Trust isn't a tangible thing. It's tough to measure, and there's no SI unit defined yet I'm aware of. However, it's something you'll often need to communicate with your clients and potential clients.
For example, if you (a) work for a large company (b) deliver services to a large company, or (c) are regulated, you might have to convince someone to trust your IT or cyber security controls. I mean, you know you’re doing what you can, but how do you convince others of that?
There are lots of ways, and here’s a few I have come across:
1. Fill out your Client’s questionnaire
Your client will have a list of questions they’ll use to judge your cyber or IT controls. They may send this to you and ask you to complete it.
Benefits:
- Your client gets exactly what they need.
- You get a steer on what’s important.
Drawbacks:
- It’s a form – there’s no evidence behind it. It may not give the client much assurance in the end.
- The form might not fit your organisation. This is particularly true if you’re a small company trying to answer 160 page questionnaire.
- You might not really understand what you are being asked and answer incorrectly. As there’s little dialogue with the sender and no evidence, you sometimes need knowledge to complete them properly.
- Completing forms takes more time than you’d imagine.
2. Get certified to a recognised standard
You adopt a standard and get an outside body to certify you comply. Examples are ISO2700x series or Cyber Essentials. You hope this will pass on enough trust to avoid some forms.
Benefits:
- You’ll understand the area better, because you’ll have had to go through it yourself.
- You will probably have better security or IT controls in place.
- You’ll feel more comfortable you’re doing the right thing.
- If you have gaps or issues, you can resolve them without a client looking over your shoulder. Being told there’s a problem by a client is not ideal.
- It can (sometimes) reduce the need to complete a questionnaire.
Drawbacks:
- Certification or accreditation takes time. Not necessarily a lot, but it does take time.
- There’s also a cost to certification. It may be pretty reasonable, but this cash cost is real and you need to budget for it.
- It doesn’t really give too much formal assurance. It’s point in time, and it says you do the right things, not that you do the right things all the time. This matters in the world of assurance.
3. Third party audit
You decide to get a third party in to audit you to a recognised framework, like SOC2 or ISAE3402. These third parties are usually from accounting or professional services firm. You hope that this report will convey trust.
Benefits:
- The reports do tend to convey trust pretty well and are accepted by many organisations. That’s only one benefit, but it’s a really big one.
- Reports usually convey that you’re doing the right thing over a period (not at a point in time).
Drawbacks
- They are expensive to design and complete. Firms charge a lot for these reports, and it takes longer than you think internally to prepare for these audits.
- They use a lot of management time internally to prepare and complete. Much more than you think.
- They check in detail, and so your processes need to be mature. Not everyone’s are, quite yet, and this will lead to a problem with the audit.
There are other options, including option 1.5 (send a questionnaire and audit the company) but these are the three we see most often.
If you’re not sure how to communicate trust in security and security controls, get in touch below. We’ve been doing this for a long time, and the industry is moving quickly, so we can help you understand the steps to building client trust in your services.