We interviewed Ramsés Gallego, international chief technology officer at CyberRes, who explains what ISACA’s Digital Trust ecosystem is like.
A few weeks ago, Silicon covered ISACA’s international event on Digital Trust in Rome, where we had the opportunity to interview Chris Dimitriadis, ISACA’s director of global strategy, to learn more about the framework.
On this occasion, Ramsés Gallego, CyberRes’ international chief technology officer, has granted us an interview to talk about Digital Trust, the latest framework launched by ISACA. For this interview, Gallego speaks as an evangelist for ISACA, a company where he has held various positions, including international vice president on the company’s board of directors.
-How does Ramsés Gallego define Digital Trust?
Digital Trust is an attitude. Digital Trust is trust in information systems. Trust, on the other hand, is always subjective. You are trusted because others decide to trust you. That seems to me, in the case of Digital Trust, to be completely instrumental. I can say that my company is super trustworthy, but in the eyes of a third party, the actions you take, the processes you have, and how robust and solid the image is, is absolutely key. Answering your question: Trust in information systems and transactions, so that we perceive them to be robust and solid to merit trust.
-The new Digital Trust framework is based on previous frameworks such as COBIT 2019. How is this set of recommendations structured?
COBIT 2019, in its various iterations: COBIT versions 1, 2, 3, 4, 4.1. That’s where we decided to change the numbering. There were other frameworks called RiskIT, a framework dedicated to IT risks, and VAL IT, which was the value of IT. They were all brought together under COBIT 2019.
COBIT 2019, which I co-authored, was intended to be customizable. You don’t embrace this framework in its entirety. If you want to, yes. But its beauty lies in the fact that it is possible to take whatever processes you want, independently. This is where, at ISACA, we saw the opportunity to mold it, customize it and take it as the basis for the Digital Trust framework.
What is the architecture of Digital Trust? It has to do with availability, with ethics… To be trustworthy, one has to be transparent and have quality in the processes, one has to have integrity in those processes. So, all these values form the way in which the ecosystem is understood as something systematic (following processes and procedures) and systemic (belonging to a whole). If the ecosystem believes and transmits quality, availability, ethics, accountability, transparency, and integrity… it deserves trust. Hence Digital Trust, coming from COBIT 2019.
-We are in an era of digital transformation of businesses and companies. How do you manage to integrate the Digital Trust framework in a company?
First, you have to have the unequivocal will to ‘not only say I am trustworthy, but I will prove it’. This is the acceptance phase. Then comes the training and communication phase. If my processes are robust, solid, reliable, and trustworthy, customers will come and see, not only that I have a good service, but also that I have two-factor authentication, integration with different gateways, and federation with robust services. So how do companies embrace Digital Trust? By accepting it, embracing it, and communicating it. In the end, the way you are perceived is what will say whether or not we deserve Digital Trust.
COBIT 2019 focused on the governance of the IT enterprise. This macro framework consisted of frameworks for different areas of the enterprise. There is COBIT 2019 for risk, for service management, for privacy… These divisions of the framework allow customization for certain environments.
-Why is governance of the digital enterprise at the heart of digital trust?
Good governance of the digital enterprise is at the heart of ethics, availability, transparency, and metrics… How often do we measure issues such as reputation or ethics? It is fundamental. Good governance is at the heart of Digital Trust because it is different to manage than to govern. The set of governance responsibilities of the IT enterprise is very different from management, and COBIT 2019 already differentiated between management and governance. In fact, the framework also talks about how people are recruited, and about talent retention. I think it’s brilliant that digital trust also has a people, transaction, infrastructure, and, of course, technology aspect.
-Why do you at ISACA consider Digital Trust to be in the DNA of relationships in the digital age?
Those transactions have to be integral, robust, and solid… Some are done machine to machine, as we live in a world of machine learning. In the end, it is people who trust people. People deliver trust. Normally, a machine trusts because the algorithm tells it to or doesn’t tell it to. In technology, what machines do is known as “handshaking”, but people trust because something seems trustworthy, it seems to me like an expert who knows what he is talking about. People are in the DNA of all this; we are the ones who deliver trust.
For this reason, ISACA has been very right to use the term Ecosystem, because, in addition to encompassing developers, cloud, platform, social networks, devices, mobiles, etc., it also includes transactions, which, at the end of the day, are done “human to human”. People deliver trust. Digital Trust is subjective by nature. I decide whether I trust a bank or another company.
-At ISACA, you believe that privacy is a fundamental pillar of trust. Why?
To simplify what I am going to say, in any company, there are three fundamental pillars: identities, data, and applications. When Digital Trust talks about answering the questions of who has access to what, what data is accessed, and what applications are used for access, and more instrumental questions like for how long, and how deep, we already have data and identities covered. Then, the applications are sufficiently compact, robust, solid, coherent, and consistent. That is the ecosystem that we ultimately translate from the ISACA framework.
If I, as a user of any type of business, have the perception that the identities, data, and applications of that company deserve my trust, I have an unequivocal approach to Digital Trust. If a company has applications that are secure from cyber-attacks, data that is encrypted and tokenized, and controls who has access to what, that is the earthly approach to the Digital Trust framework.