"Trust me, I’m an engineer!" [1] – According to the "Urban Dictionary", this saying is used as a universal statement of absolution: "You construct buildings that are structurally dubious and you provide unreliable solutions to problems but as you are an engineer, everyone has no choice but to accept that your methods won’t fail". As a scientific, technical discipline, cyber security is associated with engineering too. So does "blind trust" apply to cyber security as well? Which one comes first – security or trust?
First of all, let's take a look at the technical definition of security: "the condition where it is anticipated that operation will be failure- and risk-free" [2]; or to put it another way, freedom from unacceptable risks. Security is therefore the result, or the consequence, of taking control of unacceptable risks. If you think this right through to the end, security cannot come before trust, because it is the result of being in control of the risks.
Of course, only identified risks can be controlled; unknown risks cannot. The best-case scenario is to accept this reality and prepare as well as possible for unforeseen events, but it is not possible to have actual control over them.
Does this mean that blind trust is needed, inevitable even? In my opinion, there should be no such thing as premature or forced trust. You can ask someone to have confidence in you, but it is difficult to demand trust without having earned it. In English, unlike German, a distinction is made between "trust" and "confidence", which at least linguistically sounds a bit more subtle.
To sum up: in the digital world, people (or users) must or should build up "trust". Service providers and product manufacturers very often demand exactly this of them, sometimes framed as "have confidence", but often in the form of "trust us, we know what we are doing".
An auditor should, by default, have a critical attitude, in line with the principle of "trust is good, control is better". If, as a customer, you want to take a closer and more critical look at the promised security assurance, more often than not you will not find many doors opened for you. When customers explicitly request information about, or insight into, processes and security measures, transparency is often refused with a reference to trade secrets. What I see in many digitalization projects is the classic "chicken-and-egg problem" – hence the title of this blog post.
As a specialist in cyber security, I am often asked whether the number of attacks and risk events in information security has increased in recent years. The answer is a definite yes. There have indeed been more attacks, but there are also more vulnerable targets (networked electronic devices) and more monitoring. The ubiquity of the Internet has grown hugely and steadily over the last 20 years.
Although services are becoming easier to use and more intuitive, there is a huge increase in complexity behind the scenes, with many systems still based on architectures and concepts that were designed 20 to 40 years ago. A fundamental, ground-up redevelopment in line with the "security by design" principle frequently carries prohibitive costs, so it is avoided and put on hold. In terms of IT security, this is not helpful at all. In the short term, after all, repairing and patching is cheaper than establishing what is referred to as a "secure system development lifecycle". Culturally, admitting mistakes and omissions is frowned upon too, so in the worst case a false facade is simply kept up.
The key to trust is confidence, together with transparent, authentic and effective security; and digitalization and digital transformation cannot be done without trust. The phrase "Trust us" (much loved by companies) can be said as often as you like and be honestly meant, but if it is not followed by authentic, transparent, comprehensible deeds, trust cannot be built and your credibility will suffer. "Security by obscurity" is a terrible strategy – trust needs to be earned!
[1]: https://www.urbandictionary.com/define.php?term=Trust%20me%2C%20I%27m%20an%20engineer
[2]: https://en.wikipedia.org/wiki/Security