Building trust when it's at an all-time low
We live in a time where trust is at an all-time low, due to a variety of factors, including socio-economic, political, health and consumer cost issues. Because of this, businesses want to demonstrate that they are trustworthy to their stakeholders and consumers alike.
So says Scott Bridgen, head of GRC at OneTrust, who will be presenting a keynote address at the ITWeb Governance, Risk & Compliance 2022 event, to be held on 10 February at the Maslow Hotel in Sandton, and online. The title of his talk is “The CISO's role in driving trust: Why it matters, how to define it, and what success looks like”.
Bridgen says organisations are collecting more data which comes with increased risk.
“Cyber-crime is at an all-time high, with ransomware attacks and increased data breaches crippling the global economy and supply chain. To put it plainly, the increased focus on trust is a direct result of there being a lack of trust in businesses across the globe.”
The evolving role of the CISO
According to Bridgen, this erosion of trust has altered the role of the chief information security officer (CISO). “The CISO’s role is first and foremost to help their organisation build trust while keeping their customer, employee, partner, and vendor data secure.”
He says CISOs now have a unique opportunity to shift the perception of the information security office from that of a costly business necessity to that of a value generator.
To make value generation work, CISOs must go beyond compliance with standard security and risk management frameworks and work to protect brand reputation, obtain customer loyalty, and maintain steady revenue generation.
So how should a CISO go about building trust? Bridgen says a CISO’s approach to building trust differs based on the size of a business as well as where the organisation is along their trust journey.
“For small to medium businesses that don't have an established trust program, it's essential to build the principles of privacy, security, and governance, risk and compliance (GRC) by design into your technology stack from the moment you begin development,” he explains.
This, he says, will help the organisation establish and exhibit trust to win more business and enable revenue.
As companies grow and evolve into the enterprise landscape, the CISO's office should build out more dedicated risk management and security functions to foster ongoing trust.
“This work should go beyond risk mitigation and security assurance – to protect brand reputation, foster customer loyalty, and retain revenue.”
When it comes to measuring trust, he says there’s no one-size-fits-all approach. “There are several metrics that businesses can leverage to better understand their trustworthiness. These include determining brand ‘trust scores’ (or decrease in mistrust); embracing an honest approach to compliance; measuring both attestation and understanding of training; and identifying the length of sales cycles, and the CISO team’s impact.”
Other ways, he says, include documenting shadow IT with policies and measurable levels of acceptability and appetite; knowing what information to share, when, with whom and, most importantly, how that information is shared; and using value-based reporting to translate traditional dashboards into the language of the business.
Finally, Bridgen cites identifying repeat customers and annual recurring revenue; reducing employee turnover rates; documenting employee satisfaction scores; and measuring the number of data incidents or breaches.
“By measuring these metrics, organisations can gain a better understanding as to how trustworthy their customers, employees, vendors, and partners are of the business’ operations,” he concludes.