Jason Soroko is the CTO of public key infrastructure at Sectigo, a provider of digital identity solutions such as TLS and SSL certificates.

It is the largest certificate authority – a trusted entity that provides digital certificates which verify the owner of a public cryptographic key – and has more than 700,000 customers worldwide. Founded in 1998 as Comodo CA Limited, the US firm was rebranded to Sectigo in 2018 after it was acquired by Francisco in 2017.

In this Q&A, the 13th in our weekly series, Soroko explains why it’s important to remember that humans are the ones using technology, discusses balancing research with customer meetings, and says why creating trustworthy electronic interactions “has been among society’s most important initiatives for the past three decades”.

Rob Scammell: Tell us a bit about yourself – how did you end up in your current role?

Jason Soroko: I have held the role of CTO of PKI for Sectigo since I joined in November 2017. Before that I was the manager of security technologies at Entrust, where I coordinated the innovation, authentication and IoT.

I have worked in my industry since 1998 and built my skillset for the CTO role through years of customer contact, research and strategy roles.

2) What’s the most important thing happening in your field at the moment?

Enterprises have been transforming to become digital enterprises. The value in a product is now often derived from the data it produces. Companies that used to simply build things now also have to consider how to connect those things to other things, which now involves software and networking. Some 100-year-old companies are having to transform to become software companies, not just for operational efficiency, but for their new business models.

3) Which emerging technology do you think holds the most promise once it matures?

I’m excited about the rapid evolution of enterprise PKI offerings. In the past, enterprise IT architectures were simple, with relatively few servers owned and operated by the IT department and held in company-owned network operating centers. Today’s enterprise uses public and private cloud, DevOps, IoT devices, BYOD, and modern web applications for its mission-critical business processes. This new architectural approach has obliterated the traditional network perimeter, forcing whole new ways of thinking to protect our digital assets.

We now think in terms of the “software-defined” perimeter, a zero-trust environment in which access and permissions are controlled for each user, device, and computing task down to a fine level of granularity. This level of control requires certificate automation, visibility, and management capabilities far beyond what we needed even a few years ago.

The level of innovation occurring in certificate platforms to meet these needs is inspiring. The past two years have shown us more progress in this space than probably the previous ten. I am excited to play my part in defining and bringing to market the next generation of managed PKI solutions to address these emerging needs.

4) How do you separate hype from disruptor?

Technology that does not solve customer problems is usually hype. A successful technology needs to solve important problems. A disruptive technology is one that few people think about, but once it’s released, it has the ability to solve problems in novel ways.

5) What’s the best bit of advice you’ve been given?

Listen to the customer. It’s easy as we investigate the potential for technology solutions to become narrowly focused on the specifics of the software and hardware and what it does. We must never lose sight of the fact that these products exist to make life better for human beings. That’s why we call them solutions. They solve problems.

So it’s essentially important, when defining roadmaps or specifying products or going through quality assurance and go-to-market procedures, to always remember those humans who will be depending on the technology. We must gather feedback from them as much as we can and use that feedback to validate our assumptions and decisions – and to change them when the feedback doesn’t align with the previous plan of action.

6) Where did your interest in tech come from?

I’ve always been curious about what I don’t know. Technology presented itself to me early as an essential tool for discovery and exploration. As I continued to experience technology’s power as an information source, I expanded my own knowledge and skillsets to make the most of that power.

7) What does a typical day look like for you?

In a role and industry like mine it is essential to stay current on the constant set of developments and news events that offer to change the landscape in the years to come. Therefore I must allocate time every day to learning about product advances, security vulnerabilities, technology use cases, and business processes. Some of that involves study. For some I must synthesize the new ideas I’m discovering, and much of the time I am working with my excellent colleagues to understand or implement our responses to these developments.

I fit this research into a schedule mostly taken up by customers and partners. I am actively involved in understanding engagements, customer needs, and how our solutions intersect with them.

8) What do you do to relax?

I am privileged to live in an area of natural beauty, so I try to get out into it as often as I can. I’m also very lucky that my work takes me to many interesting places around the world, so I try to enjoy them as I go there. A couple of times a year I am able to bring family with me, and that has made for some very memorable experiences.

9) Who is your tech hero?

Claude Shannon, the mathematician and cryptographer. His original thinking in information theory led to many fundamentally important ideas in my field. In particular, his breakthrough work ‘The Mathematical Theory of Communication’ is a must-read for anyone interested in communication technology.

10) What’s the biggest technological challenge facing humanity?

In today’s digital world all forms of commerce and communication depend on security. In its absence, electronic transactions and interactions become fundamentally untrustworthy, and they cannot function. This security challenge alone has been among society’s most important initiatives for the past three decades.

Now security has only increased in complexity and importance with the addition of physical and operational systems. What we typically call Internet of Things (IoT) or connected devices have increased the types of potential attack and exponentially grown the available attack surface. And since many of these devices are dependencies for our physical safety and wellbeing (such as those involved in medicine, transportation, and utilities), the stakes are higher than ever.

Lessons learned in enterprise IT regarding authentication, authorisation, and data integrity have to be matched to operational systems knowledge of uptime and reliability. Strong identity-based authentication, coupled with strong data encryption-in-transit and encryption-at-rest technologies, exists even for devices that are severely constrained in their available memory, compute power, or other capabilities. Advanced device technologies such as bootloader and firmware code signing or embedded firewalls are key to how we accomplish strong, ubiquitous identity among our connected devices. And this identity is necessary for the secure deployment and use of these devices across all aspects of our lives.

