WEBVTT

1
00:00:00.480 --> 00:00:02.820
Anna Delaney: Hello, I'm Anna Delaney. What's the current

2
00:00:02.820 --> 00:00:05.820
state of digital trust? And joining me to answer that

3
00:00:05.820 --> 00:00:10.230
question are David Samuelson, CEO of ISACA and Chris

4
00:00:10.260 --> 00:00:14.040
Dimitriadis, chief global strategy officer, also at ISACA,

5
00:00:14.130 --> 00:00:17.190
who will be sharing findings from ISACA's recently published

6
00:00:17.220 --> 00:00:20.670
state of digital trust survey. Great to see you both.

7
00:00:21.450 --> 00:00:22.170
David Samuelson: Good to be here.

8
00:00:22.920 --> 00:00:23.820
Chris Dimitriadis: Thank you. Yes.

9
00:00:24.360 --> 00:00:26.580
Anna Delaney: So David, I want to start with one of the

10
00:00:26.580 --> 00:00:31.680
survey's findings. Only 29% of respondents were extremely or

11
00:00:31.680 --> 00:00:34.710
very familiar with the term digital trust. So what are some

12
00:00:34.710 --> 00:00:38.220
misconceptions around digital trust that you'd like to address

13
00:00:38.220 --> 00:00:38.670
today?

14
00:00:39.810 --> 00:00:43.380
David Samuelson: Well, digital trust is a rising term in the

15
00:00:43.380 --> 00:00:46.770
conversation around cybersecurity. And I think the

16
00:00:46.770 --> 00:00:50.130
reason for that, we think the reason for that, is it's bigger

17
00:00:50.130 --> 00:00:55.710
than cybersecurity.
ISACA has a more holistic definition because

18
00:00:55.710 --> 00:01:00.090
digital trust requires multiple components in every

19
00:01:00.090 --> 00:01:03.690
organization, not only cybersecurity, but quality and

20
00:01:03.690 --> 00:01:07.230
availability and security and privacy, of course, are very

21
00:01:07.230 --> 00:01:12.300
important, but also ethics and integrity, transparency and

22
00:01:12.300 --> 00:01:18.750
honesty and resilience because in the long run, almost every

23
00:01:18.750 --> 00:01:22.380
company's a digital company today, even the small mom and

24
00:01:22.380 --> 00:01:26.040
pop on the corner, as you know, is connected to the cloud in

25
00:01:26.040 --> 00:01:31.500
some way and can be compromised. And, in fact, they're at a

26
00:01:31.500 --> 00:01:33.660
greater risk than larger companies who don't have the

27
00:01:33.660 --> 00:01:36.690
resources. So, really understanding the holistic view,

28
00:01:37.140 --> 00:01:41.760
especially in our community of digital trust professionals at

29
00:01:41.820 --> 00:01:46.020
ISACA, we think that working together is going to create a

30
00:01:46.020 --> 00:01:51.600
longer-term solution than any one of these activities in the

31
00:01:51.600 --> 00:01:55.680
domain. So I think it's partly because it's a new term, and

32
00:01:55.680 --> 00:02:00.090
partly because we're trying to introduce and give meaning to

33
00:02:00.240 --> 00:02:06.000
this term. That is, we think it's important for the world to

34
00:02:06.030 --> 00:02:08.430
kind of operate in this digital trust environment.

35
00:02:10.350 --> 00:02:13.380
Anna Delaney: So Chris, what did you learn from the survey about

36
00:02:13.500 --> 00:02:15.690
the value of digital trust to respondents?

37
00:02:16.500 --> 00:02:19.620
Chris Dimitriadis: So one key finding of the survey is that

38
00:02:19.980 --> 00:02:23.820
digital trust is certainly recognized all around the world

39
00:02:23.820 --> 00:02:27.180
and its importance is recognized, as well. So,

40
00:02:27.180 --> 00:02:30.090
organizations, professionals around the world, they do

41
00:02:30.090 --> 00:02:34.170
understand the importance of digital trust, as far as the

42
00:02:34.170 --> 00:02:38.310
company or the organization's reputation is concerned about

43
00:02:38.310 --> 00:02:41.760
the success of the company in terms of its business goals, in

44
00:02:41.760 --> 00:02:47.160
terms of achieving wider stakeholder trust. And this

45
00:02:47.160 --> 00:02:51.120
awareness level is very positive. At the same time,

46
00:02:51.120 --> 00:02:55.860
though, we also identify that there is a gap between the

47
00:02:55.860 --> 00:02:58.770
recognition of the importance and the actions being taken

48
00:02:59.100 --> 00:03:05.400
right now, in our age. And this has to do primarily with the

49
00:03:05.400 --> 00:03:09.870
fact that collaboration between the different domains of digital

50
00:03:09.870 --> 00:03:15.240
trust, like cybersecurity, like assurance, or like privacy, like

51
00:03:15.570 --> 00:03:21.180
IT governance and IT management is very low, in order to really

52
00:03:21.180 --> 00:03:25.830
be able to enjoy the benefits of digital trust. And another issue

53
00:03:25.830 --> 00:03:28.800
we have identified has to do with measurement and the lack of

54
00:03:28.800 --> 00:03:34.560
capability at an organizational level, but also at an ecosystem

55
00:03:34.560 --> 00:03:38.610
level, a digital ecosystem level, to measure digital trust

56
00:03:38.610 --> 00:03:42.090
and this is very troubling, but at the same time, it's a

57
00:03:42.090 --> 00:03:45.270
challenge.
It's an opportunity in order to offer a solution

58
00:03:45.270 --> 00:03:47.910
that will really change the situation.

59
00:03:49.830 --> 00:03:52.320
Anna Delaney: David, do you want to add anything to that? I found

60
00:03:52.320 --> 00:03:56.040
that dichotomy quite interesting that respondents are very aware

61
00:03:56.040 --> 00:03:59.550
of the value of digital trust. I think 62% recognize there'll be

62
00:03:59.550 --> 00:04:03.690
a decline in reputation for a poor digital trust to customer

63
00:04:03.690 --> 00:04:08.610
experience, yet only 23% say the organization measures the

64
00:04:08.610 --> 00:04:12.300
maturity of its digital trust. So we'd like your thoughts.

65
00:04:12.510 --> 00:04:16.110
David Samuelson: Yeah, you need to measure against something,

66
00:04:16.110 --> 00:04:19.980
right? You need to have a framework, which is something

67
00:04:19.980 --> 00:04:25.440
that we're working on to understand what good looks like.

68
00:04:25.470 --> 00:04:31.260
And especially in this sort of comprehensive way, we have lots

69
00:04:31.260 --> 00:04:37.650
of standards in the world that go deep on IT governance or risk

70
00:04:37.650 --> 00:04:42.330
or cybersecurity. In fact, it's become more important to people

71
00:04:42.330 --> 00:04:45.960
to measure that. But as these professionals tried to do their

72
00:04:45.960 --> 00:04:51.810
jobs in their silos, they lacked kind of the punch across the

73
00:04:51.810 --> 00:04:55.650
board in an organization that we think that our digital trust

74
00:04:55.650 --> 00:05:00.150
ecosystem framework addresses and that framework is going to

75
00:05:00.150 --> 00:05:05.070
help people identify where the gaps are and what to do about it

76
00:05:05.100 --> 00:05:07.980
- begin to understand what to do about it when they collaborate.

77
00:05:08.280 --> 00:05:11.250
And we're just at the beginning of this journey, but it's an

78
00:05:11.250 --> 00:05:15.840
important one that came from our members. I mean, ISACA has

79
00:05:15.960 --> 00:05:20.400
170,000 members strung across the world in all of these

80
00:05:20.400 --> 00:05:24.930
domains. And as we listen to the issues that they have and the

81
00:05:24.930 --> 00:05:29.760
problems that they have in the workplace, these themes emerged,

82
00:05:29.760 --> 00:05:33.150
which is what created our concept around digital trust is

83
00:05:33.150 --> 00:05:38.610
that they were asking for ISACA to help kind of sort out how do

84
00:05:38.610 --> 00:05:44.520
we measure success in these domains together. And the result

85
00:05:44.520 --> 00:05:49.740
is our digital trust ecosystem framework, but we really aim to

86
00:05:49.740 --> 00:05:54.990
try to close that gap and in the back gap of percentage of people

87
00:05:54.990 --> 00:05:58.710
who understand what to do here and give them the ability to

88
00:05:58.710 --> 00:06:01.740
start, first of all, start talking about it, understanding

89
00:06:01.740 --> 00:06:03.900
the problem, and then addressing problems.

90
00:06:05.280 --> 00:06:06.870
Anna Delaney: Dave, you mentioned what good looks like.

91
00:06:06.870 --> 00:06:08.490
What does good look like?

92
00:06:09.690 --> 00:06:12.120
David Samuelson: Well, it's a great question. We are defining

93
00:06:12.120 --> 00:06:15.060
digital trust as the confidence and the integrity of the

94
00:06:15.060 --> 00:06:20.010
relationships, interactions and transactions among providers and

95
00:06:20.010 --> 00:06:24.480
consumers within an associated digital ecosystem. And this

96
00:06:24.480 --> 00:06:28.890
includes the ability for people, organizations, processes,

97
00:06:29.010 --> 00:06:32.490
information and technology to create and maintain a

98
00:06:32.490 --> 00:06:36.870
trustworthy digital world.
So, like I said earlier, every

99
00:06:36.870 --> 00:06:40.260
company is a digital company and many of them are going through

100
00:06:40.260 --> 00:06:43.830
digital transformation. And all of them are struggling with

101
00:06:43.830 --> 00:06:49.380
these, you know, cybersecurity news and security, just feeling

102
00:06:49.380 --> 00:06:54.960
vulnerable in this day and age because of all of that. And so,

103
00:06:55.530 --> 00:06:59.460
at the end of the day, good looks like trust, because their

104
00:06:59.460 --> 00:07:05.340
consumers need to understand that they're interacting with a

105
00:07:05.340 --> 00:07:09.780
company that is trustworthy in the digital space. You can, you

106
00:07:09.780 --> 00:07:12.750
know, you can walk into a neighborhood and sort of decide

107
00:07:12.750 --> 00:07:17.400
if you're going to go into a shop on a corner and trust

108
00:07:17.400 --> 00:07:21.540
whether or not this is a good neighborhood, you know, the shop

109
00:07:21.540 --> 00:07:26.370
looks like it's a good place to transact and all of those

110
00:07:26.370 --> 00:07:29.700
things, but at the same time, because of what's been going on

111
00:07:29.700 --> 00:07:32.910
in the world, you might go into a doctor's office today and say,

112
00:07:33.810 --> 00:07:36.000
"Please give me your social security number on this piece of

113
00:07:36.000 --> 00:07:38.250
paper and you start to wonder, well, where's this piece of

114
00:07:38.250 --> 00:07:42.510
paper going to go with my social security number on it, and who's

115
00:07:42.510 --> 00:07:45.120
storing it? Who has access to it? Who's got the keys? Are

116
00:07:45.120 --> 00:07:47.910
there controls in place? You know, do I want to give them

117
00:07:47.910 --> 00:07:52.410
this information?" So I think we're more aware of all of these

118
00:07:52.410 --> 00:07:56.820
things. So good has to be trust in the end.

119
00:07:58.680 --> 00:08:01.380
Anna Delaney: Chris, David mentioned that all organizations

120
00:08:01.380 --> 00:08:04.740
are going through some sort of digital transformation. What

121
00:08:04.740 --> 00:08:09.090
about an organization who is on the digital trust path quite

122
00:08:09.090 --> 00:08:11.760
early on? What barriers might they encounter?

123
00:08:13.290 --> 00:08:16.890
Chris Dimitriadis: It's a great question. I think that David

124
00:08:16.890 --> 00:08:23.850
explained about the gap in between, I think the definition

125
00:08:23.850 --> 00:08:30.300
that David gave makes perfect sense because David refers to a

126
00:08:30.300 --> 00:08:34.920
digital ecosystem, right? So nowadays, we realize that

127
00:08:34.920 --> 00:08:40.890
organizations, even if they have started their digital

128
00:08:40.890 --> 00:08:43.320
transformation efforts, or they're trying to invest in

129
00:08:43.320 --> 00:08:46.260
digital trust, what they're meaning to understand is that

130
00:08:46.260 --> 00:08:50.130
they can't really achieve innovation or to have a

131
00:08:50.130 --> 00:08:54.870
competitive advantage, or can be really different. If they don't

132
00:08:55.860 --> 00:09:01.110
use, they don't become part of larger ecosystem. So today's

133
00:09:01.140 --> 00:09:04.680
emerging technologies, for example, require a much larger

134
00:09:04.680 --> 00:09:11.550
supply chain in order to be able to really provide them to use

135
00:09:11.550 --> 00:09:14.520
technology as a real enabler of the business because of the

136
00:09:14.520 --> 00:09:18.570
speed that technologies are being adopted by several

137
00:09:18.570 --> 00:09:23.370
markets, right?
So I think it's very important to understand

138
00:09:23.370 --> 00:09:30.750
that we really need to have the right people within that

139
00:09:30.750 --> 00:09:35.400
ecosystem or the organization in order to be able to take those

140
00:09:35.400 --> 00:09:39.030
efforts forward and this is one of the obstacles that right now

141
00:09:39.030 --> 00:09:44.370
there is a gap between demand and supply. As far as the right

142
00:09:44.370 --> 00:09:48.240
professionals are concerned, there is a skills gap. And also

143
00:09:48.240 --> 00:09:52.380
there is a gap between business and technology functions in

144
00:09:52.380 --> 00:09:57.810
terms of the language they speak. So many times we see very

145
00:09:58.350 --> 00:10:03.540
high-level executives - let's say board of directors and CEOs

146
00:10:03.540 --> 00:10:07.710
- still in many industries, they consider digital trust,

147
00:10:07.710 --> 00:10:12.210
cybersecurity and related professions are still too

148
00:10:12.210 --> 00:10:16.620
technical for them. And behind this, I believe that the reason

149
00:10:16.620 --> 00:10:20.700
is that we not only need to create more awareness about the

150
00:10:20.700 --> 00:10:24.720
linkage between the digital ecosystem and the business terms

151
00:10:24.780 --> 00:10:28.110
and the business objectives, but we also need to train

152
00:10:28.200 --> 00:10:32.310
professionals more at the lower levels in order to be able to

153
00:10:32.310 --> 00:10:35.850
speak the language of executive management to be able to

154
00:10:35.850 --> 00:10:39.960
quantify digital trust in terms of the strategic objectives of

155
00:10:39.960 --> 00:10:44.190
an organization, in order to be able to explain, and not in

156
00:10:44.190 --> 00:10:48.840
technical jargon, but primarily with business terms in order to

157
00:10:48.870 --> 00:10:54.150
achieve this buy in.
And when we discuss about lower budgets, or

158
00:10:54.150 --> 00:10:58.200
lack of buying and so on, I think it all comes down to the

159
00:10:58.200 --> 00:11:02.070
languages that different professionals speak within

160
00:11:02.070 --> 00:11:04.500
organizations. So training - I think that the common

161
00:11:04.500 --> 00:11:10.110
denominator is training and upskilling professionals in

162
00:11:10.110 --> 00:11:13.230
order to be able to collaborate better and to speak the same

163
00:11:13.230 --> 00:11:15.240
language in order to achieve the same target.

164
00:11:15.540 --> 00:11:18.330
David Samuelson: Yeah, leadership. Leadership has to be

165
00:11:18.330 --> 00:11:23.910
brought in for this to work. And it is a business issue, right?

166
00:11:23.910 --> 00:11:27.900
It's a business issue for everyone. So translating into

167
00:11:27.900 --> 00:11:31.800
business terms, which isn't always easy to do, if you know,

168
00:11:31.800 --> 00:11:34.710
if you're an IT professional and you've come up through the ranks

169
00:11:35.040 --> 00:11:40.680
of IT or engineering, one of the skill sets you may not have is,

170
00:11:40.710 --> 00:11:43.980
you know, winning an argument in the boardroom or raising the

171
00:11:43.980 --> 00:11:48.060
flag of concern. And that, of course, there are many IT

172
00:11:48.060 --> 00:11:50.970
professionals that have that ability, who are leaders there,

173
00:11:51.150 --> 00:11:54.840
but giving more people the opportunity to connect the

174
00:11:55.170 --> 00:11:59.100
business issues actually helps achieve this. It's one of the

175
00:11:59.130 --> 00:12:02.430
most important gaps and like anything, you have to have kind

176
00:12:02.430 --> 00:12:05.490
of a bottom-up and a top-down approach in an organization.

177
00:12:06.510 --> 00:12:08.340
Anna Delaney: So you've mentioned leadership and

178
00:12:08.340 --> 00:12:12.210
training. What about tools?
Are there specific tools that can

179
00:12:12.210 --> 00:12:16.500
help companies grow their digital capabilities? David?

180
00:12:16.980 --> 00:12:22.620
David Samuelson: Yeah, there are lots of tools that organizations

181
00:12:22.620 --> 00:12:27.720
use that come in the form of different standards and

182
00:12:27.750 --> 00:12:31.920
sometimes, because of regulation. And that generates

183
00:12:33.030 --> 00:12:37.620
tools that people are applying to, you know, check the boxes to

184
00:12:37.620 --> 00:12:40.410
make sure that they're complying and make sure that things are

185
00:12:40.410 --> 00:12:45.240
happening. But to really get the biggest benefit, we first need

186
00:12:45.240 --> 00:12:52.410
to understand this overarching structure, I think, and realize,

187
00:12:53.070 --> 00:12:56.820
what I like to call the whitespace between these

188
00:12:56.850 --> 00:13:00.180
activities that exist in organizations, because if you

189
00:13:00.180 --> 00:13:05.340
can close those gaps, then you actually potentially achieve a

190
00:13:05.340 --> 00:13:10.170
more important resilience in digital trust. And I think that

191
00:13:10.260 --> 00:13:14.040
this concept of, first of all, understanding that it's a

192
00:13:14.040 --> 00:13:19.800
business issue, maybe reframing it as digital trust, helps all

193
00:13:19.800 --> 00:13:23.220
of the areas. Risk is a good example. I mean, cybersecurity

194
00:13:23.220 --> 00:13:26.820
is a risk issue for an organization. Risk is managed by

195
00:13:26.820 --> 00:13:29.850
senior management and known organization should be, but it's

196
00:13:29.880 --> 00:13:34.500
often delegated to a risk register or risk officer and,

197
00:13:34.800 --> 00:13:38.850
you know, to manage the kinds of things that organizations should

198
00:13:38.850 --> 00:13:41.910
be paying attention to.
And if you can get the marketing

199
00:13:41.910 --> 00:13:45.120
department or even the HR department to be partners with

200
00:13:45.120 --> 00:13:49.620
you in understanding the digital trust message and connecting

201
00:13:49.620 --> 00:13:53.220
that to the employees of the organization, who are the

202
00:13:53.220 --> 00:13:58.050
frontline of the interactions with customers and are building

203
00:13:58.050 --> 00:14:01.500
the trust with customers, then I think you start to achieve

204
00:14:01.590 --> 00:14:08.220
long-term trust and resiliency around this issue. And so I feel

205
00:14:08.220 --> 00:14:14.340
like the tools have to extend beyond just the specific domains

206
00:14:14.340 --> 00:14:17.610
and into the organization a little bit more. Chris, I don't know if

207
00:14:17.610 --> 00:14:19.440
you have more specific ideas there.

208
00:14:19.000 --> 00:14:21.580
Chris Dimitriadis: They're very well said, David. Just some

209
00:14:21.580 --> 00:14:26.620
examples, maybe not ideas. For example - and it depends on the

210
00:14:26.620 --> 00:14:30.940
size and the nature of the organization - but we have many

211
00:14:30.940 --> 00:14:35.050
tools, as David said, in its domain, in audit, in

212
00:14:35.050 --> 00:14:38.920
cybersecurity, in privacy, or when we're managing technology

213
00:14:38.920 --> 00:14:43.780
projects and so on. What we don't have right now is a tool

214
00:14:43.780 --> 00:14:47.890
that will bring everything together. For example, if an

215
00:14:47.890 --> 00:14:51.670
organization is focusing on time to market using agile

216
00:14:51.670 --> 00:14:56.200
methodologies, how do you deploy continuous auditing

217
00:14:56.200 --> 00:14:59.350
methodologies? How do you introduce emerging technologies

218
00:14:59.350 --> 00:15:04.150
like AI in order to help you out identify partners, how does this

219
00:15:04.150 --> 00:15:09.820
link with the cybersecurity strategy?
And therefore, is this

220
00:15:09.820 --> 00:15:13.870
part of the enterprise risk management framework? Do we take

221
00:15:13.870 --> 00:15:17.140
into account privacy considerations based on the data

222
00:15:17.140 --> 00:15:22.240
that the organization is controlling? But most

223
00:15:22.240 --> 00:15:25.000
importantly, what's going on with the rest of the supply

224
00:15:25.000 --> 00:15:28.600
chain? Because we may have tools for organizations, but we may

225
00:15:28.600 --> 00:15:33.190
not have tools in order to gain more confidence about the supply

226
00:15:33.190 --> 00:15:37.300
chain and we will depend. And it may be cybersecurity incidents.

227
00:15:37.330 --> 00:15:42.580
And this is another example, we see that usually the supply

228
00:15:42.580 --> 00:15:47.200
chain was the main, let's say, vulnerability of the whole

229
00:15:48.130 --> 00:15:52.600
digital ecosystem even of a large organization, or we see

230
00:15:52.600 --> 00:15:59.200
that even if an incident occurs, a cyber incident occurs, still

231
00:15:59.650 --> 00:16:05.590
digital ecosystem may have missed basic security controls

232
00:16:05.590 --> 00:16:09.580
that more or less demonstrate a vulnerability in auditing,

233
00:16:09.820 --> 00:16:13.750
rather in cybersecurity, in order to create that confidence.

234
00:16:13.750 --> 00:16:16.960
So bringing everything together is very important. And that's

235
00:16:16.960 --> 00:16:21.010
why ISACA invested in the development of a new framework,

236
00:16:21.040 --> 00:16:23.890
the digital trust ecosystem framework. Maybe David, you want

237
00:16:23.890 --> 00:16:26.110
to say a couple of words about it?

238
00:16:27.360 --> 00:16:29.670
David Samuelson: Yeah, well, I've talked about it already.
I

239
00:16:29.670 --> 00:16:34.080
think we're launching this framework, which is across the

240
00:16:34.080 --> 00:16:37.860
domains that we mentioned, and not surprisingly, the domains

241
00:16:37.860 --> 00:16:43.890
that we serve at ISACA across assurance and auditing, IT

242
00:16:43.890 --> 00:16:50.940
governance, risk management, privacy, cybersecurity and

243
00:16:50.940 --> 00:16:58.290
quality. And those domains are essential across the board, in

244
00:16:58.290 --> 00:17:03.360
terms of achieving digital trust. And I feel like one of

245
00:17:03.360 --> 00:17:08.610
the things that we need to do as an association is provide that

246
00:17:08.640 --> 00:17:13.650
level of best practice or what does good look like and help

247
00:17:13.680 --> 00:17:17.640
point people. There's lots of good work going on in each of

248
00:17:17.640 --> 00:17:21.960
those domains, and which is very important work. And we still

249
00:17:21.960 --> 00:17:24.810
need those frameworks. And we still need those experts and

250
00:17:25.290 --> 00:17:32.370
those tools. But it's not enough. There's something else

251
00:17:32.370 --> 00:17:36.810
that we need, which is across the board, that allows us to

252
00:17:36.810 --> 00:17:41.580
measure this kind of success for organizations and that's our

253
00:17:41.580 --> 00:17:41.880
aim.

254
00:17:43.560 --> 00:17:46.530
Anna Delaney: The framework can also help organizations measure

255
00:17:46.530 --> 00:17:50.310
the maturity of their digital trust practices, I presume?

256
00:17:51.090 --> 00:17:53.280
David Samuelson: Yeah, well, we'll get there, you know. We

257
00:17:53.280 --> 00:17:57.600
have one of the things that ISACA does is measure maturity

258
00:17:57.600 --> 00:18:02.370
against frameworks, we have the CMMI maturity model that is part

259
00:18:02.370 --> 00:18:06.330
of ISACA, which measures sort of quality in an organization.
And

260
00:18:06.330 --> 00:18:10.140
what's nice about a maturity model, as opposed to, say a

261
00:18:10.140 --> 00:18:14.430
checklist of whether you're complying or not, is that it

262
00:18:14.430 --> 00:18:19.830
talks about a journey, like how close am I to great, or if I'm

263
00:18:19.830 --> 00:18:24.630
adequate, at least I want to know where I am on a maturity

264
00:18:24.630 --> 00:18:29.730
scale, so that I know where to focus because there are a lot of

265
00:18:29.730 --> 00:18:32.460
effort, especially in cybersecurity, because of the

266
00:18:32.460 --> 00:18:36.690
world that we live in, that is happening today. And so, you

267
00:18:36.690 --> 00:18:41.130
know, that's great. So measure where we're at, we've got this

268
00:18:41.130 --> 00:18:44.100
part covered, but maybe we're weak over here, or maybe our

269
00:18:44.100 --> 00:18:47.370
risk isn't talking to our cyber and therefore, we've got some

270
00:18:47.370 --> 00:18:51.390
gaps. And we're not identifying enough for the C-suite or for

271
00:18:51.390 --> 00:18:54.510
the boardroom because of that. Because maybe those tools are

272
00:18:54.510 --> 00:18:58.650
more mature, it's just understanding where you are on

273
00:18:58.650 --> 00:19:02.700
the journey, which we think is important in order to figure out

274
00:19:02.700 --> 00:19:07.650
what to do first. So we'll be launching them, the framework,

275
00:19:07.920 --> 00:19:11.730
this year and next year, we're working on the maturity

276
00:19:11.730 --> 00:19:16.230
assessment, or the index that allows us, our community, to

277
00:19:16.230 --> 00:19:19.980
start to make judgments about how to use this framework and

278
00:19:19.980 --> 00:19:26.610
where to apply their efforts. And then, as we develop those,

279
00:19:27.420 --> 00:19:32.370
we can understand what solutions are required. And there's many

280
00:19:32.370 --> 00:19:35.190
solutions in the marketplace.
And so, part of what we can do

281
00:19:35.190 --> 00:19:41.670
is help point to those solutions once you identify the gaps.

282
00:19:42.900 --> 00:19:45.240
Anna Delaney: Very good. Well, just final questions. You both

283
00:19:45.810 --> 00:19:48.660
advise organizations how can they gain the most from this

284
00:19:48.660 --> 00:19:49.530
survey? Chris?

285
00:19:50.820 --> 00:19:53.340
Chris Dimitriadis: Absolutely. I think that first of all, it's

286
00:19:53.340 --> 00:19:58.020
about awareness. In order to understand that digital trust is

287
00:19:58.020 --> 00:20:03.360
very far from any progress an organization may be able to do

288
00:20:03.360 --> 00:20:07.200
at an individual domain. So it's about progress in all of the

289
00:20:07.200 --> 00:20:12.030
domains at the correlated combined manner. So this

290
00:20:12.030 --> 00:20:17.910
important awareness in terms of the business importance and the

291
00:20:17.910 --> 00:20:22.680
business aspects of digital trust. But also, since we have

292
00:20:22.680 --> 00:20:26.460
identified the obstacles and the impeding factors for digital

293
00:20:26.460 --> 00:20:30.180
trust to try and take action and based on the results of the

294
00:20:30.180 --> 00:20:33.570
survey, start considering how upskilling and training

295
00:20:33.570 --> 00:20:38.970
personnel can lead into more digitally trusted ecosystem.

296
00:20:39.210 --> 00:20:43.380
And, of course, anything that has to do with viewing the

297
00:20:43.380 --> 00:20:48.120
problem more holistically, rather than in a silo. I think

298
00:20:48.120 --> 00:20:51.600
that's very important. Plus, finally, about the maturity

299
00:20:51.600 --> 00:20:55.530
assessments that David explained.
I think that it's

300
00:20:55.530 --> 00:20:58.590
important to read the results of the survey and understand that

301
00:20:58.590 --> 00:21:03.480
maturity assessments are about removing uncertainty because the

302
00:21:03.480 --> 00:21:06.990
higher you are in maturity, the more the certainty, and this is

303
00:21:06.990 --> 00:21:10.410
how maturity models work: certainty of the end outcome,

304
00:21:10.560 --> 00:21:13.800
and that's about confidence at the end of the day, which is

305
00:21:13.800 --> 00:21:15.780
part of the definition of trust.

306
00:21:16.350 --> 00:21:18.660
David Samuelson: Yeah, and I think one of the big things from

307
00:21:18.660 --> 00:21:22.830
this survey is to understand that it's a business issue, not

308
00:21:22.830 --> 00:21:27.000
an IT issue, and that the conversation should be broader

309
00:21:27.000 --> 00:21:33.000
than it is today. And that's why framing it under digital trust

310
00:21:33.000 --> 00:21:36.840
makes it a little bit more understandable across the board.

311
00:21:37.170 --> 00:21:40.530
Really employees. If you think about some of the most

312
00:21:40.530 --> 00:21:43.500
vulnerable issues - Chris talked about one being the supply

313
00:21:43.500 --> 00:21:46.410
chain, the other one, sometimes it's employees - you know, the

314
00:21:46.410 --> 00:21:49.980
weakest link in an organization might be a phishing campaign to

315
00:21:49.980 --> 00:21:53.220
a single employee that gets at some information you didn't want

316
00:21:53.220 --> 00:21:56.730
to share. But if there's understanding about how this all

317
00:21:56.730 --> 00:22:00.600
works, and why it's important, it's pretty basic. You know,

318
00:22:00.600 --> 00:22:03.630
it's about trust. Trust is something every business needs.

319
00:22:03.840 --> 00:22:06.870
Digital trust is important today, because we're all

320
00:22:07.140 --> 00:22:10.080
connected to the cloud. And we're all connected digitally.

321
00:22:10.380 --> 00:22:15.960
And it's happening so fast, it continues so fast that if you

322
00:22:15.990 --> 00:22:19.320
make it one person's job and it's delegated to that person

323
00:22:19.320 --> 00:22:22.380
and other people forget about it, if you make it everyone's

324
00:22:22.380 --> 00:22:26.400
job, then they understand why it's important and what role

325
00:22:26.430 --> 00:22:31.590
they play in achieving digital trust. And then you provide the

326
00:22:31.590 --> 00:22:35.100
tools to the experts who can help the organizations manage

327
00:22:35.100 --> 00:22:35.700
all of that.

328
00:22:37.230 --> 00:22:38.970
Anna Delaney: Very good. Well, this has been an excellent

329
00:22:38.970 --> 00:22:41.730
conversation. David and Chris, thank you so much for sharing

330
00:22:41.730 --> 00:22:43.320
your expertise and perspectives.

331
00:22:44.160 --> 00:22:46.410
David Samuelson: It was our pleasure, and thanks for having

332
00:22:46.410 --> 00:22:46.920
us, Anna.

333
00:22:47.520 --> 00:22:48.930
Chris Dimitriadis: Thanks for the opportunity. Thanks.

334
00:22:49.530 --> 00:22:51.960
Anna Delaney: We've been reviewing ISACA's state of

335
00:22:51.960 --> 00:22:55.230
digital trust survey. For ISMG, I'm Anna Delaney.