We've had many evolutions in the security industry and we will continue to have them for the foreseeable future. One such change that's occurring is how we see ourselves in the context of the overall business. Some organizations are implementing that change not just in a title but in the very identity of the security organization itself. The term "Trust" is starting to be used by the more forward-thinking organizations as that concept and expectation grows. As one of those individuals and organizations, I wanted to talk a bit about what it means and why. Simply put, "Trust" is a goal and a destination for how we engage with our customers and meet their expectations. There are two main aspects to any model one would want to use: the theoretical definition and the applied nature of that theory. They are two very different aspects, and both need to be considered and developed.
There is a building process in the definition of "Trust". To start, we can look at a simple, basic model relative to the customer's expectations: "Trust is the demonstrable ability to execute on what we say we do, consistently over time." This is a good model of what Trust is, but the application of Trust goes much deeper. Next we need to look at the parties in question, and with that we need to account for human nature, which introduces the concept of the unspoken contract. In any relationship there are two "contracts": the explicitly spoken one and the unspoken, psychological one. The psychological contract is the one in which each party holds expectations it has never stated. In defining Trust we should strive to surface these unspoken expectations so that the overall concept of Trust is aligned with our customers. This changes the description of "Trust" to: "Trust is the ability to demonstrably achieve our customers' expectations of what we say we do, consistently over time." This change forces a conversation about what the unspoken expectations are and makes them known to both parties. While this definition of "Trust" is very customer specific, the same concept can and should be applied to all other parties, such as employees, vendors, suppliers, etc.
To do this we need to establish some Trust expectation “beliefs":
- Transparent - Providers are an extension of the customer's enterprise and should be open and transparent accordingly
- Integrated - Providers are a “spoke in the wheel” of our customer’s security tool ecosystem and as a result they are expected to integrate accordingly
- Proactive & Aligned - Providers are an extension of the customer's security team's mission, which is the defense against threats. As a result, the Provider must strive to advance the customer's security strategy rather than placing the onus on the customer to demand it
To drive an applied Trust capability, the main actors in that model need to be detailed. These are the Customer, the Partner Ecosystem and the Organization (the Provider) itself. Each actor shapes how we apply the three beliefs above.
Probably the most important of the actors is the customer itself. Since we are talking about Trust, it's the security, privacy and compliance functions of the customer that we are targeting. The spoken and unspoken contracts cover some main expectations. We can detail some of the core expectations that help guide our applied model.
- Embed security into the core of the product and service
- Drive security solutions rather than creating new ones
- Support and enable an easy integration into the overall security ecosystem
- The product or service is functioning and available when expected
This drives certain expectations of the Organization itself. We can break them into three main areas.
First, we need to place the concepts of security, compliance and privacy into the forward-looking design of the service itself. This simple expectation dramatically changes the Organization's view of feature and functionality prioritization. Instead of reacting to customers' demands, it becomes a strategic and proactive drive toward the customers' own security problems. As a result, it produces solutions that customers could not have anticipated, let alone demanded.
In addition, it drives tighter involvement with the security customers themselves to better understand their existing problems, industry viewpoints, security vendor ecosystem usage and more. This can be facilitated through Trust advisory boards, customer surveys and similar mechanisms. The main objective is to have a deeper and more meaningful conversation with the customers' security organizations in order to serve them better.
To meet our customers' needs we need to prove to them that we are actually meeting them. This encapsulates the concept of Transparency, where we demonstrate the execution. The manifestation of this is not limited to producing certifications and audit compliance; it goes to a much deeper level. The Organization's customers should be able to understand deep security issues, incidents and more, and those become the discussion. The goal is to be as transparent as if the Organization were part of the customer's own organization. Real-time availability statistics, customer penetration testing and audit reports are all examples of this deeper transparency.
Enabling a security program today takes more than a single application providing security. From the customer's perspective it's the protection of all of their content and transactions, regardless of where they are. To this point, the Organization is one spoke in the customer's security wheel, and the Organization needs to integrate with the customer's other security solutions rather than standing apart from them. In the legacy world the integration of solutions was firmly placed on the customer. In the new model that integration responsibility is taken off of the customer and placed on the service provider, or Organization. This requires two things of the Organization. The first is a platform-centric approach that allows for the integration of other solutions. The second is a proactive partnership program that monitors and engages the security vendor ecosystem to drive integrations quickly, ahead of customer demand.
This security partner ecosystem also has another layer to it. Whereas on-premises controls are clearly known, implemented and integrated by the customer, only the basic controls are known to the customer in the new security model. This places a new requirement on the Organization: it should not only drive a partnership program but also educate potential and existing customers as to what the control solutions are. This pushes the Organization into a stronger leadership role, both to define its own control ownership and expertise and to bring the entire security industry's ecosystem of solutions to the customer.
Finally, the Provider itself is brought into the discussion. In addition to enabling and supporting the Customer and Partner Ecosystem as stated above, it means embodying the core security capabilities of that product or service in the solution itself. We take, as a base case, the implementation of a security model that seeks to ensure customer and corporate data are protected from threats according to a risk appetite. The real question is "what is done in addition to this?". To realize the three beliefs stated above we need to migrate the historically back-office functions of security, privacy and compliance into the front office. Simply put, we need to make Trust a competitive differentiator for the business itself. This is critically important to ensure the prioritization and culture change are realized at the core of the Organization itself.
- Product / Service Differentiation - If the Provider is an extension of the Customer's security team, then the Trust model needs to drive the solution as such. This starts from the Organization's product / service strategy, which strives to solve customers' security problems, and moves out to customer engagement, etc.
- Customer Engagement - The ability to have a conversation with customers is much larger than what occurs in a sales cycle. To drive Trust within a company and out to the customer, additional mechanisms need to be in place: an advisory board, security feature surveys, customer service issue reviews, etc. All of these mechanisms exist to understand the challenges and desires of the customer's security organization, and then to apply what is learned to the Organization's product / service.
While the security industry has undergone many phases of maturation and evolution over the past forty years, we will continue to have them as we move forward. The current maturation toward Trust allows Organizations to prioritize deeply and act proactively, making back-office functions drivers of the business. To do this we need to take a wide view of the customer, the industry and ourselves to realize the benefit.