To truly understand security, the business should consider a new CEO or CTO

CISOs may be seeing mixed results when trying to teach company executives about the nuances of information security, but one business expert believes outcomes can be significantly improved by appointing a C-level executive focused specifically on issues of trust.

The appointment of a chief trust officer (CTO) or chief ethics officer (CEO), Accenture Security APAC managing director Jean-Marie Abi-Ghanem told CSO Australia, is emerging in some companies as a way of removing the perception of security as a technological solution.

Instead, such an executive would tap into the universal understanding of the importance of trust – something that 83 percent of executive respondents in a recent Accenture survey agree is critically important to the digital economy; conversely, 82 percent of respondents believe that the transition to digital also exposes them to “exponentially more risk”.

Purveyors of security, Internet of Things (IoT) and other modern technologies must therefore address trust as a key design criterion, Abi-Ghanem said, by understanding which of their products and services contain client data – and whether consumers trust them to look after that data.

“Businesses need to get that trust feedback from customers, and to succeed they must take at least one product and evaluate it at every step to see how they are dealing with trust or ethics around the data,” he explained. A chief trust or ethics officer would be tasked with building principle-based codes of conduct to reinforce those perceptions, with involvement from security specialists to ensure those controls are implemented as enforceable policies.

The executives must also frame those policies within the context of accepted standards for security and governance, with appropriate benchmarks to measure ongoing compliance. “They have to challenge decision-making when companies are dealing with data in the process,” Abi-Ghanem said. “This means challenging what informed consent means when clients give it to you, and understanding the data and how it is used within the business and its products, systems, and processes. They're looking at how to do no harm, really, and what this means at every step of the process.”

His voice is one of a growing chorus of security experts pushing for new approaches to solving a risk equation that has gained numerous additional variables in recent years. Approaching the problem with fresh eyes, from new angles, is seen as a key part of an effort that must also include a bottom-up reconciliation of business and technology activities to identify and isolate ongoing security issues. These must then be rephrased using business concepts that isolate executives from the confusing language of information-security enforcement.

Accenture is already conducting early proofs-of-concept with clients in Australia to see whether a more context-based approach to security can improve both internal compliance and the external perceptions of products and services designed to handle consumer data.

Over time, such activities can reinforce the perception of a business as being both trustworthy and ethical – and help executives restate their own commitment to security in ways that external stakeholders better appreciate.

This approach also benefits CISOs, who can work with trust and ethics officers to build out a jointly adopted, broader story to sell to the business executive – which will be particularly helpful as mooted new breach-notification laws push those executives to consider their security exposures. “The C-suite understands more and more of the subject,” Abi-Ghanem said, “and when you talk about digital trust to a C-suite, they get it. It steers the conversation away from technologies and pen testing and techie talk, and provides an easier conversation than security on its own. The key is always, at every step of the customer journey, to consider whether trust is being enhanced or eroded.”


Stories by David Braue
