Digital Trust Enterprise Framework
Have you ever wondered what makes you trust a company online? Or why some businesses seem to thrive on customer confidence while others struggle? In a world where terms like cybersecurity, artificial intelligence, and privacy dominate discussions, the concept of digital trust ties it all together. But how can we measure, manage, and build digital trust in a structured way?
As we see rapid advancements in technology—like AI, data privacy concerns, and cybersecurity threats—the need for trust in digital interactions has never been more crucial. Rolf delves into the essence of digital trust, breaking it down into tangible components that organizations can measure and manage. Through the ISACA framework, businesses now have a structured approach to not just build trust but assess and align it with existing standards, regulations, and best practices.
Transcript of the Conversation
Digital trust enterprise framework. Yes, the digital trust enterprise framework has come from ISACA, and it aims to classify, consolidate and help you measure digital trust. Because, if you notice, in the last few weeks, we've been talking about digital trust. What is digital trust? What does digital trust consist of? Now, all those definitions, all those concepts, are individual, and everyone has an opinion. Everyone has an idea on how they see digital trust and what it consists of. But then, being in ISACA as a board member, I know that there is something called the Digital Trust Enterprise Framework from ISACA, and I wanted to talk about it in detail, because that's a structured approach to measuring and managing digital trust in an organization. So, I happened to meet, and I happen to have today none other than Rolf one, Ross Singh, who is an expert and who has contributed to this framework in its building, and he is going to share with us his wisdom on what the digital trust enterprise framework is. So, let's go and talk to him.
FIT4Privacy 01:07
Hello and welcome to the fit for privacy podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here your host, Punit Bhatia has conversations with industry leaders about their perspectives, ideas and opinions relating to privacy, data protection and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started.
Punit 01:35
So, here we are with Rolf. Welcome to the Fit4Privacy Podcast.
Rolf 01:39
Thanks for having me. Hello.
Punit 01:40
It's a pleasure to have you. And let's start with the basic question. A few years back, we were talking of data privacy. Then came cyber security, or along with it, or before, depending on who you talk to. And then we were talking about artificial intelligence that is going to take all our jobs, and all of a sudden, nowadays, we are talking about digital trust. How would you put this concept of digital trust in a few words?
Rolf 02:05
Well, there are various definitions of digital trust around; almost everyone has one. And my very simple take on digital trust is that it marks the end point of several professional disciplines that we've been pursuing. You mentioned some of them, whether it be AI, cyber security, business resilience; all of these tend to culminate in the one single question: do I trust this company? Do I trust this individual? Intuitively, you'd be able to say that within a split second, you just say, well, I trust them, or I don't trust them, and there would be many examples of enterprises, institutions, other organizations who either enjoy digital trust or they don't. So, all the topics you mentioned before, I would say, are converging towards that end point. They help strengthen digital trust. They help people understand whether a company or a business partner is trustworthy, and, more importantly, why they're trusted and trustworthy. So, I suppose my simple definition to sum this up is: digital trust is both the objective and also the overarching concept that we need to look at when we do cyber security, when we do risk management, and all the other things which are effectively a means to an end.
Punit 03:14
That's a very good definition, and that prompts me to ask, because you kind of opened a can of worms. Probably so. How do you see this digital trust being constituted? I see in your head, or I realized, some components that make up the digital trust. So how would you kind of demystify this digital trust concept into some components?
Rolf 03:36
Um, I think that's quite straightforward. Actually, if you say digital trust is the sum of all these things, then there are only two, if you will, natural states: trusted or not trusted, or maybe marginally trusted. So, what we need to do is then to ask ourselves, how can we transition what used to be analog trust, like I shake your hand, or I go to a shop and hand over cash in exchange for a product? How do I transform that and move this into the digital world, where relationships are much more ephemeral? They're momentary. They are transient. And in many aspects, and you talked about AI earlier, so let me illustrate this. In many aspects, the digital world is radically different from our physical world, like in my village here in Switzerland, simply because people, actions, transactions and other things may not be what they appear to be. If you take deep fakes, avatars, other things as an example, it just shows that digital trust is something you must have, but it's also very much at risk, because what you see isn't what you get. Um, so how can we achieve this? I suppose we have to move away from our analog, traditional concept of absolute trust; nowadays, in the digital world, it is the probability of truth and trust. So, you have to find ways to measure, audit, assess, confirm digital trust by various means. What I mean by that is mainly you need metrics, measurement, controls, maturity levels, evidence, artifacts of trust that all have to come together for people to form a realistic picture of: do I trust this thing or don't I? So, it's a multi-faceted problem, I should say.
Punit 05:12
It is a multi-faceted problem. And there are two things I'm curious to ask you on that. In one dimension, what are the facets of this? Like we spoke about a few minutes back, there's the privacy aspect of it, there's the security aspect of it. Some people say there's a risk aspect of it. So, what are the facets of it? And then eventually, I would like to ask the second part later; probably we go deep into this one first.
Rolf 05:35
Yeah, sure. So let me answer this from the back end. Um, as you know, at ISACA, we looked at the question of digital trust, how to define it and how to conceptualize it such that you have a thing like a framework that tells you what the components, the constituent parts of digital trust are. And what we did then was, starting from this thought, we defined several domains in which digital trust is defined and shaped and decided. Underneath each domain, and this is part of the framework thought, we identified several trust factors that constitute the domain and therefore bring life to the domain. And then you can go further down, more detailed on all these things, saying, well, if I have all these trust factors, if I have all these measurable quantities, these items that I'm looking at, at least I get a fair notion of the level or the score of digital trust that you can expect when you're dealing with this entity or with this person. So we try to give it a regular shape in terms of what you need, all these little things for digital trust in there. There are, accordingly, focus areas as you would expect from ISACA, and the ones that we identified include privacy, they include security, they include risk, but they also reflect on quality, and they also reflect on audit and assurance and compliance. So that, I think, rounds off the framework, the systematic world that we try to create underneath the notion of digital trust.
Punit 07:02
So, that's quite comprehensive, because if you include quality and ethics and everything into the aspect, then you have the trust factors. You have, what did you say the other term was, the trust factors? And the second part was?
Rolf 07:17
Well, I can, I can outline this, of course, a little later, but it consists of, if you will, a top layer or top tier set of domains. And underneath these, you will find that there are trust factors that constitute the domain. Underneath domains and trust factors you will then find practices. So, this is where the whole framework is becoming a little more operational, and it then finally breaks down into activities and outcomes, and you have various attributes for the outcomes that you can use to measure and steer and control your levels of digital trust in each domain.
Punit 07:50
So that's what I wanted to get to. So, thanks for helping me out. So essentially, with these trust factors or with these domains, it's possible eventually, with the outcomes and baselining against outcomes, to measure how much of a score you have in a domain on digital trust, or maybe overall as well.
Rolf 08:07
Yes, you do, um, it rolls up quite nicely. You consolidate from the bottom layer of activities by adding things like key performance indicators, key risk indicators, key controls for an activity. Now that is a set of instruments or tools that assist you in understanding how well you're doing this activity and to which extent you actually reach the desired outcome. If you consolidate this up to the practice layer, you obviously get a fair picture of, you know, doing your activities right, reaching your outcomes, and then how good are you at this practice? Now, to complement that, you will find that there are general controls around each practice that are at a slightly higher level. So, it mirrors and it reflects the usual hierarchical and managerial structures you find in entities and institutions. So down from the operational activity through the tactical practices, you move up to strategic trust factors in domains, and the higher you get, the more closely you will have a sort of well-founded picture of what the trust levels are across the organization.
Punit 09:09
Okay, so that means there is a fair bit of action that needs to be taken by someone in domains, in trust factors, in outcomes to assess where they are, and that needs a lot of investment of time. Let's put it like that. And if there's an investment of time, people would usually say, because organizations are short on time and resources, is there a return on investment that we can say it will bring to people? We know, all know, digital trust is important, but is there a way to say there's a return on investment?
Rolf 09:39
There certainly is. What we did at ISACA is we question ourselves all the time. So, we did it in this case. And since 2022 we have conducted an annual survey, the State of Digital Trust, that's freely available. This survey examined exactly these questions, saying, what do I get if I do digital trust right? And what do I get if I do it wrong? The answer for the pros, the return on investment: about 1000 respondents. Most of them said, okay, digital trust is important to have. But notably, 27% of the respondents said we did it right, and we saw an increase in revenue. 27%, the top quarter of all respondents, said we made more money by doing it right. Conversely, when you look at the negative side, the downside of things, many respondents said that if you lose digital trust, or if you neglect it, you will feel the effects almost immediately. So, two thirds of respondents noted that they had customer losses, and 47% noted that they had revenue losses as a direct result of losing digital trust. And I think that that sort of paints a very clear picture. If you want to be in the top quarter of successful firms, yes, you will have an ROI if you do this properly and at the right level, you know, of commitment. If you fail to do it, or if you fall behind, then very soon, not only are you part of the other three quarters, but no, you will feel the loss more or less immediately, so it's a very binary, almost a black and white picture.
Punit 11:06
Yeah, that makes sense, that there is a return on investment. But you also touched upon an important element, saying it helps you do things and helps you take actions, because you mentioned the outcomes or activities that you need to perform. But then at the same time, in the trust factors or domains that you talked about, privacy or AI or risk, or, for that matter, audit, there are already obligations that organizations have, and these obligations are in the form of what we call legislation or laws. Now we know the GDPR, we know the EU AI Act, to name a few. Now how would then this digital trust fit in or sit in with these? Because do I then comply with the GDPR or EU AI Act, or do I comply with the digital trust framework, or maybe I comply with the digital trust framework and I'm guaranteed, or assured, or can be relatively confident, that I'm meeting the obligations of laws. How does it work?
Rolf 11:59
Well, the very short and simple answer is the digital trust framework coexists with what is out there. Our main goal, strategically speaking, was to not reinvent the wheel. Where you have existing obligations, best practices, standards, other frameworks that address specific aspects of digital trust, we map them to the digital trust framework. We cross reference to these and say, well, take IT service management as an operational component, or a set of practices. We would not, as ISACA, go through the digital trust framework and say, well, let's reinvent IT service management. No, we mapped it to ITIL before. So, the message to all people, particularly senior management saying, well, yet another framework, does that mean we have to do even more work on top of what we're already doing? My answer would be, no, let's be intelligent around this and reuse what you have. If you have a functioning ITIL v4, for certain that obviously pays in onto the digital trust practices and trust factors, and it gives you a green light because you have it. So there's no need to second guess things like ITIL, COBIT, ISO 27001, the EU Artificial Intelligence Act. If it's there, if it's solid, and if it's generally recognized best practice, it is enough for us, from a digital trust perspective, to simply map to that and say, well, if you have an ISO 27001 certificate, in terms of digital trust, that tells you something already. We just have to take this building block in our hands and put it in the right part of the digital trust house. So, this is what I mean by coexist, coexistence. You probably, in many areas, won't have to reinvent anything new, but you have to form the logical connection between what you're doing in information security as a discipline, and then how that pays in on the digital trust account, and what your account balance is afterwards, when you go cross functional and across a variety of standards and functions.
Punit 13:49
That's very well put. So essentially, what I get is: what we usually talk about, digital trust, is an abstract concept, which most people, as you said, start having many definitions of and grappling with how to define in detail or make quantifiable, measurable and even evaluable also, let's put it like that. And here is a framework which people can use to not only assess but also comply with legal obligations and be at peace that they are looking at things from a 360-degree perspective, rather than one-time privacy, one-time security, one-time audit, or a 360-degree view. But then the question would be, at least if I'm listening to this podcast, how can I, or how can someone, leverage this ISACA, what you say, Digital Trust Enterprise Framework? How can they get access to it?
Rolf 14:35
It's a good question. So let me just very briefly describe where we're coming from and where, where ISACA is going with this. So initially, developing the underlying model and the framework was an exercise that looked like, let's create another framework, but let's also map and leverage what we already have so it fits, it complements, but it doesn't replace, or it doesn't contradict what we have. As a second step, it was published as an EK publication, which is available for members. It's free. You can access it through the ISACA bookstore by logging in and then going into that resource and getting yourself access. The artifacts that you have on top of that are several documents. For instance, you have a written Implementation Guide. There will be a written assurance and audit guide for our audit profession, and our next iteration is likely to be a living ecosystem that will allow users to actually use this in real time, use it live, rather than having to go through printed or electronic publications that are linear. So, what we're looking at, and I think what's absolutely needed, is a full living digital ecosystem, not unlike the Google, AWS or Apple ecosystems, and ideally, once you're in there, you would be able to both define your own role or your own view or perspective on things. Are you an auditor, a risk manager or a security manager? As well as being able to interact with other ecosystem inhabitants, for instance, to look at their badges, their scores, or other things. And in between, you'll obviously find that there are other parties who provide solutions, widgets, things.
So the long term goal is to make this into an ecosystem, which is the E in DTEF, and to evolve in incremental steps from the framework, through explaining the framework and its publications, through making the framework reasonably interactive, so you can use it in practice, and then all the way to an ecosystem where you can naturally integrate that with your normal business activities or your organizational structure. So yes, we need a few steps more to bring this to a point where people say, well, we can use this very naturally, like we use our social networks and the other things, but it's only about paving the way, because conceptually and strategically, the way forward is very clear.
Punit 16:48
And if there's this framework, I'm assuming and guessing, that there is also some guidance on learning opportunities available for people to get used to it and get to understand it.
Rolf 16:59
Yes, there are. We wouldn't be ISACA if we didn't have a whole bunch in terms of education and training. Yes, there is Digital Trust Foundations. It's one of the smaller exams that exist. There are training opportunities, and there are also other lateral certifications and trainings that support various individual aspects for the roles within the digital trust world. For instance, if you are a risk manager, you will obviously want to look at Digital Trust Foundations, but you should also have your foundations in information risk management, or even a CRISC, so all of that is integrated. And as I said before, the digital trust piece is there. It's certifiable for individuals. And then additional materials, like our white papers, the global survey and others, are appearing as we go along. So, these are more incidental, but they come out infrequently. Every few weeks we have something new.
Punit 17:52
Okay, that makes sense now. That has been a very useful conversation, Rolf, I must say, because we put the structure and the emphasis on how to use that structure. And of course, it's a framework, so people have to take the effort, make the effort of going in, learning it, understanding it, and then using it. But would you have any final message for our audiences? And another aspect is, while you pass the final message, how can somebody get in touch with you or contact you if they want?
Rolf 18:20
Well, as a final remark, I'd say, simply because I happen to have the honor to write it and do the initial model underlying the digital trust framework: do not be afraid of the elephant. It's big, but it's totally manageable. I saw to that in formulating and writing and designing it. So essentially, when you look at it, it only takes you very few simple steps to go through the overarching concepts, to understand what it does, and then it's going to behave just like another framework, COBIT, Risk IT, or the others. And I'm very happy to help. So, anyone who wants to get in touch with me, I'm available through my company, and I'm also available through the ISACA European office. Usually, they know where I am, where I'm around, but I will be happy to send my email address and my contact details and availability to anyone. So then just please feel free to contact me on any of the available channels. I'd be happy to answer questions.
Punit 19:14
That is so good to hear, Rolf, I should say, and I must say, thank you so much for your time and sharing your wisdom.
Rolf 19:24
You're welcome. It's been a pleasure, as always, same here.
FIT4Privacy 19:28
Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have not already done so. Thank you so much. And if you did not like the show, don't bother and forget about it. Take care and stay safe. Fit4Privacy helps you to create a culture of privacy and manage risks by creating, defining and implementing a privacy strategy that includes delivering scenario-based training for your staff. We also help those who are looking to get certified in CIPP/E, CIPM and CIPT through on-demand courses that help you prepare and practice for the certification exam. Want to know more? Visit www.FIT4Privacy.com, that's www.FIT, the number 4, privacy.com. If you have questions or suggestions, drop an email at hello(at)fit4privacy.com. Until next time. Goodbye.
Conclusion
The discussion sheds light on the vital role digital trust plays in today’s interconnected world, where a single breach or loss of trust can have immediate and severe consequences for businesses. With the ISACA Digital Trust Enterprise Framework, organizations gain access to a comprehensive tool that helps them assess and improve trust across multiple domains, from privacy and security to compliance and risk management. Rolf’s insights emphasize that digital trust is not just a theoretical idea—it’s a strategic necessity that drives success, customer loyalty, and long-term growth.
By understanding and implementing the framework, businesses can confidently navigate the digital landscape and ensure they are meeting the evolving demands of both their customers and regulators.
ABOUT THE GUEST

Since 2021, Rolf has been lead developer within the core team developing the ISACA Digital Trust Ecosystem and Framework (DTEF). In 2023, he was nominated as one of the few ISACA Global Evangelists to represent the association in government and media relations as well as high-profile public speaking.

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy.
Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.
As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named 'ABC for joy of life', which he passionately shares. Punit is based out of Belgium, the heart of Europe.