
Tuesday, October 07, 2008

Get on Board! Digital Trust Is Leavin’ the Station!

I hope you’re watching the announcements about security as they fly onto your workstation through email, RSS and various postings.  Every week there is a new “discovery” about the need for security services and technology to help create value for the enterprise.  Just this week there are two powerful reminders (and it’s only Tuesday)!  In both cases, the message of Digital Trust is echoed over and over.  In particular, these announcements reinforce three of the four strategic conclusions of the Digital Trust research program as reported in Volume 8, the final volume of the Digital Trust report series:

* First, digital trust is real. The presence (or absence) of digital trust has real, direct impact on the ability of the enterprise to achieve competitive advantage and “make business happen.” The findings of the third quarter 2008 Online Customer Respect Study of life insurance industry Web sites have a specific warning about the impact of a lack of (digital) trust for this industry.

* Second, aim high and first with a digital trust strategy to get the payoffs. In a summary report from the Security for Business Innovation Council, published earlier this year by RSA, 10 security leaders from different industry sectors have declared that security teams must now become “full partners in the business innovation process.” When you read further, you will discover that this is their way of saying “apply a digital trust strategy.” In the words of the press release, “In this landscape, the security focus must move from solely mitigating risk to also maximizing business reward.”

* Third, security governance structures prevent digital trust strategies from being used more widely. A more recent companion report also published by RSA tries to develop and explain a “risk/reward equation” based on a foundation of enterprise information risk management.  Once again each of the 10 council members offers his or her advice about how to maximize the returns from such a strategy.  Compare this to the foundation equations of digital trust presented in Volume 1 of the Digital Trust report series (see “Not Your Father’s Information Risk Management” on p. 6), and to the results shown over and over in each of the succeeding volumes.  (All Digital Trust volumes can be found here.) There are some important differences between the two in just what “value” is targeted, but both insist on an organizational and governance structure that makes security teams aware of business objectives (not just operational objectives) and assigns them the responsibility for attention to value in prioritizing security actions.

Ten “thumbs up” for digital trust
RSA established a Security for Business Innovation Council in 2008.  The membership was selected by RSA from among security executives representing companies that had extensive security programs, regulatory issues, substantial investment in intellectual property, and an acknowledgement that “information security needs to be part of their business innovation process,” as the summary report said.  Interviews with each of the 10 executives led to the conclusions of the first (summary) report and recommendations about risk/reward in the second report.

In quote after quote from each of the 10 members in their first report, obligations to recognize business impact and (at least) not hinder business operation unnecessarily are promoted.  It’s a very tiny step between the words of the council members and the conclusions and recommendations of Digital Trust.

In the second report, the council members promote an “information risk management” methodology as a way of balancing risk/reward for information security.  While it does move security service away from being an innovation inhibitor, it still falls short of the digital trust reality (and equations) that include and account for enterprise value creation with security services and technology rather than incremental (even cost justified) reductions in risk exposure over enterprise value that already exists.  Despite this difference, there is strong and compelling agreement on the need to rearrange IT security/risk governance so that the security teams are directly connected to business objectives and value targets.  Only then can they more fully contribute to innovation within the enterprise.

A digital trust deficit for the life insurance industry
The Customer Respect Group “measures and reports on the behavior of corporate websites in relation to the treatment of the online customer and their personal data.” (www.customerrespect.com) As part of this measurement, the Customer Respect Group has invented a Customer Respect Index (CRI) rating.  For the past five years, the Customer Respect Group has reviewed and measured corporate Web sites, including life insurance industry Web sites.

While this latest study indicates that at least some life insurance Web sites have begun to improve their performance according to the CRI, the study also lists two items as its “most surprising results.” One has to do with the speed of innovation.  The other, however, is listed as “not enough emphasis on trust.” Since the study is based on an examination of Web sites (in this case insurance company Web sites), the kind of trust deficit being declared is a digital trust deficit.  And, that deficit is penalizing life insurance companies by limiting leads for offline business.

Despite the generally weak CRI scores of life insurance companies, five companies were noted as making good improvements. The top five life insurance Web sites and their CRI scores (10 is best) are:

-- Western & Southern Life (7.7)
-- Nationwide (6.7)
-- Metropolitan Life (6.7)
-- New York Life (6.4)
-- Principal Financial (6.4)

In the Digital Trust report series, Volume 7, “Transparency and Assurance,” examines how digital trust can be created, conveyed, lost and reclaimed.  Although four main techniques for the creation of digital trust are explored, special attention is given to the topic of digital trust creation for Web sites.  Even though the five insurance companies listed have begun to rise on the CRI ranking ladder, digital trust creation techniques are readily evident in only two of them (Nationwide and Principal Financial).  Even then, their use of those techniques falls short of the best applications as described in the digital trust reports.

There’s sure room for more value creation with digital trust in insurance company Web sites.  I wonder what the rankings could be if digital trust techniques were applied thoroughly?!

The sound of digital trust on the move
Can you hear it?  The sounds of digital trust and digital trust strategies are getting louder and louder as they move forward into more widespread application, with the recognition that security services and technology can, indeed, create value for the enterprise.  Be sure your enterprise “hops on board” before the last digital trust cars leave the station.

About this Blog

CSC's Leading Edge Forum helps organizations realize business benefits from advanced IT more rapidly. The LEF works to spot key emerging business and technology trends before others, and identify specific practices for exploiting these trends for business advantage. LEF programs and reports are intended to provoke conversations in the marketplace about the potential for innovation when applying technology to help advance organizational performance. Come join the conversation.
