In the Digital Trust Ecosystem Framework (DTEF), there are four nodes which form the foundation of the framework. Between two of those nodes, People and Organization, is the domain, Culture.1 The DTEF places a significant emphasis on culture. After all, an organization will ultimately reflect its culture. If the culture is healthy with respect to the organization’s respective goals and objectives, the organization is more likely to flourish and accomplish those goals and objectives.
Therefore, if an organization wants to have a strong trust position within the digital ecosystem, it must invest in the culture to support such a position. The DTEF reflects this with three trust factors by which to measure the success of the Culture domain within the organization. They are:
- CU.01 Manage Culture
- CU.02 Create and Manage the Digital Trust Cultural Environment
- CU.03 Manage Skills and Competencies
“Manage” and “Create and Manage” speak to actions by leadership. If an organization wants to have a culture of trust, this must be led by the board and the C-Suite.
It Starts at the Top
Culture is vital for organizational success and leadership must demonstrate that culture in their daily work and relationships. How important is culture, and what role does leadership play in establishing culture? Here are two statements that answer those questions: “Our research suggests that culture is not a luxury good, rather it is essential to continually invest in culture throughout the business cycle,” and “Another key finding from our research is that leadership is the pivotal piece in the cultivation and sustenance of the culture. The CEO, in particular, is identified as the most influential figure in setting the current culture.”2
The old quip, “The beatings will continue until morale improves,” isn’t the way to build culture in an organization. Employees need to see their leadership exhibit and demonstrate the qualities of the desired culture before they buy in. Culture is defined from the top down, not the bottom up. The board of directors and the C-Suite have to lead the culture. Therefore, if an organization wants to establish its trustworthiness in a digital ecosystem, the leadership must establish a culture of trust within the organization.
What Do We Mean by Trust?
There are a lot of interpretations of trust, but here are three criteria I often see cited:3
- Transparency
- Authenticity
- Reliability
When I think about the DTEF, all three of these criteria find their way into the trust factors and practices throughout the entire framework. The DTEF is a great tool to help an organization increase its trustworthiness in the digital ecosystem. Let’s look at each of these and why they matter. After all, if we are trying to build a culture of trust within our organizations, transparency, authenticity, and reliability are critical for success.
Transparency
Let me demonstrate the need for transparency by giving an anecdotal story. Several years ago, I was working on a technology implementation that involved many people, and we were being pushed hard to “get it done.” There was no visible evidence as to why we were all being asked to work so many hours and why we had seemingly arbitrary deliverable dates that could have been moved further out at a reasonable pace. We were flabbergasted. Yet we put in the effort because we all valued our jobs, and we made the dates.
At the celebration of the project's completion, one senior manager finally gave us insight as to why we were working so hard. One of our biggest customers wanted to use said technology and a competitor that had already implemented it was trying to bring them onboard. We understood the implications: if the competitor was able to sway them over that technology, it could then leverage its position as a service provider to get more business from our customer. Therefore, we needed to deliver the new technology in a timely manner to ensure the customer stayed with us.
That lack of transparency from management was baffling. Had we known what the stakes were, we wouldn’t have been able to work harder, but there would have been more purpose to our work. Keeping the customer was important for our job security. We would have had greater motivation as well as a clear mission to accomplish. Senior management wasn’t intentionally trying to hide things, but by not being transparent, there was a lot of strife and discontent in the workplace. Transparency would have likely resulted in a unifying goal to fight hard to keep our customer. Instead, we did not even know we were in a fight.
Transparency is not just about communication. Transparency also requires accountability. If someone isn’t measuring up, accountability is necessary. Good leaders will address the lack of performance. This goes beyond telling someone to “do better”; it also means having an open dialogue about what the issue is, what might be the reason, and what options there are to improve. The issue could be something as simple as the person not having the required skillset because they were never properly trained. Accountability isn’t about punishing failure but about setting an expectation or performance standard and then working to ensure everyone can meet it.
Authenticity
Authenticity goes hand-in-hand with transparency. If people pretend to be what they are not, then there isn’t true transparency. There are a number of reasons why someone might not be authentic:
- They do not have an accurate assessment of who they are and what they are capable of.
- They do not want to appear weak or vulnerable.
- They have motives that run counter to a culture of trust.
The first two issues can be dealt with in supportive ways. Skills inventories, 360-degree reviews, and open feedback (transparency) from supervisors and peers are ways to address the first issue. A supportive culture where people are allowed to fail deals with the second. From a business perspective, I always think about one of the principles of Lean methodologies: fail fast to learn fast. If we are failing fast, taking the information from that latest failure and applying it to our next attempt, we are improving. We shrink what we don’t know and increase what we know. A culture of trust encourages giving people the space to fail. Think about the alternative: if failure is punished, most people are going to choose one of two options: they will not put themselves in a position to fail or they will hide their failures. The first stifles innovation and organizational improvement. The second runs directly counter to a culture of trust.
The last issue, when people intentionally deceive for motives that run counter to trust, is why we have sayings like, “Trust, but verify.” When people intentionally deceive for unethical or immoral reasons, they damage a culture of trust. As a result, swift organizational action to remove such people is a must. If that’s not possible, then the organization should employ whatever legal methods are available to limit the influence and impact of such personnel.
Reliability
If a person is not reliable, that person isn’t trustworthy. If an organization isn’t reliable, it isn’t trustworthy. For instance, if an employee delivers exceptional work, but only does so in sporadic bursts, how do they compare to someone who works at a steady pace and consistently meets targets? Over time, the consistent producer will have the greatest impact for the organization. That’s the gist of the parable “The Hare and the Tortoise” from Aesop’s Fables.4 Another way to look at this: if I can’t rely on you to deliver, then I can’t trust you with the delivery. Organizations and leaders who desire cultures of trust must emphasize reliability.
It's About More Than the Framework
Let me be clear that doing enough to adhere to the DTEF or any framework isn’t enough. My experience with the aforementioned technical effort taught me this lesson, but I learned it again after the South Carolina Department of Revenue (DOR) had a data breach involving 3.8 million taxpayers, including my family. At the time of the breach, the SC DOR was fully compliant with US Internal Revenue Service (IRS) standards and requirements. However, the applicable standard was out-of-date and didn’t require encryption of PII data. As a result, taxpayer Social Security Numbers were among the data stolen.5
It’s a Process, not a Destination
The DTEF is a maturity model framework. As with all maturity model frameworks, an organization should expect that maintaining a certain level will require iterative processes to evaluate the health and performance of the organization’s implementation of and adherence to said framework. Getting to a culture of trust is an achievement, but it’s not a trophy to put on the shelf. “Manage” means exactly that: putting effort into maintaining and strengthening the culture to support trustworthiness, both internally and externally.
Appropriate feedback loops are a necessity for maintaining a culture of trust. If they don’t exist within the organization, how do leadership and key stakeholders know if the efforts to establish and maintain the desired culture are effective? How will they know about risk and threats to said culture? Of course, having the feedback loop is useless without some sort of process in place to act on that feedback. Not all feedback is valid, and not all feedback is actionable. Any feedback, good or bad, which is both valid and actionable should be prioritized and acted on accordingly.
Likewise, members of the organization should understand the cultural goals and how they apply to them. This is typically accomplished through both training and communication. Both should be properly planned and developed. Some of the training and communication will need to be repeated at regular intervals, such as annually. Also, as feedback indicates issues and concerns, both training and communication should be adjusted accordingly.
Emphasize Culture
I’m going to return to one of those initial quotes:
“Our research suggests that culture is not a luxury good, rather it is essential to continually invest in culture throughout the business cycle.”
Whatever the organization’s goals and expectations are, it will likely only achieve them by ensuring the proper culture is in place. This isn’t a one-time investment, but a recurring effort to ensure that the people who make up the organization embrace and demonstrate that culture. Of course, such a demonstration must originate from the top. Leadership must demonstrate transparency, authenticity, and reliability and insist those qualities are demonstrated by others in the organization. If leadership doesn’t demonstrate these criteria, then it’s unlikely that a culture of trust will form and it’s equally unlikely that the organization will be seen as trustworthy by others.
Endnotes
1 ISACA®, Digital Trust Ecosystem Framework, ISACA
2 Grennan, J.; “Corporate Culture in a New Era: Views from the C-Suite,” Harvard Law School Forum on Corporate Governance, 13 March 2024
3 Lewis, A.; “Leading the way,” Harvard Business Publishing Corporate Learning, 26 October 2022
4 Aesop; “The Hare and the Tortoise,” The Æsop for Children
5 Kirk, J.; “South Carolina Faults IRS Standard in Massive Data Breach,” ComputerWorld, 12 November 2012
K. BRIAN KELLEY | CISA, CDPSE, CSPO, MCSE, SECURITY+
Is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server, and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead, and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.