Asking cybersecurity leaders to open up about trust is an intriguing concept. Even in as decidedly offline an environment as a discussion around a dining table, simply by turning up everyone was tacitly accepting that they could trust their fellow attendees. Throw into the mix that it’s a RANT roundtable, held under the Chatham House Rule, but with a journalist there to write about it, and clearly the whole premise was going to be under fire from the moment everyone took their seat. Yet an atmosphere of professional curiosity, mutual responsibility and robust inquiry helped ensure a fascinating, and remarkably open, conversation flowed freely.
“Trusted organisations really have an advantage, and that’s how a lot of CEOs and organisations are being measured,” Mike Chessa, senior global director at OneTrust, the event’s sponsors, began. Building that trust is one challenge; measuring it is another, and how to measure it, who gets to do the measuring, and against what yardsticks, quickly emerged as the key questions.
“We’ve heard introductions from everybody; we’ve received invitations to come in this evening. But what’s verifiable about the trustworthiness of this room?” one of the CISOs, CTOs and senior security specialists seated at the table asked. “Forget digital trust: what’s the essence of trust, and how would we actually establish it physically?”
“Your trust environment is dependent on what your customer environment is, who you’re working with, who you connect to,” another senior security leader pointed out. “If you’ve got a global organisation and you are dealing with money, your risk and your threat profile is higher because people internally want to nick your cash and people externally want to nick your cash. Working in government, your crown jewels are information, so [the threat is] not normally internally, it’s normally externally.”
This, they argued, raises a conundrum that looks very much like a contradiction. Trust matters more than ever, and the consequences of a trusted relationship breaking down are increasingly severe; yet the processes by which that trust is assessed and established have tended to decay into compliance-driven, box-ticking exercises. This is particularly the case with third-party suppliers, where compliance often amounts to the supplier self-attesting to its own trustworthiness, with little prospect of any independent check or audit. A more effective and useful set of measurements would appear to be vital: but what shape might that take, and how would anyone begin to quantify trust in a way that could actually be verified?
“I think that’s where the complexity is,” another specialist suggested. “We talk about, ‘Oh, digital trust – let’s start measuring it.’ We’re trying to convert some subjective impressions and expectations with some quantitative measures. I think it’s an absolutely massive problem.”
And it’s a problem that, as Craig Rice, the CEO of the Cyber Defence Alliance, who co-hosted the event at the invitation of OneTrust and RANT, explained, involves trying to measure things that cannot easily be measured. A possible solution, he said, involves “a series of overlapping trusts”, each of which will be flawed, but flawed in different ways, so that when they are layered together, getting past all of them becomes, if not impossible, then at least prohibitively difficult.
“But some of those trust indicators are not in the digital domain,” he said. “They’re about people, they’re about reliability, they’re about suitably qualified and experienced personnel. Have I done this before? Am I competent, or am I just bluffing it?”
OneTrust’s Chessa sees these issues as central.
“Something I’m very passionate about, and that I’ve been trying to solve with a couple of different tech companies, is this whole concept of helping GRC [governance, risk and compliance] practitioners, or the whole organisation, go execute on something that they don’t necessarily know how to do,” he said. “The typical things I see get in the way of other organisations [are] people and processes: people working in silos, and then not having the expertise and the capability to execute their vision.”
These are questions for the business to examine internally, and with regard to its suppliers and subcontractors; but there are also issues of trust in the relationship with customers and users. These go beyond verifying a customer’s identity before granting them access to systems, to building and maintaining the business’s own trustworthiness in the marketplace. That is perhaps even harder to quantify or measure, but may be even more critical.
“Everyone’s looking at this from a B2B [business-to-business] and employee trust [perspective],” another attendee said. “For us, if we lose a certain percentage of our customer base, we go out of business. So how do we build customer trust? It’s about being proactive with communication [and] it’s not just a one-time thing. It’s continuous, iterative messaging.”
What this may ultimately mean, Rice said, is IT and security specialists either interacting with psychologists and PR professionals, or acquiring enough competence in those disciplines to be able to incorporate elements of them into their work. No small ask.
While individuals within particular businesses or entities may feel they could do with additional tools or competencies, there was a widespread consensus around the table that enhancing trust mechanisms is more a matter of an organisation’s collective mindset and approach than of technical capability. From data maps that establish where the key data actually reside, so that they can be properly defended, to building resilience on the acceptance that systems will at some point be breached, the issues are less digital and more organic and cognitive. And they begin at the centre, spreading out through the organisation and on to customers, rather than starting at the edges and moving in.
“For me, it all comes back to people,” one senior security leader summed up. “I have a team, and my goal is to build a trust relationship with them so that they feel empowered to make the right calls, to do the right work, to deliver the quality within the organisation that’s going to bring in what we need. I trust them to go out and talk to the stakeholders, to bring them the information, under my diligent watchful eye.”