CIO

To truly understand security, the business should consider a new CEO or CTO

CISOs may be seeing mixed results when trying to teach company executives about the nuances of information security, but one business expert believes outcomes can be significantly improved by appointing a C-level executive focused specifically on issues of trust.

The appointment of a chief trust officer (CTO) or chief ethics officer (CEO), Accenture Security APAC managing director Jean-Marie Abi-Ghanem told CSO Australia, is emerging in some companies as a way of removing the perceptions of security as a technological solution.

Instead, such an executive would tap into the universal understanding of the importance of trust – something that 83 percent of executive respondents in a recent Accenture survey agree is critically important to the digital economy; conversely, 82 percent of respondents believe that the transition to digital also exposes them to “exponentially more risk”.

Purveyors of security, Internet of Things (IoT) and other modern technologies must therefore address trust as a key design criterion, Abi-Ghanem said, by understanding which of their products and services contain client data – and whether consumers trust them to look after that data.

“Businesses need to get that trust feedback from customers, and to succeed they must take at least one product and evaluate it at every step to see how they are dealing with trust or ethics around the data,” he explained. A chief trust or ethics officer would be tasked with building principle-based codes of conduct to reinforce those perceptions, with involvement from security specialists to ensure those controls are implemented as enforceable policies.

The executives must also frame those policies within the context of accepted standards for security and governance, with appropriate benchmarks to measure ongoing compliance. “They have to challenge decision-making when companies are dealing with data in the process,” Abi-Ghanem said. “This means challenging what informed consent means when clients give it to you, and understanding the data and how it is used within the business and its products, systems, and processes. They're looking at how to do no harm, really, and what this means at every step of the process.”

His voice is one of a growing chorus of security experts pushing for new approaches to solving a risk equation that has gained numerous additional variables in recent years. Approaching the problem with fresh eyes, from new angles, is seen as a key part of an effort that must also include a bottom-up reconciliation of business and technology activities to identify and isolate ongoing security issues. These must then be rephrased using business concepts that isolate executives from the confusing language of information-security enforcement.

Accenture is already conducting early proofs-of-concept with clients in Australia to see whether a more context-based approach to security can improve both internal compliance and the external perceptions of products and services designed to handle consumer data.

Over time, such activities can reinforce the perception of a business as being both trustworthy and ethical – and help executives restate their own commitment to security in ways that external stakeholders better appreciate.

This approach also benefits CISOs, who can work with trust and ethics officers to build out a jointly adopted, broader story to sell to the business executive – which will be particularly helpful as mooted new breach-notification laws push those executives to consider their security exposures. “The C-suite understands more and more of the subject,” Abi-Ghanem said, “and when you talk about digital trust to a C-suite, they get it. It steers the conversation away from technologies and pen testing and techie talk, and provides an easier conversation than security on its own. The key is always, at every step of the customer journey, to consider whether trust is being enhanced or eroded.”