What is digital trust? How CSOs can help drive business

Digital trust is the measure of consumer, partner and employee confidence in an organization’s ability to protect and secure data and the privacy of individuals. As data breaches become bigger and more common, digital trust can be a valuable commodity for companies that earn it, and it is starting to change the way management looks at security.

Security has traditionally been seen as a cost center. In recent years however, businesses are waking up to the idea that good security is a business enabler that can foster new services and build customer loyalty. A new report from CA Technologies, conducted by Frost & Sullivan, confirms this trend. The Global State of Online Digital Trust Survey and Index 2018 shows that taking security and privacy seriously can have a positive financial impact beyond avoiding costly breaches.

Consumers with high digital trust spend more online

“Trust is one of the things that permeates across the whole business,” says Stephen Walsh, director of security for Northern Europe, CA. “It is the bedrock of business and without it organizations are going to struggle to keep their existing customers, gain new customers or enter new markets.”

What is the role of the CSO in building trust, and how do you go about establishing trust with your organization? The CA report provides data to help answer that question. It surveyed consumers, security professionals, and business executives to establish a digital trust index for each group.

On a scale of 1 to 100, consumers scored their confidence level at 61, a “barely passing grade” according to the report. Security professionals and business executives had significantly higher indexes of 75 and 74, respectively. More important, the survey showed that consumers with a high level of digital trust spend more, with 57 percent increasing online spending over the last 12 months versus 43 percent for consumers with low trust.

More consumers prefer security over convenience  

According to the CA report, 27 percent of business executives view security initiatives as having a negative return on investment (ROI). Most customers in the report (86 percent), however, said they would prefer security over convenience, and the more trust placed with a company, the more money they would be willing to spend with that organization.

Seventy-eight percent of those surveyed in the report responded that it is very important or crucial that their personally identifiable information (PII) be protected online. When choosing an online service, 86 percent indicated that a high level of data protection is a priority. The results clearly point to a growing awareness that digital data is important, and an organization’s perceived ability to protect it in a responsible manner has a direct effect on sales and customer retention and acquisition.

“Quite a lot of people in the past have viewed security as kind of an incumbent, something that you have to get over,” says Walsh. “The more boards think of security as an enabler and a way of actually acquiring new customers and new business, the better off we will be.”

The digital trust gap: Business leadership “out of touch” with customers

Even if companies understand the value of trust, many simply overestimate their own standing in their customers eyes and how they compare to the competition. The report outlined an average of a 14-point gap between the level of trust customers have in whether organizations handle personal data appropriately compared to how much organizations think they are trusted. The report claims this illustrates how “dangerously out of touch” organizations are with their customers.

Just a third of customers said their trust in organizations had increased over the last two years, compared to the 84 percent of business leaders who believe that trust has increased. Ninety percent of those business leaders claim they are very good or excellent at protecting customer data, and 93 percent say that it is a differentiator over the competition.

Considering the number of organizations that admitted a data breach in the study, this clearly does not add up. “Thinking you’re great and having that false sense of security I think is extremely dangerous for an organization to say,” says Walsh. “It’s a dangerous trap to fall into; security is not just a tick box exercise and the evolving threat landscape shows us that just because you’re secure this year doesn’t mean something else going to happen next year.”

The cost of losing trust

Likewise, the cost of losing trust can be large. Half of organizations surveyed in the report admitted having been involved in a publicly disclosed data breach, and nearly all found that the breach had a long-term negative impact to their revenues and to consumer trust. On the customer side, half said they stopped using a company’s services if it was involved in a breach and instead moved to a competitor.

“If customers see organizations who don’t have that security, they’re going to vote with their wallets and go somewhere else where they do have that sense of security and building up that digital trust,” says Walsh. “Thinking about it twice probably means you’ve lost the customer because they’ll go somewhere else. If you have the perception from customers that you are doing your best to keep their data, assets, money, whatever it is, secure, that’s how you build trust. The other side of that is that sometimes it can only take one breach or security issue to lose that trust you built up over a number of years with your customer base.”

The role of the CSO in building trust

While on the surface, trust might seem like a security problem and therefore fall entirely under the purview of the CSO, the reality is more nuanced. Building trust isn’t just about making the right security decisions; it’s about communicating those decisions with customers so they can see and understand how you’re protecting their data.

“Everybody on the board — whether they’re in marketing or in finance — should be interested and responsible for jointly securing and building that trust between you as a company and your customer base,” says Walsh. Rather than being an afterthought, he says, security and trust will be much more at the forefront of customer acquisition and of customer retention. He is already starting to see security programs being run and funded outside of the CSO function.

“Some of this is about perception and attracting customers, and in some organizations, marketing or customer acquisition have been involved in increasing security posture, and also the messaging of that, and enabling customers to use that new security methodology,” says Walsh. “Is it down to the CSO to implement? They are the right one to implement, but in terms of a broader holistic view, it should be CEO all the way down.”

While the CEO needs to lead, the CSO needs to be directly involved in trust-building initiatives and in constant communication with other functions to ensure the company is consistent in how it operates and communicates.

How to build trust with customers

Building trust is no simple task. As well as doing the normal security tasks of implementing the right technologies and processes to ensure good security posture, organizations need to communicate. “Some of this is about messaging, but again if you’re building that trust in your messaging and then don’t do it, that trust is going to evaporate,” says Walsh.

To help build trust, he says organizations need to be upfront and transparent with their customers. They should clearly explain what they are doing with data and why, be clear what data is being collected and what it will be used for, and explain what security steps and processes are in place to ensure it remains secure.

For example, using multifactor authentication (MFA) is good security practice, but communicating why a customer is being asked to provide extra authentication during a transaction or process helps build that trust. “It’s important that a company demonstrates to their customers why they’re putting extra layers of security; say ‘we’re doing this because’ as opposed to ‘we’re doing this’.”

The European Union’s General Data Protection Regulation (GDPR) came into force in May of 2018. Many studies show that companies both inside and outside the EU are yet to achieve full compliance. However, if taken seriously, GDPR is an opportunity to build trust with customers and make security and privacy a major issue at the top table of the business.  

“GDPR is a definite opportunity for organizations; companies who take security seriously will be the companies who build consumer or B2B trust and actually go forward,” says Walsh. “Whereas people will go after the lowest hanging fruit, and if they know all you’re doing is treating GDPR as a tick box [exercise], maybe you’re more vulnerable than other people who are taking this seriously.”

10 best practices to build digital trust

In late October, professional services firm PwC released its Digital Trust Insights report, based on a survey of 3,000 business leaders worldwide. From that data, PwC compiled the following list of ten opportunities for organizations to manage risk, comply with privacy regulations, and build trust in a digital business environment.

1. Engage security experts at the beginning of digital transformation projects

While more than 90 percent of survey respondents with digital transformation projects include security or privacy stakeholders, only 53 percent involved them from the start. The report recommends a security and privacy by design approach to digital transformation, citing that the “sprawling connectivity among personal devices, governments, businesses, and industrial equipment is fueling exponential growth in cyber and privacy risks.”

2. Upgrade talent and leadership teams

PwC’s survey showed that most businesses are not fully confident in their security and privacy workforce. Only 38 percent said they were “very comfortable” with the sufficiency of those teams. The report recommends doing an organizational risk assessment around talent and skill gaps, and committing to putting the right people in clearly defined cybersecurity, privacy and data ethics roles.

3. Raise workforce awareness and accountability around cybersecurity and privacy

Only 34 percent of respondents said they had employee security awareness training programs. The report encourages businesses to prioritize employee awareness of security and privacy issues and how they can affect business objectives. Clear policies around data governance and access to IT assets should accompany those efforts.

4. Improve communication and engagement with boards of directors

Although most respondents say their boards are informed of cyber and privacy risk strategies, only 27 percent believed the boards had adequate reporting on metrics in both areas. PwC recommends that organizations identify the types of measures that are obtainable and can be measured now. Make sure those metrics address the needs of the stakeholders. Communicate clearly to the board any external factors that might affect security or privacy risk.

5. Tie security to business goals

The survey identified a disconnect between business objectives and information security strategy. Only 23 percent of respondents said they plan to invest in aligning the two. PwC believes organizations can align business and security by embedding cybersecurity into new products or services, conducting risk and regulatory compliance assessments, conducting cybersecurity framework assessments, and refreshing cybersecurity strategies and plans.

6. Build lasting trust around data

Of all companies worth $100 million or more, only about half make significant investments in data governance according to the survey. Only 40 percent of respondents are “very comfortable” they have identified their most valuable and sensitive data assets. The report recommends implementing data governance programs that take both the value and sensitivity of the data into account. It also suggests managing risk through the entire data lifecycle.

7. Boost cyber resilience

Less than half of medium- to large-sized companies said they were building resilience to cyberattacks and other disruptive events. Only about half of them are confident that resilience has been adequately tested. Becoming cyber resilient requires an understanding of the company’s risk appetite around core business processes. The report suggests taking the differing views of risk that each key stakeholder (CEO, CFO, CIO, etc.) might have. It also recommends monitoring the evolving threat landscape and the technology infrastructure in place to enable high availability, disaster recovery and data integrity.

8. Know your enemies

Each organization should know where their most likely threats are coming from. According to the survey, financial services firms are more worried about state-sponsored hackers (33 percent), which consumer-focused businesses see garden-variety cybercriminals as a key threat (50 percent). However, only 31 percent of respondents said they were confident they’ve identified which parties might attack their digital assets. PwC recommends staying abreast of threat intelligence reports and to study your risk and threat landscape in the context of that intelligence.

9. Be proactive in compliance

Staying informed and in compliance with all the global privacy and data protection regulations is a big challenge. Forty-one percent of respondents said it was a challenge just to be aware of the regulations that affect them. The report emphasizes the need to focus on awareness of new legislation. It also recommends companies take an integrated approach to compliance rather than a siloed one, meaning business should operate to the highest regulatory standard across all the jurisdictions it operates in.

10. Keep pace with innovation

New technology creates new risk. With the internet of things (IoT), for example, only 39 percent of respondents were confident they had adequate “digital trust” controls in place to manage security, privacy and data ethics. PwC recommends organization prioritize the development of digital trust controls. Companies should also stay abreast of security research around newer technologies like IoT and artificial intelligence.