Is Trust Enough?

I recently read a interesting article by John C. Reece entitled: “Forget about Security and Privacy: Focus on Trust.” John’s experience as the CIO with the IRS and Time Warner are evident, and I agree with many of his points. Still, I wonder: is trust enough? 

First, let’s give credit where credit is due. John’s article is right on when he says that security (and to a lesser extent privacy) are “bad words with bad histories, evoking bad connotations with most enterprise stakeholders.”  John’s article accurately lists many challenges that CSOs face, and he notes that security spending “is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.”

I also agree that security is often viewed as a tax or “necessary evil” by many who think that it can’t by definition add value (unless you work for a security company). I even wrote my own rendition on this topic for CSOs and CISOs back in January 2006 entitled:  “Are You a Party Pooper: How to Upgrade Your Image with Business Clients.”

Who can argue with building trust? Certainly we must earn trust daily with our customers, colleagues, staff, not to mention our spouse and kids.  I also agree with his statement, “A trust-based business model is also a natural extension of enterprises’ commitment to compliance with Sarbanes-Oxley (SOX) regulations and the transparency that results.

But … I think trust is a result. Trust is an outcome. In the same way that we put money in the bank and earn interest in return, we earn trust, when we invest in relationships and various aspects of our security and privacy programs.

As CSOs, we gain trust (and our reputation) by delivering on our promises (at a personal level) and delivering on projects within metrics (on time, on budget, etc.), stopping attacks, and generally providing the safe physical and cyber environment where the business areas rely on our dependability and where their activities can be conducted (to provide services make money, etc.)

John is right that when bad things happen, like a denial of service attack, the business wants to get “back to normal” as soon as possible. The business perceives security operations as insurance for bad situations in that case. The challenging part of this for security professionals is that some leaders may build “trust” with colleagues because they are “just lucky” that no incidents have happened under their watch. When the “planes hit the towers,” they may not be adequately prepared. In this sense, the trust-level may be misplaced by colleagues.  

Another concern I have with this “renaming of security” is that it doesn’t tell you how to get to the outcome. For example, if we say we need “trust in Iraq between all parties” that is true. But that doesn’t get you the peace that’s required to build the trust. We need the security situation to improve before we will get the trust.  I believe the same can be said for cyber and physical security and even for privacy in our enterprises.            

I think John’s article is helpful in that it points to what should be a goal – we need trust with stakeholders. However, I don’t think we can “forget about security and privacy” to get there. What are your thoughts?