Trust, Security and Assurance
(Please welcome guest blogger John Verry today).
On a near daily basis we read about data breaches that expose sensitive information and negatively impact the finances and privacy of companies and individuals alike. Clearly the efforts (as a whole) of those of us in the Information Security Community are lacking and incomplete.
Increasingly I find myself wondering “Have we failed to understand and integrate ‘trust’ into our methodologies for measuring how well an organization secures sensitive data? Or is ‘trust’ too soft and ambiguous a concept for a rigorous, technical, quantitative discipline such as Information Security?”
Leading “trust” thinkers like Green & Covey have successfully illustrated the significant value of trust in business relationships. Logically, their arguments should hold for a business relationship where one or both parties have an obligation to maintain the “security” of critical data on the other’s behalf and need “assurance” of the same.
So what is the relationship between “trust” and “security” and “assurance”? Does true assurance exist where there is no trust (even if the data is secure)? Conversely, can one (mistakenly) trust and perceive a high level of assurance where data is not truly secure? (Sadly, the answer to this rhetorical question is self evident.)
I would argue that our level of trust “magnifies” (negatively or positively) our perception of security, and therefore, the amount of (true or false) assurance that we receive. Therefore, it is critical that we base our level of trust on appropriate measures so that the assurance is indeed directly proportional to the actual level of data security.
- In those responsible for governing and maintaining the security of your data (personal and organizational trust),
- In the regulations and the “Watch Group” responsible for defining and promulgating “reasonable & appropriate” data security regulations/standards (market trust).
- In the third party that performs the necessary due diligence to attest to the company’s compliance with said standard (organizational and market trust),
Currently most organizations use some measure of trust in picking business partners by seeking independent attestation of the security level (assurance). Fundamentally, this is a great approach; however, there are three issues which often denigrate the level of assurance we receive;
- The assurance is largely defined (and constrained) by the standard to which the potential partner is aligned (we may not trust the industry watch group because its intentions are not aligned with ours and their track record is concerning); and,
- The assurance is delivered by a third party who is not sufficiently independent from the organization being assessed and/or the watch group defining the standard.
- There is insufficient standardization of the scope and rigor of the testing that should be performed as a basis for attestation (e.g., there is no standard definition of a "network penetration test").
Unfortunately by focusing “outside” we are missing a vital measure, perhaps the most critical element of trust, the trustworthiness of the individual, team, and senior management with whom we are entrusting our data. One could argue that a high (and warranted) trust in the organization can fully compensate for the three flaws cited above.
So what is the best mechanism to” measure” the trustworthiness of those responsible for securing your data? Can it be done via a tool like the “Trust Quotient”? Can we more directly measure the individuals (or organization’s) intent, capabilities, and results in a repeatable and/or semi-quantifiable manner?
Assuming so, how then do we leverage these measurements in a formal manner so that the assurance we receive is directly proportional to the actual security of our data and the likelihood that the risks associated with a third party processing our data have been mitigated to an acceptable level?
So often the process of discovery starts by yielding more questions than answers…
I think you are on to something with the identification of the factors: security, assurance, and trust. Security is usually a matter of money and execution by the company. Definitely can be addressed. Assurances usually comes from a good track record and good PR about that track record. However, as you pointed out, trust is the key factor. Without trust, the other two provide little confort. Trust will always be an issue when you are dealing with an unknown entity. The best way to improve trust in this situation is by providing a truly independent analysis of the organization. If done correctly, it shifts the trust focus from the evaluated organization to the independent third party. To reinforce that trust, the third-party must ensure there are no real or perceived conflicts of interest between them and company being analyzed.