The trust enabler has been saved
The authors would like to thank Max Kaiser, Madia Fahim and the entire Future Foresight Team of Deloitte Germany for their contributions to this article.
Cover image by: Traci Daberko
Germany
Germany
Germany
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”1 This statement, as articulately expressed by Stéphane Nappo of Société Générale, illustrates how fragile trust is in the digital sphere. An organisation’s best way to deal with the fast-changing threat landscape is an understandable, well-structured cyber-security strategy. This acts as a shield during the constant and rapid upheaval of digital transformation, protecting the business’s tangible and intangible assets, including its reputation.
Digital transformation is largely influenced by a set of key factors that are shaping the future and characterised by volatility, uncertainty, complexity and ambiguity (VUCA). In a VUCA world, businesses, individuals and society face new threats and risks – ones that risk managers, C-suite leaders, IT professionals and also policymakers should be concerned about managing. Threats and risks can erode trust in products and services, undermining the carefully built reputation of even the most valuable company.
By analysing drivers and trends that affect the future of digital trust, decision-makers can proactively develop strategies that enable them to cope with the most likely challenges ahead. In Deloitte’s Future of Digital Trust study, we identified trends of our digital world, which revealed eight critical implications that the C-suite and other decision-makers should consider when developing future-proof strategies.2 This article builds on those implications, showing stakeholders how to mine them for insights that will encourage digital trust; each of the implications should be considered in an organisation’s approach to cyber-security.
Some readers might not be aware of the breadth and depth of all of these implications, and others may not have factored all of them into their cyber-security strategies. However, the implications are relevant for modern strategies, and for organisations that strive to proactively mitigate risks attached to processes, technology, people and governance. Behind every successful digital transformation lies an air-tight cyber-security strategy: The compass pointing the way to digital trust.
Think of digital trust as a new prerequisite of good old values, such as reliability, credibility or security, applied in the digital space. Fundamentally, digital trust is an essential factor in an organisation’s sustainable and long-term successful digitalisation.
In a trusting relationship, one does not have to worry about revealing vulnerabilities; each party can rely on the responsible handling of whatever they reveal. In the context of digitalisation, trust is the individual’s confidence in an organisation that data will be handled securely and responsibly in the digital environment. Digital trust has taken on new weight as the shift to technological practices and solutions has shattered previously accepted axioms, disrupting industries with new behaviours and attitudes.
To embed digital trust into long-term strategies, two key questions have to be answered: Which driving forces (drivers) and trends will form the future of digital trust in our society and economy, and how can cyber-security be an enabler for a sustainable and trustworthy digital transformation? Let us focus first on the drivers and trends, which lead to implications that help build a strong cyber-security strategy.
Future foresight methodology
It is impossible to definitively predict future developments, but Deloitte’s Future Foresight business methodology aims to expand our vision and understanding of the forces shaping tomorrow by reducing the ‘noise’ generated by big buzzwords and developments. With this model, decision-makers and stakeholders can focus on relevant factors that may otherwise escape them, and become empowered to make robust but flexible decisions.
Future Foresight can enable long-term strategy development by building an outside-in foundation. Starting with driving forces, trends are derived and their implications considered (figure 1). Unlike many traditional methods, this process captures the complexities around us. It really helps us get to grips with the most pressing and difficult questions confronting businesses on a daily basis.
If we see digital trust as the peak at the top of an upwards trek, cyber-security strategy lies just below that peak. But to form a winning strategy, we need to acknowledge the mountain of key elements that lie beneath the pinnacle (figure 1). All of these elements described below – driving forces, trends and implications – are explored in detail in our Future of Digital Trust study.3
Driving forces
At the base of the mountain are the individual, influencing variables that are already established, emerging or on the distant horizon: the drivers. An example might be the speed of globalisation, or the digital economy.4 Drivers can be categorised as social, technological, economic, environmental, political or legal (aka the STEEPL framework). The drivers vary in their impact and the uncertainty of their development. Identifying them helps us outline the highly dynamic environment we are experiencing today and pinpoint the change around us.
Trends
Driving forces link together to form trends that show over-arching developments with the potential to shape the future; they are found across sectors and show the interdisciplinary character of digital trust, which goes beyond technology. Trends consider the nature of the individual driver’s interaction and how that can catalyse – or cripple.5 For example, in our context, the trend ‘oversecuritisation’ describes an uncoordinated investment in IT security measures and is influenced by such drivers as offensive and defensive cyber capabilities, data protection, and privacy regulations.
Implications
The trends’ interaction with each other exposes eight key implications (figure 2) that present various opportunities and challenges across industries, sectors and core business priorities in terms of digital trust. Analysed individually, the implications illuminate unique points of action for each organisation. Together, they form the bedrock for creating, or revising, long-term cyber-security strategies and policies that will supercharge digital trust.
Having understood the relationships among elements that influence digital trust, we can now glean solid insights from the eight implications and consider them in developing future-proof strategies. Below we place three of the eight implications in the context of cyber-security, providing concrete recommendations. The same kind of examination could also be applied to the other five implications.
1. The rethinking of the enabling potential of technology
In the context of cyber-security, two perspectives need to be considered. First, the ever-increasing amount of information is driving up complexity (the biggest enemy of proper cyber-security). Complexity does not scale and will only get worse with the interconnectivity and exponential proliferation of new digital end points. Standards and methods must help reduce those complexities, improve collaboration and automate our responses, using the potential of any new technology that arises.
The second perspective is found by looking through a ‘security lens’. Technology advancements are disrupting existing business models and offering new means of attacks. Attackers should not be the only ones exploiting the full potential of new digital tools. Technology must accommodate specific business requirements, threats and risks; this requires a deep understanding of the business needs and the current threat landscape. The cyber-security strategy should enable services and match them with defence tactics and goals to enable a secure digital transformation.
Recommendations derived from this implication for cyber-security strategies:
Applying the insight
A useful exercise when developing a cyber-security strategy is to extract key questions and steps from an implication’s insights. We do this below for one of the eight implications, but a decision-maker should also repeat the exercise for the other seven.
Implication: The rethinking of the enabling potential of technology
Use case: Take a technology architecture management approach with the following steps and corresponding questions.
2. The fragmentation and expansion of responsibility and accountability for digital
The burden of ensuring a trustful digital environment – which includes cyber-security – has shifted from single actors to multiple internal and external stakeholders, either through public pressure or regulations and laws. The burden now sits with a wide variety of private- and public-sector stakeholders who were not traditionally responsible or accountable in the digital sphere.
That means that within a firm, accountability for security can no longer be broken down into separate entities, because of increasing complexity and dependencies. The classical boundaries separating businesses, operational technology, information technology and connected digital products have been erased. To establish digital trust, governance models and accountability should reflect the interconnectedness of everything in the cyberspace realm.
Recommendations derived from this implication for cyber-security strategies:
Beyond trust: Rounding out a solid strategy
The implications discussed in this article, and the insights they reveal, mainly focus on digital trust. But ‘common sense’ elements must still be part of the foundation of a solid cyber-security strategy. These include:
3. The primacy of data as a governing principle
Data is continuously growing and diversifying, and its governance has expanded far beyond privacy and regulation. The staggering influence, relevance and importance of data must be acknowledged proactively in cyber-security strategies – governing, rather than merely guiding. As we shift towards data- and platform-driven digital business models, we are surrounded by smart and personalised services. They generate and use personal information (mobility data, health statistics, financial transaction details, etc.). Building trust in those digital services is key, and data handling must be governed similarly to how we govern our analogue world.
Recommendations derived from this implication for cyber-security strategies:
Day by day, cyber-security is becoming more important. However, business leaders may be overlooking its influence on clients and staff, who worry about their daily interactions with technology as attackers constantly look for new attack surfaces. Digital trust is only likely to be granted to organisations that implement forward-looking, modern cyber-security strategies.
There are a mountain of factors affecting trustworthiness, and at the peak is the promise of a protected digital estate and a protected customer and employee relationship. Cyber-security is an enabler to reach that peak – and to ultimately support the creation and preservation of a trusted and invincible company brand. By considering digital trust’s implications on long-term cyber-security strategies, and what should factor into the development process, decision-makers and stakeholders can turn VUCA on its head. Volatility becomes vision, uncertainty becomes understanding, complexity becomes clarity and ambiguity becomes agility.
For more detailed information about the driving forces, trends and implications, including future scenarios, check out our Future of Digital Trust study.
The authors would like to thank Max Kaiser, Madia Fahim and the entire Future Foresight Team of Deloitte Germany for their contributions to this article.
Cover image by: Traci Daberko