Cybersecurity — It’s All About Trust
Last year, I wrote about the importance of understanding risks in cybersecurity and the critical role of risk reduction. Recently, I’ve been revisiting an article by the respected Frank Wang, who argues that security needs to shift its focus away from risk and toward trust. That reflection has inspired me to write about how I see the concept of trust in cybersecurity.
When I read his article, it resonated with me in a personal way. It reminded me how important trust has been throughout my career, even before I started in cybersecurity. Trust has always been critical for me — I’ve always wanted to work with companies and colleagues I can rely on, and to do work that builds trust in me, the team, and the company. This view of trust has shaped both my professional relationships and how I approach cybersecurity. I agree with Frank’s perspective: while it’s essential to understand and reduce risks, we’ve been focusing too much on that and not enough on building trust, both internally and externally. Moreover, in trying so hard to lower risks, we can lose sight of the main reason we’re doing it.
Forgetting about the importance of trust in our security strategy can lead to actions that ultimately backfire. To illustrate this, I’d like to present two examples where I believe this occurs within security teams.
The first example is when security teams demand urgent action on ‘critical’ vulnerabilities from other departments without providing sufficient context or realistic timelines. This approach often leads to distrust instead of collaboration. The lack of clear communication and shared understanding reduces other departments’ willingness to cooperate and erodes their trust in the security team’s judgment.
In the second example, when employees view security measures as unnecessary obstacles, they may try to bypass them. This reaction not only increases the workload for security teams but also cultivates a culture of distrust within the organization. Employees who see security as a risk to their project timelines and success may hesitate to engage the security team in future projects. This unwillingness to start a trust relationship with the security team for new initiatives points to a more serious issue: the erosion of trust caused by a perceived misalignment between security procedures and the practical needs of employees.
The article ‘Divide and Conquer: The Role of Trust and Assurance in the Design of Secure Socio-Technical Systems’ from the 2005 New Security Paradigms Workshop offers a thorough look at trust dynamics. It identifies various factors that affect how trust is signaled and perceived, and how these elements shape the relationship between a trustor and a trustee.
It highlights how an individual’s group behavior and reputation can significantly influence their actions. For example, the article notes that newcomers to an organization often mirror the security behaviors of their immediate peers, regardless of formal training. This aligns with the earlier point about employees bypassing security measures, which can cultivate a culture of distrust. In such scenarios, employees are influenced more by the general attitudes and practices of their peer group than by official policies.
This concept of signaling trust properties aligns with the importance of effective communication, as highlighted in Frank’s article. Proper communication can be a powerful tool for signaling these contextual properties, shaping perceptions and expectations. For example, clear and timely communication about security policies and their rationale can help build a culture where security is valued and respected.
I’ve also been thinking about how compliance relates to trust. At first, compliance might seem like a separate matter, but the two are closely connected. Laws and regulations help build trust between people and groups because they make things more transparent, accountable, and fair. Consider the recent rules from the Securities and Exchange Commission (SEC). They require companies to disclose material cybersecurity incidents to the public and to provide detailed annual reports on how they manage cybersecurity risk, along with their strategy and governance. The SEC put these rules in place after several incidents affected public companies and possibly weakened trust in the financial system. These rules are not just about following laws; they are about making the financial system more trustworthy.
Furthermore, the interest in SOC2 reports reflects the relationship between compliance and trust. A SOC2 report evaluates an organization’s information systems against criteria for security, availability, processing integrity, confidentiality, and privacy, and companies use it to demonstrate their commitment to these practices. While obtaining a SOC2 report is a way for companies to show stakeholders their dedication to maintaining certain standards, it is not a guarantee against breaches. In fact, breaches at companies holding SOC2 reports can raise questions about the effectiveness and value of these reports. This underscores the complex nature of trust in the digital world, where even recognized standards and certifications are only part of an ongoing effort to establish and maintain trust.
Finally, while my focus here has been on cybersecurity, it is clearly just one piece of a much larger puzzle. This brings to mind a concept from Yuval Noah Harari in ‘Sapiens.’ Harari explains how global trade relies on trust, especially in abstract entities like currency and corporate brands. This idea not only highlights how fundamental trust is in our lives today but also underscores its crucial role in shaping the world as we know it.