My family is tired of me talking about all the cool things that robots can do at scale, like make delicious french fries. I'm excited about the growing mainstream adoption of smart technologies like robotics and autonomous systems in mission-critical industries (and food service😀). I am optimistic that the adoption of smart technology will lower carbon emissions, create safer work environments, and improve resource utilization. Despite my optimism about a better future, I can't help but think about potential security risks tied to our increasing dependence on these technologies. Trust in human and digital worlds has higher stakes than ever before, affecting physical, economic and reputational outcomes for people and companies. I have been thinking a lot about the criticality of trust in our digital world, how computers and people assess risk and how we can achieve high trust with less friction.
How critical is trust for corporations in our increasingly digital world? Trust impacts a company’s bottom line. The level of trust that a consumer feels toward a company has a material impact on the company’s performance. In a 2022 Salsify study, 46% of consumers surveyed indicated that they are willing to pay more to buy products from a brand they trust. In its 2021 survey, “The Complexity of Trust: PwC’s Trust in US Business Survey”, PwC found that 71% of respondents said they would buy less from a business that demonstrated a breach of trust. Accenture assessed the cost of loss of trust across 7,000 companies operating in 20 segments, and found that critical infrastructure segments of the economy like banking, utilities, travel and transportation experience greater decreases in revenue from loss of trust than other segments of the economy. As we adopt more smart technology in critical sectors like these, developing and maintaining a high trust culture is more important than ever.
From my own experience, I have observed that employees working in high trust environments are more productive; they spend less time assessing employer trust and have more goodwill toward their employers. The 2021 PwC survey referenced above found that 71% of employees said they were more likely to leave their employer if there was a breach of trust. In the technology space, the loss of key talent in areas experiencing talent shortages, like security, can have a significant business cost. Reflecting on my own experience in security teams serving mission-critical industries, our teams experience significant churn when stated values or customer commitments around security are not upheld in our own organization.
The opposite is true as well: when security teams see and hear stated values being upheld, these employees trust more quickly and more consistently. In the software world, we believe that “high trust, low blame” cultures (marked by comprehensive, timely and clear communication) are strongly correlated with software delivery performance and organizational performance. More recent studies have found that high trust, low blame cultures can also result in reduced developer burnout.
High trust can be a differentiator for companies. 2020 Deloitte research indicates that “trustworthy companies outperform their competitors by up to four times, and 88% of customers who highly trust a brand have bought again from that brand”. Many market-leading companies have created Chief Trust Officer roles and associated Trust Groups expressly responsible for preserving customer trust. These groups are visible across their organizations. Trust Groups create internal governance frameworks and develop robust standards around critical areas like security, privacy, compliance and reliability. Elena Kvochko, Chief Trust Officer for SAP, explained that building internal trust among teams naturally cascades to build customer trust: “What we specifically do is build a stronger, security-focused foundation for the business, which in turn builds trust with our customers”. Kvochko emphasizes that a core deliverable of trust teams is facilitating transparency with accurate and timely information.
How do we decide if an individual or organization is trustworthy? In industry and academia, the concept of trust scores is widely used. Similar to credit scores, trust scores are algorithms that use real-time and historical inputs to quickly rate trustworthiness. Applications and digital transactions use trust scores to determine the access and privileges granted to users or entities in a matter of milliseconds.
As individuals, we naturally run trust models in our minds, guided by our personal biases, what we observe and situational context. Our human trust scores are dynamic, continuously updated in real time, and cumulative, taking into account historical interactions. Every action an organization or individual takes either strengthens or weakens trust. When trust ratings change significantly, people and organizations may modify the trust rating model they apply, just as in the digital world. For instance, a company might lose preferred supplier status after delivering an important out-of-spec product to a customer. When trust ratings decline, more verification is required, leading to increased friction (churn) in business or relationships. A low trust rating makes everything harder, slows forward momentum, and, to boot, is challenging and costly to recover from.
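To make the trust score idea concrete, here is a small toy model I have added to this post (it is not drawn from any vendor's or researcher's scoring algorithm). It captures the properties described above: every recorded action strengthens or weakens the score, older events count for less (so history is cumulative but fading), and a declining score maps to a higher level of verification. The event kinds, weights, half-life, baseline and thresholds are all constructed assumptions chosen for illustration.

```python
"""Toy dynamic trust score (added illustration, not the post's own model).

Assumptions (constructed for this example):
  * each event kind carries a fixed positive or negative weight;
  * an event's influence halves every HALF_LIFE_DAYS, so history fades;
  * the score is clamped to 0..100 and mapped to a verification level.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed event weights: positive events strengthen trust, negative ones weaken it.
EVENT_WEIGHTS = {
    "on_time_delivery": 2.0,
    "audit_passed": 5.0,
    "out_of_spec_delivery": -8.0,
    "missed_patch_sla": -4.0,
    "security_incident": -15.0,
}
HALF_LIFE_DAYS = 90.0  # assumption: an event's influence halves every 90 days


@dataclass(frozen=True)
class Event:
    kind: str
    at: datetime


@dataclass
class TrustModel:
    baseline: float = 65.0          # assumed starting score for a new supplier
    history: list = field(default_factory=list)

    def record(self, kind: str, at: datetime) -> None:
        """Append one observed action; unknown kinds are rejected loudly."""
        if kind not in EVENT_WEIGHTS:
            raise ValueError(f"unknown event kind: {kind}")
        self.history.append(Event(kind, at))

    def score(self, now: datetime) -> float:
        """Baseline plus the time-decayed weight of every recorded event."""
        total = self.baseline
        for ev in self.history:
            age_days = max(0.0, (now - ev.at).total_seconds() / 86400)
            decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
            total += EVENT_WEIGHTS[ev.kind] * decay
        return max(0.0, min(100.0, total))


def verification_level(score: float) -> str:
    """Map a score to how much friction (verification) to apply; thresholds are assumed."""
    if score >= 70:
        return "streamlined"
    if score >= 40:
        return "standard"
    return "enhanced"


def demo() -> list:
    """Walk a constructed supplier timeline and return (label, score, level) rows."""
    d0 = datetime(2024, 1, 1)
    m = TrustModel()
    rows = []
    m.record("audit_passed", d0)
    m.record("on_time_delivery", d0 + timedelta(days=10))
    s = m.score(d0 + timedelta(days=20))
    rows.append(("before out-of-spec delivery", round(s, 2), verification_level(s)))
    m.record("out_of_spec_delivery", d0 + timedelta(days=20))
    s = m.score(d0 + timedelta(days=20))
    rows.append(("right after out-of-spec delivery", round(s, 2), verification_level(s)))
    # Two good deliveries later; the score recovers, but slowly.
    m.record("on_time_delivery", d0 + timedelta(days=100))
    m.record("on_time_delivery", d0 + timedelta(days=150))
    s = m.score(d0 + timedelta(days=180))
    rows.append(("180 days on, after two good deliveries", round(s, 2), verification_level(s)))
    return rows


if __name__ == "__main__":
    for label, score, level in demo():
        print(f"{label:40s} score={score:6.2f} verification={level}")
```

The timeline in `demo()` shows the point made in the paragraph above: one out-of-spec delivery drops the supplier from streamlined to standard verification immediately, and two good deliveries over the next months do not lift it back, because recovery requires a sustained run of positive actions.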
How can we achieve high trust with less friction? I want to share some thoughts on the speed of trust in the context of critical infrastructure relying on autonomous, robotic and remote technologies. Specifically, how can we assess the trustworthiness of software, hardware and service providers in this space? In the US, the federal government will require federal suppliers to provide software bills of materials to support greater transparency. More generally, the US government has provided guidance to software providers on the adoption of secure-by-design practices that reasonably secure consumers against malicious cyber actors successfully gaining access to devices, data and connected infrastructure. While these measures support improved market transparency and secure design practices, there are additional steps that buyers can take to accelerate supplier assessment and, ultimately, help them decide whether they can trust a supplier.
Until now, industry has relied on a relatively limited and static view of third-party cybersecurity compliance certification. These certifications are completed annually through a sample-based audit that assesses the adequacy of an organization's internal controls and security practices. They have a lot of value to consumers when assessing the maturity of a supplier’s program that has undergone audit. In our digital world, however, the stakes are too high to rely solely on attestations, policies and contractual requirements. In a world of continuous delivery and zero trust, annual third-party assessments of a supplier’s security practices provide little to no real-time assurance.
Unlike static security certifications or attestations, real-time security metric reporting (for example, the status of known vulnerabilities) gives customers more actionable data than certifications based on historical behavior. Modern software management tools have built-in capabilities, like GitHub’s security overview, that help developers and maintainers improve security practices and assess the safety of their dependencies in real time. Data from this tooling can be fed into enterprise risk management tools to support company-wide visibility into security practices for executive leadership and customers alike.
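As an added illustration of what "real-time security metric reporting" can look like when it is derived from a software bill of materials, here is a small script that joins an SBOM against a vulnerability feed and produces the kind of numbers a customer or executive dashboard would want: open advisories by severity, how many components are affected, and which open items are past their remediation SLA. This is my own example for this post, not GitHub's security overview or any vendor's implementation. The SBOM is a minimal constructed CycloneDX-style JSON document, the advisory feed is made up (the ids are placeholders, not real CVEs), and the SLA days per severity are an assumption.

```python
"""Real-time vulnerability-status metrics from an SBOM plus an advisory feed.

Added example, not the post's own code and not any vendor's tool.
Inputs below are constructed: a minimal CycloneDX-like SBOM and a made-up
advisory list with placeholder ids.  SLA_DAYS is an assumed policy.
"""
import json
from datetime import date

# Constructed SBOM: three components identified by package URL (purl).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libfoo",    "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"name": "netlib",    "version": "0.9.1", "purl": "pkg:generic/netlib@0.9.1"},
    {"name": "jsonparse", "version": "4.0.0", "purl": "pkg:generic/jsonparse@4.0.0"}
  ]
}"""

# Constructed advisory feed; ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl": "pkg:generic/netlib@0.9.1",
     "severity": "critical", "published": "2024-03-01", "fixed_in": "0.9.2",
     "status": "open"},
    {"id": "ADV-PLACEHOLDER-002", "purl": "pkg:generic/jsonparse@4.0.0",
     "severity": "medium", "published": "2024-04-10", "fixed_in": "4.0.1",
     "status": "open"},
    {"id": "ADV-PLACEHOLDER-003", "purl": "pkg:generic/libfoo@1.2.3",
     "severity": "high", "published": "2024-01-15", "fixed_in": "1.2.4",
     "status": "remediated"},
    # An advisory for a component not in this SBOM; it must be ignored.
    {"id": "ADV-PLACEHOLDER-004", "purl": "pkg:generic/other@9.9.9",
     "severity": "critical", "published": "2024-02-01", "fixed_in": "9.9.10",
     "status": "open"},
]

# Assumed remediation SLA per severity, in days since publication.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def load_components(sbom_json: str) -> dict:
    """Index SBOM components by purl so advisory matching is a dict lookup."""
    bom = json.loads(sbom_json)
    return {c["purl"]: c for c in bom.get("components", []) if "purl" in c}


def match_advisories(components: dict, advisories: list) -> list:
    """Keep only advisories whose purl appears in this SBOM."""
    return [a for a in advisories if a["purl"] in components]


def metrics(sbom_json: str, advisories: list, today: date) -> dict:
    """Compute the dashboard numbers for one SBOM as of `today`."""
    comps = load_components(sbom_json)
    matched = match_advisories(comps, advisories)
    open_advs = [a for a in matched if a["status"] == "open"]

    by_sev: dict = {}
    overdue = []
    for a in open_advs:
        by_sev[a["severity"]] = by_sev.get(a["severity"], 0) + 1
        age_days = (today - date.fromisoformat(a["published"])).days
        if age_days > SLA_DAYS.get(a["severity"], 0):
            overdue.append(a["id"])

    return {
        "components": len(comps),
        "affected_components": len({a["purl"] for a in open_advs}),
        "open_by_severity": by_sev,
        "overdue": sorted(overdue),
        "remediated": sum(1 for a in matched if a["status"] == "remediated"),
    }


def demo() -> dict:
    """Run the metrics against the constructed inputs on a fixed date."""
    return metrics(SBOM_JSON, ADVISORIES, date(2024, 5, 1))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-running `metrics()` on every SBOM change or advisory update is what turns a point-in-time attestation into a continuously refreshed signal; the `overdue` list in particular is the number a customer would ask about, since it shows whether the supplier is honouring its own patching commitments rather than merely listing what is vulnerable.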
Conclusion: maintaining high trust, whether as individuals or organizations, takes commitment and prioritization. Practices that build and maintain trust, like accurate and timely information distribution or consistent review of key trust metrics, do not happen on their own. There will always be opportunity costs associated with maintaining high trust. In product organizations, addressing critical vulnerabilities can cost weeks of developer time and can impact the delivery schedule of the next highly anticipated, revenue-generating release. Prioritizing trust can feel costly in resource-constrained organizations; however, beyond the short term, the cost of not maintaining trust among customers and employees will be insurmountable for many companies. Over the mid to long term, prioritization of trust fosters better relationships, can secure future revenue growth and, ultimately, contributes to a more functional, lower-friction world. Our increasingly digital world cannot be secured or grown without the prioritization of trust, despite the short-term costs. The optimist in me is expecting good french fries in this high trust digital world!