11

CYBERSECURITY IS PUTTING CUSTOMER TRUST AT THE CENTER OF COMPETITION

by Andrew Burt

If you’re selling a product, you’re now selling trust.

That’s thanks to two conflicting trends. One is our increasing reliance on software across nearly every dimension of our lives. It’s for this reason that, among all Fortune 500 CEOs, a full 71% now claim they are running technology companies. The second is the inherent privacy and security vulnerabilities related to software itself. As security and privacy pioneer Willis Ware once wryly declared, “The only computer that’s completely secure is a computer that no one can use.”

To navigate these two trends, companies across every vertical will need to prioritize data privacy and security, clearly demonstrate those priorities to consumers, and safeguard their relationships with customers by being fully honest about the dangers of data in the digital age.

That’s where Olav Lysne, a Norwegian security researcher, and Apple CEO Tim Cook come in. While neither has much in common with the other, at least on the surface, they both illustrate how the future of technology—indeed, the future of business—is all about trust.

Let’s start with Lysne.

A few years ago, the Norwegian government realized that it bought almost all of its critical technology from outside of Norway—think of the software that runs things like electric stations, water pumps, and cellular towers. Untrustworthy software might, for example, allow access to Norway’s data in ways the government would disapprove of—for example, to defraud the government by promising one thing and doing another, or to intentionally cease to function at a planned point in time.

These issues raised pressing national security questions: How could the government trust the technology it was increasingly reliant upon? What could Norway actually do to verify that it could depend on the software it was using?

In 2014, Lysne was tasked with leading a commission to answer these questions, an effort that culminated in a seminal book, The Huawei and Snowden Questions.

Lysne’s answer: Norway’s government simply could not verify as trustworthy the software it used. In fact, no one can. The very nature of our current software systems—the complexity underlying them, their supply chains, and more—makes it impossible to detect vulnerabilities intentionally inserted into software.

The sheer volume of code embedded into everyday objects, for example, is nearly impossible to review—the average car runs on an estimated 100 million lines of code, while Microsoft Office comprises up to 30 million lines of code. Meanwhile, the actual chips that make up circuit boards can be easily compromised themselves. These chips are composed of thousands, or in some cases millions, of gates; adding as few as 1,341 gates to just one chip has been shown to create a backdoor into an entire system.¹ The list of ways to compromise software is, as Lysne describes, seemingly endless.

This makes trust both the most important aspect of any commercial interaction and the hardest to measure. If we don’t trust the maker, we simply don’t know what it is we’re getting. And because trust cannot be proven, it must be signaled—through branding, marketing, and more.

So what does Lysne have to do with Tim Cook?

Cook is one of the few corporate leaders to understand the implications of Lysne’s conclusions. He has spent the past few years leading the charge in seeking to make trust the core of his company’s public identity.

This helps explain why, for example, in 2016 Apple picked a series of fights with the federal government about access to its users’ data while simultaneously staging a PR campaign around its actions.² This also is why, late in 2018, Cook publicly warned top European regulators of the dangers of the “data industrial complex” and called for new U.S. laws on data. And this is why Cook kicked off 2019 with an op-ed in Time magazine claiming to stand up for the rights of consumers who are simply “trying to win back their right to privacy.”³

It doesn’t hurt, of course, that this message also happens to undermine the ad-based revenue models of rivals such as Google and Facebook. But more broadly, Cook’s campaign aligns with Apple’s strategic interests. Indeed, it aligns with its own biggest long-term vulnerability.

That vulnerability is trust. While Cook cannot fix the problems Lysne identified—indeed, no one can—he can demonstrate that his company will do everything in its power to minimize them. He can make trust the core element of Apple’s brand, which is exactly what he’s been doing.

So how can other companies put these same lessons into practice?

To start with, trust must now be considered a key feature of every product containing software, no matter whether it is a purely digital product or a physical product containing software. In the consumer space, for example, studies have demonstrated that loss of trust can lead users to abandon a company or a product altogether. Some are even calling for a “return on trust” as a value proposition in and of itself.⁴ As a result, security and privacy concerns can no longer take a back seat in the product development lifecycle—not simply because of the value of security and privacy alone, but for their business impact as well.

Second, clear and demonstrable processes must be put in place to illustrate the importance of data protection, both inside and outside every organization. What group is in charge of privacy? What group is in charge of security? Where do both enter the picture as product features are being developed or as new IT procurements are made, to pick just two examples? Organizations that can’t answer these basic questions are failing to take data protection seriously—and are therefore primed to lose in the battle for consumer trust.

Once these processes are in place, companies can then signal their emphasis on protecting customer data to the outside world, just like Tim Cook. This is where marketing, branding, and public relations may get involved.

Last, and perhaps most important, companies and consumers alike must be honest about the risks we collectively face in the digital world. Because software systems are inherently vulnerable and the insights data might yield at scale cannot be predicted, no one should sugarcoat the dangers of digital technologies. Data breaches will occur, as will uses of data in ways that consumers can’t foresee. Failures in the world of security and privacy are, in short, inevitable. To pretend otherwise is to undermine data-protection efforts from the start.

All signs indicate that companies beyond Apple are starting to take these lessons to heart, with over 200 now echoing Cook’s calls for stronger federal privacy legislation in the United States. Are there other interests at work behind these calls? Surely. One national privacy regulation is easier to follow than 50 state laws.

But corporate America’s increasing clamor to be viewed as security- and privacy-centric is no coincidence; it’s a clear illustration of the increasing importance of trust. And that means we should expect all CEOs to be reading more Olav Lysne and to be acting more like Tim Cook.

TAKEAWAYS

We are increasingly reliant on networked software—and the privacy and security vulnerabilities that come with it—in nearly every aspect of our lives. Ultimately, the companies that customers trust most with their data will pull ahead of their competitors. Organizations that want to be seen as trustworthy need to prioritize data privacy and security, demonstrate those priorities to their customers, and safeguard their relationships with customers by being transparent about the threats to data:

  • Trust can’t be measured or proven; it must be signaled—through branding, marketing, and so on.
  • Whether your company offers digital products or physical products that contain software, trust should be considered a key feature for every product.
  • To demonstrate the importance of data protection, organizations must establish straightforward and evident processes.
  • Companies and consumers must be honest and accept that the risks we face mean that security and privacy failures are inevitable.

NOTES

1. Samuel T. King et al., “Designing and Implementing Malicious Hardware,” working paper, April 15, 2008, https://www.usenix.org/legacy/event/leet08/tech/full_papers/king/king_html/.

2. Nancy Gibbs and Lev Grossman, “Here’s the Full Transcript of Time’s Interview with Apple CEO Tim Cook,” Time, March 17, 2016, http://time.com/4261796/tim-cook-transcript/.

3. Tim Cook, “You Deserve Privacy Online. Here’s How You Could Actually Get It,” Time (Davos 2019), http://time.com/collection/davos-2019/5502591/tim-cook-data-privacy/.

4. Manish Bahl, “Return on Trust: The New Business Performance Indicator,” Cognizant, July 21, 2016, https://www.cognizant.com/perspectives/return-on-trust-the-new-business-performance-indicator.

Adapted from content posted on hbr.org, March 4, 2019 (product #H04TMU).
