Footprints on a sandy surface

A growing number of tools can now tell you where cryptography exists in your environment — which endpoints have which certificates, which libraries are in use, which algorithms show up where. That is genuinely useful. It is also, on its own, not enough.

Discovery answers “what exists.” It does not answer “what matters,” “what’s urgent,” or “what do we actually do next.” Those questions require a different kind of work — and skipping them is where most cryptographic risk programmes stall.

The gap discovery leaves behind

Imagine a scan returns several thousand findings: certificates nearing expiry, deprecated TLS versions, RSA keys below recommended lengths, algorithms flagged as quantum-vulnerable. Every one of those findings is technically accurate. None of them tells a security team where to start.

Security teams are then left to interpret thousands of findings, assess business impact, and develop migration strategies on their own — usually in a spreadsheet, usually without a clear way to connect a given certificate or algorithm to the business service it actually protects. Discovery produced data. It didn’t produce a decision.

What has to happen after discovery

Enterprise Cryptographic Exposure Management treats discovery as step one of a longer lifecycle, not the destination:

  • Inventory — turning raw findings into a living Enterprise CBOM (Cryptography Bill of Materials), not a point-in-time report that goes stale the day it’s generated.
  • Assess — evaluating cryptographic exposure using business context and recognised industry guidance, including NIST and CNSA 2.0, so a finding is understood in terms of the risk it actually represents.
  • Prioritise — focusing remediation where it delivers the greatest reduction in cryptographic exposure, rather than working through findings in the order a scanner happened to list them.
  • Transition — turning prioritisation into a practical, phased migration roadmap toward post-quantum cryptography.
  • Monitor — continuously tracking cryptographic posture, since exposure changes every time infrastructure changes.

Why “just add discovery” doesn’t solve the problem

It’s tempting to treat cryptographic discovery as a checkbox: run a scan, get a report, move on. But a report is not a programme. Without assessment, every finding looks equally urgent — which in practice means nothing gets prioritised. Without a link back to business impact, a critical certificate protecting a revenue-generating service and a low-risk internal test certificate can end up looking identical on a findings list.

This is precisely the same lesson Vulnerability Management learned a decade ago: a scanner that produces ten thousand undifferentiated findings a month doesn’t reduce risk, it just relocates the problem into someone’s inbox. The discipline that actually reduces risk is the one that connects discovery to business context, prioritisation, and a realistic remediation plan.

What this means in practice

If your organisation already has visibility into where cryptography exists, that is real progress — and it’s the right place to have started. The next question is whether that visibility is connected to anything: a prioritisation model, a migration roadmap, an owner, a deadline. If it isn’t, discovery is where the value currently stops, not where it should.

The next post in this series is aimed squarely at security leadership: five questions every CISO should be asking about quantum readiness right now, regardless of where their organisation is on this curve.

Scroll to Top