Welcome to the CyberTechnology Top Voice Interview Series!

In our latest CyberTech Top Voice series episode #17, we look at Sectigo’s recent updates, including the launch of Sectigo PQC Labs and shorter public SSL/TLS certificate lifecycles. With compliance and digital security playing a crucial role in protecting organizations from emerging threats, Sectigo’s Certificate Lifecycle Management (CLM) solution stands out as a cyber tech game-changer. We sat down with Tim Callan, Chief Compliance Officer at Sectigo, to gather his views on the shifting dynamics of compliance, certificate lifecycle management, and post-quantum cryptography. In this discussion, he explores the growing convergence of the CCO and CISO roles, the impact of shorter SSL/TLS certificate lifespans, and how businesses can prepare for the next era of cryptographic security.

With Sectigo’s recent acquisition of Entrust’s public certificate business, Tim also highlights how the company is strengthening its leadership in digital trust. Stay ahead of cybersecurity trends with expert insights on automation, compliance, and quantum readiness. Here’s more from episode #17 of the CyberTech Top Voice interview series with Tim Callan.

Hi Tim, welcome to the CyberTech Top Voice interview series. Let’s start with our most popular segment: “If the Chief Compliance Officer role was a novel, TV, or movie character, which one would you pick and why?”

James Tiberius Kirk – most of my life I really wanted to be Captain Kirk. However, there’s more to it than that. Captain Kirk is not only the operational leader of the Enterprise, but he is also ultimately responsible for upholding the principles of Starfleet, including the Prime Directive. Doing so requires a close understanding of these principles and how to execute them, along with a rigorous commitment to doing things right.

What is the difference between a CCO and a CISO? How have these roles evolved, and converged in recent years?

There are some major differences between those two roles, in particular here at Sectigo. Our CISO is responsible for protecting our organization’s information systems and data from cyber threats, while my role as Chief Compliance Officer revolves around ensuring that we, as a trusted Certificate Authority (CA), adhere to compliance rules and guidelines set forth by outside industry standards bodies like the CA/Browser Forum and ETSI.

However, in a broader sense, the roles have increasingly converged due to the growing intersection of cyber risk and regulatory compliance. The collaboration greatly enhances an organization’s ability to manage cyber threats and compliance requirements more effectively, ensuring a cohesive approach to risk management. It also ultimately allows for quicker responses to emerging threats and mitigates any type of business disruption.


Sectigo recently announced the acquisition of the Entrust public certificate business. Can you expand on that some more?

It’s really a transformative milestone, not only for our business but in a way for the industry. Besides being able to offer our certificate lifecycle management solutions to a broader customer base, we are also reinforcing our leadership in delivering trusted digital security solutions that address the industry’s evolving needs, such as shorter certificate lifespans and post-quantum cryptography readiness. The acquisition ultimately strengthens our vision of being the trusted partner for protecting digital infrastructures worldwide.

Currently, the lifespan of certificates is approximately 400 days. But now, companies like Google and Apple are advocating for much shorter terms, with Apple proposing to reduce lifespans to just 47 days over the next three years. How would Apple’s proposed shift to 47-day SSL certificate validity periods impact organizations?

Reducing the duration of certificate lifespans offers several key advantages to the WebPKI, such as enhanced security, improved cryptographic agility, and a tighter connection between certificate ownership and domain control.

In fact, we just endorsed Apple’s official ballot submission to the CA/Browser Forum on this topic. If accepted, this change will also increase the operational burden on organizations, requiring them to renew certificates approximately every six weeks.

To manage this increased workload, companies will need to invest in robust automation tools and Certificate Lifecycle Management (CLM) solutions.

Ultimately, the shift underscores the importance of adopting efficient, automated processes to maintain compliance and security standards. It’s this push for automation that is really going to help organizations with their eventual transitions to become quantum-ready.

What are the potential benefits and challenges associated with the push towards shorter validity periods for SSL/TLS certificates, and how can organizations adapt to this shift?

Shorter SSL/TLS certificate validity periods offer several benefits, including enhanced security by reducing risks like private key compromise and misissuance, and promoting cryptographic agility. They also encourage automation, streamline renewal processes, and align certificate ownership with domain control. However, the increased renewal frequency poses challenges, such as higher administrative overhead and the risk of human error.

Organizations can adapt by investing in robust automation tools and CLM solutions to manage the increased workload and ensure seamless certificate management. This proactive approach will help organizations maintain compliance and security standards while minimizing disruptions. Embracing shorter lifespans is essential for staying ahead of evolving cybersecurity threats and future-proofing systems for the quantum era.
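As an added illustration of the operational arithmetic behind the 47-day proposal (example code written for this page, not Sectigo’s code or any CLM product’s), the script below evaluates a constructed certificate inventory against the current 398-day CA/Browser Forum maximum and the proposed 47-day maximum, and reports which certificates an ACME-style automated client should already be renewing. The hostnames, validity windows, evaluation time, and the renew-when-one-third-of-lifetime-remains rule are assumptions made for the example.

```python
"""Renewal-window planner for a TLS certificate inventory.

Added example for this page; it is not Sectigo's code or any CLM product's.
It shows the operational arithmetic behind shorter certificate lifetimes:
how each certificate's validity window compares with a policy maximum and
when an ACME-style automated client should be renewing it.
"""
from datetime import datetime, timezone

# Policy maxima in days. 398 is the current CA/Browser Forum maximum for
# publicly trusted TLS certificates; 47 is the figure in Apple's proposal.
MAX_LIFETIME_CURRENT = 398
MAX_LIFETIME_PROPOSED = 47

# Assumption: renew once one third of the lifetime remains (a common ACME
# client convention for short-lived certificates).
RENEW_AT_REMAINING_FRACTION = 1 / 3


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed inventory: hostname -> (notBefore, notAfter). Not real certificates.
INVENTORY = {
    "www.example.com": (_utc(2025, 1, 1), _utc(2025, 2, 17)),       # 47-day cert
    "api.example.com": (_utc(2024, 6, 1), _utc(2025, 7, 4)),        # 398-day cert
    "legacy.example.com": (_utc(2023, 12, 1), _utc(2025, 1, 31)),   # already expired
}

# Assumed evaluation time for the constructed inventory.
NOW = _utc(2025, 2, 5, 12, 0)


def evaluate(not_before, not_after, now, max_lifetime_days):
    """Compare one certificate's validity window against a lifetime policy.

    Returns the lifetime in days, whether it fits the policy maximum, the
    point at which an automated client should start renewing, the action
    required right now, and how many renewals per year this lifetime implies.
    """
    lifetime = not_after - not_before
    lifetime_days = lifetime.total_seconds() / 86400
    renew_at = not_after - lifetime * RENEW_AT_REMAINING_FRACTION
    if now >= not_after:
        action = "expired"
    elif now >= renew_at:
        action = "renew_now"
    else:
        action = "ok"
    # Each renewal happens after (1 - fraction) of the lifetime has elapsed.
    renewal_period_days = lifetime_days * (1 - RENEW_AT_REMAINING_FRACTION)
    return {
        "lifetime_days": round(lifetime_days, 1),
        "within_policy": lifetime_days <= max_lifetime_days,
        "renew_at": renew_at,
        "action": action,
        "renewals_per_year": round(365 / renewal_period_days, 1),
    }


def plan(inventory, now, max_lifetime_days):
    """Evaluate every certificate and return {hostname: result}."""
    return {
        host: evaluate(nb, na, now, max_lifetime_days)
        for host, (nb, na) in inventory.items()
    }


def needs_action(inventory, now, max_lifetime_days):
    """Hostnames that are expired, due for renewal, or outside the policy maximum."""
    return sorted(
        host for host, r in plan(inventory, now, max_lifetime_days).items()
        if r["action"] != "ok" or not r["within_policy"]
    )


if __name__ == "__main__":
    for policy in (MAX_LIFETIME_CURRENT, MAX_LIFETIME_PROPOSED):
        print(f"policy: max {policy} days")
        for host, r in plan(INVENTORY, NOW, policy).items():
            print(f"  {host:20s} lifetime={r['lifetime_days']:6.1f}d "
                  f"policy_ok={r['within_policy']!s:5s} action={r['action']:9s} "
                  f"renew_at={r['renew_at']:%Y-%m-%d} renewals/yr={r['renewals_per_year']}")
```

The renewals-per-year figure is the practical point: at 398 days a single manual renewal a year is survivable, while a 47-day certificate renewed at two thirds of its lifetime needs roughly a dozen renewals per host per year, which is why the interview ties the proposal to automation and CLM tooling.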

Does this shift to shorter certificate lifespans in any way help organizations prepare for the next era of post-quantum cryptography (PQC)?

Definitely.

This is why the term cryptographic agility becomes important. Crypto agility is crucial in today’s fast-evolving digital environment, where new technologies, algorithms, and security challenges require constant adaptation. This need for agility will become even more critical as we approach the PQC era, with the potential for rapid algorithm deprecation. IT professionals can no longer rely on the same cryptographic strategies. Shorter certificate lifespans promote cryptographic agility by speeding up the adoption of stronger algorithms and ensuring compliance with evolving security standards.

For example, the deprecation of SHA-1 was delayed significantly when certificate lifespans were as long as three years. In the uncertain post-quantum era, shorter certificates can help mitigate delays in adopting advanced solutions.

Longer certificate lifespans, on the other hand, tend to encourage complacency. Many businesses and enterprises may not proactively adopt improved cryptographic standards or security practices until forced by certificate expirations to seek stronger certificates through renewal.


What is your top prediction for the cybersecurity market in 2025?

In 2025, we can expect a wave of official statements from the most forward-thinking vendors regarding their PQC capabilities. These announcements will not signify the immediate availability of PQC solutions but rather a pledge to transition towards PQC standards by 2026.

With organizations like NIST finalizing PQC deadlines, vendors will need to show their preparedness to implement these standards and help customers transition smoothly. These announcements will serve several strategic purposes, highlighting vendors’ market leadership and differentiation and reinforcing their proactive stance on cybersecurity. By doing so, they are aiming to build customer confidence and ensure compliance with upcoming regulations.

Tag a leader in the cybersecurity industry or an influencer you would like to invite to a CyberTech Top Voice interview roundtable discussion.

Bruno Couillard, CEO and co-founder at Crypto4A, maker of the industry’s first quantum-safe Hardware Security Modules.

LinkedIn: https://www.linkedin.com/in/brunocouillard/

Thank you, Tim, for speaking to us. We look forward to having you again at CyberTech Insights.

To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com

Tim Callan, Chief Compliance Officer at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM)

About Sectigo

Sectigo is the most innovative provider of certificate lifecycle management (CLM), delivering comprehensive solutions that secure human and machine identities for the world’s largest brands. Sectigo’s automated, cloud-native CLM platform issues and manages digital certificates across all certificate authorities (CAs) to simplify and improve security protocols within the enterprise. Sectigo is one of the largest, longest-standing, and most reputable CAs, with more than 700,000 customers and two decades of delivering unparalleled digital trust.