By Don Peppers and Martha Rogers, Ph.D.

In an article recently published by CIO.com, privacy/security veteran John C. Reece took aim at the current state of privacy and security, and specifically how the words themselves have become almost meaningless. Part of his solution? That the words must "go away" as companies shift toward a trust-centric business model.

"What I'm saying is that organizations should stop talking about privacy and security, and start thinking about how to make customers trust them," he explained to INSIDE 1to1: Privacy. "It's not a situation, as with Sarbanes-Oxley, where there's an obligation to comply with tough-minded methods and procedures. It's about 'I need to secure my business in a way that will allow stakeholders to have trust when they do business with me.'"

Reece, currently Chairman and Chief Executive Officer of John C. Reece & Associates, is a self-proclaimed "IT-guy-turned-security-guy-turned-CIO." He is the former Internal Revenue Service's deputy commissioner for modernization and chief information officer (CIO). Before that, he held IT, strategy and privacy/security-oriented posts at companies such as Time-Warner, IBM and American Express.

We think Reece could have gone further by emphasizing the importance of intent. He believes that an organization builds trust by being competent -- which, of course, comprises the necessary privacy/security protections to prevent breaches and rights violations.

"Trust must be earned every day through consistent operational excellence, which includes leading-edge information protection," Reece wrote in the article. "When stakeholders' experiences with an institution consistently meet or exceed their expectations, these experiences build awareness, then breed familiarity and finally, earn trust -- which inevitably translates into profit. In this way, trust undergirds enduring success."

At the same time, events in recent years suggest that competence alone doesn't necessarily foster trust. Enron was competent, as were the banks and cable companies that, in the wake of privacy/security and related issues, still find themselves in the public's crosshairs.
 
Any definition of trust should comprise two elements: competence and intent, because no high level of competence will encourage trust unless it is paired with a philosophy that puts the customer's interests front and center. An organization can't be self-oriented; it must be "you"-oriented, where "you" is the customer. The most trustworthy organizations, then, are the ones that ensure through their operations that transactions are secure and private, but also act in the customer's best interest even when doing so may result in short-term costs.

Asked about the exclusion of intent from his trust-building hypothesis, Reece doesn't chafe. Rather, he enthusiastically concurs: "I absolutely agree with [the role of intent]. Every stakeholder will be happier and more willing to expand their relationship with you if they can trust you without exception."

Even a company regularly singled out as among the more trustworthy, American Express, has had its share of trust pratfalls over the years. Some time ago, the company launched a catalog service centered around selling top-name merchandise (electronics, jewelry, exercise equipment, etc.) to cardholders at supposedly low prices. Initially, it was a wild success, as trusting customers took Amex at its word.

When news leaked that the "special" prices weren't all that special, however, cardholders reacted quite aggressively: many cut up their cards, some sending them back to American Express in disgust. The catalog program ultimately failed   -- not due to the company's lack of competence, but its intent. Rather than providing trusting customers with the service and value they had come to expect, the company chased a quick (and likely not-all-that substantial) profit.

Reece notes that the vast majority of organizations have much work to do on the trust front, mostly because of their reluctance to address the most basic components of trust-building in the absence of crisis.

"Look at the history of the security and privacy businesses. It's one of remedial action after some disaster has occurred," Reece said. "Nobody is asking, 'What do I, as CEO, need to do to make my business trusted by my customers?' Most people look at it like they're buying insurance, which isn't what trust is about. It's not bolted on. It's built-in."

This internal philosophical and strategic shift must be accompanied by proactive effort on behalf of the privacy and security professionals who are essential in safeguarding a company's reservoir of trust. Among the challenges is the structure of the organizational chart, he said.

"In most firms, there's a place for marketing or human resources to report," Reece explained. "They have a home within the established framework. The chief privacy officer and the chief security officer don't. They're usually thrown in the CIO's office, because what they do is seen as a technical and not a strategic issue. For that to change, the onus is on privacy and security people to find new ways to communicate and understand the bigger-picture challenges as they relate to trust."

Do good, and be good at what you do.

You can reach Don Peppers and Martha Rogers at dpeppers@1to1.com or rogers@1to1.com.