Why cybersecurity teams are central to organizational trust

How can your organization's security team help foster trust among customers and shareholders? A new book explores the complex imperative of trust-building
2 readers like this.

In their new book, The Four Factors of Trust, Deloitte LLP principals Ashley Reichheld and Amelia Dunlop adopt Harvard professor Sandra Sucher’s definition of trust as our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well toward us.

They go on to enumerate four factors underlying trust: demonstrating intent through being transparent and human and demonstrating competence by being capable and reliable.

Cybersecurity is a central aspect of trust. The authors argue that “Cybersecurity teams play a critical role in fostering trust across a spectrum of stakeholder groups. Customers and workers expect their information to be secure and their privacy to be respected. Business partners and investors demand high levels of security.”

This is a significant reason security is such a hot topic, not just within IT departments but in the boardroom. It was the top IT funding priority in Red Hat’s 2023 Global Tech Outlook report and was the hot topic at a wide range of IT events last autumn.

3 key roles for building trust

The authors highlight a three-pronged challenge that security teams face when building trust.

Customers

The first relates to customers and, specifically, the data associated with them.

Customers can be divided regarding how they feel about data being used to customize experiences and possibly provide helpful information. For example, the authors found that 68 percent of respondents in a survey found it helpful when a brand they regularly shopped with provided them with alerts when an item went on sale. But 11 percent found the same thing creepy. And more than half thought it was creepy if they thought it was because a voice assistant was listening.

[ Also read 7 security articles every CIO should read in 2023. ]

The authors argue that “organizations should also make informed choices about what data to gather and what not to. Cyber teams play a critical role in guiding colleagues in marketing and experience about the risks associated with data collection, and which data itself may present the greatest risk relative to the value of the data.”

Workforce

An organization’s workforce also plays into the trust customers place in it.

Insider threats to data held by a company are probably the most prominent risk. Indeed, the authors note that “In a recent WSJ [Wall Street Journal] study, 67 percent of cybersecurity professionals surveyed said they were concerned about malicious employees.”

However, it may not be malice but a simple mistake. The authors write that “most breaches are due to human error, not malicious intent. Researchers from Stanford University and Tessian, a cybersecurity firm, found that approximately 88 percent of all data breaches are caused by an employee mistake.” As with many aspects of IT operations, if the system allows simple misconfiguration or other errors to cause a serious failure, it usually makes sense to examine the process before blaming the employee.

Partners

Finally, no business is an island; it depends on many partners (whether formal business partners or some other relationship) – a fact highlighted by the widespread supply chain challenges across many industries over the past couple of years.

The security of software supply chains – which is to say, dependencies on upstream libraries and other code used by organizations in their software – is a topic of considerable focus today up to and including from the U.S. executive branch. It’s still arguably not getting the attention it deserves, though. The aforementioned 2023 Global Tech Outlook report found that, among the funding priorities within security, third-party or supply chain risk management came in at the very bottom, with just 12 percent of survey respondents saying it was a top priority.

"Organizations are accountable for safeguarding information and share a responsibility to respond and manage broader network threats in near real-time."

Deb Golden, who leads Deloitte’s U.S. Cyber and Strategic Risk practice, told the authors that there needs to be more scrutiny over supply chains. “Organizations are accountable for safeguarding information and share a responsibility to respond and manage broader network threats in near real-time,” she said. “This presents a daunting challenge and severe risk for organizations. However, for those organizations that do this well, there is also an incredible opportunity to build and bolster trust.”

4 key principles for building trust

The authors also outline four basic principles for building trust through cyber.

Prevention

The first is to consider prevention aspirational – but not always realistic. They quote Mike Hughes, the Chief Information and Security Officer (CISO) at outdoor retailer REI, as promoting a belt-and-suspenders approach. He said that increasingly “organizations are adding ‘detect and defend’ to the mantra of ‘prevent and protect.’ The two strategies work in concert. No prevention program will be perfect, which is why organizations will always need a detect and defend program as well.”

Enablement

A second principle places IT security in a role about enabling rather than the blocker it’s often seemed to development teams and others in the past. The authors argue “a partnership between marketing (which generally determines what data to collect) and cyber (which guarantees privacy, security, and compliance) is required to deliver a safe, seamless experience to customers and other stakeholders. CISOs enable data owners (CMO/CXO and others) to achieve their strategy safely and comply with regulations by providing expertise early in their processes.”

Data collection

The third comes back to data collection: What are you collecting, what are you doing with it, and do I have a choice about whether it’s collected?

This is a tricky area. The authors acknowledge that informing users “does not mean a ten-page legal document designed to protect an organization’s interests.” It’s also the case that defaults are extremely powerful. As a result, “Organizations should recognize this pattern and carefully consider strategies, such as opt-in and opt-out.”

Human error

Finally, to reiterate, people make mistakes. So you have to plan for human error. The authors write that human error comes with cyber territory. “While technology can do a lot to help reduce cyber risk, addressing fundamentally human factors is both important and very challenging. Organizations can earn trust and promote desired behavior from workers by establishing ‘best intent’ defaults that enable them to do their work with a minimal chance to expose data in the wrong places,” they add.

Ultimately, building trust is an economic imperative for organizations. Cybersecurity – including safeguarding data – is far from the only factor that plays into the degree to which your customers trust you. However, between increasingly sophisticated attacks, regulatory scrutiny, and greater customer awareness, data breaches and other aspects of cybersecurity have emerged as table stakes for a trusted brand.

[ New research from Harvard Business Review Analytic Services identifies four focus areas for CIOs as they seek more flexibility, resilience, and momentum for digital transformation. Download the report now. ]

Gordon Haff is Technology Evangelist at Red Hat where he works on product strategy, writes about trends and technologies, and is a frequent speaker at customer and industry events on topics including DevOps, IoT, cloud computing, containers, and next-generation application architectures.