Anthony English on trust as an internal imperative
This article is part of “On the Topic of Trust,” a series of guest posts where we explore the relationship between security and trust through the words of thought leaders moving our industry forward.
Anthony English is the VP of Information Security and CISO at WorkJam and a member of the inaugural class of The Vanta 25 to Trust. He is a seasoned IT and security professional with applied experience in healthcare, law enforcement, lottery and gaming, and more.
Trust and security are intrinsically linked. The connection is clear when you think about the elements of the CIA triad model in information security (confidentiality, integrity, and availability). Together, they create a foundation of trust between an organization and its customers and stakeholders.
Trust is also impermanent. It’s something that must be earned, monitored, and strengthened daily. As we’ve seen time and time again, trust can be irrevocably broken by a single security incident.
While most of the current conversations around trust focus on sales acceleration and external brand reputation, it’s important to remember that trust is also an internal imperative. For an organization to succeed, security teams must foster trust among internal stakeholders with the same rigor they approach external trust-building initiatives.
Fostering trust internally enables a faster pace of innovation and creates a sense of shared security responsibility.
Creating a trust architecture
Internally, the main goal of your security team is to enable people to access what they need and complete their work quickly, efficiently, and securely. Security should enable innovation, not stifle it.
To accomplish this goal, you need a solid trust architecture to protect your systems and ensure they remain up and running at all times. Your architecture should be constructed to implement necessary controls seamlessly while allowing internal stakeholders to access what they need at any time with limited (or no) friction.
Importantly, this should all happen behind the scenes. For employees, it should feel like accessing electricity—when they need something, they simply flip a switch, and it’s there.
Whether this is implemented through role-based access controls (RBAC), zero trust, or an identity management system (IMS), it should ultimately ensure that employees don’t have to wait for access or request access to systems that are necessary to get the job done.
By focusing on creating this robust trust architecture, security teams become an enabler for innovation and business growth—not a clunky control layer that slows the team down (or as I call it, the “security police”).
Trust through transparency
Another important element of internal trust is transparency. Employees need to understand that security teams are partners, not roadblocks. This understanding is key to gaining support for security measures and encouraging active involvement.
Transparency doesn’t need to be complicated. For my teams, it’s as simple as explaining why we are doing what we are doing when we implement a new control or process. For security leaders, the actions you mandate may have an obvious benefit. But for the rest of your organization, security controls can feel restrictive and unnecessary. Articulating the “why” behind these measures cultivates trust and engenders a collective sense of ownership regarding security responsibilities.
I’ve found that focusing on transparency encourages more employee participation when it really matters—like when reporting suspicious activity or when it comes time to complete security training.
A blameless security culture
One of the biggest issues that obstructs internal trust is blame. After all, the security world loves to place blame. Just think about the headlines that follow a major breach—there’s typically an announcement that the breached company’s CISO has been fired.
But blame doesn’t encourage integrity or inquisitiveness. It makes the team fearful to acknowledge issues and admit mistakes. In a blameless security culture, no one gets punished when they come forward with an issue. Instead, the security teams help them get past the issue and feel more empowered to avoid or tackle similar issues in the future.
Say a sales manager comes forward to admit they clicked a link in a phishing email. Don’t scold them for failing to recognize a suspicious link. Instead, thank them for reporting the incident so your team can take swift action. If they hadn’t come forward for fear of blame, a bad actor might have had more time to infiltrate and lurk in your environment before your team spotted an anomaly.
A critical element of the blameless culture is communication. Security teams need to remove negativity and blame language from their communications. They also need to focus on remaining calm and rational—especially during security incidents, which can quickly become very high stakes.
I encourage all of my security teams to undergo conflict resolution training for this very reason. We learn the tools to de-escalate situations and avoid emotional reactions. During my time working in the security field, I’ve been involved in a lot of high-stakes security incidents. Most of the time, the people around you panic. The ability to remain calm is key. When you panic, you miss things, and in security, that’s simply not an option.
I also find that conflict resolution training has an added benefit: it’s one way to combat the massive issues around burnout among cybersecurity professionals. Conflict resolution skills help cybersecurity professionals compartmentalize and manage the stress that often comes with the territory.
Internal trust as a catalyst to shared security responsibility
While external trust is crucial for customer relationships and brand reputation, the cultivation of internal trust within an organization is equally vital. Internal trust creates a secure foundation on which to innovate quickly and encourages all employees to share security responsibilities. As the cybersecurity landscape becomes more and more complex, this cross-functional buy-in is key.
While most conversations around security and trust focus on brand reputation and sales acceleration, I encourage all security professionals to remember that trust is also an internal imperative.