I recently sat down with Harmonic’s head of security, Ed Merrett, to speak about trust centers, technical transparency, and why we vendors need to do a better job of communicating how we’re protecting our customers’ data.
What is a trust center?
A trust center is a central public location where a security practitioner can go to understand their approach to privacy, security, and compliance. This is particularly helpful for when practitioners are performing their third party reviews.
It is a self-service way of being able to understand a company’s technology. It builds trust before you purchase from them or engage with that organization, rather than the traditional monotonous sending over of Excel spreadsheets of questionnaires or linking to tools where you have to fill out a hundred questions to assess a company.
It's a self-service, transparent, and open way of putting it out there to the public proactively rather than sitting and waiting for people to ask you a ton of questions.
Who makes a good trust center?
There are a few that stand out. I think one of the first ones I want to call out is probably Wiz. Wiz being huge in the security space anyway, it's super important that they're able to be transparent. But they've got a great trust center.
HubSpot is another great example. Given that they host customer data for a lot of companies, it's super important that they have something that's really clear and transparent. So hats off to them.
A couple of honorable mentions to GitLab and Fleet Device Management too!
How important are certifications in building trust?
It's very common to see ISO or SOC badges at the bottom of websites. We want to be able to view that report and gain access to that report.
This is all good and well, but there needs to be a “trust but verify” approach. Visitors should be able to dive a little bit deeper, gain access to the report relatively easily, and read that and digest that yourself to reaffirm the trust that you believe you had based on what you can see in front of your eyes.
But trust centers are equally about how you communicate. Stop hiding answers behind verbose language that is written by a lawyer. We just want to be very frank and say, this is a yes or no answer.
There are two types of audience for a trust center. One is a security practitioner; the other is your DPO, the person who is reading the DPA from a contract perspective. DPOs, for example, are typically solicitors who understand privacy law and who want things answered in a certain way, and so we need to be more specific.
How can trust centers grow in popularity?
We need to talk about it more and the benefits it has on a mutual relationship between a vendor and a customer. There are speed and efficiency aims on both sides. If you zoom out, it's really about showing speed and being more proactive with your work. Why wait for someone to spend days reading questionnaires, answering them in a high-level way and then having to follow up with more questions?
We need to educate people. There shouldn't need to be this back and forth of clarifications and further questions, because everything's there. It's about making that more accessible and teaching the people you work with that this is actually the way we do it.
The importance of being transparent
At the crux of this is transparency. On our side, within the trust center we have included a white paper, which we have spent an awful lot of time thinking about how to tell people exactly how our system works. We have actively gone out of our way to tell people more than we need to.
I hope this will go some way to fostering even more trust with our customers.
See for yourself
Check out the Harmonic Trust Center at trust.harmonic.security!