The CISO’s newest responsibility: Building trust

Trust is becoming a differentiator in the marketplace, and CISOs who seek a more strategic role in their organizations must engage the full range of stakeholders to build confidence that the organization has their best interests in mind.


Kirsten Davies had a tough task: get her company’s European workers to adopt new security protocols that they feared could be used to spy on them.

Davies, who at the time was the deputy CISO of HPE, needed to get the company’s employees onboard with various new tools and policies just as the European Union was gearing up to enact the General Data Protection Regulation (GDPR), its sweeping set of privacy rules. But workers feared that the security tools could be used by the company for surveillance, and they questioned whether the security tools’ capabilities could violate their own privacy.

To tackle those concerns, Davies traveled through Europe, meeting with works councils to lay out the risks facing the company and the importance of the tools being introduced. She started in Germany, where Davies, a native English-speaking American, used her fluency in German to build rapport.

The goal, Davies explains, was to get the workers to understand how the new tools protected them and the company, and why they were so critical. She succeeded, creating a Cyber Security Master Agreement with the German Workers Council that became a model for similar agreements across HPE’s 20-plus overseas Works Councils.

“That first-ever cybersecurity agreement let us have a trusted agreement on both sides, to say that we’re working in partnership to protect the company,” Davies says.

Davies, now senior vice president and CISO of The Estée Lauder Companies Inc., a multinational maker and marketer of numerous beauty product brands, says her experience in 2016 with those works councils coincided with a new responsibility within the security function: convincing various constituents that they can trust the organization and its leaders to do right by them when it comes to data security and privacy.

“Trust is a bit evolutionary right now, but it’s the expectation that transactions with us are secure, stable and authentic,” Davies says.

CISOs, like CIOs, their IT counterparts, have seen their roles evolve, moving from a managerial one focused on tactical deployments to an executive position engaged in strategy. Now the CISO position is evolving even further, into one that engages the full range of organizational stakeholders – from customers and business partners to employees and board members – to build confidence that the organization has their best interests in mind when it comes to cybersecurity.

This, though, isn’t simply an esoteric discussion or philosophical exercise: CEOs believe that building and maintaining trust with their stakeholders is critical for success in the digital era. PwC found in its 21st Global CEO Survey that 87% of global CEOs say they are investing in cybersecurity to build trust with customers.

Trust, it seems, is becoming a differentiator in the marketplace.

“There will be material competitive advantage to organizations that are using data in an ethical way and protecting it and managing it in the way it should be,” says Shawn Connors, a principal in PwC’s cybersecurity and privacy practice.

The value of trust

PwC warns executives not to underestimate the need for trust in today’s digital world, nor to underestimate its value.

“If the lifeblood of the digital economy is data, its heart is digital trust—the level of confidence in people, processes, and technology to build a secure digital world,” PwC writes in its fall 2018 report, The journey to digital trust.

CISOs, of course, have been immersed in securing and protecting their organization’s systems and the data that they contain for as long as the role has existed. And enterprise executives and board members have long expected CISOs to deliver on those elements; even customers and business partners have come to expect CISOs to perform those tasks to an acceptable level.

Now, though, CISOs are facing a growing societal expectation as well, says Benjamin Wright, a Dallas-based attorney who focuses on technology law and is a senior instructor at the SANS Institute.

“Society is passing laws and implementing rules that say, ‘Here are the complex requirements we expect you to meet, and you will be punished if you don’t meet those requirements and secure this stuff,’” he says.

As a result, Wright says, the CISO role is becoming like that of the chief financial officer, and the security function as a whole has a position in the enterprise similar to that of the legal department, in that security – like finance and legal – has obligations that transcend its day-to-day responsibilities.

“I’m not saying that the security team needs to be licensed like lawyers or CPAs. However, historically the enterprise relies on [those legal and financial] professionals to give them professional advice and that advice carries a lot of weight. And I believe there are many large enterprises migrating toward this professional status for the cybersecurity team because of the demands that society is placing on enterprises to address cybersecurity,” Wright says. “Society is saying, ‘Big enterprise, you have a responsibility to protect personally identifiable information and resources and that kind of thing, and if you don’t meet those responsibilities there are punishments to be paid to society.’”

Society, however, is not necessarily exhibiting a blind trust of enterprise security, Wright notes. He points to a scattering of regulations that require organizations to attest that they’re addressing cybersecurity needs, such as the 2017 New York Department of Financial Services’ cybersecurity requirements for financial services companies. There’s also the Federal Trade Commission’s 2019 decision requiring Facebook CEO Mark Zuckerberg to personally certify that his company is working to protect consumer privacy, a requirement stemming from the FTC’s settlement with Facebook for its misuse of customer data in the Cambridge Analytica scandal.

Researchers, consultants and CISOs say they don’t expect all organizations will need to sign such declarations, but they do expect more such rules in the future. And they also agree that enterprise leaders will have to prove to their stakeholders that they are working hard to protect IT systems and the data they contain.

“Trust will be earned over time,” Connors adds, “by collecting only what you need, terminating it upon request, protecting it and using it ethically.”

Cultivating trust

Cultivating digital trust may be a struggle for many.

The 2018 Digital Transformation Index, a survey of 4,600 business leaders from 40-plus countries from Dell Technologies in collaboration with Intel and Vanson Bourne, found that 49% “worry their organization won't prove trustworthy in 5 years.”

The survey also found that 91% of businesses “are facing persistent barriers to digital transformation,” with data privacy and security concerns the top barrier listed, ahead of resource constraints and skills constraints (numbers 2 and 3, respectively), with regulation and legislative changes and immature digital culture rounding out the top five challenges.

CISOs, however, should recognize that they have opportunities to generate trust, according to Connors, Wright and others.

They say CISOs can start within their own organizations by building relationships with their C-suite colleagues, bringing the security function into strategic discussions and engaging the board in the business terms they expect – advice that CISOs have been hearing for the past few years.

From there, Wright says CISOs can consider how they articulate their security and privacy efforts in written policies, internal messages and even public statements, noting that CISOs must now cultivate trust with not just other executives and the board but also with rank-and-file employees, business partners, consumers, regulators and society as a whole.

Connors agrees, saying: “The topic of digital trust is going to be a stronger and stronger sentiment. People want to do business with those who handle their data well, and those who don’t do that well will have some level of consequence.”

Moreover, consumers are increasingly asking questions about what organizations are doing with their data, how they’re protecting it, where they’re using it and why they’re sharing it. CISOs would do well to add information to organizational statements and policies that responds to such inquiries.

“Don’t just tell people you have policies. They want to know where their data is going. Prove to them you have the appropriate levels of controls,” Connors says, explaining that CISOs can further cultivate trust by showing that they’re not only taking steps to safeguard data within their own organizations but also working to ensure that their business partners and their partners’ partners are just as conscientious.

CISOs, though, shouldn’t feel alone in that task.

“The CISO’s role is to provide a level of confidentiality, integrity and availability,” Connors says, referencing the longstanding cybersecurity model known as the CIA triad, “but it’s not just the CISO’s responsibility. It’s about how the whole organization can establish trust.”

PwC in its digital trust report declares it a worthwhile endeavor: “Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.”

Trust as the ‘North Star’

Many CISOs face challenges as they seek to build trust, says Brian Haugli, a partner and co-founder of the advisory firm SideChannel Security and a former CISO.

Often CISOs encounter business colleagues who still see security as an impediment to speed and business growth, Haugli says. And CISOs sometimes find that they’re not part of early-stage strategic discussions and instead are looped into initiatives in the latter stages – when security is harder to integrate.

Meanwhile, Haugli says some CISOs may not be prepared to take on the task of building trust. These CISOs may not yet see themselves as business enablers, key advisors and strategic partners but rather are stuck in a version of the CISO role that’s primarily about technical oversight and a block-and-tackle security program.

Indeed, at least one survey suggests that many organizations aren’t fully embracing this notion.

The Cloudfathers: An Analysis of Cybersecurity in the Fortune 500, a study released in September 2019 from Bitglass, a cloud access security broker (CASB) vendor, looked at security-related public-facing information at Fortune 500 companies. The analysis found that 77% don’t indicate who’s responsible for their security strategy while 52% don’t have any language on their websites about how they protect consumer and partner data beyond legally required privacy notices.

On the other hand, some CISOs are already making trust the central theme of the entire security function.

Take Omar Khawaja, the CISO of Highmark Health, a national health and wellness organization. He identified trust as the epitome of what he and his security team do, and actually declared as much when in early 2019 they rewrote the security program’s mission statement to better align with the company’s strategic vision.

The old mission statement spoke about security’s three business objectives – compliance, privacy and efficiency – with those three objectives achieved by following the CIA triad.

The new vision statement reads, “Our vision is a world where people unequivocally trust their information is safe.”

“Trust really should be the North Star,” Khawaja says, explaining that he came to understand that the security team’s activities are all in support of enabling that trust.

Khawaja says he developed this recognition after he started attending more meetings with the company’s customers several years ago. Those customers were seeing a growing number of healthcare institutions hit with cyberattacks and suffering data breaches and wanted assurances that their data would be safe with Highmark Health.

“So I was walking clients through the risks of cyber, what we’re doing about them, and how they should feel as a result of what we’re doing,” Khawaja says. “I kept feeling that success in those discussions was if they felt like their information was in safe hands, and they felt that Highmark was doing a good job with their data.”

Copyright © 2019 IDG Communications, Inc.