Maintaining Digital Trust with Cloud-Centric Environments
Recent software reliability and cloud availability incidents have put digital trust back in the spotlight for organizations that rely on cloud services and cloud-based updating.
If a colleague approaches you and says: “Let’s talk about cybersecurity”, what would you end up talking about? Ransomware, probably, or the latest hack on a well-known company or government agency. Maybe supply chain risk, because that has become a critical concern in the last couple of years. Or, in the case of late July 2024 when this piece was being written, global software updates going wrong.
However, has anyone ever come up to you and said: “We need to talk about digital trust”? No, they probably haven’t. If they did, would you know what they mean?
The Meaning of Digital Trust
The CIO Wiki has a great definition. “Digital trust,” it says, “is the confidence that users have in the ability of people, technology, and processes to create a secure digital world”. Pause for a moment and reflect on that, because if we think about it, achieving that level of confidence is the fundamental reason for doing cybersecurity.
Everyone reading this is likely to have come across the “CIA triad” of Confidentiality, Integrity and Availability. In cybersecurity we identify the risks that exist regarding the confidentiality, integrity and availability of our systems and then apply controls to bring those risks down to a level that the organization finds acceptable. But why?
In a business, the answer is: because if we don’t, we won’t stay in business. Again, though, we need to ask why that is. We can answer that by looking at the three primary types of impact that might happen to a company in the event of a cyber incident: legal, financial and reputational.
Financial impact is straightforward: there is a cost to recovering from a cybersecurity incident. Sometimes, that cost is not affordable – as was the case with foreign exchange company Travelex, for instance. Legal impacts – and we include regulatory issues in this category, as they’re so closely related – can come in various forms including sanctions that prevent the company trading in a particular location or even members of senior management being sent to jail (which almost happened in the case of former Uber CISO Joe Sullivan, for example). Reputational impact is best exemplified by the simple act of customers taking their business elsewhere – either by deciding not to choose you as a new supplier or by ending the contract and buying from someone else.
In the end, though, reputation is the element that shines through as the most critical. If you suffer a significant cyber attack and you can afford the cost of recovering, your reputation will still be damaged. If your CEO goes to prison, people will be wondering what other skeletons you still have in the closet. A regulatory sanction following a cyber incident will lead to people knowing that you’ve broken the rules and will make them cautious of dealing with you. If people aren’t confident that you have the right people, technology and processes to secure your digital world, and their data within it, there’s every chance they will decide not to do business with you.
Reputation Management
And if you’re having a sense of déjà vu, that’s because most of the words in that last sentence came from the definition of digital trust from a few paragraphs ago. Digital trust is essential to reputation. A dent in digital trust can have a catastrophic effect on your reputation and, consequently, can pose an existential threat to the whole organization.
All of which brings us back to the question of why we look for risks to our businesses and try to do something about them via the controls we implement: without them we can wave goodbye to any level of digital trust. Yes, an absence of controls can also lead to fines, jail and all the things we considered earlier, but as we also noted the reputational element – which can also be considered as the trust element, or the ethical element as all these things are interrelated – is critical to staying in business.
How do we measure our level of Digital Trust? Tricky, as it’s not something you can quantify, but what we can do is distinguish between right and wrong, and try to make some attempt at figuring out “how right” we’re doing something.
Staying on the Right Side of Trust
We’ve talked about fines, regulatory sanctions and the like, and they are generally measured in binary fashion: there’s a rule and if you break it, you can be punished. Driving at 40 in a 40 limit? No problem. Doing 70 in a 40? Expect a ticket if the cops see you. Very simple, unequivocal and binary.
There’s so much else you can do while driving at 40 in a 40 zone that makes you a better person. Slow a little and let someone out of a gas station and you’ll probably get a smile and a wave. Pull over to help someone whose car has broken down and the gratitude will be palpable. You’re not just doing it right; you’re doing it very right. And the same applies in cybersecurity: there is far more to life in cybersecurity than doing just enough to stay on the right side of the regulator and the law. If your staff and customers see you going over and above what’s needed, it will have a tangible positive effect on them.
And there’s an expression that sums up the result of doing cyber very right: Digital Trust.