Anna Delaney: Hello, I'm Anna Delaney. What's the current state of digital trust? And joining me to answer that question are David Samuelson, CEO of ISACA and Chris Dimitriadis, chief global strategy officer, also at ISACA, who will be sharing findings from ISACA's recently published state of digital trust survey. Great to see you both.
David Samuelson: Good to be here.
Chris Dimitriadis: Thank you.
Delaney: So David, I want to start with one of the survey's findings. Only 29% of respondents were extremely or very familiar with the term digital trust. So what are some misconceptions around digital trust that you'd like to address today?
Samuelson: Well, digital trust is a rising term in the conversation around cybersecurity. And I think the reason for that is it's bigger than cybersecurity. ISACA has a more holistic definition because digital trust requires multiple components in every organization, not only cybersecurity, but quality and availability and security and privacy are very important, but also ethics and integrity, transparency and honesty and resilience because in the long run, almost every company's a digital company today, even the small mom and pop on the corner is connected to the cloud in some way and can be compromised. And, in fact, they're at a greater risk than larger companies who don't have the resources. So understanding the holistic view, especially in our community of digital trust professionals at ISACA, we think that working together is going to create a longer-term solution than any one of these activities in the domain. So I think it's partly because it's a new term, and partly because we're trying to introduce and give meaning to this term. That is, we think it's important for the world to kind of operate in this digital trust environment.
Delaney: So Chris, what did you learn from the survey about the value of digital trust to respondents?
Dimitriadis: So one key finding of the survey is that digital trust is certainly recognized all around the world and its importance is recognized, as well. So, organizations, professionals around the world, they do understand the importance of digital trust, as far as the company or the organization's reputation is concerned about the success of the company in terms of its business goals, in terms of achieving wider stakeholder trust. And this awareness level is very positive. At the same time, though, we also identify that there is a gap between the recognition of the importance and the actions being taken right now, in our age. And this has to do primarily with the fact that collaboration between the different domains of digital trust, like cybersecurity, like assurance, or like privacy, like IT governance and IT management is very low, in order to be able to enjoy the benefits of digital trust. And another issue we have identified has to do with measurement and the lack of capability at an organizational level, but also at an ecosystem level, a digital ecosystem level, to measure digital trust and this is very troubling, but at the same time, it's a challenge. It's an opportunity in order to offer a solution that will change the situation.
Delaney: David, do you want to add anything to that? I found that dichotomy quite interesting that respondents are very aware of the value of digital trust. I think 62% recognize there'll be a decline in reputation for a poor digital trust to customer experience, yet only 23% say the organization measures the maturity of its digital trust. So we'd like your thoughts.
Samuelson: Yeah, you need to measure against something, right? You need to have a framework, which is something that we're working on to understand what good looks like. And especially in this sort of comprehensive way, we have lots of standards in the world that go deep on IT governance or risk or cybersecurity. In fact, it's become more important to people to measure that. But as these professionals tried to do their jobs in their silos, they lacked kind of the punch across the board in an organization that we think that our digital trust ecosystem framework addresses and that framework is going to help people identify where the gaps are and what to do about it - begin to understand what to do about it when they collaborate. And we're just at the beginning of this journey, but it's an important one that came from our members. I mean, ISACA has 170,000 members strung across the world in all of these domains. And as we listen to the issues that they have and the problems that they have in the workplace, these themes emerged, which is what created our concept around digital trust is that they were asking for ISACA to help kind of sort out how do we measure success in these domains together. And the result is our digital trust ecosystem framework, but we aim to try to close that gap and in the back gap of percentage of people who understand what to do here and give them the ability to start, first of all, start talking about it, understanding the problem, and then addressing problems.
Delaney: Dave, you mentioned what good looks like. What does good look like?
Samuelson: Well, it's a great question. We are defining digital trust as the confidence and the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem. And this includes the ability for people, organizations, processes, information and technology to create and maintain a trustworthy digital world. So, like I said earlier, every company is a digital company and many of them are going through digital transformation. And all of them are struggling with these cybersecurity news and security, just feeling vulnerable in this day and age because of all of that. And so, at the end of the day, good looks like trust, because their consumers need to understand that they're interacting with a company that is trustworthy in the digital space. You can walk into a neighborhood and sort of decide if you're going to go into a shop on a corner and trust whether or not this is a good neighborhood, the shop looks like it's a good place to transact and all of those things, but at the same time, because of what's been going on in the world, you might go into a doctor's office today and say, "Please give me your social security number on this piece of paper and you start to wonder, well, where's this piece of paper going to go with my social security number on it, and who's storing it? Who has access to it? Who's got the keys? Are there controls in place? Do I want to give them this information?" So I think we're more aware of all of these things. So good has to be trust in the end.
Delaney: Chris, David mentioned that all organizations are going through some sort of digital transformation. What about an organization who is on the digital trust path quite early on? What barriers might they encounter?
Dimitriadis: It's a great question. I think that David explained about the gap in between, I think the definition that David gave makes perfect sense because David refers to a digital ecosystem, right? So nowadays, we realize that organizations, even if they have started their digital transformation efforts, or they're trying to invest in digital trust, what they're meaning to understand is that they can't achieve innovation or to have a competitive advantage, or can be different. If they don't use, they don't become part of larger ecosystem. So today's emerging technologies, for example, require a much larger supply chain in order to be able to provide them to use technology as a real enabler of the business because of the speed that technologies are being adopted by several markets, right? So I think it's very important to understand that we need to have the right people within that ecosystem or the organization in order to be able to take those efforts forward and this is one of the obstacles that right now there is a gap between demand and supply. As far as the right professionals are concerned, there is a skills gap. And also there is a gap between business and technology functions in terms of the language they speak. So many times we see very high-level executives - let's say board of directors and CEOs - still in many industries, they consider digital trust, cybersecurity and related professions are still too technical for them. And behind this, I believe that the reason is that we not only need to create more awareness about the linkage between the digital ecosystem and the business terms and the business objectives, but we also need to train professionals more at the lower levels in order to be able to speak the language of executive management to be able to quantify digital trust in terms of the strategic objectives of an organization, in order to be able to explain, and not in technical jargon, but primarily with business terms in order to achieve this buy in. And when we discuss about lower budgets, or lack of buying and so on, I think it all comes down to the languages that different professionals speak within organizations. So training - I think that the common denominator is training and upskilling professionals in order to be able to collaborate better and to speak the same language in order to achieve the same target.
Samuelson: Yeah, leadership. Leadership has to be brought in for this to work. And it is a business issue, right? It's a business issue for everyone. So translating into business terms, which isn't always easy to do if you're an IT professional and you've come up through the ranks of IT or engineering, one of the skill sets you may not have is winning an argument in the boardroom or raising the flag of concern. And that, of course, there are many IT professionals that have that ability, who are leaders there, but giving more people the opportunity to connect the business issues actually helps achieve this. It's one of the most important gaps and like anything, you have to have kind of a bottom-up and a top-down approach in an organization.
Delaney: So you've mentioned leadership and training. What about tools? Are there specific tools that can help companies grow their digital capabilities? David?
Samuelson: Yeah, there are lots of tools that organizations use that come in the form of different standards and sometimes, because of regulation. And that generates tools that people are applying to check the boxes to make sure that they're complying and make sure that things are happening. But to get the biggest benefit, we first need to understand this overarching structure, I think, and realize, what I like to call the whitespace between these activities that exist in organizations, because if you can close those gaps, then you actually potentially achieve a more important resilience in digital trust. And I think that this concept of, first of all, understanding that it's a business issue, maybe reframing it as digital trust, helps all of the areas. Risk is a good example. I mean, cybersecurity is a risk issue for an organization. Risk is managed by senior management and known organization should be, but it's often delegated to a risk register or risk officer and to manage the kinds of things that organizations should be paying attention to. And if you can get the marketing department or even the HR department to be partners with you in understanding the digital trust message and connecting that to the employees of the organization, who are the frontline of the interactions with customers and are building the trust with customers, then I think you start to achieve long-term trust and resiliency around this issue. And so I feel like the tools have to extend beyond just the specific domains and into the organization little bit more. Chris, I don't know if you have more specific ideas there.
Dimitriadis: They're very well said, David. Just some examples, maybe not ideas. For example - and it depends on the size and the nature of the organization - but we have many tools, as David said, in its domain, in audit, in cybersecurity, in privacy, or when we're managing technology projects and so on. What we don't have right now is a tool that will bring everything together. For example, if an organization is focusing on time to market using agile methodologies, how do you deploy continuous auditing methodologies? How do you introduce emerging technologies like AI in order to help you out identify partners, how does this link with the cybersecurity strategy? And therefore, is this part of the enterprise risk management framework? Do we take into account privacy considerations based on the data that the organization is controlling? But most importantly, what's going on with the rest of the supply chain? Because we may have tools for organizations, but we may not have tools in order to gain more confidence about the supply chain and we will depend. And it may be cybersecurity incidents. And this is another example, we see that usually the supply chain was the main, let's say, vulnerability of the whole digital ecosystem even of a large organization, or we see that even if an incident occurs, a cyber incident occurs, still digital ecosystem may have missed basic security controls that more or less demonstrate a vulnerability in auditing, rather in cybersecurity, in order to create that confidence. So bringing everything together is very important. And that's why ISACA invested in the development of a new framework, the digital trust ecosystem framework. Maybe David, you want to say a couple of words about it?
Samuelson: Yeah, well, I've talked about it already. I think we're launching this framework, which is across the domains that we mentioned, and not surprisingly, the domains that we serve at ISACA across assurance and auditing, IT governance, risk management, privacy, cybersecurity and quality. And those domains are essential across the board, in terms of achieving digital trust. And I feel like one of the things that we need to do as an association is provide that level of best practice or what does good look like and help point people. There's lots of good work going on in each of those domains, and which is very important work. And we still need those frameworks. And we still need those experts and those tools. But it's not enough. There's something else that we need, which is across the board, that allows us to measure this kind of success for organizations and that's our aim.
Delaney: The framework can also help organizations measure the maturity of their digital trust practices, I presume?
Samuelson: Yeah, we'll get there. We have one of the things that ISACA does is measure maturity against frameworks, we have the CMMI maturity model that is part of ISACA, which measures sort of quality in an organization. And what's nice about a maturity model, as opposed to, say a checklist of whether you're complying or not, is that it talks about a journey, like how close am I to great, or if I'm adequate, at least I want to know where I am on a maturity scale, so that I know where to focus because there are a lot of effort, especially in cybersecurity, because of the world that we live in, that is happening today. And so that's great. So measure where we're at, we've got this part covered, but maybe we're weak over here, or maybe our risk isn't talking to our cyber and therefore, we've got some gaps. And we're not identifying enough for the C-suite or for the boardroom because of that. Because maybe those tools are more mature, it's just understanding where you are on the journey, which we think is important in order to figure out what to do first. So we'll be launching them, the framework, this year and next year, we're working on the maturity assessment, or the index that allows us, our community, to start to make judgments about how to use this framework and where to apply their efforts. And then, as we develop those, we can understand what solutions are required. And there's many solutions in the marketplace. And so, part of what we can do is help point to those solutions once you identify the gaps.
Delaney: Very good. Well, just final questions. You both advise organizations how can they gain the most from this survey? Chris?
Dimitriadis: Absolutely. I think that first of all, it's about awareness. In order to understand that digital trust is very far from any progress an organization may be able to do at an individual domain. So it's about progress in all of the domains at the correlated combined manner. So this important awareness in terms of the business importance and the business aspects of digital trust. But also, since we have identified the obstacles and the impeding factors for digital trust to try and take action and based on the results of the survey, start considering how upskilling and training personnel can lead into more digitally trusted ecosystem. And, of course, anything that has to do with viewing the problem more holistically, rather than in a silo. I think that's very important. Plus, finally, about the maturity assessments that David explained. I think that it's important to read the results of the survey and understand that maturity assessments are about removing uncertainty because the higher you are in maturity, the more the certainty, and this is how maturity models work: certainty of the end outcome, and that's about confidence at the end of the day, which is part of the definition of trust.
Samuelson: Yeah, and I think one of the big things from this survey is to understand that it's a business issue, not an IT issue, and that the conversation should be broader than it is today. And that's why framing it under digital trusts makes it a little bit more understandable across the board. employees. If you think about some of the most vulnerable issues - Chris talked about one being the supply chain, the other one, sometimes its employees, the weakest link in an organization might be a phishing campaign to a single employee that gets at some information you didn't want to share. But if there's understanding about how this all works, and why it's important, it's pretty basic. , it's about trust. Trust is something every business needs. Digital trust is important today, because we're all connected to the cloud. And we're all connected digitally. And it's happening so fast, it continues so fast that if you make it one person's job and it's delegated to that person and other people forget about it, if you make it everyone's job, then they understand why it's important and what role they play in achieving digital trust. And then you provide the tools to the experts who can help the organizations manage all of that.
Delaney: Very good. Well, this has been an excellent conversation. David and Chris, thank you so much for sharing your expertise and perspectives.
Samuelson: It was our pleasure, and thanks for having us, Anna.
Dimitriadis: Thanks for the opportunity.
Delaney: We've been reviewing ISACA's state of digital trust survey. For ISMG, I'm Anna Delaney.