Lately it seems like trust is in short supply with tech-oriented businesses. It certainly doesn’t help that there have been a recent series of major breaches among security tech vendors. And the discussions about various social networks accepting political advertising haven’t exactly helped matters either. We could be witnessing a crisis of confidence in our industry, and CISOs may be forced to join the front lines of this fight.
One way to get ahead of the issue might be to anoint a Chief Trust Officer. The genesis of the title is to recognize that the role of the CISO is evolving. Corporations need a manager is focused less on talking about technical threats and more about engendering trust in the business’ systems. The CTrO, as it is abbreviated, should assure stakeholders that they have the right set of tools and systems in place.
This isn’t exactly a new idea: Tom Patterson and Bob West were appointed in that position at Unisys and CipherCloud respectively more than five years ago, and Bill Burns had held his position at Informatica for more than three years. Burns was originally their CISO and given the job to increase transparency and improve overall security and communications. Still, the title hasn’t exactly caught on: contemporary searches on job boards such as Glassdoor and Indeed find few open positions advertised. Perhaps finding a CTrO is more of an internal promotion than hiring from outside the organization. It is interesting that all the instances cited above are from the tech universe. Does that say we in IT are quicker to recognize the problem, or just that we have given it lip service?
Tom Patterson echoes a phrase that was often used by Ronald Reagan: “trust but verify.” It is a good maxim for any CTrO to keep in mind.
I spoke to Drummond Reed, who has been for three years now an actual CTrO for the security startup Evernym. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three titles is “to build and support trust. For a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”
Speaking to my comment about paying lip service, Reed makes an important point: the title can’t be just an empty promise, but needs to carry some actual authority, and must be at a level that can rise above just another technology manager. The CTrO needs to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust.”
Trust is something that RSA’s President Rohit Ghai speaks often about. Corporations should “enable trust; not eradicate threats. Enable digital wellness; not eradicate digital illness.” I think this is also a good thing for CTrO’s to keep in mind as they go about their daily work lives. Ghai talks about trust as the inverse of risk: “we can enhance trust by delivering value and reducing risk,” and by that he means not just managing new digital risks, but all kinds of risks.
In addition to hiring a CTrO, perhaps it is time we also focus more on enabling and promoting trust. For that I have a suggestion: let’s start treating digital trust as a non-renewable resource. Just like the energy conservationists promote moving to more renewable energy sources, we have to do the same with promoting better trust-maintaining technologies. These include better authentication, better red team defensive strategies, and better network governance. You have seen me write about these topics in other columns over the past couple of years, but perhaps they are more compelling in this context.