The Board’s Role in Advancing Digital Trust

Author: Alex Sharpe, Board Member, Practitioner, Speaker, Author, Sharpe42 LLC and Adham Etoom, PMP®, GCIH®, CRISC®, FAIR™, CISM®, CGEIT®, Head of Policy & Compliance at National Cyber Security Center of Jordan
Date Published: 23 November 2022

What is digital trust and why is it a board discussion?

Simple: 73% of people believe that trust supports customer loyalty and 57% say that trust leads to revenue growth. Additionally, research in reputational risk reveals that cybersecurity events can cause customers to stop purchasing from an enterprise that experienced an event. Can you name a company that does not want less churn and more revenue?

ISACA’s State of Digital Trust 2022 survey shows significant gaps between what enterprises are doing and what is needed to be thought of as a leader in digital trust. These gaps get in the way of organizations being trusted in the digital ecosystem. ISACA noted that many organizations are still in the early stages of digital transformation, affording them the opportunity to incorporate digital trust principles in their strategy from the beginning to leapfrog the competition.

ISACA defines digital trust as “…the confidence in the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem. This includes the ability of people, organizations, processes, information, and technology to create and maintain a trustworthy digital world.”

What exactly does that mean?

  • Digital trust is not only about the reality of the situation but also how people feel.
  • Integrity of relationships is more about values, not the traditional definition of “security.”
  • Digital trust is about the entire ecosystem, not the disparate parts. Digital trust requires engagement across the entire enterprise, as well as external stakeholders.
  • Traditional IT-related disciplines like security, privacy, risk, assurance, quality and governance form the basis of digital trust but in themselves are NOT sufficient.
  • Ethics, transparency and accountability play an essential role that can be easily overlooked.
  • Digital trust is highly dependent on the less tangible aspects of an organization like culture, brand, product quality, data ethics and reliability.

Stakeholders not only need to feel good about what you do day to day, but they also need to feel good about how you will behave when things go awry. Cyber incidents and data breaches are good examples. What you do with their data day to day is an even better example. Eyes are on companies in the aftermath of cyber incidents and breaches, but do you sell their data when nobody is looking? People must feel good enough about you to believe you will act in their best interest both when the pressure is on and when nobody is looking.

The Evolving Role of the Board

All things digital are now a board discussion, just like the cybersecurity issues that come with them. Folding cyber risk into traditional governance, risk management and compliance (GRC) practices goes a long way toward achieving your digital trust objectives.

Historically, anything digital has been deemed the purview of IT. Business models are now digitally driven. The World Economic Forum estimates that 60% of global Gross Domestic Product (GDP) comes from digital, and the National Bureau of Economic Research (NBER) estimates that corporate valuations are largely driven by intangible assets. Given the significance to the long-term viability of the organization, it is irresponsible to rely on IT alone.

In the United States, the National Association of Corporate Directors (NACD) explains that boards have two primary responsibilities: to oversee management and to advise management. According to the United Kingdom Institute of Directors (IoD), boards have a responsibility to ensure the prosperity of an enterprise. It is clear that, given the significance of digital in our world, digital trust must be an ongoing board consideration. In this context, it is curious to note that ISACA’s State of Digital Trust research showed that only 28% of respondents believe the board is ultimately responsible, while 36% believe the senior leadership team is responsible.

At its essence, the board is responsible for value creation at reasonable risk. Establishing digital trust is essential to both sides of the equation. Many of the mechanics are straightforward. The tougher questions often center around capital allocation, both people and financial. The other challenge is how to manage the complexity. That is where frameworks like FAIR and ISACA’s Digital Trust Ecosystem Framework (DTEF) play a role.

The Role of Cyber Risk Quantification (CRQ)

Intangibles are challenging to quantify and communicate in a universal way. It is kind of like trying to grab smoke. Once something is quantified, it is far easier to fold into our existing GRC practices, fostering better decision making and thereby creating a better balance between the business, operational and risk-based realities.

Because cyber risk reporting grew up in IT, it is often filled with technical jargon and visually appealing but confusing metrics. After all, when it was purely the domain of the technical workforce, that was their native tongue. Now that digital trust is the purview of a much larger audience, the language and practices must evolve to something universally recognized.

The field of cyber risk quantification (CRQ) began from a need to bridge that very gap at least a decade ago. CRQ is no longer considered a leading-edge best practice, but a necessity for the modern enterprise. One of the most widely talked about models is the Factor Analysis of Information Risk (FAIR). FAIR is specifically designed to quantify value at risk (VaR) for cybersecurity and operational risk, forming the basis for digital trust. According to the FAIR Institute, the model is in use by about half of the Global 1000.

Boards have reported that the use of FAIR provides an organized means to identify the value of assets, to design probable loss scenarios, and to allocate capital to get the most bang for the buck. Some boards have reported that FAIR has been useful in demonstrating to objective third parties, like regulators, that they have been prudent in managing digital risk.

Reputational loss is widely considered the largest impact from a cyber incident. Unfortunately, reliable statistics are not yet available, but anecdotal evidence supports the popular belief. It is widely believed that CRQ techniques will only become more useful as the data become available.

Quantifying and presenting cybersecurity risk in financial terms serves multiple governance objectives, each of which influences the choice of risk treatment. For the board to properly ensure the company has the right level of cyber resilience, it needs an understanding not only of the adverse events, ranging from the mundane to worst-case scenarios, but also of the total cost of controls. Scenario-based exercises combined with CRQ techniques, like FAIR, provide an objective means to assess materiality and the most appropriate capital allocation. Allocating too little capital leaves you exposed, while too much wastes capital that could be better applied elsewhere. Determining the cost of a control is almost always the easy part. Determining the cost of an incident in the digital world is tough. Looking beyond three to five years, the likelihood of a digital incident quickly approaches 100%.
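To make the capital-allocation trade-off concrete, here is an added example (not code from ISACA, the FAIR Institute or the authors) of a FAIR-style Monte Carlo simulation. It uses FAIR's decomposition of risk into Loss Event Frequency (Threat Event Frequency multiplied by Vulnerability, the probability that a threat event becomes a loss event) and Loss Magnitude (loss per event), then compares the annualized loss expectancy before and after a control against the control's annual cost. The scenario names, the frequency and loss ranges, the control costs, and the use of triangular distributions in place of FAIR's calibrated PERT estimates are all assumptions constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class LossScenario:
    """One FAIR-style loss scenario. All figures below are constructed, not measured."""
    name: str
    tef_min: float        # threat events per year, low estimate
    tef_mode: float       # threat events per year, most likely
    tef_max: float        # threat events per year, high estimate
    vulnerability: float  # probability a threat event becomes a loss event (0..1)
    loss_min: float       # loss per event in dollars, low estimate
    loss_mode: float      # loss per event in dollars, most likely
    loss_max: float       # loss per event in dollars, high estimate


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in one simulated year at rate lam."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_losses(s: LossScenario, trials: int = 10_000, seed: int = 42) -> list[float]:
    """Monte Carlo: returns one total annual loss (dollars) per simulated year."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        tef = rng.triangular(s.tef_min, s.tef_max, s.tef_mode)
        events = _poisson(rng, tef * s.vulnerability)
        # Loss Magnitude is drawn independently for each loss event this year
        total = sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode) for _ in range(events))
        results.append(total)
    return results


def summarize(losses: list[float]) -> dict:
    """Annualized loss expectancy (mean) plus a 95th-percentile tail figure (VaR-style)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(0.95 * len(ordered)))
    return {"ale": statistics.fmean(ordered), "p95": ordered[idx], "max": ordered[-1]}


def evaluate_control(baseline: LossScenario, mitigated: LossScenario, annual_control_cost: float) -> dict:
    """Compare expected annual loss with and without a control against its annual cost."""
    before = summarize(simulate_annual_losses(baseline))["ale"]
    after = summarize(simulate_annual_losses(mitigated))["ale"]
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "loss_reduction": reduction,
        "control_cost": annual_control_cost,
        "net_benefit": reduction - annual_control_cost,
        # return on security investment: benefit per dollar of control spend
        "rosi": (reduction - annual_control_cost) / annual_control_cost,
    }


# Hypothetical scenario: credential phishing leading to a data breach (constructed figures).
BASELINE = LossScenario("phishing-led breach, no MFA", 4, 8, 12, 0.30, 50_000, 200_000, 800_000)
# Same threat activity, but the control (assumed: phishing-resistant MFA) lowers Vulnerability.
MITIGATED = LossScenario("phishing-led breach, with MFA", 4, 8, 12, 0.10, 50_000, 200_000, 800_000)

if __name__ == "__main__":
    for cost in (150_000, 700_000):  # two hypothetical control price points
        r = evaluate_control(BASELINE, MITIGATED, cost)
        print(f"control at ${cost:,}/yr: ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}, "
              f"net benefit ${r['net_benefit']:,.0f}, ROSI {r['rosi']:.2f}")
```

Run as a script, the report shows the same control being worth funding at one price and not at the other, which is the materiality and allocation question the board has to answer; the p95 figure from `summarize` is the tail exposure a board would weigh against its risk appetite rather than the average year.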

The ability to properly present cybersecurity risk to the board is paramount and needs to be communicated in business terms. The key is not only the language but also a focus on what is important to the board. An understanding of how cash flows through the business and how technology facilitates the creation of new revenue streams is most valuable. If you can establish a taxonomy of cyber incidents and how they affect those flows, perfect. The absolute best-case scenario is if you can do this in an objective and quantifiable way.

The Emergence of DTEF

To its credit, ISACA has taken on this challenge by developing the Digital Trust Ecosystem Framework. DTEF helps organizations develop a holistic approach by dealing with the complexities and nuances necessary to reap the rewards of digital trust.

Historically, security professionals have been very accustomed to dealing with the classic dimensions of People, Process and Technology. Let’s face it, historically technology has played the largest role. After all, it is the technology that puts us on the digital battlefield. It is the adversary’s weapon of choice. It is therefore natural for us to turn to technology for our defense. But digital trust is different because perceptions and the intangible play a far greater role than they have before.

Customers are making buying decisions based on the level of trust they have in sellers. Investors are doing the same with their investing decisions. Vendors are evaluating trust more than they ever have when deciding who to do business with. If you doubt this, just look at the amount of attention Environmental, Social and Governance (ESG) gets in the news.

The DTEF addresses this by transforming the traditional triad into a three-dimensional pyramid of People, Process, Technology, and Organization, while making digital trust the next evolution of digital transformation. Digital transformation changed business and operational models. Digital trust extends that further into experiences and increased confidence. You can easily see how digital trust is an essential element of your ESG strategy.

DTEF has its roots in systems thinking. Why? Simple. Modern enterprises are more nuanced than ever. Layer on the ever-increasing web of stakeholders outside of our direct control. Vendors, suppliers and trading partners are key to our value creation, which is highly dependent on a complex network of events, relationships, technologies, processes and people interacting in expected and unexpected ways.

A holistic approach focused on the relationships between the parts, instead of on the components themselves, enables organizations to consider the implications of their decisions and manage risk more comprehensively.

How does the DTEF do this? By treating People, Process, Technology and Organization as nodes in a three-dimensional pyramid. We look at the edges (domains) that join them:

  • Culture
  • Human Factors
  • Emergence
  • Enabling & Support
  • Direct & Monitor

These domains are flexible, expanding and contracting, reflecting the primary influencers and tensions between the nodes.

A Matter of Long-Term Viability

Digital and the cybersecurity concerns that come with it are a board conversation. Consumers, vendors, partners, and investors are clearly asking themselves how much they can trust your organization. It is only natural for boards to be asking themselves how to leverage this opportunity to ensure the long-term viability of the organization and to guarantee a healthy share price.

Every board is – or should be – concerned with the organization’s reputation, and the integration with the digital world plays an increasingly prominent role in that reputation. It all starts with the tone from the top. Engagement across the organization, not just in IT, is absolutely essential. From there, enterprises can turn the dials of regular governance practices. The DTEF is a great framework to help implement your digital trust strategy and will be the subject of future articles.

Editor’s note: Learn about ISACA’s new Digital Trust Ecosystem Framework (DTEF) in an exclusive webinar preview for ISACA members.