Digital trust is the measure of consumer, partner and employee confidence in an organization’s ability to protect and secure data and the privacy of individuals. As data breaches become bigger and more common, digital trust can be a valuable commodity for companies that earn it, and it is starting to change the way management looks at security.
Security has traditionally been seen as a cost center. In recent years, however, businesses are waking up to the idea that good security is a business enabler that can foster new services and build customer loyalty. A new report from CA Technologies, conducted by Frost & Sullivan, confirms this trend. The Global State of Online Digital Trust Survey and Index 2018 shows that taking security and privacy seriously can have a positive financial impact beyond avoiding costly breaches.
Consumers with high digital trust spend more online
“Trust is one of the things that permeates across the whole business,” says Stephen Walsh, director of security for Northern Europe, CA. “It is the bedrock of business and without it organizations are going to struggle to keep their existing customers, gain new customers or enter new markets.”
What is the role of the CSO in building trust, and how do you go about establishing trust with your organization? The CA report provides data to help answer that question. It surveyed consumers, security professionals, and business executives to establish a digital trust index for each group.
On a scale of 1 to 100, consumers scored their confidence level at 61, a “barely passing grade” according to the report. Security professionals and business executives had significantly higher indexes of 75 and 74, respectively. More important, the survey showed that consumers with a high level of digital trust spend more, with 57 percent increasing online spending over the last 12 months versus 43 percent for consumers with low trust.
More consumers prefer security over convenience
According to the CA report, 27 percent of business executives view security initiatives as having a negative return on investment (ROI). Most customers in the report (86 percent), however, said they would prefer security over convenience, and the more trust they placed in a company, the more money they would be willing to spend with that organization.
Seventy-eight percent of those surveyed in the report responded that it is very important or crucial that their personally identifiable information (PII) be protected online. When choosing an online service, 86 percent indicated that a high level of data protection is a priority. The results clearly point to a growing awareness that digital data is important, and an organization’s perceived ability to protect it in a responsible manner has a direct effect on sales and customer retention and acquisition.
“Quite a lot of people in the past have viewed security as kind of an incumbent, something that you have to get over,” says Walsh. “The more boards think of security as an enabler and a way of actually acquiring new customers and new business, the better off we will be.”
The digital trust gap: Business leadership “out of touch” with customers
Even if companies understand the value of trust, many simply overestimate their own standing in their customers’ eyes and how they compare to the competition. The report found an average 14-point gap between how much customers trust organizations to handle personal data appropriately and how much organizations think they are trusted. The report claims this illustrates how “dangerously out of touch” organizations are with their customers.
Just a third of customers said their trust in organizations had increased over the last two years, compared to the 84 percent of business leaders who believe that trust has increased. Ninety percent of those business leaders claim they are very good or excellent at protecting customer data, and 93 percent say that it is a differentiator over the competition.
Considering the number of organizations that admitted a data breach in the study, this clearly does not add up. “Thinking you're great and having that false sense of security I think is extremely dangerous for an organization to say,” says Walsh. “It's a dangerous trap to fall into; security is not just a tick box exercise and the evolving threat landscape shows us that just because you're secure this year doesn't mean something else going to happen next year.”
The cost of losing trust
Likewise, the cost of losing trust can be large. Half of organizations surveyed in the report admitted having been involved in a publicly disclosed data breach, and nearly all found that the breach had a long-term negative impact on their revenues and on consumer trust. On the customer side, half said they stopped using a company’s services if it was involved in a breach and instead moved to a competitor.
“If customers see organizations who don't have that security, they're going to vote with their wallets and go somewhere else where they do have that sense of security and building up that digital trust,” says Walsh. “Thinking about it twice probably means you've lost the customer because they'll go somewhere else. If you have the perception from customers that you are doing your best to keep their data, assets, money, whatever it is, secure, that's how you build trust. The other side of that is that sometimes it can only take one breach or security issue to lose that trust you built up over a number of years with your customer base.”
The role of the CSO in building trust
While on the surface, trust might seem like a security problem and therefore fall entirely under the purview of the CSO, the reality is more nuanced. Building trust isn’t just about making the right security decisions; it’s about communicating those decisions with customers so they can see and understand how you’re protecting their data.
“Everybody on the board -- whether they're in marketing or in finance -- should be interested and responsible for jointly securing and building that trust between you as a company and your customer base,” says Walsh. Rather than being an afterthought, he says, security and trust will be much more at the forefront of customer acquisition and of customer retention. He is already starting to see security programs being run and funded outside of the CSO function.
“Some of this is about perception and attracting customers, and in some organizations, marketing or customer acquisition have been involved in increasing security posture, and also the messaging of that, and enabling customers to use that new security methodology,” says Walsh. “Is it down to the CSO to implement? They are the right one to implement, but in terms of a broader holistic view, it should be CEO all the way down.”
While the CEO needs to lead, the CSO needs to be directly involved in trust-building initiatives and in constant communication with other functions to ensure the company is consistent in how it operates and communicates.
How to build trust with customers
Building trust is no simple task. As well as doing the normal security tasks of implementing the right technologies and processes to ensure good security posture, organizations need to communicate. “Some of this is about messaging, but again if you're building that trust in your messaging and then don't do it, that trust is going to evaporate,” says Walsh.
To help build trust, he says organizations need to be upfront and transparent with their customers. They should clearly explain what they are doing with data and why, be clear what data is being collected and what it will be used for, and explain what security steps and processes are in place to ensure it remains secure.
For example, using multifactor authentication (MFA) is good security practice, but communicating why a customer is being asked to provide extra authentication during a transaction or process helps build that trust. “It’s important that a company demonstrates to their customers why they're putting extra layers of security; say 'we're doing this because' as opposed to 'we're doing this'.”
The European Union’s General Data Protection Regulation (GDPR) came into force in May of 2018. Many studies show that companies both inside and outside the EU have yet to achieve full compliance. However, if taken seriously, GDPR is an opportunity to build trust with customers and make security and privacy a major issue at the top table of the business.
“GDPR is a definite opportunity for organizations; companies who take security seriously will be the companies who build consumer or B2B trust and actually go forward,” says Walsh. “Whereas people will go after the lowest hanging fruit, and if they know all you're doing is treating GDPR as a tick box [exercise], maybe you're more vulnerable than other people who are taking this seriously.”