Articles about website spoofing, cybersecurity trends, and how to protect your customers from hackers.
Founder and CTO of Allure Security and Professor of Computer Science at Columbia University.
In recent years, the C-suite has expanded with new management positions as the modern world has grown ever more complex, especially when it comes to security threats and data privacy. The growth in new C-level management provides a fisheye view of the larger economic environment in which we all live.
No longer are modern companies able to operate effectively with only CEO, CFO, COO, CRO, CTO and CIO positions. The CISO entered the mix not very many years ago to manage the increasing threats to core business functions. Security is now firmly rooted in corporate management — and thankfully so. Operating on the internet would clearly pressure companies to protect their assets from ever-increasing cyberthreats, both inside and outside the corporate perimeter. But the needs of modern corporations have continued to evolve.
The barrage of well-publicized data breaches caught the eye of regulators responding to demands from customers that they wanted their data protected from avoidable breaches of corporate networks. The C-suite needed to be vigilant regarding regulations, such as GDPR, that mandated that businesses hire a new chief privacy officer (CPO) to protect the rights of EU citizens. The CPO helps focus the attention of the corporation on the new demands of the internet economy, with the primary goal of protecting customer data from disclosure. And citizens have the fundamental right to privacy, at least within the EU, which gives them the option to have their information deleted upon demand once they terminate their relationship with a company. And since consumers can’t peer into a corporate network to ensure their data has been deleted, they have to take corporations at their word, which most folks find hard to trust.
What does trust mean to corporations today? If you ask the CISO, it means “zero trust,” a principle that’s been widely adopted after so many large-scale data breaches. Back in the analog days, perhaps trust was a given, but these days every digital action requires access rights to data and applications. Access privileges are continuously evaluated and revoked when necessary. Zero trust architectures seem sensible to avoid the consequences of successful breaches and lateral movements by adversaries within corporate networks, but it still doesn’t get at a corporation’s moral and ethical duty to their customers.
Enter the newest member of the C-suite, the chief trust officer (CTrO).
The appearance of the CTrO into corporate governance and management is a harbinger of a new business climate driven by a changing internet climate and culture driven more by accountability than previous generations. Data breaches are not mere embarrassments — they are downright costly to the fundamental value of a corporate brand. The currency? Your customers’ trust. But so are the decisions a corporation makes. Now companies must continually evaluate their business practices and decisions if they want to grow business and the trust of their customers. Profit and loss alone are no longer the measures of success when ethical business behavior has become the key element to judge the value and trustworthiness of a brand.
One might ask what the lines of responsibility are between the chief risk officer, the chief privacy officer and the new chief trust officer and how they relate to the chief information security officer. Who does what?
Most everyone understands that the CISO’s role and function is to design the security architecture and maintain the security posture, confidentiality, integrity and availability of corporate systems, so the business can function effectively. The decisions made by the CISO often impact the risk of doing business. The CRO is responsible for managing the governance of decisions that may lead to significant risk. Understanding these risks and the opportunities of these business decisions is too complex to burden the CISO with. The chief privacy officer most closely resembles the functions of the CRO, but with a singular focus on managing the risks that impinge upon privacy laws and regulations.
So what is the CTrO to do? Trust is probably the most valuable corporate brand asset in a new world economy where decisions are not based solely on profit and loss but on the seriousness of the company’s business ethics. The CISO’s role should ensure that the customer can trust the company will do what is necessary to protect their systems and their customer’s data. The CISO must also ensure the company’s partners who are granted access to corporate data maintain the highest level of trust as well.
Fundamentally, the chief trust officer must ensure the integrity of the company in an internet economy where any fault or misstep is known instantly and amplified exponentially by a relentless social media. A company today must ensure its customers can trust the company to make decisions with ethical intent and not only about the quality and value of its products. The old saying that trust is fragile, that it is hard to earn and easy to lose, is on display daily when one or another report of an unethical decision hits our browsers.
Do we run the risk of blurring the lines of responsibility among the roles of the CRO, CISO, CPO and CTrO? On the contrary, this new corporate role helps sharpen boundaries of responsibility and crisply enunciates what a modern corporate brand must do to continue assuring customers, employees, shareholders and regulators that they are in business for the long haul, that their corporate word actually means something, and that the company operates at the highest levels of integrity expected of a modern, internet-savvy corporation. Ethical business decisions are good business with important and positive societal impact.
I bet most CISOs welcome this new role in the C-suite. It is enough to manage the security posture of an increasingly complex IT infrastructure. They need others to manage the risks of operating a business in scale and manage the assurance the brand can be trusted.