The article doesn't really say anything beyond "CTrO positions exist and think tanks think they're not a trend."
"We're really sorry it broke again, it wont happen again.. again"
(*requires healthy economy)
> Peake, a former CISO, said a lot of the skills from his previous role have translated into his current one. However, he said the CTrO role differs from the CISO role because it operates more on the “business level,” as the work done by a CTrO can directly impact revenue generation, contract negotiation, and onboarding new customers.
In my view, it's a role that sits between Sales and Security. A major part of the role is getting customers and prospects information about your business and security controls to validate their own needs (e.g. compliance requirements). It's still a semi-technical role, but isn't necessarily focused on the nuts-and-bolts of ground-level security.
The nuts-and-bolts security still falls to a CISO. This role is more about bridging the gap between security teams and customers. The Trust officer might have influence over high level roadmap items ("our customers are asking about X"), but the actual implementation will still land with the CISO.
Always look at who is requesting more regulation. Make sure they’re doing it for the right reasons and not simply to build moats that small companies can no longer cross. It can be a form of regulatory capture to propose the regulations in the first place.
The Trust officer is an outward-facing role.
The corpos yearn for regulations
For one it’s always been easier to not get caught than to do the work. And even people who do the work will generally agree with that. It’s not about easy, it’s about looking yourself in the mirror.
This sounds like another bogus role they'll ditch once they get their Nasdaq listing and need to make profits for their shareholders.
I'd probably trust any organisation with a role like this even less. It sounds like an organisation that doesn't think it can be trusted.
This seems more like corporate CYA than anything else. “well we did hire a trust officer and trust officers are trustworthy.”
> “Effectively, what the role does is offer assurance to the customers or potential customers of that organization that their data, their information, their technology, the infrastructure, the platform itself, can be trusted as those customers adopt it,”
Like, protecting your customer's data should be assumed and the default. That you would need what's effectively another PR executive to communicate that and "offer assurance" just sounds like marketing speak for "We are doing the bare minimum, but we need our customers to think we do more than we actually do to keep their data safe."
Just sounds like the CISO's personal PR mouthpiece and like you said, someone else to take the fall when they get breached.
If you want trust, you don't need a Chief Officer for it---you just need a product that works well and a business strategy that doesn't rely on making your product slowly worse and more expensive until all your customers hate you.
It's not something you get by appointing someone to the board, someone who will be unknown to the vast majority of users of a product/service.
At best they'll do no harm I guess.
This position is meant to shovel shit faster than the customers can figure it out.
Progress!
smfh
This role is becoming popular because customers and prospects are demanding more and more information about a company's internal controls and processes before committing to buying. Mega companies have cared about this stuff for ages. Historically, the need was met with Audits. A big ticket item that gets cooked into the price of a $$$$ deal. The buyer sends their people into the vendor to validate controls are in place. That type of stuff still happens on big deals, but it's essentially coming down stream to your every day deal. Often, as a byproduct of a compliance need (like SOC II).
You'll likely see this role dealing directly with customers to answer questions about compliance, security, and controls. Essentially, it's like a mini-audit.
1. The Snowflake incident played a major role for this demand, as well as the ongoing Salesforce incident.
2. Most organizations will only trust commitments from someone who is an exec or in the leadership chain, so this kind of role now demands a C-Suite title, and CISOs are already overloaded and shouldn't necessarily know the ins-and-outs of GRC or Data Management requirements/regulations.