Shifting from InfoSec-as-Service to Trust-as-Product

(February 22, 2023)

Executive Insight:

  • Running security like a business is more than just "Do Security" activities - it requires taking a product mindset and layering a “Run Security” strategy on top of security operations.
  • Organizations that prioritize running security like a business can differentiate on Trust where other market actors decline investment or fail to adequately communicate that investment to their market.
  • Evidence of safety can be identified, collected, sorted, mapped, and presented as “trust stories” aligned with customer, revenue, and value journeys.
  • Assurance leaders can lead from behind through consensus building, incentive alignment, common storytelling, and integrating trust into the core go-to-market motion.
  • Companies who prioritize trust strategies achieve stronger value outcomes in the mid- to long-term. 

Businesses are increasingly recognizing the critical importance of information security to their revenue strategy. The primary focus of this recognition is typically on highly visible security operations, such as audit and compliance, anomaly detection and response, third-party risk management, and code security. However, running security like a business is about much more than merely executing these activities.

Layering a “Run Security” Strategy on Top of “Do Security” Operational Activities

It is also about adopting a product mindset and layering a “Run Security” strategy on top of the “Do Security” operational activities. This approach requires understanding that the Service Delivery model is not the only way for an Information Security organization to enable and defend value, and that constructing and delivering “Trust Products” to “Trust Stakeholders” provides foundational support for bolstering trust-based relationships.

Assurance leaders should think of their “Do Security” motions as providing the base material for the evidence of safety needed to build a trust story (which is an essential component of the “trust product”). Through an EvidenceOps program, evidence of safety can be identified, collected, sorted, mapped, and presented as a “trust story”.

A Trust Story 

A Trust Story is a strategic communications artifact used to communicate Trust and Safety to Trust Stakeholders, demonstrating how the organization aligns to the various “trust requirements” along the customer, revenue, and value journeys. Trust stakeholders look for trust stories to expedite these journeys. Delivering Trust from within the Product paradigm as part of the core go-to-market motion demonstrates that the business understands how Assurance enables, influences, and ultimately defends value creation.

Organizations that prioritize running security like a business can differentiate on Trust where other market actors decline investment (if they acknowledge strategic trust at all).  The concept of running security like a business has been gaining traction in recent years. In 2019, Gartner released a report on “Security Leaders Must Act Like Business Leaders” which highlighted advantages of this approach such as improved alignment with business objectives and increased agility to respond to threats.

Additionally, Harvard Business Review reports that companies that prioritize trust strategies over technical solutions achieve stronger value outcomes in the mid- to long-term. By taking a product-driven approach to information security, organizations can ensure that the trust strategy marches in lockstep with the revenue strategy on its way to market and enhances and influences the value story for all stakeholders.

Assurance leaders can lead from behind through consensus-building, incentive alignment, common storytelling, and delivering metrics that move the needle where it matters to the business. At the highest levels, the shift from InfoSec-as-Service to Trust-as-Product follows a path similar to Figure 1 below:

  1. If Trust is a material component of the customer, revenue, and/or value journeys [see footnotes], pivoting the Information Security practice to Trust is key.
  2. Shift from a Compliance to a Safety paradigm, placing value-loss prevention, asset safety, and role safety at the core.
  3. Implement the Value Assurance strategy to measure and communicate Assurance, Safety, and Trust outcomes strictly in revenue and value terms.
  4. Employ value defence tactics by partnering with data workers where they sit, analyzing their value workflows for value-loss events, and enabling them to make better decisions about data safety.
  5. Re-align Assurance operations to the 8 business drivers and report security metrics as business metrics aligned to value.
  6. Collect, structure, and present evidence of safety as Trust Stories to Trust Stakeholders. Iterate.

Figure 1: The InfoSec-as-Service to Trust-as-Product Transition Model

Footnotes: Five industries where Trust is a material component of the customer, revenue, and/or value journeys:

  1. Software-as-a-Service Companies: Trust is essential for software companies that process confidential data on behalf of customers; without it, these organizations cannot operate or maintain customer loyalty. Customers must trust that their data is secure, that their transactions are handled safely, and that their confidential information is not misused or mishandled. Regulators also require software companies to be compliant with industry standards and must trust that companies are upholding those standards. The Federal Trade Commission (FTC) has issued guidance on trust principles for these types of organizations, including principles related to operations, compliance, safety, culture, and more.
  2. Banks and Financial Institutions: Trust is essential for banks and financial institutions to operate. Customers must trust that their money is safe, that their financial data is secure, and that their transactions are handled safely. Regulators also require banks to be compliant with industry standards and must trust that banks are meeting those standards. The Office of the Comptroller of the Currency (OCC) has issued guidance on trust principles for these types of institutions, including principles related to operations, compliance, safety, culture, and more.
  3. Insurance Companies: Trust is essential for insurance companies to operate and maintain customer loyalty. Customers must trust that their claims are handled fairly and that their private information is secure. Regulators also require insurance companies to be compliant with industry standards and must trust that companies are meeting those standards. The National Association of Insurance Commissioners (NAIC) has issued guidance on trust principles for these types of organizations, including principles related to operations, compliance, safety, culture, and more.
  4. Healthcare Providers: Trust is essential for healthcare providers to operate and provide quality care to patients. Patients must trust that their medical information is secure and private. Regulators also require healthcare providers to be compliant with industry standards and must trust that providers are complying with those standards. The Centers for Medicare & Medicaid Services (CMS) has issued guidance on trust principles for these types of organizations, including principles related to operations, compliance, safety, culture, and more.
  5. Lawyers and Accountants: Trust is essential for lawyers and accountants to operate and maintain customer loyalty. Customers must trust that their confidential information is secure and that their transactions are handled safely. Regulators also require lawyers and accountants to be compliant with industry standards and must trust that these professionals are meeting those standards. The American Bar Association (ABA) has issued guidance on trust principles for lawyers, and the American Institute of CPAs (AICPA) has issued similar guidance on trust principles for accountants, including principles related to operations, compliance, safety, culture, and more.