“If you want to drive a Ferrari really fast, the most important part is the brakes,” recounts David Samuelson, CEO of ISACA. He says that when thinking about innovation, often the thing that's keeping businesses from moving quickly is a lack of safety gear, and a digital trust framework is just that.
Digital trust is a relatively new term but as David emphasises, “it's not a new thing, but a new way of talking about something that has long been important – trust in technology.” Rather, it's a holistic way of looking at the different factors that drive trust in technologies and those who wield them. But most importantly – using them to drive business goals.
According to Samuelson, “ISACA is in the business of providing best practice.” Among its claims to fame is a 170,000-strong member base around the world and its COBIT framework, which has become the de facto standard in implementing controls in technology governance – in corporations, in governments, you name it. Now, it’s tackling digital trust, and building out the framework to help companies measure and improve the level of trust in their technologies, and subsequently grow their businesses.
I had the opportunity to attend ISACA’s European Conference where hundreds of cyber and tech professionals discussed the launch of the latest framework to change the way we look at tech, and who we choose to trust with our data.
Another buzzword, or the next step in cybersecurity?
Cyber and tech professionals have been saying for years that security is not limited simply to cyber, privacy, or risk management. That it's not enough to work in their own individual silos, it has to be more horizontally discussed. The problem therein is that they lack the business vernacular to convince leadership and boards who needed to provide their backing in order for an organisation to build trust in the systems they're deploying.
And so, ISACA set to work developing a digital trust ecosystem framework.
While there are several definitions of digital trust out there, this is the one ISACA has laid out:
Digital trust is the confidence in the integrity of the relationships, interactions, and transactions among suppliers/providers and customers/consumers within an associated digital ecosystem.
The concept is relevant universally – these days, nearly every business is digital. You'll be hard-pressed to find a business that does not make use of some sort of digital tool or cloud service. Society is becoming more privacy-literate, and more discerning about where their data goes.
Samuelson shared an example from his own life:
“You go to the doctor, fill out a form with your personal information, your social security number. Where does it go? In a filing cabinet? Does it lock? Who has the keys? We didn't ask these things 20 years ago, but we start thinking about them now. And they inform our level of trust we have in the services we're being provided.”
So people are thinking about where their data goes, and as a result, which businesses they choose to trust. Hopefully, the concept of implementing digital trust ecosystem frameworks will help any company demonstrate that they can be trusted to hold, process, and protect you and your information.
To double down on its commitment to the topic, ISACA has established a Digital Trust Advisory Council. Made up of industry professionals, council members will provide guidance and thought leadership on how ISACA and the global security community can create a digital ecosystem where confidence is the norm.
Do startups need digital trust?
As Samuelson put it, “The one thing that startups need to succeed, and don't have because they don't have the many years of experience and reputation to back it up, is trust.”
Essentially, trust is a prerequisite to doing business. For a startup, implementing a series of requirements as outlined by ISACA's digital trust framework, a startup could stand to gain a leg up in the trust sphere, contributing to a competitive advantage or differentiating factor among other innovators.
The same goes for emerging technologies. Chris Dimitriadis, ISACA's Chief Global Strategy Officer, outlined that you have to have trust to attain critical mass for any meaningful technology adoption. “Trust is the key enabler of emerging technologies driving economic development. Until you have trust, in blockchain, AI, autonomous cars, etc., it can't truly take off.” And while startups are generally small and may not have dedicated Heads of Security, he recommends that startups start by building in trust-driving values from the very beginning, like privacy and risk management.
While implementing checks and balances may not be as sexy as shipping code and launching features, ISACA's CEO believes it's the foundation you need in order to hit the ground running.
“While bureaucracy, frameworks, checks, are the opposite of what an agile-minded founder wants, you won't be able to get that hockey stick growth you want without addressing digital trust. If you want to drive a Ferrari really fast, the most important part is the brakes. Because you won't drive fast if you don't have brakes that you know you can fall back on. It will accelerate your ability to move business forward.”
But as a small team, where does a startup start when it comes to implementing digital trust?
Implementing digital trust in startups – mission impossible?
The real question is – are you willing to make it a priority? Matt Chiodi, a member of ISACA’s Digital Trust Advisory Council and Chief Trust Officer at US-based security startup Cerby, says that it's entirely possible to implement digital trust as a startup. As a team of 60 people, he's been named Chief Trust Officer, because as a cyber startup, the organisation found it an important enough topic to warrant a position of its own.
In the corporate world, there's a huge disparity between the number of companies that say that trust is important (86%), vs how many have dedicated roles to it (8%). I imagine that in the startup world, that disparity is even larger. Because let's be honest – in a small and agile team, it's possible that it simply won't be a priority.
Even if you don't have the opportunity to dedicate a role to digital trust, it is possible to bake it into your strategy. Chiodi says that the way trust is practically built is through transparency, which can be done by stating your measures, processes, and certifications.
When asking Matt about the very basics of what a startup – or any company, really – should be prioritising in terms of trust and safety, Matt says that if you look at privacy and risk management, you're good. And when in doubt, make sure that you have two-factor authentication where possible, as it's one of the easiest ways to reduce risk in any organisation.
Picking up digital trust for yourself
It's never too early to start thinking about digital trust. But for those looking for more specific insights, you can take a look at ISACA's State of Digital Trust Report. By the end of the year, ISACA will be launching the Digital Trust Ecosystem Framework, which will be available to members, as well as provided to governments and organisations that ISACA works with. But never fear, in 2023 ISACA will be launching what it calls “framework lenses”, which are domain-specific perspectives on implementing the digital trust framework. So if you're a CSO, an IT auditor, a marketer, a CEO, etc., those will be coming, but you'll have to wait for a few months for them.
The conference was eye-opening in understanding the world of cybersecurity – terrifying from one perspective (like how quantum computing will effectively destroy encryption as we know it), but comforting in other ways (like learning that two-factor authentication is the easiest way to protect yourself). Most of all, learning that there is a robust community staying on the cutting edge of digital security who are constantly educating themselves.
The thought-provoking event brought together a significant number of forward-thinking leaders and, hence, a fantastic forum for big ideas and catching the latest industry trends. Evidently, the organisation goes above and beyond for their community members.
Case in point – a lovely custom rap by Mega Ran that I'll leave right here.