Let's face it, our entire digital economy and infrastructure are held together by one thing: trust. We trust that our systems will be responsive when we need them. We trust that services and APIs will be secure, well-tested, and available when called in our own apps. We trust that the data coming into our analytics systems is the right data and that it is accurate. We trust that cloud providers continually engage in best practices to keep our data and transactions safe. We trust that our vendors are making the right business decisions, so they will be around a year from now.
So, Trust as a Service is probably the most important As-a-Service offering there is. The term was coined by Fred McClimans, analyst with HfS, an analyst firm known for its focus on the sourcing industry, who says enterprises and vendors aren't doing enough to assure that trust -- especially when it comes to security.
The problem, McClimans explains in a recent post, is enterprises "are still often thinking of security from a tech-only perspective."
The Trust as a Service paradigm goes well beyond technological fixes -- such as firewalls, malware protection, Security Information and Event Management (SIEM), Data Loss Prevention (DLP), Identity and Access Management (IAM), and app and device security -- though these are important, he states. "Security isn't about securing assets, it's about creating trusted assets that can be leveraged in the market."
Digital enterprises, mixing it up with digitized consumers in a digital economy, need, more than ever, to build their business on the trust element.
The emphasis on digital experience is "less personal, and perhaps a bit more fragile," he opines. "Enterprises today face risk both to their internal assets as well as to their greatest asset, their customers. Hacks and data theft - especially personal consumer data - ruin that customer experience, and decrease the level of trust."
The consequences to the business are severe, McClimans adds. "If your online or digital brand isn't trusted by the consumer, they'll easily go elsewhere." That applies to B2B engagements just as much as it does to B2C.
The key is to look at security as a way to build and leverage trusted assets, rather than only as a way to protect assets. "Security can't afford to be an afterthought; it really needs to be thought of as a transformational enabler of a better, more trusted, business," he states. He makes the following recommendations:
- Elevate "the responsibility for overall corporate risk and security management as close to the CEO and board as possible," McClimans advises. "Many of the security-related improvements and initiatives that need to be discussed go beyond the scope of a CISO."
- Expand the corporate security architecture "to include coordination, if not oversight, of ecosystem partners."
- Shift from a "'prevent all breaches' to a 'minimize breaches and control risk' approach."
- In provider relationships, seek greater "contractual flexibility, a greater level of actionable innovation, and a closer review of international privacy policies, something that delves into the role of security with regard to personal privacy and data rights."
- Explore emerging physical/digital approaches to security, such as "biometrics and access control systems." These "help provide a trusted environment, but today they're separate from the digital security grid, unless they've been included as IoT devices. But the future of security services will require providers to start to leverage these devices to provide both contextual awareness of threats and help seal off threat venues."
- "User education be significantly strengthened, to the point of bringing users in as collaborative security partners to help build a more trusted digital ecosystem."
The reason we put our money in banks is that they are very good at delivering Trust as a Service. (Not to mention government backing, but that's another story.) If anything, the entire financial industry is a trust industry. The IT industry is a trust industry as well, and with the rise of cloud, APIs and big data services, enterprises depend more than ever on the due diligence of others.
To expand on McClimans' thesis, Trust as a Service needs to be more than security. Trust is also pertinent to handing over your assets, processes or applications to a provider, and trusting that they don't do anything that will disrupt your business -- that they stay in business themselves, that they don't decide to change their business model midstream, or don't gouge you with price increases at a time when you can't afford to break the engagement. Also, Trust as a Service means someone will be there to provide information or guidance when they experience a glitch or systems outage, and that they take full responsibility for the consequences of such outages.
Trustworthiness is golden, and this is a consideration that needs to go to the top of the stack of any business technology engagement.