I attended a press panel on trust at Cisco Live on Wednesday morning. Here’s my live blog of the issues covered in the session. On the panel were John Stewart, Cisco Senior VP and Chief Security and Trust Officer; Mike Burgess, Telstra Chief Information Security Officer; Bret Hartman, Cisco VP and CTO; David Powell, NAB CSO; and Gary Blair, CEO of the Australian Cybersecurity Research Institute.
There has been an erosion of trust in the digital space. How do we start to rebuild trust?
This is a significant matter of global importance: crime and espionage are not new, but they now happen at an unprecedented scale. Sony is one example of a corporation that has suffered data loss, but it is far from the only one. The consequence in Sony’s case was that the deletion of data left it unable to publish its third-quarter results in Japan – and that got the attention of Boards.
IT is now a dependable part of running a business. Boards need to get involved when content goes missing. Most Boards don’t have a real cognizance of the risk that loss of content and loss of information poses to business decision making.
Trust is essential for human relationships, customer loyalty and risk management. Trust is a finite resource in the commons. The question for customers is: do I trust the organisation to be transparent in its use of my data?
The WEF has a good paper on cyber resilience. Boards should consider filling out its 19-question questionnaire. When we talk about trust we need to talk about frameworks of resilience.
The UK global cyber capacity framework is useful. Various privacy commissioners have useful thoughts on privacy by design. But the problem is that most frameworks are far too complicated. You can’t do a tick-and-flick compliance solution. What’s needed is a best-practice model where privacy and trust are addressed through a standard few questions, and the design of a trust solution is then iterated from there. No companies run a data-driven solution – this needs to be part of the automated system risk management process. (And this is where analytics needs to move toward an AI model for predicting risk.) Any notion of static assurance or static trust is nonsense. More and more evidence is required to sustain trust over time. Firms need to be constantly pulling in data and constantly proving their trustworthiness.
The consequence of increasing vigilance and distrust is that the speed of business is retarded. (The question is whether we actually need or want business to run any faster. Vigilance ensures that the skills for measuring trustworthiness are sustained.)
The paradox of risk management is emerging again: should we prioritise risk to the extent that we reduce the speed of business? Or do we use a risk automation process that could potentially reduce our capability to deal with the consequences of breaches?
Purchasing decisions are made because people ‘trust’ brands, even if that trust is misguided.
Gary Blair says that by international standards, our banks are some of the most trustworthy and secure in the world. We were the victim of early phishing scams and as a result we had to adapt our systems. So in essence we’re probably doing a reasonable job, but the job isn’t over.
WEF research notes that the more connected people are, the higher the GDP. First-mover competitive advantage used to last 5–7 years, then 3–5 years, then 1–3 years. Now we are looking at a DevOps environment where you need to be constantly iterating on the operations of the business to maintain any competitive advantage.
The panel talked about the responsibility of consumers to ensure they are aware of system breaches. This is crucial: if organisations are not adequately preparing their workers, we will find that business is slowed down by having to deal with security issues.