Defining trust for your organization, as a human trait, and within information security

Matthew Moog serves as the General Manager, Third-Party Risk at OneTrust, the category-defining enterprise platform to operationalize trust.

In his role, Matthew advises companies throughout their third-party risk management implementations to help meet requirements relating to relevant standards, frameworks, and laws.

Prior to joining OneTrust, Matthew spent 18 years at EY where he led their Global Third-party Risk offering for Financial Services and their Third-party Risk Managed Service offering for the Americas. Moog is a CISA and has a BS in Management Information Systems from Rensselaer Polytechnic Institute in Troy, NY.

What are the core components of organizational trust?

Trust is an earned outcome. Trust is earned through a collection of integrity-based commitments and actions that are continuously measured, tested, and enforced through consistent behavior. These actions and commitments traditionally come from four core components of the organization spanning privacy, GRC, ethics and ESG.

These pillars are often managed in silos, whether that be teams not communicating with each other or systems not integrating. While immediate needs for one organization might be privacy and security, it’s common for priorities to mature and organizations to consolidate their processes across all four pillars as they become more invested in building a more trusted brand and reputation.

Why is organizational trust important?

There are key fundamental shifts happening globally that are increasing the criticality of having organizational trust in place.

Not only is society-at-large urging organizations to align with stakeholder values and needs, but consumers have higher expectations on how their data is being used, and regulatory requirements continue to drive more urgency and focus in upholding privacy, security, ethics and ESG operations.

These four core components of trust fundamentally change the commercial outcome of an organization. By weaving the fabric of trust throughout an organization, the opportunity for business differentiation becomes more attainable. 

What about the human angle? How can individuals across an organization contribute to a culture of trust?

Building a culture of trust across an organization requires buy-in from all stakeholders in the business.

The culture is refined and reinforced at the intersection of employees’ willingness to speak up about wrongdoings and management’s willingness to mitigate these acts in an ethical and fair manner.

Without holding employees accountable, regardless of their rank or department, your trust culture will be undermined rather than strengthened. If the evaluation process is fair and transparent, then the findings will be more trustworthy.

How can embedding organizational trust help improve information security?

Information security is often siloed. To have a truly comprehensive information security program, organizations must embed security throughout the supply chain and internal processes from a singular standpoint: trust. Facilitating a trustful security posture empowers organizations to align privacy, third-party risk management, ESG, GRC and business needs collectively. So, how do you put this into action?

Organizations must conduct consistent and detailed due diligence. This includes everything from identifying key assets and weaknesses in your security posture, to understanding threats in your vendor ecosystem. This strategy will empower individual stakeholders to embed risk-based security measures into their day-to-day processes while improving the overall information security program.

What are some of the main considerations for IT and security leaders when trying to encourage trust within their departments?

There are several considerations that IT and security leaders must account for when encouraging trust within their departments. These include:

- Intent: Is your intention to be open and transparent regarding trust reviews and testing?

- Integrity: Are you being authentic and honest when it comes to the risk your organization is exposed to and have you adjusted your controls to a relevant cybersecurity framework?

- Capability: Do you have the skills and knowledge to address a major cybersecurity incident?

- Results: Do you have credible processes in place to measure trust and security metrics and do these metrics influence behavior?


For more information on this topic, download the infographic where we share 12 considerations to build trust for IT and security teams.