• United States



Is Trust Enough?

Jul 17, 20073 mins
CareersIdentity Management SolutionsIT Leadership

I recently read a interesting article by John C. Reece entitled: “Forget about Security and Privacy: Focus on Trust.” John’s experience as the CIO with the IRS and Time Warner are evident, and I agree with many of his points. Still, I wonder: is trust enough? 

First, let’s give credit where credit is due. John’s article is right on when he says that security (and to a lesser extent privacy) are “bad words with bad histories, evoking bad connotations with most enterprise stakeholders.”  John’s article accurately lists many challenges that CSOs face, and he notes that security spending “is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.”

I also agree that security is often viewed as a tax or “necessary evil” by many who think that it can’t by definition add value (unless you work for a security company). I even wrote my own rendition on this topic for CSOs and CISOs back in January 2006 entitled:  “Are You a Party Pooper: How to Upgrade Your Image with Business Clients.

Who can argue with building trust? Certainly we must earn trust daily with our customers, colleagues, staff, not to mention our spouse and kids.  I also agree with his statement, “A trust-based business model is also a natural extension of enterprises’ commitment to compliance with Sarbanes-Oxley (SOX) regulations and the transparency that results.

But … I think trust is a result. Trust is an outcome. In the same way that we put money in the bank and earn interest in return, we earn trust, when we invest in relationships and various aspects of our security and privacy programs.

As CSOs, we gain trust (and our reputation) by delivering on our promises (at a personal level) and delivering on projects within metrics (on time, on budget, etc.), stopping attacks, and generally providing the safe physical and cyber environment where the business areas rely on our dependability and where their activities can be conducted (to provide services make money, etc.)

John is right that when bad things happen, like a denial of service attack, the business wants to get “back to normal” as soon as possible. The business perceives security operations as insurance for bad situations in that case. The challenging part of this for security professionals is that some leaders may build “trust” with colleagues because they are “just lucky” that no incidents have happened under their watch. When the “planes hit the towers,” they may not be adequately prepared. In this sense, the trust-level may be misplaced by colleagues.  

Another concern I have with this “renaming of security” is that it doesn’t tell you how to get to the outcome. For example, if we say we need “trust in Iraq between all parties” that is true. But that doesn’t get you the peace that’s required to build the trust. We need the security situation to improve before we will get the trust.  I believe the same can be said for cyber and physical security and even for privacy in our enterprises.            

I think John’s article is helpful in that it points to what should be a goal – we need trust with stakeholders. However, I don’t think we can “forget about security and privacy” to get there. What are your thoughts?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.

More from this author