gap. By contrast, post-quantum certificates and PKI are a longer-term challenge: they require new standards, browser support, HSM certification, and a solution to a major size problem (post-quantum keys and signatures are far larger than today's) that could strain the internet itself. Enterprises should prioritize migrating to TLS 1.3 now, while the ecosystem works through the heavy lifting needed to make certificates quantum-safe later.
- [06:53] What Organizations Can Do Right Now
Preparing for "harvest now, decrypt later" threats starts with getting the fundamentals right today. Organizations should already be running TLS 1.3 across all exposed services, but that alone isn't enough. True readiness requires cryptographic visibility and agility: a complete cryptographic bill of materials (CBOM) that inventories every certificate, the TLS versions and algorithms each endpoint negotiates, the endpoints themselves, and the underlying software stack that implements them, so that a change of algorithm can be scoped and executed rather than discovered incident by incident. Post-quantum security remains a two-part problem: both the TLS handshake/key exchange and, later, the certificate layer must support post-quantum algorithms.
- [09:38] Shorter Certificate Lifetimes and Crypto Agility
Shortening certificate lifespans, CA distrust incidents, and the accelerating threat of post-quantum cryptography all point to the same conclusion: crypto agility is no longer optional. Organizations that failed to automate and modernize certificate management have already paid the price when mass revocations hit, and replacements couldn’t happen fast enough. This moment should give CISOs and CIOs the leverage they need to secure board support, move beyond reactive firefighting, and invest in systems that enable fast certificate rotation, seamless cryptographic change, and long-term resilience.
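As an added example (not from the episode, and not GlobalSign's or the host's code), the script below turns per-endpoint scanner output into the kind of cryptographic inventory the two takeaways above call for, and flags the gaps they discuss: endpoints not on TLS 1.3, endpoints on TLS 1.3 that still negotiate a classical key-exchange group (both "harvest now, decrypt later" exposure), and certificates whose validity period exceeds a rotation policy or that are about to expire. The three scan blocks are constructed to mimic what `openssl s_client` and `openssl x509 -dates` print; the exact `Negotiated TLS1.3 group:` and `Peer signature type:` line formats, the ML-KEM group names, the 47-day policy default and the hostnames are all assumptions for the sake of the example, not values from the page.

```python
"""Added example: build a CBOM-style TLS inventory from scanner output and
flag post-quantum readiness gaps. Not the podcast's or GlobalSign's code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hybrid and pure ML-KEM group names as OpenSSL 3.x reports them on the
# "Negotiated TLS1.3 group:" line (assumption: match your scanner's vocabulary).
PQ_KEX_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
                 "MLKEM512", "MLKEM768", "MLKEM1024"}

# Line formats assumed from `openssl s_client` / `openssl x509 -dates` output.
_FIELDS = {
    "protocol":   re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher":     re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "kex_group":  re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.M),
    "sig_alg":    re.compile(r"^Peer signature type:\s*(\S+)", re.M),
    "not_before": re.compile(r"^notBefore=(.+)$", re.M),
    "not_after":  re.compile(r"^notAfter=(.+)$", re.M),
}


def _grab(rx: re.Pattern, text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1).strip() if m else None


def _parse_date(text: str) -> datetime:
    # openssl prints e.g. "Jan  1 00:00:00 2025 GMT"; strptime tolerates the double space.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


@dataclass
class Endpoint:
    host: str
    protocol: Optional[str]
    cipher: Optional[str]
    kex_group: Optional[str]
    sig_alg: Optional[str]
    not_before: Optional[datetime]
    not_after: Optional[datetime]
    findings: List[str] = field(default_factory=list)


def parse_scan(host: str, text: str) -> Endpoint:
    """Extract the inventory fields from one endpoint's scan text."""
    raw = {name: _grab(rx, text) for name, rx in _FIELDS.items()}
    return Endpoint(
        host=host, protocol=raw["protocol"], cipher=raw["cipher"],
        kex_group=raw["kex_group"], sig_alg=raw["sig_alg"],
        not_before=_parse_date(raw["not_before"]) if raw["not_before"] else None,
        not_after=_parse_date(raw["not_after"]) if raw["not_after"] else None,
    )


def assess(ep: Endpoint, now: datetime, max_validity_days: int = 47,
           expiry_warning_days: int = 14) -> Endpoint:
    """Attach readiness findings. TLS < 1.3 cannot negotiate the hybrid PQ groups
    at all; TLS 1.3 with a classical group still leaves recorded traffic exposed
    to harvest-now-decrypt-later. Long validity periods mean rotation is manual."""
    if ep.protocol != "TLSv1.3":
        ep.findings.append("NOT_TLS13")
    if ep.kex_group not in PQ_KEX_GROUPS:
        ep.findings.append("CLASSICAL_KEX")
    if ep.not_before and ep.not_after:
        if (ep.not_after - ep.not_before).days > max_validity_days:
            ep.findings.append("LONG_LIVED_CERT")
        if (ep.not_after - now).days < expiry_warning_days:
            ep.findings.append("EXPIRES_SOON")
    return ep


def build_cbom(scans: Dict[str, str], now: datetime, max_validity_days: int = 47) -> List[dict]:
    """One inventory row per host, sorted by hostname, with findings attached."""
    rows = []
    for host, text in sorted(scans.items()):
        ep = assess(parse_scan(host, text), now, max_validity_days)
        has_dates = ep.not_before is not None and ep.not_after is not None
        rows.append({
            "host": ep.host, "protocol": ep.protocol, "cipher": ep.cipher,
            "kex_group": ep.kex_group, "sig_alg": ep.sig_alg,
            "validity_days": (ep.not_after - ep.not_before).days if has_dates else None,
            "days_to_expiry": (ep.not_after - now).days if ep.not_after else None,
            "findings": ep.findings,
            "hndl_exposed": "NOT_TLS13" in ep.findings or "CLASSICAL_KEX" in ep.findings,
        })
    return rows


# Constructed scan output for three fictional hosts (not real measurements).
SAMPLE_SCANS = {
    "legacy.example.test": (
        "SSL-Session:\n    Protocol  : TLSv1.2\n"
        "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\nPeer signature type: RSA\n"
        "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Feb  3 00:00:00 2026 GMT\n"),
    "api.example.test": (
        "SSL-Session:\n    Protocol  : TLSv1.3\n    Cipher    : TLS_AES_128_GCM_SHA256\n"
        "Negotiated TLS1.3 group: X25519\nPeer signature type: RSA-PSS\n"
        "notBefore=Oct  1 00:00:00 2025 GMT\nnotAfter=Dec 30 00:00:00 2025 GMT\n"),
    "pq.example.test": (
        "SSL-Session:\n    Protocol  : TLSv1.3\n    Cipher    : TLS_AES_256_GCM_SHA384\n"
        "Negotiated TLS1.3 group: X25519MLKEM768\nPeer signature type: ECDSA\n"
        "notBefore=Nov  1 00:00:00 2025 GMT\nnotAfter=Dec 18 00:00:00 2025 GMT\n"),
}
SAMPLE_NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in build_cbom(SAMPLE_SCANS, SAMPLE_NOW):
        print(row)
```

In a real inventory the scan text would come from running `openssl s_client -connect host:443` and `openssl x509 -dates` against each endpoint (or from whatever scanner you already use) and the rows would be joined to your asset and software inventory; the point of the `findings` column is that an endpoint on TLS 1.3 is not automatically quantum-ready, and a certificate that fits today's lifetime rules is not automatically rotated by anything.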
Quotes:
- “I think the certificate agility should have been done a few years ago. I just hope that this combination of recent incidents, the certificate reduction, and the looming threat of the post quantum encryption or the post quantum computers will be enough for CISOs and CIOs to go to the board and finally get that funding to invest into crypto agility.”
- “First of all, we need to untangle first or first related to post-quantum cryptography and quantum computing. Everyone seems to toss or coin that term to everything that relates to cryptography. But actually, there are two separate areas of it. And depending on that, the timing is more pressing, and the risks are bigger for enterprises.”
- “Before the certificate authorities like GlobalSign can actually issue certificates that are post quantum resistant, there's a lot of work that needs to be done.”