To build durable cybersecurity policy, companies should encourage trust-building initiatives with business partners, said Cisco trust strategy officer Anthony Grieco.
Cisco trust strategy officer Anthony Grieco spoke with TechRepublic's Dan Patterson about how organizations can improve security by building trust.
Watch the video or read their conversation:
Patterson: Humans remain the intractable cybersecurity problem. They also represent a cybersecurity potential solution ... I wonder if we could start with that premise, that trust is, and that humans are the challenge for cybersecurity and trust is one way to solve that problem.
Patterson: When a company, when an enterprise company engages with partners and other enterprise companies or even other SMB's and start ups, cybersecurity can emerge as a big, big threat to intellectual property, to potential hacking and upstream challenges. How do you encourage organizations, or how can we build trust amongst partners and encourage communication and collaboration in ways that would tamp down on hacking and other cyber problems?
Grieco: Yeah, Dan it's good to be back with you again. You know it's a really critical set of conversations that we need to be having as an industry. This notion of the role that humans play and how companies need to be thinking about cybersecurity and the role that trust plays around their business is really critical. We see so many of those companies that have traditionally not been digital companies, are now becoming and using digital technologies in ways that are transforming their businesses.
Humans are a critical component to that. I spoke to a bank the other day and it's a major bank, and they describe themselves in a few years they were going to be just a technology company with a bank logo on the outside of their building. So, this use of technology and digitalization is really transforming the business landscape and the use of and the building on the notion of trust that has been built in many of those brands for years, is a really critical component to where businesses need to go.
So we think about that and we think about the role that trust plays and we think about how digital businesses and those legacy businesses that are transforming, need to explicitly think about how security, data protection and privacy really play a foundational role in continuing to build that trust that businesses have built over the years.
Patterson: Trust is really a currency and it can accrue over time. Especially as businesses are undergoing what you describe which is digital transformation. So many companies now think of themselves as that, the bank that you described, a technology firm that happens to do their industry vertical.
What are some of the risks of trust building or after you've built trust, of eroding some of the trust equity that's been built?
Grieco: Yeah, the currency analogy and the currency of trust is, I think is a really important thing for businesses to think about. Trust is liquid, it can come and go. It can be destroyed, it can be created in the context of your customers and how it is you're thinking about these discussions. Ultimately trust must be backed by something as well. This is really foundationally what we see our customers really beginning to grapple with.
For many years in this notion of businesses have treated the digital technologies as implicitly trusted, and today more and more we see this notion of explicit trust. What we see, many times, and you talk about what the risks are around trust and the digital transformations, we see trust being destroyed when there's not the clear notion of being transparent with the customers about expectations.
Ultimately we think this notion of explicitly giving customers artifacts and evidence and reasons why they should be trusted as a third party, as a provider, as a partner, really becomes foundational to the notion of building trust, continuing to build that currency.
Ultimately fulfilling the expectations of your customers. You know, when we think about that for us, we think about it quite a bit in making sure that we're transparent with our customers about how we do security in our development processes. How we've built a culture around security data protection and privacy as it relates to the overall discussions with our company.
Ultimately we really tell our customers and encourage our customers to understand the behaviors and expectations of us as a business and look to provide evidence to build that trust. Without those things, we see customers beginning to worry. So the risks, from a business perspective are really transparent today. Today, there's friction in this market space.
SEE: Vendor management: How to build effective relationships (free PDF) (TechRepublic)
Customers are worried about this conversation, they're worried about security, they're worried about data protection, they're worried about privacy. Being proactive, from a business perspective and being transparent about how you've built trust into what you're producing and delivering from a digital perspective can give you an advantage from a business. Both to differentiate yourself and to remove that friction that's existing in the market space today.
Obviously if you fail in these fundamental areas you risk destroying the trust that you've built. The destruction of that trust is not necessarily just tied to the digital world. It can be tied to that legacy of trust that you've built across your business for many years.
Patterson: I love the idea of exchanging of artifacts or doing the things that we do just as humans that accrue trust over time, but when enterprise companies have a real concern over exchanging of intellectual property or sharing protocols and procedures that may be inappropriate to share outside of the company, how do you exchange or in what ways have you seen a good examples of companies exchanging trust artifacts or behaving in a way that will accrue trust that other companies could learn from? Even if they have these types of sensitive protocols or data.
Grieco: Yeah I think there's a tiered approach that we've taken and we've seen many take in the context of this conversation. First we think it's really important to be broadly public about the overall approach to how your building explicit trust. For us, that's talking about our secure development life cycle, or vulnerability disclosure policy.
All of those things are really broad and public facing and frankly meant to be consumed by all of our customers to help them understand the breath and depth of the things that we're doing as a company. There's next layers of things, more advanced customers may ask us more advanced questions and indeed, non-disclosure agreements and limited environments in which you display that information can be techniques that are used in many cases to help do these things.
In many cases we share for instance, testing results with our products, of how we've security tested our products. In limited environments with customers to help them build confidence in what it is we're doing as a company to implement those practices that we've talked about in our secure development life cycle and many others.
In some limited instances it may even make sense to go even deeper, into a deeper relationship, a deeper partnership with those customers that are really looking at you as a critical provider of technology and capability to them, in order to get into really deep conversations about design and architecture and many of those sorts of things.
We look at it from a risk perspective every time we do this. We look at risk as it relates to ourselves, we look at risk as it relates to all of our customers. So when we think about those trade-offs that we make in the context of exposing that information, it is really critical that we understand not only the risk to us as a company but the risks and the secondary risks to everyone of our customers when we take on these activities.
I will say though, the trend in this conversation is one that is more towards public disclosure. More towards openness and more towards transparency in all aspects of these businesses because there's such a hunger from the marketplace to really understand what's going on in this space.
SEE: Hiring kit: IT audit director (Tech Pro Research)
Patterson: I'd love to go back to what you mentioned a moment ago, as well as that hunger for transparency. So when we see a consumer facing data leaks, like what happened with Facebook and Cambridge Analytica, there is this changing of, going from implicitly trusting everything to maybe I should pull back a little bit. Although that's in the consumer space, have you seen a similar reaction in the enterprise or the B2B data space in terms of how customers think about data, data availability and changing the default motion of implicit trust true to, or implicit trust to trust building or actions that accrue trust equity over time?
Grieco: 100%. It's begun well before any of the events that you described and it's been led up to by high profile breeches that have been well documented that have really created the awareness to what businesses in particular need to be thinking about and beginning to explore when it comes to risks that they're taking around trusting implicitly in the ICT space and the connected technology space.
So the trends and the sets of questions that we get from customers is really only accelerating when it comes to complexity and depth that we're being interrogated at as a critical provider of technologies to customers.
Indeed, I think the awareness that is being raised by all of the high profile breeches and the behavior change that we see from our customers reflects the importance and awareness that we now see in the context of this discussion.
For so many years we've really though about cybersecurity as an awareness problem, I would tell you that I think this conversation that we're having around trust and explicitly being trusted as an artifact of the fact that we're no longer in the need to raise awareness to cybersecurity.
The awareness is there, the need and understanding from a customer, it can, increasingly from consumers but especially from businesses and enterprises, they all understand what they're, what they need to be, ... they all understand they need to be thinking about it.
What we see them struggling with the most today is how to effectively and efficiently address those concerns. That's again, where the notion of being proactive in the context of explicit trust is important. Putting those pieces of artifacts of data that really give the evidence to build those confidence and capabilities with those entities.
Whether it's about data as you mention, how it's protected, how it's gathered, how it's used, all of those sorts of really critical fundamental ideas around data, and more importantly and increasingly the resilience of the capabilities that are there. Are they going to be when they're under attack? Are they going to be there when you need them to be?
Those two key topics are ones that we find really actively being engaged by our customers and I do believe it is an outcropping and an outcome of many, many of the recent high profile breeches that we've seen. Not just in the past six months, but frankly building over the past five years.
- 75% of consumers won't buy your product if they don't trust you to protect their data (TechRepublic)
- How blockchain allows financial service providers to trust each other (TechRepublic)
- Businesses can't blindly trust the Microsoft cloud--or any other cloud for that matter (TechRepublic)
- How much should CXOs trust vendors when purchasing new solutions? (ZDNet)
- Can big business save us from fake news and loss of trust? (ZDNet)
- In Google we trust: But why? (ZDNet)