How the Rise of the Chief Trust Officer Role Can Shape Digital Trust in Organizations

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 29 June 2022

It’s often said that trust is hard to earn and easy to lose. It undergirds most everything we do, yet is so fragile that, without it, nothing works. This is especially true in digital economies where virtually all transactions are supported by faceless organizations that provide reliable services.

American economist and Nobel Prize Laureate Milton Friedman, in his Public Broadcasting Service (PBS) video called “I, Pencil,” discusses the elaborate chain of suppliers and individuals who have to unknowingly collaborate to allow for the creation and distribution of a simple pencil. Inherent in each of these links is a financial chain that requires, among other things, trust. Friedman’s videos were created in the late 1970s; one can imagine how differently trust works in today’s internet age.

Banks have long understood this basic aspect of trust as a competitive advantage in their roles as intermediaries. You may have personally been inside a bank branch that was truly an architectural work of art, replete with marble columns and fine wood-grain desks with gold inlays. The grandeur of these buildings was purposeful. After the stock market crash and subsequent run on the banks during the Great Depression of 1929, banks needed to instill confidence in the public. A bank that could afford to outfit its branches with such splendor surely would be a safe place to hold your family’s deposits. Contrast this with the fintechs of today that don’t exist except as an app on your phone and whose logo you only know because it’s on the card you use to pay for goods and services. The reason we give them our trust is different from the reason we trusted brick-and-mortar banks decades ago.

Which role in the organization is responsible for ensuring that today’s customers have the same sense of surety we all had with the brick-and-mortar businesses of years gone by? While elements of instilling this trust exist in every employee’s job description, it may be time to begin thinking about a Chief Trust Officer role that can represent concerns and provide a single point of contact for all aspects of digital trust for the board of directors. Such a role could subsume aspects of the CISO, CSO, CPO, CIO and digital transformation officer roles.

The roles of CISOs and CSOs have shifted substantially in the past decade, with reporting lines moving all over. We can expect that a substantial amount of digital trust relies on customers’ expectations around security, namely the foundational security triad of confidentiality, integrity and availability. If that fintech bank’s credit card didn’t work, allowed others to steal money, or suffered a massive data breach, it follows that the bank’s reputation would take a massive hit.

In many ways, reputation and trust go hand in hand. The way an organization handles its customers’ trust can make or break it in the market. Take, for example, the currently unfolding realization that DuckDuckGo has been secretly sharing browsing data with Microsoft, something it actively said it hadn’t been doing since its creation. This is an example of an organization needing a specific person tasked with managing digital trust, inclusive of security, privacy and IT operations.

Ultimately, many of the things these roles individually would be tasked with monitoring, namely security, operations and privacy risks, can roll up to a single line item on an entity’s risk register: trust. This means that there needs to be a role with the ability to reconcile how risk acceptance in one area translates into impacts on digital trust. To borrow a security metaphor, the attack surface for an entity’s digital trust is both broad and deep. It requires the cooperation of all these functional areas to have visibility into potential issues and appropriately disposition them. Given how complex the sum of these technical and operational environments is, a Chief Trust Officer would find it important to retain the services of third parties. These third parties would assist in the automated monitoring of an entity’s environment. Further, such firms could report on an entity’s cumulative trust rating, similar to how rating agencies are doing for other environmental, social and governance (ESG) concerns. Perhaps we are ready for the birth of the ESGT movement (adding a T for trust).

The role of the CISO and the CIO has changed considerably over the past few decades. It’s worth considering how important digital infrastructures are to the delivery of products and services to an entity’s customers. To that end, some of the changes that have been forced upon these roles could rightly be subsumed by an executive with a broader purview. Establishing and empowering a Chief Trust Officer can accomplish these goals and ensure that an organization’s greatest asset, namely its customers, has a strong voice in the boardroom.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC

Is VP and Head of Cyber Risk Methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.