“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”¹ This statement, as articulately expressed by Stéphane Nappo of Société Générale, illustrates how fragile trust is in the digital sphere. An organisation’s best way to deal with the fast-changing threat landscape is an understandable, well-structured cyber-security strategy. This acts as a shield during the constant and rapid upheaval of digital transformation, protecting the business’s tangible and intangible assets, including its reputation.

By analysing drivers and trends that affect the future of digital trust, decision-makers can proactively develop strategies that enable them to cope with the most likely challenges ahead. In Deloitte’s Future of Digital Trust study, we identified trends of our digital world, which revealed eight critical implications that the C-suite and other decision-makers should consider when developing future-proof strategies.² This article builds on those implications, showing stakeholders how to mine them for insights that will encourage digital trust; each of the implications should be considered in an organisation’s approach to cyber-security.

Some readers might not be aware of the breadth and depth of all of these implications, and others may not have factored all of them into their cyber-security strategies. However, the implications are relevant for modern strategies, and for organisations that strive to proactively mitigate risks attached to processes, technology, people and governance. Behind every successful digital transformation lies an air-tight cyber-security strategy: The compass pointing the way to digital trust.

What is digital trust?

Think of digital trust as a new prerequisite of good old values, such as reliability, credibility or security, applied in the digital space. Fundamentally, digital trust is an essential factor in an organisation’s sustainable and long-term successful digitalisation.

In a trusting relationship, one does not have to worry about revealing vulnerabilities; each party can rely on the responsible handling of whatever they reveal. In the context of digitalisation, trust is the individual’s confidence in an organisation that data will be handled securely and responsibly in the digital environment. Digital trust has taken on new weight as the shift to technological practices and solutions has shattered previously accepted axioms, disrupting industries with new behaviours and attitudes.

To embed digital trust into long-term strategies, two key questions have to be answered: Which driving forces (drivers) and trends will form the future of digital trust in our society and economy, and how can cyber-security be an enabler for a sustainable and trustworthy digital transformation? Let us focus first on the drivers and trends, which lead to implications that help build a strong cyber-security strategy.

Digital transformation: The trek towards trust

If we see digital trust as the peak at the top of an upwards trek, cyber-security strategy lies just below that peak. But to form a winning strategy, we need to acknowledge the mountain of key elements that lie beneath the pinnacle (figure 1). All of these elements described below – driving forces, trends and implications – are explored in detail in our Future of Digital Trust study.³

Driving forces

At the base of the mountain are the individual, influencing variables that are already established, emerging or on the distant horizon: the drivers. An example might be the speed of globalisation, or the digital economy.⁴ Drivers can be categorised as social, technological, economic, environmental, political or legal (aka the STEEPL framework). The drivers vary in their impact and the uncertainty of their development. Identifying them helps us outline the highly dynamic environment we are experiencing today and pinpoint the change around us.

Trends

Driving forces link together to form trends that show over-arching developments with the potential to shape the future; they are found across sectors and show the interdisciplinary character of digital trust, which goes beyond technology. Trends consider the nature of the individual driver’s interaction and how that can catalyse – or cripple.⁵ For example, in our context, the trend ‘oversecuritisation’ describes an uncoordinated investment in IT security measures and is influenced by such drivers as offensive and defensive cyber capabilities, data protection, and privacy regulations.

Implications

The trends’ interaction with each other exposes eight key implications (figure 2) that present various opportunities and challenges across industries, sectors and core business priorities in terms of digital trust. Analysed individually, the implications illuminate unique points of action for each organisation. Together, they form the bedrock for creating, or revising, long-term cyber-security strategies and policies that will supercharge digital trust.

Building a cyber-security strategy that enables digital trust

Having understood the relationships among elements that influence digital trust, we can now glean solid insights from the eight implications and consider them in developing future-proof strategies. Below we place three of the eight implications in the context of cyber-security, providing concrete recommendations. The same kind of examination could also be applied to the other five implications.

1. The rethinking of the enabling potential of technology

In the context of cyber-security, two perspectives need to be considered. First, the ever-increasing amount of information is driving up complexity (the biggest enemy of proper cyber-security). Complexity does not scale and will only get worse with the interconnectivity and exponential proliferation of new digital end points. Standards and methods must help reduce those complexities, improve collaboration and automate our responses, using the potential of any new technology that arises.

The second perspective is found by looking through a ‘security lens’. Technology advancements are disrupting existing business models and offering new means of attacks. Attackers should not be the only ones exploiting the full potential of new digital tools. Technology must accommodate specific business requirements, threats and risks; this requires a deep understanding of the business needs and the current threat landscape. The cyber-security strategy should enable services and match them with defence tactics and goals to enable a secure digital transformation.

Recommendations derived from this implication for cyber-security strategies:

• Efficiency: Automate cyber-security services/functions⁶ end to end, from identification to recovery capabilities. Many cyber-security services and processes are conducted manually, but their efficiency and quality of results can be enhanced with automation technologies or artificial intelligence.
• Effectiveness: Follow a risk-based approach and prioritise according to business enablement-related investments. This means spending money where it matters most and generates the most impact.
• Security: Build modern security architectures that include the latest technology advancements and resilient services, following principles such as ‘Never trust, always verify’. This will enable flexibility and secure adaptation in a fast-changing technology and business landscape.

2. The fragmentation and expansion of responsibility and accountability for digital

The burden of ensuring a trustful digital environment – which includes cyber-security – has shifted from single actors to multiple internal and external stakeholders, either through public pressure or regulations and laws. The burden now sits with a wide variety of private- and public-sector stakeholders who were not traditionally responsible or accountable in the digital sphere.

That means that within a firm, accountability for security can no longer be broken down into separate entities, because of increasing complexity and dependencies. The classical boundaries separating businesses, operational technology, information technology and connected digital products have been erased. To establish digital trust, governance models and accountability should reflect the interconnectedness of everything in the cyberspace realm.

Recommendations derived from this implication for cyber-security strategies:

• Co-creation approach: Modern cyber-security strategies cannot be developed in the often isolated information security department; develop them jointly with the rest of the business and its system, including cyber-security representatives throughout the organisation.
• Shared responsibilities: Develop overarching governance and organisation models to include clearly defined cyber roles and responsibilities, both technical and non-technical, across the whole organisation (business, IT, etc). From a product security perspective, cyber-security responsibility for components or systems should be clearly designated and divided among the various stakeholders (e.g. suppliers) across the whole life cycle, from the beginning of development activities until post-production.
• Prioritisation and customisation: A strategy should meet business objectives while protecting the most critical assets to establish trust, rather than focusing on broad or solely technology-related controls.

3. The primacy of data as a governing principle

Data is continuously growing and diversifying, and its governance has expanded far beyond privacy and regulation. The staggering influence, relevance and importance of data must be acknowledged proactively in cyber-security strategies – governing, rather than merely guiding. As we shift towards data- and platform-driven digital business models, we are surrounded by smart and personalised services. They generate and use personal information (mobility data, health statistics, financial transaction details, etc.). Building trust in those digital services is key, and data handling must be governed similarly to how we govern our analogue world.

Recommendations derived from this implication for cyber-security strategies:

• Redefinition of data life cycle management: In the digital sphere, the life cycles of data must be rethought for application in the endlessly interconnected world – from creation to ultimate destruction/deletion – especially with regard to the ever-increasing number of interfaces and devices/tools communicating with each other.
• Creation of framework: Create frameworks for technical and organisational measures that will address the growing amount of data. For example, define and continuously maintain security standards in line with evolving cloud-provider capabilities and cloud usage. Also, continuously monitor compliance with security standards and enable auto-remediation, where possible. Finally, establish high-quality intelligence and monitoring capabilities (such as open-source intelligence, security operations centre or security information and event management structures) to stay vigilant and identify real threats in the digital jungle.
• Establishment of data governance throughout the data life cycle: From creation to deletion, governance should cover the various interfaces and consuming entities. For example, designate authorship and ownership of digital data, and define and maintain modern protection requirements for it, especially to guarantee its integrity and confidentiality. This will help build trust at all stages – from data in motion to data at rest. In addition, data transmission across the corporate boundaries should be properly governed and monitored, based on clearly defined data classification schemes, for example public cloud.

Cresting the peak: From strategy to digital trust

Day by day, cyber-security is becoming more important. However, business leaders may be overlooking its influence on clients and staff, who worry about their daily interactions with technology as attackers constantly look for new attack surfaces. Digital trust is only likely to be granted to organisations that implement forward-looking, modern cyber-security strategies.

There are a mountain of factors affecting trustworthiness, and at the peak is the promise of a protected digital estate and a protected customer and employee relationship. Cyber-security is an enabler to reach that peak – and to ultimately support the creation and preservation of a trusted and invincible company brand. By considering digital trust’s implications on long-term cyber-security strategies, and what should factor into the development process, decision-makers and stakeholders can turn VUCA on its head. Volatility becomes vision, uncertainty becomes understanding, complexity becomes clarity and ambiguity becomes agility.

For more detailed information about the driving forces, trends and implications, including future scenarios, check out our Future of Digital Trust study.

Deloitte Cyber

Through the help of the profound expertise of more than 250 colleagues in Germany and a global network of cyber experts, we are able to offer end-to-end cyber services consisting of advisory in strategy, implementation and operations. We help our clients realise the potential of digitalisation holistically in their organisations, to protect valuable assets and to enable innovative business models. We accompany them with a comprehensive range of services to help drive innovation for secure and sustainable growth.

Learn more