The Trust Factory: Demonstrating Continuous Asset Safety

March 30, 2023

The Trust Product practice uses stakeholders' subjective analysis of evidence to orchestrate trust predictably and at scale across a stakeholder portfolio, producing a Trust Product that enables the customer, revenue, and value journeys.

Executive Insights:

  • Trust Product practice is an innovative approach to information security that shifts the strategic focus of a security practice from an internal service organization to a market-facing product organization.
  • A Trust Factory is a tactical model that considers the collective output of safe systems, dataflows, actions, and processes as evidence of safety supporting value-impacting trust narratives.
  • Trust Stories are comprehensive, evidence-based narrative assets that describe provable safety capabilities attesting to the proactive defense of value.
  • Trust Stories communicate four points: an objective security element, a subjective safety element, a statement of control, and a duty validation.
  • A Trust Product consists of provable Trust Stories and Trust Culture, driven by a comprehensive Evidence Operations capability.

A Trust Product practice is an innovative approach to information security that shifts the strategic focus of the security practice from an internal service organization to a market-facing product organization. At its core is the concept of the Trust Factory: a tactical model that considers the collective output of safe systems, dataflows, actions, and processes as evidence of safety supporting value-impacting trust narratives.

Trust narratives assist trust stakeholders who, even when their decisions are nominally grounded in objective evidence, often react to that evidence emotionally. The Trust Product practice works with this subjective analysis process to orchestrate trust predictably and at scale across the stakeholder portfolio. Most organizations already have some combination of the capabilities, programs, and roles needed to found a Trust Factory and run it reliably in support of the customer, revenue, and entity value journeys. When operational, a Trust Factory produces a Trust Product made up of Trust Stories and Trust Culture, driven by a widespread Evidence Operations capability.


The Trust Story

Trust Stories are comprehensive, evidence-based narratives that describe provable safety capabilities attesting to the proactive defense of value. A Trust Story repositions existing monitoring, visibility, and response capabilities to serve trust stakeholder requirements explicitly, in addition to the threat model. Depending on the role trust plays in the value journey, there may be dozens of Trust Stories covering all the ways value is defended on behalf of stakeholders (e.g., a B2B software company may need to share twenty Trust Stories with eleven Trust Stakeholders material to the value journey as part of go-to-market). Regardless of industry, every Trust Story communicates four points: an objective security element, a subjective safety element, a statement of control, and a duty validation ('duties' being the material obligations tied to a data asset that an organization takes on as a condition of doing business).

The objective security element provides all relevant evidence necessary to show that the organization has effectively safeguarded the focus of the Trust Story from harm, theft, unauthorized access, and/or loss of value. Subjective safety is the predicted emotional response to the evaluation and acceptance of the scope and quality of that objective security evidence. A statement of control is an authoritative attestation of foreseeable safety outcomes, and duty validation is an endorsement of the warranties and representations associated with data assets, linked to the four duty sources (statute, contracts, frameworks, and insurance). Combined, a functional Trust Story can consistently and reliably resonate with trust stakeholders at a level below objective analysis. At a minimum, a data protection leader should have a Trust Story prepared for each of the following control areas.

Host Control
  • Endpoint Anomaly Detection and Response
  • Mobile Device Management
  • Production Anomaly Visibility & Alerting
  • Network Host Anomaly Detection and Response

Flow Control
  • Continuous Compliance Monitoring
  • 3rd Party Processing Visibility & Alerting
  • Internet Content, Egress, and Service Flow Defense
  • Network Security Visibility & Alerting

Asset Control
  • Code Security & Code Asset Governance
  • OSINT & Equal Intelligence
  • Secrets Management
  • Social Risk Management
  • ITAM for HW, SW, Service, and Data Assets

Process Control
  • Compliance Audit Readiness
  • Contract Value Defense
  • Data Safety & Controls Training
  • Evidence Analysis & Response
  • Knowledge Operations and Processing & Business Resilience
Trust Stories are presented as statements of control backed by objective evidence of security. This evidence typically takes the form of a program alignment statement, evidence of process documentation, evidence of procedure documentation, evidence of controls monitoring, and evidence review guidance. When consolidated with complementary narratives, the sum of all Trust Stories presents a powerful narrative that proactively addresses any value-impacting criterion a trust stakeholder may apply, thus reducing trust friction in the revenue journey, increasing business resiliency, influencing revenue velocity, and defending equity value in daily operations motions.

Trust Culture

In modern, data-native organizations, the way people work affects the value of the data they handle. A "stakeholder safety" paradigm turns information security, compliance, privacy operations, and value defense into enablers and differentiators for a more agile and resilient organization. A tactical approach to trust culture begins with the acknowledgement that dataflow defense starts in the corporate mind: the primary defensive endpoint is the human brain. Many leaders agree with this in broad strokes, but how many organizations patch the corporate mind with the same rigor and cadence they patch corporate and production service fleets? According to a recent survey by the Ponemon Institute, anti-phishing training delivers an average reduction of 82% in successful phishing attacks and a reduction of 44% in overall security incidents. Another recent survey by ISACA found that organizations that implemented information security best practices saw an average reduction in data breaches of 66-68%. Similarly, those that implemented internet self-defense measures (such as web filtering, URL blocking, and dataflow defense) saw a 73% reduction in successful malicious attacks, while those with effective physical security programs reported an average reduction of 67% in successful attacks traced to exploitation of a physical vector. Because such survey figures depend heavily on how incidents are counted, leaders should measure their own baseline before and after training rather than rely on industry averages alone.

Metrics may demonstrate the efficacy of security awareness training, but the difference between general training and an integrated trust culture is significant for stakeholders' defense of value. To close this gap, trust and safety should be established as operational business principles, incentivizing quality decisions within data processing and emphasizing the link between trust and revenue. Everyone must "do security" in a trust culture, because when humans safely navigate data-, net-, and system-flows they create evidence of safety, the raw material of the Trust Story. Data protection leaders should consider replacing the term "security" with "safety" in data value-related communications with stakeholders, because of the bias the word "security" triggers; few businesspeople would say they can do without safety. Trust culture is built on that acknowledgement and on the continuous measurement of value safety in the service of harm prevention.

Evidence Operations

Every minute of every day, evidence of safe motion is generated at both the machine and human layers of data value transformation. These motions often include upside processes (business processes that directly and materially support a value-impacting outcome) that fall outside the direct detection of compliance-focused controls programs. Sadly, most evidence of safety is discarded in the search for security defects and anomalies, because most supplier trust validation processes today focus on the effectiveness of an organization's data controls and on anomaly/defect detection rather than on the ratio between control effectiveness metrics and value safety metrics. When a statement of control is made in the context of a Trust Story, it is underscored not only by the evidence of control but by the volume of evidence demonstrating both control effectiveness and a comparative dearth of loss event activity. Note that a low count of loss events is only meaningful alongside evidence that the relevant detection would have caught them; without demonstrated coverage, a detection gap is indistinguishable from safety.

Doing this requires rethinking which indicators data protection leaders collect and how those indicators are aligned to the value journey. With no commercial Evidence Operations platform available to natively support the production of Trust Stories, data protection leaders may elect to build their own EvidenceOps stacks (e.g., on ELK) or repurpose existing audit readiness, GRC, or logging tools to programmatically validate and report on safety criteria across all points relevant to stakeholders. This may include extending existing controls frameworks with a more complete threat and safety validation model aligned to value defense and upside process enablement. As evidence of safety mounts alongside evidence of security, a well-supported trust position can be established, acting as a relationship pillar beyond the benefits of the commercial solution itself.
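The following is an added example, not tooling from the article or any product it describes, of the aggregation step an EvidenceOps pipeline would perform before a statement of control can be made: it takes a stream of constructed JSON events tagged with the control area they evidence, counts positive evidence of safe motion and of handled anomalies alongside loss events per control area, ignores stale evidence, refuses to count events tagged with an unknown control, and reports which control areas have no evidence at all (and therefore cannot yet support a Trust Story). The event schema (ts, control, outcome, detail), the 30-day evidence window, and the fixed clock are assumptions made for this example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). Field names are an
# assumption for this example: "control" names one of the page's control
# areas, "outcome" is one of safe / anomaly / loss.
SAMPLE_EVENTS = """\
{"ts": "2023-03-29T08:00:00Z", "control": "Secrets Management", "outcome": "safe", "detail": "API key rotated inside 90-day policy"}
{"ts": "2023-03-29T08:05:00Z", "control": "Secrets Management", "outcome": "safe", "detail": "pre-commit scan: no secrets in commit"}
{"ts": "2023-03-29T09:10:00Z", "control": "Secrets Management", "outcome": "anomaly", "detail": "hard-coded token caught by scanner and revoked"}
{"ts": "2023-03-29T10:00:00Z", "control": "Mobile Device Management", "outcome": "safe", "detail": "device compliant, disk encryption on"}
{"ts": "2023-03-29T10:30:00Z", "control": "Mobile Device Management", "outcome": "loss", "detail": "unencrypted device reported lost"}
{"ts": "2023-03-29T11:00:00Z", "control": "Mobile Device Management", "outcome": "safe", "detail": "remote wipe confirmed"}
{"ts": "2022-12-01T11:00:00Z", "control": "Endpoint Anomaly Detection and Response", "outcome": "safe", "detail": "EDR heartbeat (stale)"}
{"ts": "2023-03-29T12:00:00Z", "control": "Nonexistent Control", "outcome": "safe", "detail": "mis-tagged event"}
"""

# A subset of the page's control areas; the Trust Story inventory would list all of them.
CONTROL_AREAS = (
    "Endpoint Anomaly Detection and Response",
    "Mobile Device Management",
    "Secrets Management",
    "Continuous Compliance Monitoring",
)

# Fixed clock so the example is reproducible (assumption).
NOW = datetime(2023, 3, 30, tzinfo=timezone.utc)
VALID_OUTCOMES = {"safe", "anomaly", "loss"}


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def summarize(events, areas=CONTROL_AREAS, now=NOW, window=timedelta(days=30)):
    """Return (report, rejected).

    report maps each control area to counts of safe / anomaly / loss
    events inside the window, an effectiveness ratio
    (safe + anomaly) / total, and a status usable in a statement of control.
    rejected holds events whose control tag or outcome is unknown; these are
    never silently folded into a count.
    """
    counts = {area: Counter() for area in areas}
    rejected = []
    for ev in events:
        if ev["control"] not in counts or ev["outcome"] not in VALID_OUTCOMES:
            rejected.append(ev)
            continue
        if now - ev["ts"] > window:
            continue  # stale evidence cannot support a current statement of control
        counts[ev["control"]][ev["outcome"]] += 1

    report = {}
    for area, c in counts.items():
        total = sum(c.values())
        if total == 0:
            ratio, status = None, "no evidence"  # no statement of control possible
        else:
            ratio = (c["safe"] + c["anomaly"]) / total
            status = "supported" if c["loss"] == 0 else "loss events present"
        report[area] = {
            "safe": c["safe"],
            "anomaly": c["anomaly"],
            "loss": c["loss"],
            "effective_ratio": ratio,
            "status": status,
        }
    return report, rejected


def ready_for_statement(report):
    """Control areas whose evidence currently supports a statement of control."""
    return sorted(a for a, r in report.items() if r["status"] == "supported")


if __name__ == "__main__":
    rep, rej = summarize(parse_events(SAMPLE_EVENTS))
    for area, r in rep.items():
        print(f"{area}: {r}")
    print("ready:", ready_for_statement(rep))
    print("rejected:", len(rej))
```

The "no evidence" status is the important output: a control area with zero events in the window is not safe, it is unobserved, and shipping a Trust Story for it would be a statement of control with nothing underneath. Likewise, the example treats a handled anomaly as positive evidence of control effectiveness, which is the distinction the text draws between defect hunting and evidence of safety.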