Building a culture of Digital Trust

Our vision at Snyk is to make the digital world a safer place.

As a company building security solutions for developers, we want to ensure that our customers and stakeholders trust our ability to protect and secure their data and privacy. This is also known as “Digital Trust” and it is the center of our business value proposition and user experience — it also presents a constant challenge.

When we live in a time of heightened user awareness around privacy and security, how does a company demonstrate that it is a trustworthy custodian of their users’ secrets, texts, images, purchases, travel plans, medical data and their “every moment of frustration or weakness” (to paraphrase Tim Cook in his 2019 Stanford commencement address)?

For companies who want to succeed and lead, in a world with “trust issues,” they have to think beyond a box-ticking compliance exercise.  Companies that demonstrate Digital Trust gain a competitive advantage, are more attractive to investors and instill greater confidence among its employees and stakeholders.

Leadership and accountability are often mentioned as a prerequisite for instilling desirable corporate behavior. Yes, leaders acknowledge that in the event of a security breach or major hack, their heads are on the block. As a result, a team of compliance, security, and IT experts is tasked with ensuring these risks are controlled through stringent policies and the leveraging of systems and tools. However, security flaws or data privacy issues often emerge at an early stage of a product development life-cycle or deep within the detail of a business process or workflow. It’s down to the team on the ground to spot the issues and raise the red flags early enough so that course-correction can happen. Furthermore, it’s often not the big hack or the code failure that makes the data breach headline; it’s sometimes the mundane but careless act that causes unintended, far-reaching consequences, i.e. human error. It is safe to say that eliminating human error is nearly impossible. However, by changing the way humans think, it is possible to reduce that risk of human error, when handling sensitive personal data.

How do you operationalize Digital Trust in your company?

You’ve heard the phrases — “security-first mindset”, “privacy by design and default,” and “creating a culture of continuous compliance”.  But how do we operationalize compliance? How do we change behavior and embed that mindset into our culture? How do we get everyone in the company to actually care?

Here are some of the things we have done at Snyk to adopt the Digital Trust behaviors and mindset:

• We talk about it. A lot! Some of the key messages we share: The stakes have never been higher. Digital Trust is what our customers expect us to deliver and our success depends on meeting this need. Security and privacy is everyone’s responsibility, no matter what job they do. The legal team may write the policies, the security team may implement the tools, but everyone’s job has the potential to touch confidential and private data. Basic training is compulsory for all staff, and additional training is available for people in specific roles. In our messaging, in our guidance materials and in company meetings, we refer to real examples and use-cases where red flags have been raised. In doing so, we are training our people to recognize these red flags and never to be complacent.

• Celebrate. We appreciate and celebrate our people when they raise a security or privacy issue. Just as we celebrate a sales win or a new product launch, we give a shout-out on our Slack #appreciation channel to people who have displayed privacy awareness, which sometimes means they build or design a product or feature in a different way or decide NOT to build a feature at all.

• Leadership. Our CEO, Peter McKay, leads from the top in reinforcing the messaging around “making the digital world a safer place”. A newsletter on Security, Ethics and Trust is now sent out by him to all employees every quarter with tips and reminders on how to take responsibility for security and data privacy.

• Donuts! Or Doughnuts! If you leave your laptop unlocked whilst you’re away from your desk, one of your colleagues snatches the opportunity to send Donut emojis from your Slack account to the office, and the owner of the offending laptop has to buy donuts (or other similar sugary, carb-loaded treats) for the entire office. This is just an example of how to foster good security habits in ways that don’t feel heavy-handed.

• Privacy champions. Security teams and legal or compliance departments cannot be everywhere or see everything. The company has champions in each team who can be the trusted partners with the context and credibility to spread awareness in their team and to help reinforce good behaviors. Extra privacy training and know-how empowers the champions and offers them a chance to develop a skill set alongside their day job. The champions are an invaluable extension to the security, legal and compliance functions of the company.

Changing behavior is always hard. No one ever claimed that security and privacy were sexy topics. There are other carrot/stick approaches that some companies adopt, e.g. measuring compliance in employee objectives, or disciplinary processes for those who breach policies. These probably have a place in the total package of measures. However, building a culture of Digital Trust involves getting inside the heads and under the skin of people. Folks only engage with digital security and data privacy when they really understand what’s in it for the company (and by extension, for them). With encouragement, behaviors that start off as unnatural (e.g. locking your laptop), become habitual. A low-level paranoia about security breaches seeps in and brains are slowly rewired to become alert to Digital Trust issues. The job is never complete, but by making people care deeply about this issue, we are on our way to building, growing and innovating responsibly and safely.