Security Is About Compliance, Not Trust

Phil Lieberman
Sunday, November 28th 2010

The word “trust” appears in the tagline for a great many security products and services. But in the business world what we often tout as trust simply boils down to an acceptance of risk and the expectation that we can transfer liability to other parties should that trust be broken.

I contend that there is no place for the concept of “trust” in IT security. Examine the history of security breaches and you’ll find countless cases in which trustworthy past behavior failed to predict future actions. If a business could be secured on trust alone, there would be no need for auditors or for the dozens of regulatory mandates they are tasked to enforce. Likewise, if we could always fully trust those around us, there would be no need for internal security policies or for differing levels of employee access.

What is Trust?

The concept of trust certainly has a place in personal relationships – say, between spouses, between a parent and child, or between good friends. However, when it comes to business security, trust is a wholly unreliable concept because of human nature and the law of unintended consequences.

For example, in the time it takes an employee to walk away from an unlocked computer to get a glass of water, he might allow anyone passing by to view sensitive information and damage the organization. Or, an employee might copy the contact details for a few friendly customers to a USB stick before quitting her job. In neither case is the employee likely to intend harm to the company, yet each has breached the organization’s trust. Intent is beside the point: what determined the outcome was whether a control – an automatic screen lock, a restriction on removable media – was in place and enforced, not whether the individual was trusted.

When evaluating an organization’s security posture it can help to think in terms of compliance rather than trust. By this I mean employee compliance with rules established by internal policies and mandated by those responsible for the organization – both executives and IT managers. Unfortunately such rules vary widely by organization.

Are We Compliant?