Digital Trust Takes a Village

Author: Alex Sharpe, Board Member, Practitioner, Speaker, Author, Sharpe42 LLC
Date Published: 17 August 2022

A quick online search of “Digital Trust” results in millions of hits. Have you noticed that most of the results are about technology? I do not know about you, but when I think about whether I should click on a link or buy from a particular online vendor, I wonder if I can trust the source, not the underlying technology.

It is just like when I get in my car to go someplace. When I think about getting there safely, I am not asking how the brakes were engineered or how the brake pads were manufactured. I suspect most people are more concerned about leaving late and forgetting something. When we think about safety, our thoughts go to things like traffic, weather conditions, and how the car has been running lately. We do not think about the rest of the ecosystem: the traffic controls, the checks, the balances, the enforcement mechanisms.

Why would digital trust be any different?

ISACA defines digital trust as “…the confidence in the integrity of relations, interactions and transactions among providers and consumers within an associated digital ecosystem.”

The word “technology” does not appear. Why? Technology affords an opportunity, but the value is unlocked by the people and processes married to the technology.

In all fairness, digital began as the purview of the CIO. When we say “technology,” we usually mean Information Technology (IT); it is natural for us to think of technology when we hear “digital trust.” We can also see how users get there. It is often treated as a technology issue when something goes wrong.

So, how do we build digital trust? In the same way we create other forms of value – capital allocation and governance. We align all forms of capital – dollars, people, and energy – to our business goals. Is digital trust one of your business goals? Is it at the core of the messages sent to your ecosystems by your words and actions? Like the car example, digital trust comes from a consistent pattern of behavior over time and throughout the ecosystem. If we dig into the car analogy a bit, we will see similarities to the Four Lines of Defense and the players we deal with every day in Enterprise Risk Management (ERM).

It all begins with the tone at the top. Our digital trust governance models are no different from other governance models. We create alignment, we communicate, we monitor, and we make course corrections.

What is different? The most noticeable difference between digital trust and other governance models is timing. While the underlying technology that enables digitization has existed for quite some time, it has only become significant in the past few years. COVID may have been the ultimate accelerator. Combine that with all the data breaches, ransomware, identity theft, and the nation-state warnings, and our customers, business partners, and employees are asking if we can be trusted. In practice, aren't businesses asking the same questions about our customers, business partners and employees? That is a topic for a future blog.

The less noticeable difference is the economics. The digital part of any business is growing and is, generally, the most profitable part of the income statement. Data is the new oil. The World Economic Forum (WEF) estimates 60 percent of Global Gross Domestic Product (Global GDP) comes from digital. Meanwhile, recent studies show the contribution of intangible capital to overall valuation to be about half and growing. The placement of reputation on board agendas continues to rise. If you have ever worked a cyber incident, you know organizations quickly turn toward managing the reputational risk after dealing with the initial shock. Once trust is lost or reputation is damaged, it is difficult to recapture.

What is an organization to do? In principle, the answer is scary simple: the same things you do for anything else strategic. It begins with the tone at the top and requires engagement across the organization at all levels. Digital trust is not just the responsibility of IT; it requires consistent messaging from ALL parts of the business – marketing (e.g., branding), sales, legal, H.R., customer support, and all the business units globally. Most importantly, the messaging and the actions must be genuine, or the result will be suspicion, not trust.

Digital trust must be managed through checks and balances like any other strategic initiative. The multiple lines of defense we use today for risk management are an excellent model.

If we build upon the car safety (trust) example, we will start to notice similarities. We are more concerned with the actions of the other drivers than we are with our own. We build our trust largely upon observation – our driving experiences, coupled with the experiences of people we know and what we see in the news. If you think about it a bit more, in many cases our experiences rest upon an entire governance framework about which we do not give a second thought. The ecosystem comprises manufacturers, regulators, third parties like Consumer Reports, law enforcement, first responders, traffic reporters, and the like.

Certain business models attract more suspicion than others. Not a surprise. Suppose you have a business model like Google or Facebook that relies on advertising or monetizing data. You will need to be particularly vigilant, especially when incidents occur; the more transparent and genuine you are, the better.

The ecosystem. Your ecosystem is broadly composed of players in your control and players out of your control.

Fortunately, the ones outside your control, such as regulators, law enforcement, and government agencies, are there to increase your digital trust. Let them work for you. While it may not seem that way, they are there to provide confidence to your stakeholders. Their primary function is akin to an external auditor providing a third-party attestation.

For example, in the US, the Securities and Exchange Commission’s (SEC) primary mission is to protect investors. Not getting sideways with them provides confidence. Governments all over the world are focused on managing systemic risk with efforts like the General Data Protection Regulation (GDPR) and the Cyber Safety Review Board (CSRB).

The parts of the ecosystem under your control command a different type of attention. When it comes to digital trust, your stakeholders understand that you remain accountable for what the members of the ecosystem do. You will be held accountable for your decisions – just ask organizations like Target and Capital One. Each made headlines because of something a business partner did. Third-Party Risk Management (TPRM) is on the rise for a reason.

A team sport. Digital trust is a team sport, requiring engagement throughout the organization at all levels. Digital trust also extends outside of the organization to your business partners and vendors. It is no longer the purview of IT. Fortunately, organizations have an existing framework to leverage – Governance, Risk Management, and Compliance (GRC). It all begins with the tone at the top. How do those of us lower in the organization make a difference? Simple: think globally, act locally. And, spoiler alert, in the coming months, ISACA will have a new Digital Trust Ecosystem Framework – stay tuned.