In his blog, Bryan Fite wrote something very interesting. Suppliers of various digital services face competition from providers of ‘free’ services, and the first victim is information security. All that because the risk analysis went ballistic.
It seems that information services are well advanced in their specific version of the race to the bottom. Every industry must go through such a phase, usually associated with consolidations and hostile takeovers. The end result tends to be a handful of companies delivering stale, mediocre services at slightly lower prices. Like no-frills airlines.
Let’s look at the underlying vicious mechanism. Businesses and individuals can buy an information service from a more traditional service provider or can get it for free. It is of course not free, but it does not show up on the balance sheet.
The truth is that we pay for it in two different ways. The first one is well-known: services are cross-subsidized and our information is sold at a profit to advertisers. We do not pay only because we are being sold. Cattle also do not pay for feed and transport to the slaughterhouse.
The second way of paying for it is that we (as well as all the providers of internet services) take increased risk without acknowledging it. For users of free services, the whole notion of risk management actually disappears. It is either perfect operation or a total disaster, with nothing in between, and with no probability attached to either.
Think: what is the MTBF (Mean Time Between Failures) of Google services? Of Amazon cloud? We do not know and we will not know. So we do not know whether we are short-changed or whether we get an excellent deal. Just like that. The only thing that counts is that it is free. For as long as it works, security is of no concern. Once security becomes a problem, it will be too late to do anything.
TERM allows us to look at the trustworthiness of service providers and try to judge the risk better. It may not be a cure for our problems, but at least it acknowledges that there is a problem. From this perspective, it is better to use TERM than to wake up one day and find that all your information assets have disappeared.
As a member of Trust Across America, I recently received a poster with 2014 weekly reflections on organisational trust. You can have your own copy from here.
One of them struck me as being particularly true. Week 50: “The Swedish word for trust, ’tillit’, is a palindrome, highlighting the reciprocal nature of trust.”
As Trust Journey is telling us, there are two kinds of trust. The first one is an asymmetric one. I trust you because you are trustworthy, but that’s the end of it. If you stop being trustworthy, I will stop trusting you. I call this trust ‘credere’, as this is how banks assess our creditworthiness. They want us to be trustworthy but they do not offer much in return.
The second, better, kind of trust is a symmetric one – ‘fides’. Here the relationship of trust is mutual: I trust and I expect you to trust me. We both grow our relationship into trust. Into ’tillit’, so to say. So if you stop being trustworthy, I will not reject you. We will both sit down and try to work it out. I will not foreclose on your house just because you have trouble paying your mortgage.
The trick is, only the symmetric form of trust is a stable one, because it is where the relationship focuses on building and sustaining trust. Asymmetric relationships have a tendency to end up in a deterioration of trust, and possibly even in a breach of trust. That’s how incentives are stacked up, I am afraid.
So, follow Trust Journey towards a symmetric, reciprocal trust. Towards tillit.
It will take five to 10 years to rebuild public trust in banks. That’s not my assessment. This is what Antony Jenkins, the Group Chief Executive of Barclays, said recently. Well, he knows a thing or two, as the banking world has been plagued with problems: from mis-selling insurance to rigging exchange rates to exorbitant bonuses for under-performers. Not to mention normal problems with non-working computers or incompetent support personnel. I experienced all of those, so I know.
It is funny that he picked 5 to 10 years for the change. It is funny because the average tenure at his level is less than five years. What he effectively said is that he will not solve the problem of the lack of trust; he will leave it to the next overpaid executive. He will just make a lot of noise about it and then will move somewhere else while collecting his large bonuses.
If I were him, I would have picked 20 years, not 10. Twenty years is the generational change. A new generation of customers comes, looking for someone to trust, inexperienced in the level of greed and criminal incompetence we experienced. They are easy to deceive and they are easy to build trust with. It is also a lot cheaper to woo a new generation than to repair trust with the old one.
Meanwhile, I used Trust-O-Meter to quantify my trust in banks, including Barclays. It came out at an unimpressive 20%, bearing the warning that I have to balance trust and control. That I have to be prepared to be disappointed. To have my trust breached. Not a great start.
Still, Happy New Year.
There are two famous American roads: Route 66 and the yellow brick road. The “yellow bit road” is the one less traveled. It is a kind of hopeless hope of technologists. It is the information path that you can trust, the one that gets you to the trustworthy riches of the Web. That there was no tampering in-between. That you deal with trustworthy guys and trustworthy communication.
Pull up on the screen a Web page of your choice and look at it. Bits that make up this page traveled far, sometimes across the world. They traveled from different locations and through different routes. In this process they could have been tampered with. Several times. What you see may not be what you were supposed to see.
The hopeless technology dream is to build the road so secure that you can trust the content on your screen. We were successful with fragments of this solution, mostly with securing the communication between your computer and a server. Still, we failed to deliver the complete solution. Sorry.
There are two fragments of the yellow bit road that we tend to sweep under the carpet. The first one is in your device. The second one is at the remote server. The lack of the first fragment leads to viruses and Trojans. The lack of the second fragment leads to phishing and scam.
Still, even if we manage to protect the whole road, it may lead you to an untrustworthy site. In the end, the yellow brick road faithfully led Dorothy to the fraudster: to the wizard who was not a wizard at all. Security, so it seems, cannot replace trust.
“Businesses and users are going to use technology only if they can trust it.” That’s not me. That’s Satya Nadella, Microsoft Executive Vice President. Strangely, he is almost right.
Almost, because businesses are not looking at an abstract trustworthiness. They were conditioned to look at balancing risks and benefits. So, if a new technology brings significant savings, it will be adopted even if it is not completely trustworthy. Like cloud computing that Satya Nadella is actually managing.
Right, because what he had in mind is the uncanny inclination of any modern technology to convert a causal risk into a catastrophe, thus killing any normal risk-based analysis. Cloud computing is a case in point: when it works it works. When it fails it fails big.
The introduction of modern information technology means that you operate in only two modes: it is either completely normal operation or disaster recovery. Either you have all your data at your fingertips or you have none. There is nothing in the middle. There is no warning. Which means that you cannot expect help from risk management as it is right now.
TERM is better in this respect. TERM allows you to reason about trust in a way that Satya Nadella might actually approve of. Try it.