Security breaches push digital trust to the fore

As digital transactions with customers, employees, suppliers, and other stakeholders grow, digital trustworthiness is set to become one of the most important enterprise-wide initiatives with the biggest potential impact (both negative and positive), even though it often has the smallest budget allocation.

“Organizations are focusing on security and privacy, but if your customers don’t trust you, they will go elsewhere,” says Mark Thomas president of Escoute Consulting, which specializes in compliance. This view is borne out in a 2022 DigiCert digital trust survey that found 84% of customers would consider switching if they lost trust in a company.

Organizations with low digital trust face not only a decline in reputation but also more cybersecurity incidents and privacy breaches, and the loss of customers and revenue. They often fail to innovate, too, according to ISACA’s State of Digital Trust 2023 survey. The global survey of 8,185 respondents — ISACA members that hold at least one of its certifications — conducted in January 2023 found enterprises need to earn that trust with every interaction and transaction because customers want to know why they should trust an organization.

Even with 59% of the respondents saying organizations with a low level of digital trust often experience more cybersecurity incidents, there’s a long way to go until digital trust becomes a priority. In its second year, the survey found that although 84% of respondents recognize digital trust is important, only two-thirds say it’s an organizational priority, indicating the real-world gap between theory and practice.

Looking ahead, 82% of the respondents in the ISACA survey expect digital trust to grow in importance in the next five years, yet only a quarter are planning to increase budget, showing there’s set to be a squeeze on resourcing.

Who owns digital trust?

While digital trust encompasses compliance, security, privacy, communications, IT, marketing and operations, it isn’t necessarily owned by a single department because it needs to be integrated at all parts of the organization, notes Thomas. When asked about the roles responsible for digital trust, 85% of the ISACA survey respondents nominated IT governance/strategy, followed by security (81%) and IT (75%). Ultimately, the board and executive suite have responsibility for something as impactful and far reaching as digital trust. However, only 19% globally say their board of directors prioritizes digital trust, and 34% say the senior leadership team is responsible.

From a regional perspective, North American respondents say senior leadership is responsible for digital trust, while other regions more often say that the board of directors is responsible. Respondents in India were more likely than those in other countries to say that individual employees are responsible for digital trust.

Although a role like chief digital trust officer exists, only 13% say their organization has a staff role dedicated to digital trust. Not surprisingly, among organizations measuring digital trust maturity, the number jumps to 38% that have a dedicated staff role. It climbs higher when the board of directors prioritizes digital trust, with 46% of those organizations having a dedicated staff role.

For CISOs and their teams, they need to be connected to all the other areas of the business where security and digital trust is concerned. While CISOs don’t necessarily own the entire digital trust piece, they have a role to play.

“Nonetheless, saying digital trust is part of everybody’s job is different to saying everybody is responsible for it,” Thomas says. He suggests that if CISOs find the board hasn’t fully come to grips with digital trust as a priority, there are ways to help those higher up understand its importance as an organization-wide priority. “Linking it to the organization’s goals and objectives, not to mention the level of risk and potential harm, will likely get the board’s attention of it’s not already in their frame of view as a priority,” he says.

Adopting a digital trust framework provides a roadmap for the organization in undertaking digital transformation and guiding measurement and metrics. Yet although 56% say it’s important, only 20% globally currently use one. There are some regional differences, with 34% of respondents from India using a framework and 24% in Asia, compared with 19% North America, 16% in Oceania, and 13% in Europe.

ISACA recently released a framework that aims to help organizations in establishing and maintaining digital trust. The goal is driving trustworthiness with customers, employees, suppliers and third parties in digital interactions for brand reputation, product quality and reliability, and ethical data usage.

A framework is not a standard, but rather a guideline that provides a repeatable way of addressing digital trust as a goal within the organization, according to Thomas, who contributed to the development of ISACA’s Digital Trust Ecosystem Framework. “It may include updating strategies and goals, looking at funding allocation among those things.”

The CISO’s role in building digital trust

As CISOs maintain their efforts on protecting organizations from cyber-attacks, all without creating unnecessary friction around normal operations, focusing on digital trust is an added challenge that requires a cohesive focus across all areas.

Digital trust needs to be integrated within the organization and isn’t necessarily owned by a single department or job title. Even so, cybersecurity, and the CISO, have an important role to play, according to the World Economic Forum’s 2022 Earning Digital Trust report, in protecting interconnectivity that support business, livelihoods of people and society generally as people’s reliance on digital interactions grows.

As governments and regulators implement stricter requirements for ensuring data privacy and security, CISOs face a renewed need to prioritize digital trust or risk fines, lawsuits, significant brand damage and revenue loss to the organization.

Thomas suggests that for CISOs digital trust could become the measurable metrics and outcome of security initiatives. “Organizations are not only secure to be compliant and protect information. The outcome of this is the trust that customers have, and that is what’s going to change the way we measure how well security is being implemented,” he says.

“If you want to ensure your customers trust you, you need to look at it as an organizational goal, or have it as a part of the strategy. So, if the goal is being secure, the outcome of that is having customer trust.”

Trust is an essential component of customer relationships, which starts well before interactions begin and needs to remain a priority at all times. It is a significant factor in driving consumers’ decisions, influencing retention, loyalty and feedback.

Stronger customer loyalty is one of the benefits of digital trust according to 55% of respondents in the ISACA survey. Strengthening digital trust requires understanding customer and stakeholder expectations and trust factors and using these to establish enterprise-wide guidelines and ensuring that everyone understands and is actively involved in efforts to foster digital trust.

Achieving digital trust must involve understanding customer trust factors and establishing digital trust as an enterprise-wide approach. Yet it’s a moving target, what consumers need for digital trust is changing as technology changes. “With emerging technology, especially recently with some of the consumerization of AI, we’re going to see a whole new set of trust concerns that consumers may have with that,” Thomas says.

Organizations are not committed to measure digital trust

Not all organizations inspire internal confidence in their digital trust stance. The survey shows there’s room for improvement in the levels of professional confidence, with only 53% of respondents very and completely confident in the digital trustworthiness of their organization. Not surprisingly, among those already measuring digital trust maturity, this confidence jumps to 81%.

Measurement of maturity is considered a standard business practice, but fewer than one in four respondents (24%) indicate their organization currently measures the maturity of its digital trust practices, even though 67% feel it is extremely or very important.

The tools for measuring the level of digital trust customers have in organizations can include customer surveys, tracking issues, customer behavior and retention, and metrics like net promoter score. Yet despite the proven importance of measurement and the abundance of tools available, overall 29% say their organizations don’t measure digital trust.

There are some regional variations, with respondents in Asia (28%) reporting the highest level of digital trust measurement, Africa (26%), North America (23%), Oceania (21%) and Europe (19%).

It shows that organizations may be secure and privacy compliant, but still find customers leaving because they may not have addressed the trust piece. With digital trust as a key metric and driver, “instead of just measuring and looking at performance indicators around security and privacy, we now have digital trust as an outcome or goal,” Thomas tells CSO.

Obstacles to attaining digital trust

As digital transformation initiatives continue, there’s an opportunity to embed digital trust in the fabric of the organization. It goes beyond compliance, requiring siloed areas to be broken down and treated as a cohesive whole. Strengthening and prioritizing digital trust needs to be a business-wide principle, encompassing access to services and information, transparency about data use and any compromises, data security and privacy, and the need to have resilient systems across, according to the survey.

For every move forward, organizations face their own set of obstacles. When it comes to obstacles to attaining digital trust, lack of skills and training is cited by 52% of respondents, above lack of leadership buy-in and alignment with enterprise goals (both 42%), lack of budget (41%), and lack of technological resources and digital trust not being a priority (both 38%).

Despite the relative lack of prioritization, there’s been some progress, with 32% saying their organization offers digital trust training to staff, and 31% indicate they completely understand how their role impacts digital trust (up from 29% and 28% respectively in the 2022 survey). Additionally, 66% say digital trust is extremely or very relevant to their job.