Trust isn’t new, so why are we acting like it is?

If you’ve been paying attention over the past few months, you’ve likely noticed an uptick in the use of the word “trust” among the infosec community. Long a bedrock of other more consumer-facing industries, such as public relations and marketing, trust is fast becoming one of the hot new buzzwords sprinkled throughout pitches and presentations across our industry.

Back in March, trust made a splash at the annual RSA conference, when it was referenced numerous times by different speakers. People took notice, and it opened the flood gates for everyone else to start pontificating on the subject.

It’s interesting, however, that most discussions of trust are only forward-looking. They’re focused on elaborate ways to solve big, important future challenges, but very few touch on the actual way trust is a part of our industry today.

Focusing strictly on the idea of trust in a future context overlooks the proverbial elephant in the room. Namely, that trust isn’t new, and it isn’t limited to the future. The cybersecurity industry has just as much of a responsibility to internalize and emphasize trust today as we do tomorrow.

In cyber, nothing is ever black and white. It’s complex and messy and gray. It is as much art as it is science, because while there are technical steps and specific tools, at the end of the day, it is still an exercise in risk management. There is inherently an element of subjectivity – and trust – built into each variable that determines an organization’s cyber footprint. So, as this trendy embrace continues, let’s pause for a minute to really understand what trust is and why it deserves a bigger seat at the table – today.  

Trust is what drives everything about a business. It’s not a “nice to have.” It’s a “must have.” It doesn’t matter what business you’re in, people have to trust you enough to buy what you’re selling – product, service or expertise. People won’t do business with you unless they trust you. It’s really that simple.

When something is the foundation of your whole organization, it’s rightly considered a high-value asset. Other parts of the organization already understand that trust should be classified as such, but when your security team starts to accept it, they’re more inclined to craft incident response plans, implement security features, and develop new technologies, services and products that value and protect trust at each step.

To really understand the connection, it helps to understand where trust comes from

Trust is an intangible asset that is created through a blend of actions, words, and the resulting reputation. It’s slow to earn, quick to destroy, and everything in between is fuzzy. Trust takes time to develop. You have to actively cultivate it through every stakeholder interaction and manage it through every move your company makes – good, bad or otherwise.

That’s another reason that it’s so valuable. The care and maintenance of your reputation requires significant investments of resources – both time and money. When you see how much goes into building trust, you begin to see why protecting it is a top business priority.  

Protecting reputation, and preserving trust with your stakeholders, means making decisions and communicating those decisions in a way that takes into account the audience on the receiving end. Asking yourself what matters to them and communicating in a timely, clear and transparent way. When something goes wrong, you protect your organization’s reputation by quickly and credibly communicating the problem and taking steps to resolve it and prevent similar occurrences.

So, what role does the cybersecurity industry play in all that?

Protecting reputation and helping organizations maintain trust seems a far cry from the zero-trust environment we operate in now, but in reality, when trust is appropriately treated as a high-value business asset, it demands a place in our world.

The good news is that we’ve already taken the first steps. While trust may be a new obsession, reputation has been around awhile. It has become a standard part of any good risk assessment framework, and a key asset to be highlighted in any good incident response plan. The bad news is, we tend to stop short of actually addressing it appropriately.

When conducting a risk assessment, we rarely take a comprehensive view of reputational impact when quantifying risk. We check a box for the obvious answers, but we rarely review data types for the impact their compromise will have on organizational reputation. In developing IR plans, we prioritize compliance over reputation management, and end up with a library of notification templates that read like a legal thesis, instead of a communications plan that can effectively mitigate the risk by talking to real people.

In order to overcome these inherent disadvantages, we need to shift the way we think about trust and reputation. Rather than an intangible idea that primarily falls to someone else in the organization, we should think about them under the umbrella of resilience – a much more familiar territory.

We already value resilience as a means of ensuring valuable network assets can rebound after an event, but reputational resilience matters just as much. An organization’s reputation has to withstand an event in order for people to still trust you enough to keep doing business

with you after the dust clears. Your reputational resilience will play a role in determining the long-term impact of an incident and drive the price tag for recovery.

In the aftermath of an incident, the content and method of your communications will be closely scrutinized. Even the organizations who were trying to do it right typically just execute a communications plan that was never intended for use in a cyber context.

After an event, you should be executing a response plan that includes a communications strategy extending beyond regulatory compliance. Identifying the stakeholders whose opinion determines your reputation, and whose trust drives your business, goes well beyond legal notification requirements. Communicating with these groups clearly, honestly, and without misleading speculation has to be part of any response.

Whether we like it or not, the cybersecurity industry is firmly positioned at the nexus of technology and human interaction. Trust is fundamental to everything we do and must be treated as a critical asset to be protected. The sooner we accept that reputational resilience is a driving factor in organizational resilience, the sooner we can start to improve the way we operate.

To take meaningful steps, we should review our risk assessments and incident response plans to ensure we’ve accounted for trust at each step, and most importantly, instead of throwing around buzzwords about an uncertain future, we should embrace that trust matters now and that we have a responsibility to preserve it today.