In the security world, we talk a lot about defense-in-depth and the various layers of security. We also discuss elements such as compliance and third-party audits. But, if you take a step back and truly examine the driving force behind all of it, you’ll find one simple yet very tangled concept: Trust. It’s the springboard to all effective relationships and the foundation on which this very industry is built. Without it, you’ve got nothing.
I’m here to introduce Red Canary’s trust function in hopes of creating an open dialogue while underscoring why it’s woven into the fabric of everything we do.
A bit about me
This summer, I joined Red Canary as the first-ever Chief Trust Officer, chartered to grow trust and maintain the transparency expected of us. Before joining Red Canary, I ran security programs for several companies, including those in software, financial services, and most recently, in the cybersecurity space. At each of those companies, the job was the same: minimize the risk of negative technology outcomes while enabling the company to move faster with confidence. I’ve had the opportunity to do this job while working to meet the requirements of internal stakeholders, board members, regulators, and customers.
I decided to join Red Canary largely because of their singular focus on being a security ally, not only to customers, but to the community at large. The emphasis on customer outcomes above all else ultimately sealed the deal.
So, why trust?
While it’s not new, you don’t see every company establish a Trust team. So why here and why now? Well, there are a few forces that are moving the world to look at trust more holistically.
Digital transformation
This often results in cloud adoption of key organizational processes and has changed the relationship between customers and their solution providers. No longer are customers buying software to install in their data center; enterprises are now engaging with vendors to run software for them in the cloud. This software increasingly includes algorithms, machine learning, and other technologies that automatically take actions without interaction from the enterprise.
The current state of integration is such that some of the most critical business decisions are made by vendors running in the cloud:
- Is that bank transfer risky?
- Should I allow that login from a new location?
- Is that purchase request from a legitimate user?
If the core transaction decisions of your business are being made by the decision-engine of one of your partners, you better be darn sure you can trust them. This goes deeper than asking if they have passed an audit—it gets to the core of their motivations.
Customer desires
Through countless security audits and assessments by customers over the years, I have come to a couple of conclusions.
- Requirements of vendors are always increasing. Customers add new audits, frameworks, and certification requirements every year. They ask more invasive questions, want more detailed evidence, and are using more third-party tools to assess the security of their vendors.
- Despite increased scrutiny and requirements, vendor risk assessment processes don’t work. They do not get to the heart of what customers want to know.
The real questions enterprises want to have answered are more fundamental, such as:
- Does the vendor have the resources, commitment, and support to create a security program that is better than the customer’s?
- How will the vendor treat its customers’ data? Is it there as a resource to be harvested by the vendor, or is it the crown jewels that must be protected?
- Is the ultimate goal of the vendor to protect its customer or increase the revenue from each customer?
But enterprises can’t come right out and ask these questions. Not with any real expectation of getting a legitimate answer.
Empty promises
On a regular basis we hear about companies that are making decisions that seem to run counter to the law, the interests of their customers, and the promises they have made. We’ve seen numerous examples of companies who have created a trust program only after they’ve broken the trust of their stakeholders. Our focus on being your security ally means the purpose of this function is to ensure we maintain your trust.
Building trust
If we can’t simply answer a few questions to earn trust, then how do we do it? It’s simple, but not easy.
Proactive transparency
This means I bring you the truth: the good, the bad and the ugly. Transparency is answering your questions honestly—proactive transparency means I seek you out to tell you bad news before you can ask. Someone who is proactively transparent with you is willing to suffer the consequence of something they could have kept hidden, in order to preserve the integrity of the relationship.
Say:Do ratio
Every time I tell you I’m going to do something, I do it or I’ll provide you with an awfully good explanation of why I can’t, in advance of the deadline. The opposite is also true. The rhythm of setting expectations and delivering becomes a virtuous cycle.
Trust at Red Canary: then and now
Red Canary’s focus has always been on seeing the best possible outcomes for our customers. We work for our customers so they can accomplish their missions without fear of cyber attacks. Doing what’s right for our customers has always been a core value for Red Canary. This shows up internally as we consider trade-offs on product investments, when we decide to publicly share our threat intelligence, and as we invest in our team to provide dedicated incident support for our customers.
We see the formal creation of a Trust team as the next step in our maturity. The formal appointment of a Chief Trust Officer takes a strongly held belief and turns it into a program that we can grow, measure and iterate over time.
A bright future
Conceptually, building trust is not complex, though it does take time, commitment, and—perhaps the toughest of all—consistency. Over the coming months, we’re going to put in the work and unpack the topic while also exploring how trust intersects with other business elements in your organization and beyond. My charter at Red Canary is to work across all functions and ensure that we continue to earn your trust, by being trustworthy. After all, trust is earned when words are put to action.