
On Trust and Regulation

Trust is part of our daily lives. It's what gets us to work in the morning and it's what keeps our society from going insane. That car in the lane next to me on the freeway this morning: I trusted it not to swerve into my lane and send me careening off into the guardrail. But did I trust the car or the driver? How is trust created, and are we using regulations and money to buy customer trust?

On Tuesday, July 17th, the Deputy Attorney General made remarks at the Corporate Fraud Task Force, in which he said:

"For the past five years, the Task Force has worked to restore public confidence and trust in the American business community." Deputy Attorney General Paul J. McNulty, July 17th, 2007

What does this have to do with information security?
McNulty's quote refers to Sarbanes-Oxley and other regulatory measures put in place since the Enron and WorldCom fallout. While he does pointedly say "business community," he still talks of business as an entity capable of trust. Many of us like to think we trust an organization, a business or some other concrete entity. Regulation does not drive trust in a business; it aids in ensuring that people do the right thing. Further, the people whose trustworthiness we really should be questioning are the auditors. Adherence to regulation can, today, only be fully measured by a human, and it is the auditor who has the job of rating compliance.

The point(s)
The crux of this discussion of trust is that businesses and consumers have come to define their trust in another company based on regulations and frameworks. The first thing we ask for from any potential vendor is their latest audit findings (SAS70, SysTrust, etc.). It has actually become a cop-out for many, as opposed to doing the real personal work of investigation. Fail to provide a SAS70 report and you can instantly expect to either lose the deal or need to reduce your bid by 50%. Somehow it's thought that a good audit translates into a well-run company in which we can place our trust.

Do audits and regulation equate to trust?
Let's get this out in the open: the SAS70 is one step above a note from your mom. It has no standard framework, and it's easy enough to change your stated controls to ensure a passing grade. Yes, the SAS70 report does include both the stated controls and the findings against them. So you, as the evaluator of the findings, take on the risk of ensuring that the stated controls are what you desire in a vendor. After reviewing a SAS70 report, is the consumer now in a position to trust the provider, or is that still in the eye of the beholder?

Those of you who work for a company bound by regulatory policy know the pain very well. According to some estimates, 10% to 15% of your overall IT budget is spent on SOX efforts. Some might say that spending 15% of your budget to gain someone's trust is cheap, but that would be false. That 15% was your admission fee just to get in the game.


Let's move out from under the cover of policies, regulations and frameworks as a method of judging trust in a corporation. A person awards trust. Audit reports move us along the road to shared knowledge, but don't be lazy. In order for someone to earn trust, both entities need to co-develop a priori knowledge of each other.

Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on July 19, 2007 1:26 PM.
