Is your trust model increasing your risk? Before we can answer that, let’s clarify what a trust model entails.
Assessing risk requires an understanding of trust
Risk assessment is the collection of many different variables that are measured and weighed. One of those variables is how a company will acquire services, software, and support to support IT operations and optimize their business. According to NIST SP 800-39 Managing Information Security Risk, trust is defined as a belief that an entity will behave predictably in specific circumstances. The publication goes on to state that “Trust, while inherently a subjective determination, can be based on objective evidence and subjective elements.” Without those pieces of objective evidence and subjective elements, we have a blind trust, furthermore leading to a lack of trustworthiness.
The sentiments above echo how we should be approaching risk. Practicing risk treatment to identify risks, mitigate risks, then accept risks. With trust, we want to follow the same model. Have you ever heard the saying, “Trust but verify?”
Trust can be tricky
As we educate our customers on cybersecurity, this topic continues to show up. Specifically, the trust model outlined in 800-139 is called Direct Historical Trust. While reading about direct historical trust, one particular concept caught my attention. “While validated trust models assume that an organization provides the required level of evidence needed to establish trust, obtaining such evidence may not always be possible. In such instances, the trust may be based on other deciding factors, including the organization’s historical relationship with the other organization or its recent experience in working with the other organization.”
In summary, it can be acceptable to work with an organization, software provider, MSP, 3rd party cloud provider, if there is a history of trust. Even if proving they are trustworthy is not possible.
However, and that’s a big, however, we observe significant mistakes with this approach with some clients and potential clients. Often, organizations place direct historical trust on their managed service providers to manage their IT infrastructure and assume cybersecurity is integrated into this process as well.
Trust but verify
The big mistake here is that it is completely plausible to verify the trustworthiness of a 3rd party partner. What is not acceptable is to blindly trust and assume. If you’ve been working with the same partner for 10+ years, or they are a friend of a friend or even a family member, this can cause issues with cybersecurity readiness and protections.
Working with Rhodian can help prove the trustworthiness of your partners and vendors, and provide better insight into cybersecurity protections in place and missing. Only then, can we truly gather one of the most key variables needed to calculate risk: Trust.
We’re ready by request to start a no-obligation Cybersecurity consultation.
