The Digital Trust Imperative: Defining, Establishing and Measuring Digital Trust

Author: K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, SECURITY+
Date Published: 1 January 2023

At the time of this writing, there is a huge news story about possible cheating in the world of international chess.1 Claims of cheating in chess are not exactly new. So why is this particular story so prominent? There are several reasons. First, one of the parties in the scandal is the reigning world champion, and he is the one leveling the cheating charge. Second, the one being accused has been caught cheating before. It is the second reason that is of particular interest because it has to do with trust. This individual has broken trust before. He has damaged his own reputation, having been caught cheating. As a result, people are more accepting that he cheated this time around, even though no proof has been presented and no method has been suggested, other than one that would typically be found in less-than-reputable news magazines. If the accused were a chess grandmaster who had never been shown to have cheated, likely more people in the world of chess would have demanded tangible proof of the cheating claim.

Trust, from an organizational perspective, is crucial to success. However, the nature of trust is shifting. More and more, transactions happen digitally. In some cases, relationships between organizations may be solely digital, with no physical interaction required in this era of digital signatures and the like. If an organization should violate trust in some way, news of that violation can fly immediately to everyone connected digitally, meaning an organization can acquire a tarnished reputation incredibly quickly. Therefore, trust, and especially digital trust, is critical. Digital trust is simply trust in a digital context. But the root word in that phrase, "trust," represents a nebulous concept. What defines and comprises trust? What about digital trust? Are there ways to improve the digital trust in our organizations? Are there methods to measure the trustworthiness of other organizations?

Can Digital Trust Be Measured?

I do believe that trust, and especially digital trust, can be defined and measured. Back in 1998–1999, when I was a young officer in the US Air Force serving as a project manager on commercial IT contracts, one of the key questions that plagued us was, "How do we measure a vendor’s reputation to deliver on a contract?" We were asking that question because we had recently faced a situation in which one of our vendors for a key contract stopped shipping orders due to the company’s acquisition by a larger organization. We had another vendor that also stopped shipping orders not only on our contracts, but on some contracts for sister agencies. We decided then that it was a good idea to apply a "measuring stick" based on vendor performance. Ideally, this would be across the entirety of the US Department of Defense. Even back then, we were starting to define the criteria by which vendors could be measured.

Recently, I was having a similar conversation with my organization’s third-party vendor management personnel. They were evaluating artificial intelligence (AI) products designed to help with IT vendor risk management. There is simply too much information to process nowadays. As a result, AI is being touted more and more to fill the gap.2 If AI is involved, that means we do have ways to model or measure a vendor’s reputation.

Digital Trust Is Not Just About Cybersecurity

Naturally, an organization’s cybersecurity posture is a factor in overall digital trust. We want to keep the bad actors out and/or minimize their impact. That is what cybersecurity is for, and it is important to the overall success of an organization. After all, if an organization’s cybersecurity posture is viewed as weak, or worse, it will affect the bottom line. A good example is the impact on profits for Target in 2014 after its highly publicized breach.3 Poor cybersecurity equals poor reputation equals poor digital trust.

However, if you think about where IT vendor management is going, cybersecurity is just one of several factors third-party management professionals must consider. After all, an organization might have one of the world’s best cybersecurity practices, but if it is terrible at shipping quality products, most organizations will rate it as an unacceptable business partner and it will develop a poor reputation. In short, the organization’s digital trust rating will be near the bottom even with an incredible cybersecurity posture.

A Digital Trust Ecosystem Framework

ISACA® has developed a framework for digital trust, called the Digital Trust Ecosystem Framework (DTEF). It is safe to say that ISACA believes digital trust is critical in today’s modern digital environment.4 The DTEF is a means of identifying what organizations should focus on with regard to digital trust. For instance, the DTEF sets forth a common working definition of digital trust:

Digital trust is the confidence in the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem. This includes the ability of people, organizations, processes, information and technology to create and maintain a trustworthy digital world.5

Crucial to the framework is its definition of ecosystem. In the DTEF, a digital trust ecosystem is made up of:

  1. Relationships
  2. Relationship mediums (i.e., how those relationships are conducted)
  3. Activities (i.e., what an organization does digitally)
  4. Stakeholders (i.e., customers, suppliers, peers)
  5. An organization’s ethics, reputation and privacy

Of course, there is much more detail within each of those five areas.

We Have to Implement Yet Another Framework?

In short, no. The DTEF is designed to encapsulate what goes into an organization’s digital trust posture. Is the organization operating securely online? Is it handling data, especially sensitive and private data, in an ethical way? Is it collecting just the data it needs to operate, or is it capturing more than it should? Is the organization conducting its relationships with peers in a generally acceptable manner? Does the organization produce quality products? How does the organization treat its customers?

Like other frameworks, the DTEF is designed to function as scaffolding to help an organization meet certain expectations. In the case of the DTEF, the expectation and goal is a trustworthy digital ecosystem. The framework itself does not get an organization there—the people, processes and core values of the organization do. Even if an organization does not formally adopt the DTEF, the organization can look at the DTEF as another tool to help better define and improve its digital trustworthiness. By increasing digital trustworthiness in individual organizations, we can expect the overall digital ecosystem to improve as well. That should be our overall goal, after all. I personally want a digital landscape where my transactions are safe and trustworthy. I want to interact with organizations that adhere to the same ideals. I would hazard a guess that most people feel likewise.

Where We Go From Here

Digital trust is crucial as we continue the shift to digital transactions, digital interactions and a heavier digital experience. There are a great many bad actors who seek to harm this digital ecosystem, but we need to think beyond them. We must look at how our own organizations stack up on the digital trust scale. We also have to consider what level of trust we can put in organizations we interact with digitally. This is about overall digital reputation, a paradigm shift from the industry focus on cybersecurity to counter bad actors. Cybersecurity is critical to overall reputation, but it is not the only factor.

Given that digital trust is an abstract concept, we do need to define it as clearly as possible. We also need some means of determining how trustworthy an organization is in the digital ecosystem. ISACA has a framework to help with that, but this is about more than a framework. The focus and overall goal is for a trustworthy digital world. Going forward, in this column we will focus on that goal as we delve into issues, events and components that affect digital trust and the digital ecosystem.

Endnotes

1 Kumar, A.; "Inside the Chess Cheating Scandal and the Fight for the Soul of the Game," ESPN, 6 October 2022, https://www.espn.com/espn/story/_/id/34736588/inside-chess-cheating-scandal-fight-soul-game
2 Dambrot, J.; "Streamlining Third-Party Risk Management With AI," KPMG, 2021, https://advisory.kpmg.us/blog/2021/streamline-third-party-risk-ai.html
3 Harris, E. A.; "Data Breach Hurts Profit at Target," The New York Times, 26 February 2014, https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html
4 ISACA, "Empowering IT Professionals to Advance Digital Trust," USA, 2022, https://www.isaca.org/digital-trust
5 ISACA, "Digital Trust Ecosystem Framework: Introduction and Approach," USA, 2022, https://www.isaca.org/digital-trust

K. BRIAN KELLEY | CISA, CDPSE, CSPO, MCSE, SECURITY+

Is a columnist and author focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps and user groups.