Security or trust – which one comes first?

"Trust me, I’m an engineer!" – According to the "Urban Dictionary", this saying is used as a universal statement of absolution: "You construct buildings that are structurally dubious and you provide unreliable solutions to problems but as you are an engineer, everyone has no choice but to accept that your methods won’t fail". As a scientific, technical discipline, cyber security is associated with engineering. So does "blind trust" apply to cyber security as well? Which one comes first – security or trust?

First of all, let's take a look at the technical definition of security: "the condition in which it is anticipated that operation will be failure- and risk-free"; or, to put it another way, freedom from unacceptable risks. Security is therefore the result or the consequence of taking control of unacceptable risks. If you think this right through to the end, security cannot come before trust, as it is the result or the consequence of being in control of the risks.

Unknown risks cannot be controlled

Of course, only identified risks can be controlled; unknown risks cannot. The best-case scenario is to accept this reality and prepare as well as possible for unforeseen events, but it is not possible to have actual control over them.

Does this mean that blind trust is needed, inevitable even? In my opinion, there should be no such thing as premature or forced trust. You can ask someone to have confidence in you, but it is difficult to demand trust without having earned it. In English, unlike German, a distinction is made between "trust" and "confidence", which at least linguistically sounds a bit more subtle.

To sum up, in the digital world, people (or users) must or should build up "trust" – which is very often exactly what service providers and product manufacturers demand of them, with the notion of "have confidence in us", but often in the form of "trust us, we know what we are doing".

Trust in services, products and providers

An auditor should have a fundamentally critical attitude, in line with the principle of "trust is good, control is better". If, as a customer, you want to get a closer look and take a critical view of the security assurance promise, more often than not you will not find many doors opened for you. When customers explicitly request information or an insight into processes and security measures, transparency is often refused by referring them to trade secrets. What I see in many digitalization projects is the classic "chicken-and-egg problem" – hence the title of this blog post.

The number of attacks has increased – along with the number of vulnerable targets

As a specialist in cyber security, I am often asked whether the number of attacks and risk events in information security has increased in recent years. The answer is a definite yes. There have indeed been more attacks, but there are also more vulnerable targets (networked electronic devices) and greater monitoring. The ubiquity of the Internet has grown hugely and steadily over the last 20 years.

Although services are becoming easier to use and more intuitive, there is a huge increase in complexity behind the scenes, with many systems still based on architectures and concepts that were designed 20 to 40 years ago. A fundamental, complete new development (in line with the "security by design" principle) frequently carries prohibitive cost implications, and so it is avoided and put on hold. In terms of IT security, this is not helpful at all. In the short term, however, repairing and patching is cheaper than building what is referred to as a "secure system development lifecycle". Culturally, admitting mistakes and omissions is frowned upon too, so in the worst case a fake facade is allowed to be kept up.

Digitalization just cannot be done without trust

The key to trust is confidence in transparent, authentic, effective security, and digitalization and digital transformation cannot be done without trust. The phrase "Trust us" (much loved by companies) can be said as often as you like and honestly meant, but if there are no subsequent authentic, transparent, comprehensible deeds, trust cannot be built and your credibility will suffer. "Security by obscurity" is a terrible strategy – trust needs to be earned!


Cyber Security, Cyber Risks

About the author / Daniel Däppen

InfoGuard AG - Daniel Däppen, Senior Cyber Security Consultant
