Trust Starts Here
27 March 2019

Trust by Design

Anne-Marie Chun

When I worked in the Aerospace and Defense industry, trust was paramount. We were creating systems that were responsible for defending and upholding our national security, from fighter jets to cloud services. As such, we had to be able to confidently trust that our sophisticated defense systems would work if under attack. We had to be able to trust that these systems were handling data appropriately. And we had to be able to trust that these systems would not and could not fall into the wrong hands.

Trust takes time to build. The defense industry, like many industries, spends years building relationships between vendors and customers, defining requirements for new defense platforms, and developing sophisticated systems that people trust. The attention to quality doesn’t stop after the building phase; after we built the sophisticated systems, we would test them, evaluate them, and make sure they could be trusted in operation. The irony, however, is that trust takes painstaking time and effort to build and only an instant to shatter. After years of development and testing, an attacker could find and exploit a vulnerability and take a system down in as little as a few hours.

Just as our modern digital world has called for a shift from developing software through a waterfall approach to developing software through an agile approach, it also calls for a shift from developing trust over the long term to developing trust by design.

Today’s digital business environment requires that trust be built into an organization from the ground up, starting with the individual digital assets that make up a company. Building secure assets ensures that the business can create trusted products and deliver on its brand promise, and by extension, that the customer will trust the business. For a defense company, this could mean delivering cloud services that host and protect data on behalf of their national security clients, and no one else. For a consumer company such as Domino’s, this could mean building pizza delivery apps and infrastructure that uphold the brand’s “30 minutes or less” delivery promise.
Ironically, while the CMO has always been the primary guardian of the brand, this decisive shift to digital business now puts the CISO in the important role of protecting a brand and its trustworthiness. The CISO is now the link between security at the asset level and brand value and trust at the business level.

This shift, focused on building trust by design with CISOs at the helm, is already being demanded by leading companies and brands across industries. Synack works with the largest brands across the G2000, and across every industry, our CISO partners tell us that the board has upped the ante for their position. A CISO’s job is nowhere near as simple as a 9-to-5 job with the convenience of snoozing email notifications over weekends. Ethan Steiger, CISO of Domino’s and Synack’s Most Trusted CISO award winner, commented: “Now, in 2019 more than ever, I need to prove to my board, executives and customers that they can trust that our security is working, and therefore trust our brand.”

To accompany this new mindset shift towards trust, Synack is releasing a new report today – the 2019 Trust Report: Trust Has a Number. The report is the first of its kind to actually quantify organizations’ trust at the asset level, from a hacker’s perspective, and measure security performance over time. We gathered and analyzed our unique crowdsourced penetration testing data, based on thousands of tests on assets owned by hundreds of companies across nine industries over several years, to generate this report. We interviewed dozens of executives and they all agree: getting to trust is critical for business success. However, building trust requires security rigor and measurement.

Here are some of the 2019 Trust Report highlights:

  • Manufacturing & Critical Infrastructure and Financial Services lead the way as most Trusted Industries
  • Security teams are making progress! They are enhancing the trust of their organizations, but it requires dedicated practice – up to 200% higher Attacker Resistance Scores among organizations that have worked to improve their attacker resistance for 2+ years versus those that have done so for less than 1 year.
  • Continuous, rather than point-in-time, penetration testing has a greater impact on security – 43% higher Attacker Resistance Scores on average among organizations that practice continuous vs. point-in-time penetration testing.
  • Organizations with the highest Synack Attacker Resistance Scores are: 1) making it harder for attackers to find vulnerabilities, 2) integrating security testing into the SDLC to reduce the cost of vulnerabilities, and 3) remediating security issues quickly.

Secret to Higher Attacker Resistance Scores

Download a copy of the report here. Read how leaders from Home Depot, Intel, CLEAR, Stanford University and Just Eat are defending brands and building stronger security programs by building trust by design.

Today’s cyber attacks have become a top hindrance to brands’ promise fulfillment. 2018 witnessed 81% more breaches than 2017, totaling 2,216, with many millions of consumers affected (2018 Verizon Data Breach Investigations Report). And while Gartner estimates that security spend will increase 9.4% in 2019, breaches continue unabated, and boards are demanding results, ROI, and trust from their CISOs.

An “agile” approach to building trust by design will require not just a shift in mindset, but also a shift in operations. This means shifting security left and building it into the software development lifecycle. Product security must be a priority, not an afterthought. Just as it’s difficult to change code at the end of waterfall development, it’s equally difficult to retroactively build trust into a product. It must be integrated as part of a continuous security lifecycle. Trust must be built by design.