The Trust Center tools offered by compliance vendors are pretty slick. They describe the organization's compliance program, what certifications and attestations they have, what controls they have in place, and who their subprocessors are. In many respects, these are good tools that organizations should deploy. I have looked at a number of trust sites and have found a few themes.

1) The request for access to a SOC 2 attestation report or similar documentation is not necessarily followed up on. While the company set up the site, they did not work on the process for when requests were made. I used the tool for one of our vendors (who doesn't have a great program) and they failed to respond. Since I am an actual customer, I assume that I should be approved, but they have not. I would bet that this behavior is not unique.

2) The controls listed on the website are very generic. I get that you are picking from a menu of controls. Someone in marketing is not crafting the specific language that is appropriate for your organization and site. Good trust centers should have language that is 100% applicable to the organization and not "The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key." The sentence above does not give a good sense of the control or even if it is really being performed.

3) Speaking of not getting a good sense of things. Many of these pages do not give you good context for the cybersecurity program. I would like to see something like "Our cybersecurity team is led by Jane Smith, CISSP. We focus on x, y, and z." Maybe some statistics about the program. Most of these pages just give you raw information about the program.

What do you think of Trust Center pages? Do they make things better or worse? Let us know in the comments below. #fciso
I appreciate what they offer, but yeah, feels like a baby step...
The challenge we've seen with most "trust centers" is that the company can "lie their way through them." Many are simply a yes/no checkbox exercise with little to no efficacy or data to support their claims. When we launched the trust center at Compliance Scorecard, we didn't want to do what's "popular" but rather what's "right." Providing REAL-TIME data showing where and how you are meeting controls to show trust, with live data, is to us what is "right," and it actually builds trust with the data to support it in real time.
As a vCISO I had more than a dozen clients using "automate-compliance-get-certified-in-weeks" platforms, and 100% of them had Trust Pages and poor to very poor security programs. Five of them used the same, apparently very popular vendor, and to my surprise, they had over 90% of the same policies (like, the filenames were the same). Out of these, most were identical, statement after statement, word for word :D Only the company information in the headers was different! Best of all, these companies had nothing in common: different industries, large variations in number of employees, etc. My sample is small, but sufficient for me to raise a big red flag every time I need to evaluate the security of a company using "automate-compliance" platforms, which in reality sell the fake feeling of security. I wrote more about this in my (recently published) book Cybersecurity Metastrategy, in case you're interested in finding out more (https://www.amazon.com/Cybersecurity-Metastrategy-No-Guide-Executives/dp/B0D6LKR9JK)
The devil is in the details. Too many companies underestimate the importance of information security. They see it as red tape for which they must craft documentation to lubricate the sales process. In my opinion, the issue is not the tools; it's the users of the tools. If you are buying the tool to create the appearance of caring about security, then that's an issue.
Trust centres, when done well, can be a force multiplier, but I agree that it does require putting the work in to do that.
I find #2 to be the biggest problem, as too many of these products tend to boil controls down into general gruel threaded throughout frameworks (MFA is on all these frameworks, so let's have a general entry in our trust center that this company uses MFA... never mind that some frameworks specify certain factors). Add that to low-quality assessments and you have a great finger-pointing session when the SOC Slop hits the fan.
I had missed this post, but indeed, very aligned!
Will keep in mind when setting up the next one!
When implemented well, Trust Centers are fantastic! A few vendors provide such a service really well. I don't want to call them out here for unpaid advertising, but I would say, Rob, your experience is probably more negative due to going through Trust Centers that were outdated. Unfortunately, that seems a common experience, but it does not have to be.