Executive Insights
- Value Assurance is an effective practice for cultivating and communicating trust in stakeholder relationships, as it builds on already-established InfoSec activities.
- Value Assurance aligns Information Security and Compliance practices to the Revenue strategy and go-to-market motion to increase revenue velocity.
- A successful transition to Value Assurance requires business leaders to gain a better understanding of how to leverage existing trust operations.
- Leaders should view data safety not as a separate practice, but rather as a job safety program embedded in the work itself.
- Companies can create a constant flow of trust artifacts that can be prepared and communicated to trust stakeholders, allowing them to become safer, more controlled, and better focused on delivering value.
Strategic Assurance leaders recognize the critical importance of cultivating and communicating trust in stakeholder relationships, and Value Assurance is an effective method for doing so. It is a management practice for organizations that aligns the Information Security and Compliance practice to the Revenue strategy and Assurance investments to go-to-market motion that increase revenue velocity and influence valuation at equity events. It builds on already-established InfoSec practices and provides the opportunity to more clearly align to the value journey.
It goes beyond traditional InfoSec activities by expanding the security practice with a product-and-service model that minimizes trust friction in the revenue journey while creating “trust products” for all trust stakeholders. To successfully integrate Value Assurance methods into the trust practice, business leaders should gain a better understanding of how they can leverage their existing trust operations and align trust their Assurance and Revenue strategies to enable and protect value.
Complementary Leadership focuses: Journey Storytellers and Value Storytellers
A Value Assurance organization has two complementary Leadership focuses: Journey Storytellers and Value Storytellers. Journey Storytellers are the leaders responsible for generating new Value for the organization. In a modern software company, this would include the Revenue leader, the Product leader, the Marketing leader, and Customer leader, telling the Journey stories for their respective practices. These leaders are driving new business, creating and promoting new products and services (“front-end” Value), and telling the growth-oriented “journey” stories: the Customer journey, the Product journey, the Revenue journey, the Experience journey, and other strategic stories driving engagement and forward motion.
Value Storytellers are the leaders responsible for defending earned (or “back-end”) Value and enabling Journey Storytellers to reach their strategic objectives. This includes the Finance leader, the Legal leader, the CISO, the COO/VP Ops, the CIO, VP Engineering/CTO, and the People & Culture leader. These leaders defend both earned value and entity valuation in their practices, enabling agility, velocity, and efficiency in all parts of the Business through Value Stories which align all value workflows to the go-to-market motion in support of the Revenue strategy. Operations motion is Revenue motion, and Assurance leaders own a piece of the Revenue journey. 
Figure 1: Leadership Story Alignment under Value Assurance (not an org chart)
This may be a change for many organizations where Operations isn’t aligned to the Revenue mission, and where Operations practitioners must over-justify their investments due to the perception of being a cost center. When Assurance leaders adopt the Value Storyteller model, they can more clearly demonstrate how an operational motion influences a Revenue outcome.
Leaders can orient their practice for continuous review under a Trust Product model which opens continuous process defense to tactical review outside of formal audit channels to support the Trust Story. For a CISO, this approach provides a path to expand the InfoSec practice past IT boundaries where the mission itself can be reframed as a revenue investment (e.g., Assurance motion X influences Revenue outcome Y). In a modern software company, the InfoSec function can be reorganized into an Assurance function that looks like this:
Figure 2: The Value Assurance model as implemented in a subscription software company
The black bars at the bottom of the model represent the “DO Security” side of the Assurance program: Operational Security, Compliance, AppSec, Resilience, Third-Party Risk, etc. While program maturity may vary, all organizations that are making the effort to run safe data processing operations have implemented some or all of the black-bar programs.
8 Business Drivers for an Assurance Motion
The maturity of these programs often depends on how the Business understands the eight business drivers for an Assurance program not directly driven by data safety concerns. By mapping our Assurance motions to these eight drivers, Assurance leaders can better communicate the value of assurance investments.
Figure 3: The eight business drivers for Assurance motion
As the Value Assurance model treats InfoSec and Compliance evidence and outputs as stakeholder-facing Trust assets, investing in improving data safety becomes a story point in a larger Trust narrative that is forward deployed as part of the go-to-market motion. Each successfully executed trust action produces evidence that forms the basis for the Trust Story related to that control or capability.
As each Trust Stakeholder reviews the Story components (trust artifacts, evidence of safety, etc.), their specific requirement in the revenue journey will have been satisfied without a fight, fuss, or chase. It is critical that Trust Stories and trust artifacts are shared proactively and in line with the impact each Trust Stakeholder has on the value journey.
Value Assurance actively engages both tactical and operational business functions to identify trust friction in value-creating workflows and integrates data safety practices contextually. Assurance leaders take a journey-oriented approach to de-risking value workflows, treating trust friction as an opportunity to optimize value, rather than a compliance issue.
Organizations can design workflows that embed trust and safety directly within the work itself, rather than treating data safety as a separate practice. Value Assurance reimagines security training as a job safety program, to ensure the inherent value of data is never compromised as it moves through human hands. Under the Value Storyteller model, we identify who revenue actors requiring a Trust story and the Storytellers who contribute to that Trust story:
| Trust Stakeholders | Trust Storytellers |
| 1. The Customer Champion (Product voice) | 1. Assurance Leader (Trust Story / Trust Persona) |
| 2. Customer IT | 2. Revenue Leader (Customer Buying Journey) |
| 3. Customer Privacy | 3. Product Leader (Customer Solution And Capability) |
| 4. Customer Procurement | 4. Legal (Contract Value Defence) |
| 5. Customer Legal | 5. P&C (Trust Culture, CSG, And DEI) |
| 6. Customer InfoSec | 6. Customer Leader (Unified Customer Experience) |
| 7. Customer Compliance/Internal Audit | 7. Board (Equity Value Governance) |
| 8. Upstream Customer Regulator | 8. Investor Stakeholders (Equity Defense And Discount Management) |
| 9. Upstream Customer Auditor | 9. 3rd Party Auditors |
| 10. Upstream Customer Insurer | 10. Upstream Regulator |
| 11. Customer’s Customers’ Trust Stakeholders | 11. Upstream Auditor |
| 12. Upstream Insurer |
Figure 4: Example of Trust Stakeholders and Trust Storytellers in a modern Software Business
The Assurance Leader
The Assurance leader effectively becomes a “data fiduciary”, defending the interests and value of the data on behalf of its myriad stakeholders against any action which impacts its value. By democratizing value defense and recognizing the market value of trust within departmental workflows, opportunities are created for a genuine Trust & Safety culture to be integrated into all flows where value is created, enabled, or supported.
Leaders can present cross-functional Assurance activities such as contract value defense, data and workflow safety, privacy operations, supply chain governance, and social risk management as unified value defense and enablement activities through reporting outcomes in financial, unit economics, and go-to-market terms. Value stories and Risk stories can be powerful tools for driving change, as their effectiveness is heavily influenced by context and strategic alignment. It is important for Assurance leaders to understand which story to tactically share with stakeholders in order to de-risk their workflows through data safety programs. Doing so will create a constant flow of trust artifacts that can be prepared and communicated effectively to trust stakeholders, allowing companies to become safer, more controlled, and better focused on delivering value.
Share this
Run Security / Do Security for Value Assurance
Pivoting to Trust - The Road from Service to Product
