Digital Trust Isn’t a Fad; It’s a Requirement in Today’s High Velocity Environment

Just over a year ago, ISACA reached out to me asking for my thoughts on digital trust.  Of course, I had a few ideas related to the subject, as it had come up in several board meetings I’d been in recently.  As it turns out, this short discussion vaulted me into an entirely new realm of cybersecurity, privacy, governance, risk and compliance, and I can’t turn back now.  

Digital trust is the next generation of privacy and cybersecurity, risk and IT governance.  If you don’t believe me, read on.  

How do I see digital trust?

Let’s take one of my favorite hotel chains, Marriott.  I’ll admit it, Marriott has experienced a few issues in the last couple of years.  They’ve had a few hacks, been fined for privacy violations under the GDPR, and of course, they’ve overcharged me a few times.  You would think that I would have dropped Marriott by now, but I haven’t.  I’m still a loyal customer.  I’ve talked to other colleagues who removed Marriott from their travel plans due to a few ‘glitches,’ but I’ve chosen to stay with them.  This is because I still trust our digital relationship.  This got me thinking about digital trust.  Why am I still a fan of them when many punted them after the first sign of distress?  

This is digital trust.  

There are a lot of definitions of digital trust out there.  Now that it is becoming a buzzword, everyone seems to have a solution for it.  Sure, I’m a huge ISACA fan, but I really like their definition:  


Digital trust is the confidence in the integrity of the relationships, interactions and transactions among providers and consumers within an associated digital ecosystem. This includes the ability of people, organizations, processes, information and technology to create and maintain a trustworthy digital world.

To be fully transparent, I was a member of the development team for the Digital Trust Ecosystem Framework (DTEF) with ISACA.  It might not be a surprise to you that every word in this definition was evaluated and argued over to make sure we had the most appropriate definition, and I really like how this turned out.  

Let’s take this a step beyond just defining digital trust.  There are several attributes that build trust.  Back to my Marriott loyalty – why did I choose to stay with them when others opted out?  For me, there were several factors:  

  1. I’m a longtime member with a lot of loyalty points and a lot of perks when I use Marriott
  2. I am satisfied with their communications, and approach to negative newsworthy events
  3. I still trust Marriott’s digital communications and their protection of my privacy
  4. I prefer to use their app to schedule and manage my stays rather than calling them
  5. I like their brand

In turbulent times, customer trust is key, and it is easier to lose trust than gain it.  Speaking of brand, this is one of several factors that build trust.  I was reading an article from a company called Morning Consult, which has done significant research around brand.  What I got out of their research wasn’t surprising.  They’ve identified the most trusted brands, both internationally and in the United States.  Guess what the top trusted brand is?  BAND-AID (see the report here).  If they get hacked, will you stop using BAND-AIDs?  I wouldn’t, for the same reasons I still like Marriott.  

Build a Digital Trust Ecosystem

You may be thinking, as I did at first, that this is another consultant buzzword to sell more services and products.  Believe me, this is not a passing fad.  The proliferation of cybersecurity, privacy, and a myriad of other compliance concerns is vexing companies with overwhelming requirements.  So, think of digital trust as 1) an extension of your cybersecurity and privacy programs, 2) a holistic approach to protecting your brand and your consumers, and 3) a means to increasing your reputation while supporting digital transformation and customer loyalty.  

What’s more, even the World Economic Forum (WEF) is in this game.  Back in November of 2022, the WEF published a report titled “Earning Digital Trust: Decision-Making for Trustworthy Technologies” in collaboration with Accenture, KPMG and PwC.  Although the paper was very high level, there is some very important information here that is useful.  Take a look for yourself and make your own assessment here.

Now, let’s look at the ISACA Digital Trust Ecosystem Framework, or DTEF.  I can say without a doubt that this framework really gets into the actionable areas of creating a digitally trusted environment.  Think about it: digital trust is more than a bunch of principles.  Of course, these are great guideposts, but as a business manager, C-Level executive or board member, I need to know what I should be doing.  If you are interested in a really good webinar that explains the framework, and are an ISACA member, check this out.

The DTEF starts at the highest level of the organization, called nodes.  Not surprisingly, these include People, Process, Technology and Organization (see the diagram below).  Nodes are connected through Domains, which create the dynamic relationships that enable the DTEF to describe the complexities of a system in today’s highly interconnected environment. These interconnections show that the DTEF is not static. They represent the dynamic parts of the framework where actions occur and where changes within the domains influence the nodes.  

Thus, an ecosystem.  

ISACA DTEF Hierarchy (Mark Thomas’ rendition)

Here’s where the DTEF earns the right to be called a framework.  The model takes these domains and breaks them down further into trust factors, practices, and activities, all of which are supported with outcomes and key performance indicators.  I have not found another digital trust framework that provides this.  

As with any framework, you should NOT expect to copy and paste this into your environment and have digital trust magically appear in your organization.  Also, this framework doesn’t replace everything you currently have in production.  It is designed to mesh with the models you already use, such as ITIL, COBIT, ISO, NIST, TOGAF and many others.  

Top 5 Digital Trust Objectives

I’ve given you a lot of information so far and suggest that you keep an eye out on the ISACA site for more information about the forthcoming DTEF.  In the meantime, here’s my top five list of things that I’d be looking at if I were a C-Level or board member of any organization that interacts with customers or consumers digitally: 

Top tip 1:  Know what types of digital interactions you have with your customers and consumers.

Organizations have multiple relationship types. These are determined by understanding the products, services, and stakeholders. The type of digital trust relationship can be a major factor in how digital trust is designed and controlled. There are many types of interactions.  These include: 

  • Business to Business (B2B)
  • Business to Consumer (B2C)
  • Business to Employee (B2E)
  • Business to Government (B2G)
  • Government to Consumer (G2C)
  • Peer to Peer (P2P)

Top tip 2:  Know what products and services are digitally enabled and how you interact with customers and consumers.  

Analyze each product and service to determine what digital interactions are required to ensure their proper delivery and support. Look at the entire development and delivery cycle to identify where each product or service might depend on digital solutions, or leverage digital interactions with suppliers, partners, users, customers, consumers, etc.  This is important because the product or service lifecycle identifies all the potential digital touchpoints between various stakeholders throughout the deployment process.  

Top tip 3:  Get digital trust embedded into your governance structure.

No initiative can be successful without proper governance, and the DTEF includes this. Considering digital transformation usually occurs in a high-velocity and fast-paced environment, it is important to ensure that risks are addressed, authorities are defined, and governance components are considered. 

Consider creating a governing body to oversee digital trust efforts. Governing bodies typically start at the highest level of the organization: a board of directors, board of regents, or an equivalent of these. Each board receives and disseminates information using committees. Examples of these committees include the strategy, finance, governance, compensation, and audit committees.  However, throughout the organization there are several governing bodies who are chartered to prioritize efforts, allocate funding, and address escalations. These bodies are often not considered governing bodies of organizations – but in reality, they are. A digital-related committee could provide the governance over enterprise digital trust. If this is not a viable option for your organization, you should at least have digital trust embedded as a topic for the board and each committee.  

Don’t forget about risk.  The risk register is a list of risk areas that have been identified, analyzed, prioritized and either accepted, transferred, avoided, or mitigated. It is not just a list of control deficiencies or missing software patches from a server; rather, it is an inventory of events that could affect or prevent the organization from meeting its goals and objectives. 

Top tip 4:  Create use-cases for all digital interactions with your customers and consumers and use these to help you select the appropriate trust factors.

A use-case describes how an actor interacts with an organization through a digital solution to accomplish one or more of that actor’s goals. It is a full description of the attributes and steps that are required to accomplish a specific goal. The creation of use-cases is a critical step in digital trust. Knowing these can help identify the appropriate domains and trust factors that are key to a trusted digital ecosystem. Use cases could include the following:  

  • Product or Service 
  • Relationship Type
  • Relationship Medium
  • Inputs or Preconditions
  • Interaction Description
  • Outcomes or Post Conditions
  • Related Use Cases
  • Stakeholders
  • DTEF Relationships

Top tip 5:  Use the ISACA DTEF to guide you in adopting the appropriate trust factors to support your digital trust efforts.  

Keep an eye out for the DTEF and any supporting publications from ISACA regarding digital trust.  No single body of knowledge thoroughly addresses the scenarios, risk and controls required to operate in a digitally trusted environment. The references I’ve found so far focus on a single industry, organizational goal, or type of transaction/interaction. To provide a holistic view of the complete digital trust ecosystem, go to the DTEF.  

ISACA’s DTEF supports the establishment and maintenance of digital trust from multiple perspectives. Digital trust is broader than just technology; it applies to the entire organization and to all its external stakeholders as well.  You may have heard of this as the digital supply chain.  Selecting, establishing and maintaining digital relationships requires confidence and transparency from all parties involved. However, the needs, principles, values and objectives of providers and consumers influence the levels of trust.

Bonus tip:  Adopt digital trust iteratively over time.  

It may seem a little biased for me to add COBIT to the mix here since I’m a huge COBIT fan, but I believe the COBIT Implementation model is one of the most comprehensive and complete guides to implementing almost ANYTHING.  The COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of governance of I&T and can also be used for digital trust initiatives. 

COBIT Implementation Model (ISACA)

The continual improvement life cycle approach allows enterprises to address the complexity and challenges typically encountered during an enterprise governance of information and technology (EGIT) implementation, and by extension, a digital trust initiative.  If you haven’t given it a look, maybe now is the time.  

A quick summary

You can be secure, you can protect customer privacy, and you can be compliant, but if your customers or consumers don’t trust you, you’re out of business.  No organization is immune to a negative newsworthy event, and if that happens, it’s most likely too late to think about creating digital trust because your customers and consumers have already calculated their losses.  As with my Marriott experience, they had more than one event, but I’m still a loyal customer because they recognized how to build trust in their digital interactions with me.  Don’t treat cybersecurity, privacy, information technology, risk, and digital transformation as separate functions in your organization.  Think of these as integrated components of digital trust.  To do this, I’d keep an eye on the ISACA DTEF for guidance.  Today, it is the most comprehensive tool to consider all aspects of digital trust in the people, process, technology and organization areas.  

As always, I hope you’ve learned from this post.  Please let me know what you think.  Email me at mark@escoute.com with your support, questions or challenges to this post – my SLA is a 48 hour response 😊

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives is aligned with an applicable domain. For example, Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore, COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. This takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provided some much-needed guidance on how to do this. In addition to the guides, there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT 2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could also result in conflicting guidance, which is quite likely if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. This is good in my opinion: it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course the processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.