Thursday, March 27, 2014

Trust but…

Is the Chief Trust Officer becoming the key hire in today’s best companies?

The acquisition of social media scoring company Klout by social media enterprise company Lithium for $200 million dollars today (3/27/2014) raises a security question in my mind that has implications much broader than how this particular deal turns out.

I‘ve been invited to join Klout over the past couple of years, first by my friends (who didn’t realize they were inviting me), and later directly by Klout with come on’s like “Your Klout Score has Risen.” I’ve never clicked on them, or joined the Klout community, as I didn’t have a good appreciation of their security or privacy direction and commitment. That’s not to say it’s either good or bad, but just that it wasn’t conveyed as good, and the absence of good is bad. So when I saw the acquisition announcement this morning, I flipped over to the Lithium page, and checked out their corporate officers. They’ve got Chief Executive, Operations, Community, Customer, Scientist, & Product officers, but no Chief Trust Officer.

Looking further on their site, they list a solid group of security measures they take, which is admirable. But as I’ve experienced throughout my career, the bad guys will find six ways from Sunday to drive in between pockets of good countermeasures and rob you blind. Having a corporate officer that is committed to the security and privacy of clients is fast becoming a key differentiator in consumer-centric companies.

Cloud company CipherCloud recently named Bob West as their Chief Trust Officer. This is a great move both for CipherCloud as a company, but more importantly for their current and future customers. Customers want to be ensured that someone they trust is looking out for them. Customers don’t want to read your privacy policies, or evaluate if your application security controls are sufficient to meet your threats, or decide if the ever popular 256 bit encryption is the best choice (or even meaningful). They want to trust a person. And a Chief Trust Officer is that person.

Chief Trust Officers have un-impeachable security credentials, are well versed and current on the who/what/why/how of threats, have strong ties to law enforcement for event mitigation, understand the balance between protection and recovery, and the difference between compliance and security, are well versed on the emerging security technologies now available to solve previously difficult issues, and do their best work directly with customers under the bright lights of public scrutiny, not in the shadows of security. Your Chief Trust Officer should speak 'customer' as well as they do security, privacy, technology, and compliance.

In my book Mapping Security, I wrote a few years ago about the evolution from Chief Security Officer to Chief Risk Officer, and how industries like Energy and countries like Israel were early adopters. But ‘Risk’ still focuses on the negative aspects of security, where as ‘Trust’ embodies what good security has become today. Security is an enabler for business, and Trust is it’s engine. When consumers read about governments, criminals, hackers, advertisers, and hactivists trying to invade their privacy, and big name brands like Target and Niemans and Google not able to protect them, having a tangible trust link will make the business difference between success and failure.

As companies evolve and are looking to maximize every nuance of their social media, viral marketing, advanced advertising, and positive branding for their growth, they would be well advised to broaden their boardroom to include a Chief Trust Officer. Compliance and security are no longer enough to attract today’s consumer—they need to trust you.

No comments: