Cybersecurity: a reflection on trust

I am often asked, ‘Why does your office have “Trust” in its name?’

The Security and Trust Office (STO) of NTT Corporation was launched in July 2020, and as the CISO of NTT Corporation, I was asked to choose the name of the office to lead.

I strongly believe that trust will become the oil of the post-COVID world. As such, I felt that officially naming our operation the Security and Trust Office would be more appropriate and authentic than simply calling ourselves “The Office of CISO”.

For me, our name is an expression of the need to strike a balance between cybersecurity and trust in conducting business. This is a mandate to which I am committed.

Trust has played a fundamental role in the history of human beings. No social contracts can be made without trust between the contracting bodies. Mutual trust drives collaboration and leads to the progress of our society. In other words, trust is an essential driver of the advancement of our society.

The COVID-19 pandemic has accelerated the adaptation of digital technology across the whole range of our socio-economic activities. This drastic and rapid shift to a ‘remote world’ will be irreversible and continue for the coming decades. Trust used to be primarily formed through in-person meetings. But now, in our digitized and remote-based world, trust and genuine human connections must be built in the absence of such interactions.

Here, I believe that the role of enterprise security becomes amplified. For example, trust will more easily be realized if Identity and Access Management is ensured. System and Organization Control reports offer information that can validate whether the organization is trustworthy and that the integrity, availability and confidentiality of information are secured.

Therefore, in this new society, security and trust will become inseparable, just like the two sides of a coin. An entity that is not cybersecure won’t be able to earn the trust of other entities. Cybersecurity has become a prerequisite to becoming a trusted entity. And that’s why I wanted to call my office the “Security and Trust Office.”

How is trust built? In her book, The Power of Trust Sandra Sucher, a Harvard Business School Professor, writes that four key elements are required to build trust: competence, motives, means, and impacts. This applies not only to when an individual builds trust, but also when an organization builds trust. The individual or organization has to display its competence through good and credible motives and means. Finally, he or she or the entity needs to demonstrate impactful results. Trust will be built only after repeated demonstration of the four ingredients, i.e., competence, motives, means and impact, and it takes time.

In cybersecurity, competence manifests itself through the presence and application of a deep and broad set of skills in cybersecurity practices. These required skill sets cover not only technical knowledge, but also soft elements such as disciplined operational processes and organizational culture.

Motives are people’s mindsets as to why ensuring cybersecurity is important. At NTT, people’s attitudes are particularly important since what we provide to our clients are digital services. All NTT employees need to share a common mindset about why cybersecurity is important.

Means are installed through security technology and tools and people’s activities. People’s activities include adherence to security guidelines, collaboration and information sharing.

Finally, impact is about keeping damages from any cyberincidents to a minimum. Since completely avoiding cyberincidents is impossible, I would position ‘minimizing the damage’ as impact.

The Power of Trust shares both success and failure stories. What these cases tell us is that building trust takes a long time, but also that, on the other hand, trust is fragile. It can be lost in a short period or during the course of a single event if an individual or an organization fails to prove their trustworthiness.

The Security and Trust Office of NTT Corporation will make long-lasting efforts to build and entrench a culture of trust within NTT. Specifically, we will develop a competent talent pool within the NTT Group. Second, we will amplify our people’s motives to ensure cybersecurity of our services and contribute to the global cyber-resiliency agenda. Our corporate mission is to solve social challenges through technology. Third, we will use best-in-class security technology and tools and embrace collaborative efforts such as proactive information sharing and thought leadership activities. Lastly, we will continue to build on and demonstrate a continuous track record of excellence and trustworthiness to secure our clients’ businesses as well as our own.

But equally, we are aware that none of these efforts can be completed in isolation. Everything is connected and interlinked in our digital society. This is a journey we want to travel with our clients and partners.

I look forward to working on this crucial task with like-minded people and organizations.