Thoughts on Breach of Trust vs. a Breach of Security

By Peter Gregory, James Robinson ·

General thought: A breach of trust is different than a breach of security.

Trust and security, while related, are very different from each other. In recent years, we have seen information security continuing to be defined with strong frameworks, guidelines, and support from regulators to security offices, while the concept of “trust” has just begun to emerge. In recent years we have seen Offices of Trust being defined in companies with the role of Chief Trust Officer.  

Trust-vs-Security

In recent incidents where third and fourth parties were involved, there are some key things to understand when positioning a security breach versus a trust breach. To explore this further, I (James) will pull an experience from my childhood.  

As a child, I would not say I was a model child when it came to following my parents’ rules. I recall sneaking out of the house a few times to be with friends and do what teenagers do. I also recall getting caught by my parents and them lecturing me – not about how I got out or even what I did when I was out – but the breach of trust and confidence they had in me. Now that I am a parent, this is something I try to also share with my children.  

So, what is trust and the breach of it? We know there is an official definition, but for us, trust is the confidence we have in ourselves and others to do the right thing. Much like the saying courage is doing the right thing even if it is not the most popular, trust in many ways is the same concept. To establish trust, one must think about many factors in addition to security. One must evaluate situations where a stakeholder has a perceived notion of safety, security, trust, privacy, support, and other factors – in essence, that another party will do the right thing. In recent events, companies involved with breaches in many ways did the correct thing; however, areas of trust that were defined for users were infringed upon – not by the company but by other users in the ecosystem. We relate this in my ways to attacks like cross-site scripting (XSS) where a user is attacked by a flaw in the system. This is part of the trust ecosystem driven by information security. Another example is the breach of trust based on the supply chain when medicine and the packaging that protected the medicine was compromised. The trust of the company was impacted, and stakeholders (often, the investors and consumers) were looking to the company and its response to rebuild trust.

For us, the position of a trust officer would be more of a risk officer than a security officer, and more like a privacy officer – an ombudsman who advocates for customers. Nowadays, where security threats are eminent and breaches are weekly news, the establishment of a trust officer might be a key area that organizations need to evaluate to ensure that confidence in their goods and services are delivered to customers and stakeholders. This would help to ensure that trust is maintained throughout areas of security, privacy, supply chain, and others in a way where risks in trust are identified, reported, reviewed, evaluated, and decisions are made in the best interest of all stakeholders. Our mentors have taught us that every organization will have trust-related events. When an event does happen, trust and confidence is something organizations can maintain through their response and continued focus on areas where trust may be at risk.
 

Peter Gregory

Director, Information Security

Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online. 

James Robinson

Vice President, Third-Party Risk Management

As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.