Trust is Earned: Part 1
Trust is earned.
Trust is doing what you say you will - over time.
Our strongest trust is often in our family. They pick us up when we fall.
Trust in an old friend who you don't speak to often. But you know exactly how the conversation will go when you do.
Trust in a longtime colleague.
Trust is not unique to cybersecurity.
Trust is (Sometimes) Earned: Part 2
Cybersecurity has a different view. Trust is about certificates, private encryption keys, and "roots of trust". It's about saying X is accurate and hasn't changed.
Trust is centralised.
It's based on a technology backed by an expert or institution.
But what if the technology fails? Or the expert and institution make a mistake? Just like Nvidia did earlier this month.
If you didn't see the news - Nvidia's private encryption keys, used to assign trust to their apps on Windows, were stolen. It took only 24 hours before these trusted encryption keys were used to sign viruses and malware. Meaning the malware became a "trusted app".
Experts and institutions are fallible.
Based on experiences and evidence, humans start with limited trust and let it grow over time.
When the cybersecurity industry says, "Trust me. I'm an expert..." and then silently adds, "...until I make a mistake," maybe it's time for cybersecurity to have some humility and learn from everyday experiences.
Maybe the industry should start by earning trust rather than assuming trust and leaving customers to pick up the pieces when there is a failure.