Chris Dimitriadis is one of those people who you just know has a lot of information at his fingertips. After 20 years of working with ISACA, the world's leading association for security professionals, he has been part of the movement bringing digital trust to the forefront of the security industry. He also holds three patents, and has done his PhD on the combination of game theory and cybersecurity.
I met Chris at ISACA’s European Conference in Rome, where he shared the future of digital trust and its implications on society, governments, and startups.
Why are we talking about digital trust?
Digital trust is more or less the key enabler of success. Without trust, no organisation, corporation, government, or individual can be successful, no matter the digital ecosystem or innovation that is built up around them. That's because trust is about stakeholders – in acquiring new customers and retaining existing ones, it is critical to have confidence in the operation of technologies or the digital ecosystem. This is very important for success because without trust it's very easy to fail in this endeavour.
How did we get to the concept of digital trust? And why is ISACA tackling it?
ISACA started almost 50 years ago in the domain of IT audit, and back then the need was more or less to provide assurance of the newly emerging digital systems and computers. Shortly after, ISACA started focusing on other domains – cybersecurity, risk management, governance and more recently, privacy.
Back in 1996, ISACA came out with the notion of governance of technology, called COBIT. Since then, it has been used as the de facto standard to implement controls of the governance of technology within a corporation, public entity, or ecosystem. ISACA later acquired a tool called CMMI, born at Carnegie Mellon University and applied for the US Department of Defense (DoD) – a framework measuring the maturity of those who wanted to provide their services to the government. The higher the maturity, the lower the uncertainty of the endeavour.
If you put those efforts together, coupled with input from our 165,000+ dedicated members from around the world, you arrive at the notion of digital trust.
ISACA will be launching a digital trust ecosystem framework that organisations can follow and implement. But can small and agile teams, like startups, implement it?
The framework is industry and organisational size-agnostic. The principles of digital trust, bringing together all of those domains – cybersecurity, audit, privacy, governance of technology, and quality – can be adopted by businesses of any size, and we've designed the framework in a way that puts a focus on the interaction of people, process, technology, and organisation from a systemic point of view, irrespective of size.
The effort of implementing the framework may be much larger as the organisation's size increases, but it doesn't mean that it's hard to implement at a small one. So small organisations can focus on embedding those principles and follow the systemic approach on the journey to achieving digital trust.
Can you give us an idea of what that “systemic approach” looks like in practice?
It's about primarily understanding and measuring the interactions between people, processes, technology, and organisation.
Systemic thinking is all about realising that the more effective you are in those interactions, the more effective the organisation is as a whole. If you fail in one of those elements, you realise that your performance overall is minimised.
Also, it gives us the ability to correlate and combine different professions in order to avoid overlaps and achieve efficiencies and effectiveness. In the example of cybersecurity, you can't really say that you are successful in cyber if there is no adequate audit function to provide assurance. Or you can't be successful in cyber if the function running, say, a digital transformation project, is not taking cybersecurity into account. Because then cybersecurity isn't embedded, and at the end of the day it fails.
Or another example, you can't really say you have a great cybersecurity program in place if there is no understanding of the technologies that are included in the digital ecosystem, especially emerging technologies, such as AI. Nobody can claim that this professional or group of functions can be effective in cybersecurity if there is no understanding of how AI works. You can't audit, protect, perform risk assessment, or apply privacy on a technology that you don't understand. That's why it's extremely important, not only for organisations but for an individual’s career progression.
With these systems and framework, we create more holistic professionals that can contribute to the ecosystem.
When will the digital trust ecosystem framework be available?
We will launch an ebook preview for a smaller group, including those who participated in the framework’s public exposure period, before the end of the year – we will announce the date soon. A full digital framework experience will be available to the public in 2023.
At the end of the day, our goal is to have an increased impact on digital trust – we're a non-profit organisation, we certainly need to fund those projects, but digital trust is extremely important and the plan is to spread the word and share the digital trust ecosystem framework with the widest possible audience.
From next year we'll be creating what we call lenses, or points of view. Meaning the cybersecurity lens will be a view of the model that cybersecurity professionals can use. The audit view will be a different view of the same model that IT audit professionals can use, and so on.
How should digital trust be approached by those just learning about the concept?
First, read the framework.
Startups should focus on digital trust. Startups are trying to be different, they're trying to convince stakeholders of their value, they're trying to grow, and fast. This is how startups operate these days. Trust is a key differentiator in terms of customer acquisition, brand differentiation, and stakeholder confidence.
Because startups need funding, which requires trust.
ISACA has just opened its first European office in Dublin. How will this new office change ISACA's presence in Europe?
This is a historic milestone for ISACA. We’ve had a European presence since 1979 through our 45 chapters in the region. For reference, chapters are the local communities and the people who are helping ISACA grow its impact in the countries, and are helping their local environment grow and improve.
This European entity will help those 45 chapters coordinate amongst themselves through a commonly agreed-upon strategy. It's also about helping them with several services and addressing their needs.
Equally important, it will also contribute to increasing ISACA's voice and impact on local governments. Because there's an advocacy aspect as well – we're trying to advocate for what we believe is right in digital trust in the EC (European Commission) or governments across a wider European region. We believe it's important to have a louder voice, and the office is about that.
So we're not new in Europe, but we're investing more in Europe to see how we can further help the jurisdiction grow.
You hold three patents. What are they about?
I did a lot of research in the past, and those have to do with transactional integrity and game design, because I used to work for the gaming sector. My PhD is a combination of game theory and cybersecurity – there's this concept that you need to combine ideas from different industries to create something new. And it's pretty similar to what ISACA's trying to do with digital trust – combining different ideas from different domains in order to create something new like digital trust.
What is the future of digital trust, and what's next for ISACA?
We hope to deliver the Digital Trust Ecosystem Framework to as wide an audience as possible. We will do so through collaboration with various international and governmental organisations, through our members who can make use of the framework in their own organisations, and a series of educational workshops.
ISACA will continue to serve its 165,000+ members, provide them with the agency to achieve the best results in their careers through making use of the various frameworks and educational opportunities, and build a more trustworthy digital world.