Ep. 3: Why It’s Time to Trust in Digital Trust, Part 2
As consumer trust plummets, an ISACA survey shows how enterprises can rebuild it—even after a cyberattack.
Summary
In the second of a two-part series, we explore the realities of today’s digital trust landscape, and the ways enterprise leaders can turn a breach into an opportunity for stronger customer engagement.
As a global survey of business leaders and IT professionals reveals, a cyberattack alone will not necessarily damage digital trust. But the way executives respond to that event might. Deep-dive with us into the sticky issue of ethics (and other concerns surprisingly—or maybe not so surprisingly—related to cybersecurity) with experts from ISACA, the Information Systems Audit and Control Association.
HOST: Melissa Bischoping, director of endpoint security research, Tanium
GUESTS: David Samuelson, [former] CEO, ISACA; and Chris K. Dimitriadis, chief global strategy officer, ISACA
Production note: At the time of this recording, Samuelson served as ISACA’s CEO. He has since left the organization. Tracey Dedrick is currently ISACA’s interim CEO.
Show notes
Check out ISACA’s survey and resources on digital trust, and these articles in Focal Point, Tanium’s new online cyber news magazine.
- ISACA’s State of Digital Trust 2022 report
- ISACA Digital Trust Resources
- What the Tech Sector Can Learn From TikTok: Trust Is Everything
- Like “Privacy By Design,” Building Digital Trust Starts With Prioritizing Data Security
- How to Communicate Clearly (and Legally) During a Cybersecurity Crisis
Transcript
The following interview has been edited for clarity.
Melissa Bischoping: Hi, I’m Melissa Bischoping, and today on Let’s Converge, we’re talking digital trust. Welcome to the second of our two-part series looking at some of the surprising findings in a new global survey on trust.
Consider these numbers: Of the more than 2,700 business and IT professionals polled around the globe, more than half (54%) said they were very or completely confident in the digital trustworthiness of their organization, yet only a quarter actually measured digital trust among their customers. Another 36% don’t measure it at all, and 41% weren’t sure.
Joining me today are David Samuelson, the CEO of ISACA, the international professional association focused on IT governance, and Chris Dimitriadis, its chief global strategy officer. We’ve been discussing ISACA’s State of Digital Trust 2022 survey.
In our last episode, we talked about how digital trust is not just trust in a brand but also trust in the online transactions we have with that brand. We covered key takeaways from ISACA’s report, including consistency. You need to build trust every day with every transaction. But what really struck me is how digital trust is dependent on more domains than you might think. We usually link trust to cybersecurity—an enterprise protects its digital assets and its customer data and customers feel protected. But other parameters play into trust—things like quality, privacy, and ethics.
Now, David, let’s go back to what you said about ethics and what that can mean for your business. The report cites that a little more than half of Americans trust tech companies to do the right thing, which is down about 19% from 2019—
Samuelson: Which is astounding. I mean, that’s astounding, right there.
Bischoping: Yeah, that’s a huge change! That’s significant in any survey, to see a 20% change. So what do you think is the cause of that decline in trust? Is this something about the threat landscape? Is this related to the changes in work from home and COVID, or what?
Samuelson: Well, yes, and many more things. Like, the pace of technological change is, has been, and will continue to be very fast. Around the corner is AI, coming in to take over activities that we have to think very carefully about—the ethics and the controls in the management of it. And then quantum, around the corner, and the use of new technologies like blockchain.
All of these things are coming at us, at everybody, at high speed. So even a bodega in New York is on the internet, or in the cloud, and connected in some way to the vulnerabilities and the positive potential that technology can bring.
So I think the decline in trust is seen because there’s a lot more happening…[He pauses briefly.]
You know, I have a watch connected to the cloud, my phone’s connected, you know, there’s so much that I don’t think about, but I’ve started to think about, and I think it’s in our consciousness more. So the more you understand the vulnerabilities, and then you see that these big breaches happen and that privacy—people’s PII [personally identifiable information]—has been compromised, and things like that. So there’s a broader public awareness and at the same time a broader technology landscape, and those things are accelerating all of this. Chris, do you have more to add?
Chris Dimitriadis: Complexity as well. I think we see bigger and more complex digital ecosystems being built. And with complexity and size, the threats also emerge and become even more critical, because this value that digital technologies create and the value out of data and information is not only valuable or important to the stakeholders of the digital ecosystem but also to the adversaries.
Samuelson: And technology has superpowered the speed at which communication travels through social media. So one small thing can get around the world pretty quickly, and it’s hard to respond. And I think that’s a factor that plays pretty strongly into this trust barometer. You know, how trustworthy are we in the world now, with the way we do business?
I remember when I started banking: Did I trust that this information I was putting into a web browser, that little lock in the URL thing, was that really a strong lock? Can I trust it?
But pretty rapidly the whole banking industry changed because people were willing to give into it. And then you’d start to see some of these breaches and people maybe back off. So I think it’s all of the things that we were talking about.
Bischoping: That actually leads into my next question pretty perfectly. We’re seeing more threat actors, a lot of ransomware-as-a-service gangs, all of these things that you can’t control, as a business. All you can do is defend against and then attempt to detect and respond if and when you’re breached.
So if an organization is breached, does that immediately, you know, negate the work they’re doing in digital trust? How can they weather the breach and response period and continue to build that trust with their customers?
Samuelson: Well, transparency is a key word there: If you acknowledge and respond in an honest and ethical way and that you’re working on it and you do the right thing, that at least protects your reputation even if you can’t always protect what’s happened.
But I think that the repercussions for business, if they don’t have digital trust, will really cause a lot of these things to happen. They’re less reliant on data for decision-making. They’re losing customers. There are more incidents. And I think transparency and honesty are the way you build trust—when you are kind of straightforward about what’s going on, and you share that you have a trusted framework in place and that you’ve done the work, that even though you had a breach, you did the work.
There’s lots to study about that. And I don’t know that any one of us has the right answer, but I think that’s part of it. Chris, what do you think?
Dimitriadis: I think you are spot-on about transparency, because at the end of the day, a breach or an incident should be expected.
When we discuss digital trust, that doesn’t mean that prevention will be 100% effective or performing according to the expectations of the stakeholders. And this is because of the complexity, but also the sophistication of the attacks.
I think that [businesses] should assume a breach [will occur at some point in the future] and then try to work around [that] in order to establish digital trust with transparency, as David said, but also through the appropriate detection response and recovery processes and mechanisms in order to prove in practice that the digital trust is a commitment for the organization.
Bischoping: Chris, you took the words right out of my mouth. I think we have a very similar philosophy on this.
I often tell people that I don’t necessarily lose trust in a company because they were breached or because there was an attack—especially as connected as we are, and as every business is digital in some way, shape or form. I lose trust in a company when they try to cover it up or when they’re not forthcoming with what they’re doing to remediate the situation or when they don’t respond to their customers or have that empathy that this does affect their customer base. This can affect people’s livelihoods. I think that’s important.
Samuelson: Yeah, it’s very important. We’re talking about digital trust, but the word trust is the key part of that. Trust is a relationship. And in a relationship, you come clean, and you try to be honest with one another. And I think that’s true with customer relationships as well.
Bischoping: Let’s go back briefly to the survey. Was there anything in the survey that you found really surprising or unexpected? We already talked about the huge change in how people perceive trust in America, but was there anything else?
Dimitriadis: One point of surprise from the survey is that there is a lack of maturity in understanding the target or the end goal of digital trust. This is a very, very important first step for the digital trust community worldwide. What people are very eager to learn is how to implement digital trust because digital trust is not in place yet.
So that’s a very positive result: People recognize the importance of digital trust and they’re eager to communicate the message all around the world in order to get things moving forward.
Bischoping: It sounds like then it’s not a lack of awareness; it’s not even a reluctance. It really is just a lack of frameworks and really that tooling and understanding, as the concept of digital trust becomes more widespread.
Samuelson: I’d like to add that it’s not so much a surprise as a reinforcement that we need to collaborate, we need to do this together, and that it’s a business issue. It’s not the domain of the cybersecurity expert in your firm, even if you have one. Many don’t. It is working together to understand that we’re in a new era of commerce, a new era of business, and that it’s a digital one, and it’s going to continue to be complex and new for many people.
So we have to be always learning, always improving, and I think things like frameworks and assessments will all help organizations figure out, what can I do today?
It seems overwhelming, not knowing where to start. And I think questions like that are where a lot of organizations are when they pick up the newspaper and say, I wonder if this is gonna happen to us tomorrow. And the professionals we serve are telling us that the kind of help ISACA needs to give is to create some level of best practice across these domains to actually integrate the solution into a digital trust solution. So that’s where our focus has been.
Bischoping: I do want to touch back once again on what you said about building those relationships in the business. Pretty much anytime I get an opportunity to do a presentation or anything, I talk about breaking down silos. Because you, as the security practitioner or as someone in compliance or audit, you have visibility into so many different aspects of the business.
Are you actually going and having conversations with the people who own those business processes to understand how they’re using technology and what their work actually looks like? Would that play into building trust, the way you envision it?
Samuelson: Absolutely. And it’s in this survey. I think you can see that people are concerned about this, but they don’t see sufficient leadership or collaboration. If you want to make progress, it’s gonna require, you know, reaching across to your colleagues in making something happen.
Any organization—and I’ve been in several, but I’ve been in ISACA for the last three and a half years—every organization has vulnerability around the organization based on how people understand the concept of trust. And so that’s why I mentioned HR or marketing or even the developers, you know, if you wanna have trust, you should build it in at the beginning. You should have privacy by design, you should have security by design. And those concepts are slowly coming into being, like DevSecOps is becoming more and more the right way to do things because it builds that in up front.
I think as the organization understands how a digital organization operates, they start to apply these techniques and collaborate.
Bischoping: Awesome. Well, as we get toward the end of our time together, is there anything that I haven’t asked so far that you think our listeners should know about Digital Trust or what they should start thinking about to get ahead of this in their organization?
Samuelson: Chris, I’m gonna let you start.
Dimitriadis: One point I would like to make is that we have really created very sophisticated cybersecurity approaches and technologies and systems, yet most of the incidents are caused by very simple and basic omissions in cybersecurity. And this notion of collaboration, as you very well described it, Melissa, and as David explained it as well, is key in order to try something different around cybersecurity.
We can’t really use the same means to solve a problem that we weren’t able to solve in the past. So that’s why we believe digital trust is so innovative in terms of offering an alternative approach to an existing problem. To think a little bit differently.
And again, it’s very important from a business perspective as well. And it’s also recognized by several different regulations that are being developed around the world where we see the need for alternative approaches in cybersecurity. Because no matter how much we extend our expertise and our capability vertically in cybersecurity, if we don’t go horizontally, we’re not gonna solve the problem.
Samuelson: I was going to amplify a point you made about regulations. As I said, every company’s a digital company. And every country is thinking about this right now. And if you can elevate the conversation to a digital trust conversation and not simply a control conversation, then I think regulations are going to help us with that collaboration.
That’s easier said than done, but we spend a lot of time, Chris and I in particular, with government agencies and working with regulatory bodies to try to understand what’s necessary to actually raise the conversation to this digital trust level. And I think it can be very impactful or successful.
Bischoping: I couldn’t agree more. You know, there are things that I’m passionate about, but until recently I didn’t use the words digital trust to encompass that mindset of building relationships, of creating that culture of security from the ground up. And that starts from the development, you know, the onboarding of new employees; the culture of security and trust has to be something that runs through every piece of your environment and is seen as important.
I come from a background in manufacturing and oil and gas where safety is king, where safety violations are absolutely, like, you cannot put someone’s safety and life at risk. And when you start talking about trust and security as being as essential as safety to the longevity of your business, I think people really get it. Just like safety for us was something that existed in every action we took, I think trust has to exist in every action you take.
Samuelson: Yeah. I think it really works. And it brings the conversation to the right level and starts to address some of these softer, undescribed things that are so important to people like you who have had to actually do that work and struggled with it. So hopefully we can be helpful.
We have a lot of resources on our website around digital trust that people can read about. And as we launch the framework later this year and start looking at how to measure maturity, we want to be a resource to those of you out there who are digital trust professionals trying to make this world a safer place to do digital trust business.
Bischoping: Perfect. I’ll go ahead and get the address and everything that we can post with the show notes. That was my next question, actually, is where can they go for more resources and information, and you answered that right away, so thank you. Chris and David, I think we’re going to wrap up, but I appreciate both of your time today and I really appreciate the conversation on Digital Trust.
Samuelson: So did we. It’s our pleasure. Thank you so much.
Dimitriadis: A real pleasure. Thank you. Thanks for the opportunity.
Bischoping: I’ve been talking with David Samuelson, the CEO of ISACA, and Chris Dimitriadis, its chief global strategy officer.
If you’d like to read more about their 2022 Global Survey on Digital Trust, check out the link in the show notes. Or you can learn more on the subject on Tanium’s new online cyber news magazine at Tanium.com. To hear more conversations with top security leaders, make sure to subscribe to Let’s Converge on your favorite podcast app, such as Apple Podcasts and Spotify. If you like this episode, please give us a five-star rating.
Thanks for listening, and we look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Chris K. Dimitriadis
Chris K. Dimitriadis, Ph.D., CISA, CISM, CRISC, is chief global strategy officer at ISACA. An international authority in cybersecurity, Dimitriadis provides thought leadership in digital trust and helps develop strategies for ISACA members, who hail from more than 180 countries.
David Samuelson
At the time of this podcast recording, David Samuelson was the CEO of ISACA (Information Systems Audit and Control Association), the international professional association focused on IT governance. After leaving ISACA, Samuelson founded Pinpoint Learning, an executive advisory and consulting firm based in Seattle.
Melissa Bischoping
Melissa Bischoping is Director, Endpoint Security Research at Tanium. Presenter, author, and cyber SME, she offers guidance on attack behaviors and emerging threats.