If you’ve been paying attention over the past few months, you’ve likely noticed an uptick in the use of the word “trust” among the infosec community. Long a bedrock of other more consumer-facing industries, such as public relations and marketing, trust is fast becoming one of the hot new buzzwords sprinkled throughout pitches and presentations across our industry.

Back in March, trust made a splash at the annual RSA conference, when it was referenced numerous times by different speakers. People took notice, and it opened the flood gates for everyone else to start pontificating on the subject.

It’s interesting, however, that most discussions of trust are only forward-looking. They’re focused on elaborate ways to solve big, important future challenges, but very few touch on the actual way trust is a part of our industry today.

Focusing strictly on the idea of trust in a future context overlooks the proverbial elephant in the room. Namely, that trust isn’t new, and it isn’t limited to the future. The cybersecurity industry has just as much of a responsibility to internalize and emphasize trust today as we do tomorrow.

In cyber, nothing is ever black and white. It’s complex and messy and gray. It is as much art as it is science, because while there are technical steps and specific tools, at the end of the day, it is still an exercise in risk management. There is inherently an element of subjectivity – and trust – built into each variable that determines an organization’s cyber footprint.

So, as this trendy embrace continues, let’s pause for a minute to really understand what trust is and why it deserves a bigger seat at the table – today.

Trust is what drives everything about a business.
It’s not a “nice to have.” It’s a “must have.” It doesn’t matter what business you’re in, people have to trust you enough to buy what you’re selling – product, service or expertise. People won’t do business with you unless they trust you. It’s really that simple.

When something is the foundation of your whole organization, it’s rightly considered a high-value asset. Other parts of the organization already understand that trust should be classified as such, but when your security team starts to accept it, they’re more inclined to craft incident response plans, implement security features, and develop new technologies, services and products that value and protect trust at each step.

To really understand the connection, it helps to understand where trust comes from

Trust is an intangible asset that is created through a blend of actions, words, and the resulting reputation. It’s slow to earn, quick to destroy, and everything in between is fuzzy. Trust takes time to develop. You have to actively cultivate it through every stakeholder interaction and manage it through every move your company makes – good, bad or otherwise.

That’s another reason that it’s so valuable. The care and maintenance of your reputation requires significant investments of resources – both time and money. When you see how much goes into building trust, you begin to see why protecting it is a top business priority.

Protecting reputation, and preserving trust with your stakeholders, means making decisions and communicating those decisions in a way that takes into account the audience on the receiving end. Asking yourself what matters to them and communicating in a timely, clear and transparent way.
When something goes wrong, you protect your organization’s reputation by quickly and credibly communicating the problem and taking steps to resolve it and prevent similar occurrences.

So, what role does the cybersecurity industry play in all that?

Protecting reputation and helping organizations maintain trust seems a far cry from the zero-trust environment we operate in now, but in reality, when trust is appropriately treated as a high-value business asset, it demands a place in our world.

The good news is that we’ve already taken the first steps. While trust may be a new obsession, reputation has been around awhile. It has become a standard part of any good risk assessment framework, and a key asset to be highlighted in any good incident response plan. The bad news is, we tend to stop short of actually addressing it appropriately.

When conducting a risk assessment, we rarely take a comprehensive view of reputational impact when quantifying risk. We check a box for the obvious answers, but we rarely review data types for the impact their compromise will have on organizational reputation. In developing IR plans, we prioritize compliance over reputation management, and end up with a library of notification templates that read like a legal thesis, instead of a communications plan that can effectively mitigate the risk by talking to real people.

In order to overcome these inherent disadvantages, we need to shift the way we think about trust and reputation. Rather than an intangible idea that primarily falls to someone else in the organization, we should think about them under the umbrella of resilience – a much more familiar territory.

We already value resilience as a means of ensuring valuable network assets can rebound after an event, but reputational resilience matters just as much. An organization’s reputation has to withstand an event in order for people to still trust you enough to keep doing business with you after the dust clears.
Your reputational resilience will play a role in determining the long-term impact of an incident and drive the price tag for recovery.

In the aftermath of an incident, the content and method of your communications will be closely scrutinized. Even the organizations who were trying to do it right typically just execute a communications plan that was never intended for use in a cyber context.

After an event, you should be executing a response plan that includes a communications strategy extending beyond regulatory compliance. Identifying the stakeholders whose opinion determines your reputation, and whose trust drives your business, goes well beyond legal notification requirements. Communicating with these groups clearly, honestly, and without misleading speculation has to be part of any response.

Whether we like it or not, the cybersecurity industry is firmly positioned at the nexus of technology and human interaction. Trust is fundamental to everything we do and must be treated as a critical asset to be protected. The sooner we accept that reputational resilience is a driving factor in organizational resilience, the sooner we can start to improve the way we operate.

To take meaningful steps, we should review our risk assessments and incident response plans to ensure we’ve accounted for trust at each step, and most importantly, instead of throwing around buzzwords about an uncertain future, we should embrace that trust matters now and that we have a responsibility to preserve it today.