A question of trust

Trust is the foundation for many of our relationships, both in our personal and business life. Trust is one of the strongest elements supporting a relationship and helps it survive the toughest of challenges, but it can also be one of the most brittle parts, easily broken beyond repair. Building up trust can take years, and losing it can sometimes take mere seconds.

In information security, trust is a cornerstone in all that we do. We trust the technology we use to help defend our systems, we trust our staff to comply with policies and not to fall victim to phishing emails, we trust those we appoint to manage our sensitive data not to divulge it to others, we trust our business partners to take the necessary steps to protect information we share with them, and we trust our governments to provide a safe business environment and to protect our rights.

The recent revelations by former NSA employee Edward Snowden that the US government has been snooping on the Internet traffic of innocent people and placing bugs in the embassies of the European Union highlight the damage caused by breaking trust. As a result of these allegations, the EU has suspended trade talks with the US and has also threatened to suspend any data sharing with the US.

The above revelations have not come as a surprise to many in our industry. However, they have brought the whole issue of trust to the fore. Many businesses are now thinking twice about engaging with cloud service providers, especially US-based ones.

Others are now looking with distrust at the operating systems, software, and hardware they use. And, of course, Edward Snowden’s actions have highlighted the insider threat and the question of how much employees with privileged access to key data and systems can be trusted.

When we examine the different elements that we need to trust in order to enable our organizations to conduct business securely, we can only conclude that there are many links in that “chain of trust”.

Like any chain, the chain of trust is only as strong as its weakest link. For most organizations that chain will be made up of the software and hardware their systems run on, the providers who supply them with services such as hosting, telecoms and support, partner companies and their staff, companies to which they outsource some of their work, the users in the organization, and even government(s).

The above list highlights just some of the various entities that organizations have to trust in order to operate securely. After all, if they trust nobody then they will not be able to function. This is where we as security professionals come into play. Our role is to ensure that the levels of trust our organizations require are provided and maintained. Yet, in many cases we fail to achieve this goal. I believe part of that problem is that we have not allowed the business to build its complete trust in us and in how we provide solutions to the business.

Typically – and very often for good and genuine reasons – the information security function in many organizations is viewed as blocking business or delaying projects and business initiatives. This results in the common scenario where security is often the last to know about a new IT or business initiative and then has to scramble to provide security input against a looming business deadline. In many cases this means systems go live to meet a business deadline with security issues still outstanding. Promises that these issues will be addressed in the future are always made, but are never fulfilled.

Building trust into relationships takes time and effort. It requires constant communication between both parties to ensure they understand each other’s viewpoints and positions, as well as honest engagement from each party when it comes to outlining their expectations from the relationship. Needless to say, trust is built by delivering on what is promised.

We need to be better at engaging with those outside of security, both technical and non-technical. We need to improve our understanding of their requirements and our ability to demonstrate what is required in order to do business securely. We need to accept and realize that security is not a technical issue but a business one. As such, we should realize that it is the business that decides what to do based on the trusted advice it gets from us.

When I make the above argument I often get the response “Why should we have to understand the business? The business should make more efforts in understanding our requirements”. If we take this approach, we rely on the other party to take the initiative to open the dialogue to start building that trust. If they don’t, security will always be our responsibility and likewise all security breaches and failures will be ours, too.

Building a strong relationship based on trust is a long journey. Someone has to take the first step so others can follow. Let’s reach out to the business, and try to better understand what they are trying to achieve and learn how best to be a trusted advisor.

Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security at University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, is the author of the book ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry-recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.