Verification Through Validation

In today’s digital world, companies must embrace the zero-trust methodology of “never trust, always verify.” They must assume that threat actors have compromised every system, network, device, and employee credential. In a cloud-native world, verification has become a business imperative. As companies work to implement technical controls at the workforce and IT environment level, they struggle when trying to secure their vendor ecosystems. They lack control over and visibility into their vendors’ security and privacy controls. Most companies verify their vendors with third-party validations, like audits and certifications.

Despite these processes providing only point-in-time assurance, companies can use them to understand their vendors’ approach to security and privacy. Even though companies lack control over their vendors, they can use these certifications to gain visibility into their vendors’ philosophies around security and privacy.

Compliance is Not Security or Privacy

Most IT professionals agree that compliance is not security or privacy. Most compliance standards use a set of minimum baseline data protection best practices.

In 2022, the International Organization for Standardization (ISO) updated ISO 27002 “Code of practice for information security controls.” Despite changing some language and reorganizing the document, many controls remain fundamentally the same as in the 2013 publication.

For example, when comparing the access control requirements, ISO 27002:2022 focuses on the same principles as ISO 27001:2013 like:
• Using the need-to-know and need-to-use principles
• Maintaining consistency between access rights and information classification
• Managing access rights
• Formalizing the authorization of access requests

Many changes to the control seek to formalize activities implied in the 2013 publication. For example, ISO 27001:2022 specifies that the topic-specific policy should consider logging user access, whereas the 2013 document focuses on archiving records of significant events concerning the use and management of user identities. Although the language of the two differs, the spirit of the control is consistent.

The ISO access control requirement focuses on implementing the best, minimum baseline principle of least privilege best practice. Companies should know who accesses their sensitive data. They should have control over it. They should be limiting that access on a need-to-know and need-to-use basis.

Vendors with Certifications are Invested

From a security and privacy perspective, customers use these certifications to check off their own compliance boxes. To meet their own vendor risk management compliance requirements, they use the certifications as part of their due diligence documentation.

As the threat landscape continues to evolve, point-in-time audits seemingly provide little reassurance. Many large organizations that experience a data breach were able to provide third-party validation over their security and privacy posture. For some people, these certifications may appear to be nothing more than a business requirement.

Realistically, while certifications focus on minimum baselines, they prove a vendor’s investment in and commitment to security and privacy. The certification process takes time, staffing, and financial resources. For example, an ISO 27000-series audit can cost as little as $5,000 for a company with less than 50 employees to as much as $35,000 for a larger organization. Most certifications require a similar financial outlay.

However, these direct costs are only a fraction of the overall financial investment. Preparing for the audit incurs additional costs, including hiring a consultant and engaging in a gap analysis. Further, companies investing in certifications may need to supplement their current security and privacy programs with new technologies or services like:
• Training programs that meet the certification’s requirements
• Staff to support the compliance initiative
• Software and application licenses for technologies that implement and maintain controls

After finishing the initial certification, the company continues to invest in maintaining compliance through internal audit processes and regularly scheduled third-party audits.

The certification process is not a one-time investment; it’s a long-term commitment.

Beyond the Bare Minimum: The Swiss Digital Trust Label

Most certifications focus on technical and administrative data protection controls. Often, customers still question their vendors’ ability to protect information. In Europe, the Swiss Digital Trust Label seeks to create a framework that recognizes the import role social and ethical responsibilities play.

Rather than viewing these humanistic elements as disconnected from digital vendor relationships, the Swiss Digital Trust Label recognizes that technical, social, and ethical must be woven into the fabric of a customer-vendor relationship.

The Swiss Digital Trust Label works towards reducing mistrust by focusing on the following elements, viewing them all as equally important to the digital ecosystem:
• Transparency: Clear communication, including a culture willing to admit mistakes
• Understanding: Willingness to understand others and enable understanding
• Participation: Ability to help direct the digital service’s future
• Authority: “Relationship capital,” meaning respected parties willing to provide an endorsement
• Accountability: User recourse to hold digital services accountable
• Technology: Reliability and ease-of-use
• Infrastructure and ecosystems: Reliance on interconnected digital services and frameworks for identification and data sharing
• Norms: Clear rules for how digital services should work and behave
• Forums: Open and inclusive discussions about norms
• Economy: Business models that offer customers a real choice rather than exploiting data

The Swiss Digital Trust Label provides the first certification to unify the psychological underpinnings of trust with the technical requirements for data protection. This certification goes beyond the bare minimum technical requirements and incorporates a vendor’s philosophy around data protection.

As always, no certification can prevent a data breach. However, this new approach recognizes that in a digital world verifying a company’s technical controls is not enough to build customer and digital trust. Trust must be earned by recognizing the social and ethical responsibilities vendors have to their customers, both consumer and corporate.

Verification through the Right Validation

Building customer digital trust requires more than simply offering a set of technical and administrative controls validating a company’s data protection efforts. In an increasingly digital world, vendors need to recognize the role they play in their customers’ lives. Technology is not just business critical; it is now embedded into all facets of people’s lives.

Data protection is a business imperative. Technology companies need robust technical and administrative controls so that they can build cyber resilient business models. Too often, vendors forget that their products exist to enable people. By eliminating people from the equation, they build sterile policies, processes, and procedures.

The Swiss Digital Trust Label brings the human elements under the data protection umbrella. By doing so, it gives companies a way to validate more than their security controls and commitment. It enables them to validate their data protection philosophy.

About the Author:

Szilveszter Szebeni is the Co-founder & CISO at Tresorit, An European security company, that end-to-end encrypted productivity solution.

As a Chief Data and Compliance Officer, Szilveszter is responsible for the seamless operation of Tresorit’s information management and compliance. With his experience in Business Intelligence and Data Analytics, Szilveszter supports all departments, by continually updating and improving decision making tools. Szilveszter holds an MSc degree in Computer Science from the Budapest University of Technology and Economics (BUTE).