“Trust” is something of a dirty word in the world of cybersecurity. Need proof? Just run a quick Google search for “zero trust” and see how many millions of hits you get. In today’s world, trust—on its own—just isn’t in the vocabulary for most security professionals. Everyone and everything needs to be verified and authenticated, poked and prodded with continuous validation tools to make sure no unauthorized parties are accessing valuable information or moving freely throughout the network. You could use the phrase “trust but verify,” but it might be more accurate to say “verify, but don’t trust.”
This isn’t a bad thing—but it also doesn’t tell the whole story. While you don’t want to extend trust to any old identity present on a network, the truth is that trust forms the foundation of any relationship. No, it should never be automatically given, but it can certainly be earned. Today’s businesses are forming dozens—if not hundreds, or even thousands—of relationships with technology partners, cloud providers, vendors, distributors, customers, and other entities. How do those people and organizations earn trust? There is no simple answer, but compliance standards play a significant role. There can be no trust without transparency, and modern compliance helps organizations make their security practices considerably less opaque.
Why building trust is increasingly critical
Just under two years ago, the SolarWinds breach shook the cybersecurity world to its foundation. It was not the first third-party breach, nor would it be the last, but it was one of the most significant. It exemplified everything that cybersecurity experts had been warning organizations about for years: an attacker was able to infiltrate a software provider and insert malicious code into a product that was pushed out to a huge number of customers. Experts estimate that the cost to each affected company may have been as high as $12 million, while the cost to SolarWinds was significantly higher—not just in terms of financial losses, but in reputational damage and other, less quantifiable forms.
That description is a simplification, but it drives home the fact that today’s businesses don’t just need to worry about their own network security—they need to worry about the security of any individual or organizational partner that has access to their network. This has made security questionnaires increasingly common as organizations explore potential partnerships and vendor relationships. Still, it’s not always easy to capture all of the necessary information via a simple questionnaire. Today’s security systems are complex, and can vary greatly from industry to industry—let alone company to company—and not every organization has the in-house knowledge to parse the value or effectiveness of certain security tools or policies. How, then, are organizations to reliably verify whether their partners are taking the cybersecurity precautions needed to keep their networks safe?
The role of compliance
Compliance isn’t the whole solution to the problem, but it does play a major role—and while adhering to compliance standards and undergoing audits isn’t most company leaders’ idea of a good time, it does serve an incredibly valuable purpose. Those standards provide a common framework against which organizations can judge one another’s security posture in very specific ways. In fact, many standards don’t even carry regulatory weight—they are simply accepted, broadly or within certain industries, as a reasonable security baseline. This helps those within the industry hold each other accountable to certain agreed-upon standards, putting those who neglect their security at a disadvantage. SOC 2, for example, gauges how well businesses protect the data they store in the cloud—something that is only becoming more important as organizations gather more data and work with more software-as-a-service (SaaS) providers.
What these frameworks provide is transparency. Organizations don’t self-report whether they meet standards like SOC 2, ISO 27001, and HIPAA—their capabilities are judged by an independent, third-party auditor. What’s more, standards like SOC 2 don’t just provide a point-in-time snapshot of security capabilities. They measure the effectiveness of an organization’s controls over time, providing a 6-month or even year-long window into the policies and tools the organization has in place and how well they are working. There is no such thing as a “SOC 2 certification.” It isn’t a box a company can check once and forget about. It’s an attestation: a standard against which the organization is evaluated and re-evaluated on an annual basis in order to generate a report that validates that the trust services criteria or requirements are being met. That report clearly and easily demonstrates that the proper precautions have been taken and that they are working effectively.
This goes a long way toward building the necessary degree of trust between organizations. In fact, some organizations go a step further, using modern tools to provide real-time visibility into their security posture—a step which can both streamline the compliance process and provide a degree of transparency that goes above and beyond expectations. Engaging in red teaming exercises and participating in industry-wide threat identification are also among the steps organizations can take to make their dedication to security clear. Collaboration, in particular, is becoming more commonplace, as organizations share threat intelligence with one another to help identify threats more quickly and remediate them more effectively. Membership in these initiatives is just another way to build trust.
Trust isn’t given freely—so earn it
Zero trust is popular for a reason, and no, you shouldn’t adopt a trusting attitude in your network and data access policies. But it’s important to recognize that interactions between both individuals and organizations hinge on the establishment of some level of trust. That trust cannot (or at least should not) be freely given, but there are ways to earn it.
Compliance isn’t about penalties and other punitive measures. In fact, many modern standards have no “punishment” for noncompliance beyond loss of reputation, loss of potential business—and loss of trust. In today’s threat landscape, it is critically important to understand whether a partner, vendor, or customer may be opening you up to a potentially costly cyberattack—and it’s just as important to demonstrate that you aren’t leaving them vulnerable, either. Adopting a proactive approach to compliance that continuously monitors and evaluates your security capabilities is one of the most important ways to establish proof of security and begin building the trust that serves as the foundation for a fruitful relationship.