By Duncan Greaves, PhD, CISSP

Developing trusting relationships in online situations provides intelligence-led and useable business techniques for building relationships that improve control, productivity, innovation, and creativity, and reduce friction between teams.

Trouble with Trust

The development of trust is the engine of business and helps organizations prepare for unexpected events. Knowledge about the formation and dynamics of trust assists managers to control the debate and realize the strategic benefits of a network of collaborators. It also provides an innovative toolset with which to approach the operation of trust in extended supply chains.

Crucially, such relationships also help to embed ethical behaviors that enhance public trust and loyalty, key indicators of company health in the long term. Knowing whom to trust, and with what, has always been a difficult issue to pin down, but recent research has yielded new insights into the following areas:

  • How to establish relationships online that generate trust from others.
  • Knowing how to validate and verify trustworthy credentials.
  • Designing business processes that develop the capacity to grow reliance into trust.
  • Identifying and counteracting ethical and security issues.
  • Recognizing that online trust can generate benefits for all parties.

Building Trust

Over 90% of interpersonal communication is conveyed by non-verbal cues, and many of these - like body language, presence, eye contact, and handshakes - are lost in online settings, making interpersonal trust more difficult to establish.

Trust is a relationship based on trustworthiness. As its name suggests, trustworthiness consists of the attributes that make a person or organization worthy of trust. A person (or organization) may become trusted by displaying their competencies, honesty, and benevolent concern towards other parties.

Trustworthiness symbols and signals are present all around us and are a large part of the marketing, advertising, and brand awareness of individuals and organizations. It is common to see large organizations spend millions of dollars each year reminding us of their capability, reliability, long traditions, and social concern to gain the trust needed to create relationships that move beyond simple one-off transactions. This creates a risk-taking relationship (trust) that allows the parties to grow in a collaborative fashion.

In both online and offline situations, the cues that lead to relationship formation can be falsified. Trust binds relationships, but also blinds us to the pitfalls that such relationships bring. Therefore, it is necessary to validate that a potential trusted partner has the necessary characteristics and ‘cultural fit’ that signal a trust relationship is a valid option.

Validating Trustworthiness

People and organizations can claim to be things that they are not. To ensure what they are telling you is accurate, validation is a way of pre-checking that trust can be based on shared values and is a legally and officially acceptable alternative. I have previously been tasked with checking potential collaborators to uncover the true values of suppliers, taking special note of the following indicator areas:

  • Check who the ultimate beneficial owners of a company are, as these stakeholders, their governance, and associations dictate the behavior of the individuals you deal with.
  • Seek recommendations and find shared ‘weak’ ties like membership of trade associations, as these links can help to generate the stronger ties expected of trust. If possible, crosscheck these recommendations with other parties to confirm they are valid.
  • Individuals and organizations may be involved in social initiatives, environmental improvement, and corporate social responsibility. These activities speak to their values and concern for others. Ensure they reflect values that you could support.
  • A track record in supporting other projects, conferences, or groups often shows that they are actively involved in making spaces that allow others to shine and shows their benevolence and care towards those communities.
  • Check to see that their private and public statements match their values. As mentioned, this is one way that they showcase their honesty and trustworthiness.

The engagement profile over time of an individual or company speaks volumes about their motivation and willingness to grow and accept the responsibilities of being a trusted community member. It is easy to get caught out by not doing background checks and investigating red flags at the early stages. Evaluation is always subjective, so seek advice from other team members or consult a panel to establish a party’s genuine trustworthiness and values.

Verifying Trust

Verify that the expectations between the parties are aligned appropriately and backed up by the motivation towards action to make the partnership work. In my experience, some people dismiss the value of meetings without identifiable technical purpose as not being agile or delivery-focused, but checking and establishing the identity of others whom you may rely on in future is vital work.

  • Face-to-face meetings allow an exchange of truths by both parties in private. This can be difficult to assess online, or in recorded live calls. If it is necessary to hold the meeting online, suspend any recording, but ensure that the meeting outcomes are truthful, with minutes taken and agreed.
  • Hold these meetings in dedicated spaces or meeting rooms, and center discussions on the collaborative approach being sought. Seek common problem-solving ground based on values.
  • The focus should be on personalizing the relationship, anchoring it to individuals, and away from the immediacy of business transactions and working spaces.
  • Contracts give a strong motivation for parties to comply. Agreements should include actions, review periods, and performance expectations to strengthen the necessity to stick to promises.
  • One of the problems with trust is that it can be open to interpretation and does not flourish if examined too closely. Therefore, framework agreements and stepped contracts are preferable to strict control and oversight.

Always “trust but verify” the basis of any agreement before you grant control or influence to another party, to ensure that trust is well placed. It is likely that agreement is only based on those areas of common values, but having established a common ground, the processes that you follow with trusted collaborators should also be structured to build on these strengths.

Trusted Processes

To develop from transactions to trust involves closely monitoring the delegated transactions between partners, whilst allowing latitude for the questioning, discussion, and adoption of novel and innovative work practices that help to achieve positive outcomes that can adapt to dynamic situations.

  • At its heart, trust is underpinned by transactional reliability and allows trusted parties to know with a degree of confidence that their expectations will be fulfilled.
  • Small initial transactions reliably carried out go a long way towards being able to monitor compliance. Set smaller ‘indicator’ tasks that they can be relied upon to complete and that can be evaluated.
  • These small tasks assist in implementing process controls, and there is always an element of trust involved. As we grow our expectations, the roots of trust grow, as does the reputation of the people we choose.
  • In my experience, trust in people does not conflict with other initiatives such as Zero trust architectures (ZTA) or administrative privileges as they are skills and competence based and separated from the technical controls in use.

We often read about insider threats, where people in trusted positions change allegiances or re-evaluate their personal attitudes to the work they do, and trust is a part of the problem here. Where you may have doubts about the trustworthiness of others, be sure to revisit their validating and verifying points with a critical eye, or hand over to another colleague if you feel your objectivity is in question. One aim of developing longer-term relationships with reliable people and organizations is an assurance that the technical and human-centered aspects of security are in harmony.

Benefits

The development of healthy relationships involves putting in work and maintaining clear communication lines, but the benefits of trust are well documented. These include:

  • Enhanced system control, increased voluntary productivity, and a reduced need to monitor staff and partners.
  • Increased innovation and creativity. Allowing others to contribute ideas and discussion in safe spaces allows them to have a say in strengthening your processes. Trust also allows for difficult conversations.
  • Reduced internal friction. Task delegation between groups is loosely coupled and reliance on others is accepted as part of operations.
  • Enhanced reputation for both the trustee and the trustor, who benefit from the development of closer ties and improved responsiveness to unforeseen events.
  • A strong ethical stance that helps to meet the canons of ISC2.

Trust in Practice

The best recommendation for this approach comes from the recent experiences of a friend of mine, a CISSP-certified auditor at a well-known financial services company. The organization found itself at the wrong end of a sustained Distributed Denial of Service (DDoS) attack. The issues were tricky, and the attack continued over several days, leaving the internal security team tired and stressed. In this crisis, the company was able to draw on an extended team of professionals from the ranks of collaborators, friends, allies, associates, and even competitors to patch and repair the systems before the attack was beaten.

This victory did not happen by chance. It came from months and years of background efforts that established the company as a mainstay of the local and regional business economy. It started by developing trusting relationships without ever thinking about when they might be needed.

Duncan Greaves, PhD, CISSP is a lecturer and team leader, Cybersecurity MSc (Online), at the University of York.