Why more SaaS companies are hiring chief trust officers

(itbrew.com)

37 points | by PwnEmAll 12 hours ago

50 comments

  • drumhead 11 hours ago

    Remember "Do no evil"?

    This sounds like another bogus role they'll ditch once they get their Nasdaq listing and need to make profits for their shareholders.

    I'd probably trust any organisation with a role like this even less. It sounds like an organisation that doesn't think it can be trusted.

    • ikamm 8 hours ago

      I remember "Don't be evil"

    • GLdRH 8 hours ago

      How'd you get so cynical?

      • echelon_musk 8 hours ago

        Wisdom acquired by age.

      • samrus 5 hours ago

        You've never seen enshittification happening? These companies butcher their customers as soon as their incentives shift to increasing short-term shareholder value.

  • SkyPuncher 8 hours ago

    I work in the space, this article is kind of written in the style of "If you know, you know".

    This role is becoming popular because customers and prospects are demanding more and more information about a company's internal controls and processes before committing to buying. Mega companies have cared about this stuff for ages. Historically, the need was met with Audits. A big ticket item that gets cooked into the price of a $$$$ deal. The buyer sends their people into the vendor to validate controls are in place. That type of stuff still happens on big deals, but it's essentially coming downstream to your everyday deal. Often, as a byproduct of a compliance need (like SOC II).

    You'll likely see this role dealing directly with customers to answer questions about compliance, security, and controls. Essentially, it's like a mini-audit.

    • alephnerd 8 hours ago

      Also,

      1. The Snowflake incident played a major role for this demand, as well as the ongoing Salesforce incident.

      2. Most organizations will only trust commitments from someone who is an exec or in the leadership chain, so this kind of role now demands a C-Suite title, and CISOs are already overloaded and shouldn't necessarily know the ins-and-outs of GRC or Data Management requirements/regulations.

  • cudgy 11 hours ago

    So companies have now realized that they need to have trust with their customers? That they need to protect their customers' data? And that someone in the company should be concerned about it?

    This seems more like corporate CYA than anything else. “well we did hire a trust officer and trust officers are trustworthy.”

  • jrockway 12 hours ago

    Is this just title inflation for the PR team?

    The article doesn't really say anything beyond "CTrO positions exist and think tanks think they're not a trend."

    • SkyPuncher 12 hours ago

      I work in this space. The article does a poor job of explaining exactly what this role does - but they allude to it with Chris Peake's comments.

      > Peake, a former CISO, said a lot of the skills from his previous role have translated into his current one. However, he said the CTrO role differs from the CISO role because it operates more on the “business level,” as the work done by a CTrO can directly impact revenue generation, contract negotiation, and onboarding new customers.

      In my view, it's a role that sits between Sales and Security. A major part of the role is getting customers and prospects information about your business and security controls to validate their own needs (e.g. compliance requirements). It's still a semi-technical role, but isn't necessarily focused on the nuts-and-bolts of ground-level security.

      • evanjrowley 11 hours ago

        Sounds like a Chief Compliance Officer but with applicability to less-regulated industries/markets.

        • SkyPuncher 8 hours ago

          Kind of. I think Compliance and Security officers have historically been considered an inward facing role.

          The Trust officer is an outward-facing role.

        • samrus 5 hours ago

          That's what I was thinking. The lack of regulations limits opportunity because customers are scared of getting screwed, so the companies have to make their own rules to comply with, after assessing what safety customers want.

          The corpos yearn for regulations

        • evanjrowley 2 hours ago

          Or like a Chief Risk Officer, but with extra customer facing responsibilities

        • hinkley 8 hours ago

          This could be something to watch out for.

          Always look at who is requesting more regulation. Make sure they’re doing it for the right reasons and not simply to build moats that small companies can no longer cross. It can be a form of regulatory capture to propose the regulations in the first place.

        • alephnerd 11 hours ago

          Basically. But the issue is, in a lot of enterprises, the decisionmakers won't chat with anyone who doesn't have an exec title.

      • Onavo 11 hours ago

        Well, it also helps to spread the responsibility and when you get hacked you can either promote one and fire the other one, or just fire both to show that you are doing something.

        • SkyPuncher 8 hours ago

          Eh, not really. There are pretty clearly lines of responsibility here.

          The nuts-and-bolts security still falls to a CISO. This role is more about bridging the gap between security teams and customers. The Trust officer might have influence over high level roadmap items ("our customers are asking about X"), but the actual implementation will still land with the CISO.

    • AznHisoka 12 hours ago

      Sort of like Chief AI officers. Or Chief Happiness Officers. We all wanna tell ppl we are at the forefront of some hot new trend… that isn't really a trend

      • mawadev 10 hours ago

        I see myself as the CDE (Chief Delusion Enabler) for the managers I work with

        • hinkley 8 hours ago

          CWB checking in. We should talk.

        • bulte-rs 10 hours ago

          Chief Executive Nerd checking in!

          • SaltyBackendGuy 9 hours ago

            I am the Chief Apology Officer.

            "We're really sorry it broke again, it won't happen again.. again"

            • hinkley 8 hours ago

              The dirtiest management trick I know is get a manager to make a promise to employees, fire the manager, and then refuse to honor the promise, because the organization is not accountable for honoring promises made by its representatives (which is bullshit but we haven’t cracked how to push back).

              • samrus 5 hours ago

                The way to push back is to leave for a company that doesn't pull this bullshit*

                (*requires healthy economy)

    • hinkley 9 hours ago

      It does seem like at many places this person will be in charge of managing optics, rather than getting the workers training and priorities straight for making trustworthy software.

      For one it’s always been easier to not get caught than to do the work. And even people who do the work will generally agree with that. It’s not about easy, it’s about looking yourself in the mirror.

  • ksec 10 hours ago

    I really like the old-fashioned way of Apple with only three C. CEO, CFO, and COO. Nothing else. Others are at best SVPs.

  • redbell 8 hours ago

    Unrelated: don't recall I heard this term (chief trust officer) before and immediately started questioning what its abbreviation will look like since CTO is already reserved. Turned out, from the article, to be CTrO.

    • chis 7 hours ago

      How would you say that out loud?

  • noir_lord 10 hours ago

    You earn trust by doing the right thing by users/customers on a sustained basis.

    It's not something you get by appointing someone to the board, someone who will be unknown to the vast majority of users of a product/service.

    At best they'll do no harm I guess.

  • Havoc 10 hours ago

    That title will age like milk

  • tracker1 11 hours ago

    CTrO == CISO with marketing spin.

  • msarrel 8 hours ago

    This is probably cheaper than re-engineering the actual SaaS product to build trust..

    • fragmede 7 hours ago

      Let's pretend that happens. How would customers know you did that without some way of communicating that to users?

  • donperignon 10 hours ago

    I will never trust a chief trust officer…

    • hinkley 9 hours ago

      But what if his lips stop moving?

  • RobotToaster 11 hours ago

    Because nobody trusts them?

  • nathanaldensr 12 hours ago

    >implying the rest of the company is not trustworthy

  • ratelimitsteve 11 hours ago

    Does this feel to anyone else like hiring a Chief Fall Guy? Securing data is and should be under the chief technical officer or the chief security officer, depending on how the org is structured, rendering this position redundant. The pattern I bet we see emerge is gonna be one where it's rather a cushy gig for a while but if there's a breach you're expected to resign or be fired so that the company can give us the old "the people responsible have been sacked". Like the moderately racist legends of tribes in a land untouched by modern civilization who designate a king and let him live in luxury for as long as times are good, and then behead him as a sacrifice at the first crop failure.

    • thewebguyd 11 hours ago

      Kind of what it sounds like to me.

      > “Effectively, what the role does is offer assurance to the customers or potential customers of that organization that their data, their information, their technology, the infrastructure, the platform itself, can be trusted as those customers adopt it,”

      Like, protecting your customer's data should be assumed and the default. That you would need what's effectively another PR executive to communicate that and "offer assurance" just sounds like marketing speak for "We are doing the bare minimum, but we need our customers to think we do more than we actually do to keep their data safe."

      Just sounds like the CISO's personal PR mouthpiece and like you said, someone else to take the fall when they get breached.

  • hunterpayne 10 hours ago

    The irony, it burns...

  • pbiggar 8 hours ago

    Remember to always ask if your Trust officer was in the IDF.

  • caconym_ 10 hours ago

    Probably because everyone knows most SaaSes are slimy schemes to lock customers in and exploit them for every last penny that can be wrung out of them.

    If you want trust, you don't need a Chief Officer for it---you just need a product that works well and a business strategy that doesn't rely on making your product slowly worse and more expensive until all your customers hate you.

  • alittletooraph2 8 hours ago

    lol no they're not

  • IT4MD 10 hours ago

    Ironic, considering the last thing anyone should ever trust is a corporation whose sole goal is extracting profits at all costs.

    This position is meant to shovel shit faster than the customers can figure it out.

    Progress!

    smfh
