by Michael Dortch

Verifiable Trust: The Ultimate Business Value of IT

May 09, 2005 | 9 mins
CSO and CISO | Data and Information Security

Robert Frances Group believes IT has, to date, justifiably focused on issues such as ROI and risk mitigation, but that these issues are subsidiary to the ultimate business value of IT to the enterprise. That value is enablement of verifiable trust, of IT and of the business at large. IT executives should expand their focus to embrace not only the threats that constitute risks, but the opportunities represented by the goal of verifiable trust.

Business Imperatives:

  • Every business transaction involves varying degrees of trust, which in turn must be verifiable on demand. Since IT resources support almost all business transactions, IT is ideally positioned to help enterprises mitigate risk and enable verifiable trust. Risk mitigation is a key concern of all executives, both within and beyond IT. However, a focus on risks and threats may be inadequate to enable IT to deliver maximum benefits to the business. IT executives should seek to expand, then flip the risk mitigation script by including a focus on enablement of verifiable trust, in the enterprise’s IT resources and in the enterprise at large as a business partner. This approach can help IT to identify and achieve additional business benefits and further improve IT-business alignment and enterprise elasticity.
  • ROI and what RFG calls “return on value” (ROV) are frequently sought, often elusive metrics for assessing the value of IT to the business. A focus on enablement of verifiable trust can lead to more opportunities for IT to deliver ROI and ROV, which can help IT to improve its perceived business value and alignment with the business. IT executives should look for specific opportunities and initiatives that can showcase additional ROI and/or ROV via enablement of verifiable trust, in IT resources, business transactions, or both.
  • Issues such as risk mitigation are sometimes addressed tactically, an approach that risks deviation from larger architectural imperatives. IT executives should view enablement of verifiable trust as architectural in scope, and ensure that every IT initiative acknowledges and incorporates elements intended to further this important IT and business goal.

RFG believes the primary goal of most enterprise IT and business initiatives is increased enterprise elasticity. Enterprise elasticity is the ability to contract, flex, and grow as appropriate in response to changing business or technological conditions without disrupting operations. (See the RFG Educational Asset Enterprise Elasticity.) In addition, RFG believes enterprise elasticity is a primary prerequisite for something both highly desirable and potentially very valuable to any enterprise: enablement of verifiable trust.

It can be argued, often very effectively, that every business and IT initiative is driven by desires for specific functionality, profit, or both. However, it can also be argued that there are other elements worthy of consideration and potentially able to enhance pursuit of these common and important goals. RFG believes trust and enablement of its verification represent two such elements, as well as significant opportunities for IT.

Every single human and business-related initiative, interaction, and transaction has a common element: a minimum basic requirement of trust. When a customer places an order with an enterprise, the customer trusts the enterprise to be what it says it is, and to deliver the requested item at the stated price. The enterprise, in turn, must be able to trust that the customer is who he or she professes to be, that the order is real, and that the payment method selected involves no fraud. Both the customer and the enterprise, in turn, must trust every contributor to the value chain that results in the very existence of the desired item, to some extent.

IT depends upon trust to be successful as well. The entire enterprise must be able to trust the IT resources upon which it depends to conduct business. At enterprises where IT is viewed negatively, the cause is often, at its heart, an actual or perceived violation of that trust.

IT executives, in turn, must be able to trust the quality of information obtained from management solutions, and of the analysis of that data provided by both tools and colleagues. Furthermore, the ability of IT to support business users and initiatives successfully is directly affected by the trustworthiness of information about business and user needs and related information.

Clearly, trust is essential for the smooth, successful operation of an IT department or an enterprise. However, trust without verification is not trust, but faith, and faith, while valuable, is insufficient justification for business or IT initiatives. Thus, IT must enable the tenet expressed by Ronald Reagan, when, as president of the United States, he translated an old Russian proverb: “Trust, but verify.”

Verifiable Trust and Risk Mitigation

In many ways, from an IT perspective, verifiable trust is a complement to risk mitigation and management. The more effective the efforts of IT teams to mitigate technological and business risks, the more opportunities there are for enabling verifiable trust. IT executives should realize that this can create opportunities for IT to present its efforts more as enablers of positive actions and perceptions and less as suspicion-driven gate-keepers. Also, while every enterprise wants to mitigate risk, not all perceive enablement of verifiable trust as the competitive advantage it can be.

IT executives should seek out and exploit opportunities to use enablement of verifiable trust to frame, “market,” and “sell” IT initiatives across their enterprises. While the distinctions between verifiable trust and risk mitigation are intangible and difficult to quantify, the potential benefits to the perception of IT are too great to ignore. In many cases, it may take only some careful rewording of extant descriptions to make verifiable trust enablement a part of key IT initiatives.

Paths Toward Enabling Verifiable Trust

Several specific IT initiatives represent opportunities for IT to position itself as an enabler of verifiable trust. Access and identity management solutions that include robust auditing features, for example, help verify the trust placed in those given access to enterprise IT resources.

Some simple steps can mitigate risk and foster greater trust among users of an enterprise’s IT resources, at little to no additional cost. Examples include immediately replacing all default user IDs and passwords, and forbidding IDs or passwords based on local sports teams or users’ birthdays. Such steps can help IT demonstrate to auditors, customers, internal users, and senior management that the enterprise cares about its information and user privacy, and is doing all it can to protect both. IT executives should look for similar opportunities to begin demonstrating and delivering the business value of verifiable trust while seeking to protect their enterprises and IT resources from unauthorized access.

Tools for management of enterprise intellectual property (IP) also enable higher levels of trust by reassuring authors, editors, and other users of said property about its bona fides and how it has been manipulated. Especially given intensified focus on regulatory compliance and governance, management of enterprise IP across its entire life cycle represents a prime and fertile opportunity for casting IT initiatives and solutions as enablers of verifiable trust. Specific regulations, such as the Sarbanes-Oxley Act of 2002 (SOX) and regulation-driven auditing requirements, all but explicitly require IT to enable verifiable trust.

Moreover, the results of many such efforts can be easily measured in terms of fines and penalties paid or avoided. IT executives should make verifiable trust a significant element of every initiative related to enterprise content, document, information, IP, and records management and security.

Outsourcing management is yet another area in which IT can showcase its efforts and intentions to enable verifiable trust. Outsourcing raises and intensifies multiple issues and questions, ranging from quality and service level management to adherence to local regulations and relevant cultural customs. IT executives should strive to ensure that every candidate outsourcing initiative reflects careful consideration of issues related to verifiable trust. These and related issues can be more challenging and less obvious across multiple remote physical and/or cultural borders.

Enablement of Verifiable Trust: Critical Success Factors

The above are only some examples of areas within which IT executives and their teams can pursue enablement of verifiable trust at their enterprises. Paths and priorities chosen will likely vary widely depending on specific enterprise requirements and characteristics. However, there are two elements on which every effort to enable verifiable trust depends: comprehensive IT infrastructure management and effective policies, practices, and procedures.

Comprehensive, integrated, and timely knowledge about the IT infrastructure, the key applications and services it supports, and the interdependencies affecting them are absolutely critical in general. They are essential to success with initiatives ranging from disaster recovery and business continuity (DR/BC) to implementation of services-oriented architectures (SOAs) and so-called “business services management” (BSM). IT executives must ensure that their environments are architected to deliver such infrastructure knowledge on demand, and to continue to do so even after changes to the IT infrastructure or business goals.

IT executives must also architect their management practices such that they are constantly focused on enablement of verifiable trust, as well as upon risk mitigation and delivery of other business benefits. To be optimally successful, IT executives must ensure that this architectural focus be pervasive, touching policies and procedures ranging from management of support desk trouble tickets to that of best practices themselves. This means that all key policies, practices, and procedures must be reviewed regularly, with all subject to change or retirement in response to changing conditions among the elements managed by such practices.

As first said by abolitionist Wendell Phillips and widely attributed to Thomas Jefferson, “eternal vigilance is the price of liberty.” Similarly, IT executives should recognize that enablement of verifiable trust is not free. For example, IT may need to do “walkthroughs” of software code produced by outsourcers, to ensure those developers did not deviate from corporate requirements and include security vulnerabilities such as trap doors in their work. Such steps may represent efforts not perceived as necessary with code produced by local, internal employees. However, when viewed architecturally and holistically, such investments may be easier to justify when enablement of verifiable trust is added to their actual and perceived business value.

RFG believes IT executives and their teams, as well as their enterprises, could benefit significantly by expanding the focus of IT initiatives to include enablement of verifiable trust. The criticality of trust to the success of almost every IT and business initiative means that enablement of verifiable trust should be a business benefit obvious to almost any observer or participant, once presented effectively. IT executives should work closely with their IT colleagues, non-IT counterparts and constituents, and trusted vendors, to begin recasting IT architectures at their enterprises to embrace this admittedly high-minded but nonetheless essential and achievable goal.

RFG analyst Michael Dortch wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Dortch.