#1733938: Security has a trust problem and it’s not what you think

Description: Security teams spend money and time adhering to compliance frameworks, issuing SOC 2 reports, and conducting penetration tests. It’s all done to show they’ve done their jobs and are building a secure infrastructure. And yet, in boardroom after boardroom, the conversation still circles back to the same uncomfortable question: Does anyone actually trust us?

We’re talking about human trust. The kind that gets budget before waiting for a catastrophe to hit. Trust that makes a business leader call security before they go around it.

In dozens of episodes of Security You Should Know, that theme keeps surfacing. Security leaders have a credibility problem that no tool solves on its own. They need a different relationship with the business. And that’s a harder fix.

Here’s what practitioners told us — in their own words.

“Every vendor puts it on a slide. Every CEO puts it in a board deck.”
The language of trust is everywhere in security. The substance, less so.

Terry O’Daniel, former CISO at Amplitude, put it plainly in the episode sponsored by SafeBase (Acquired by Drata):

“We’ve been talking about customer trust in security for more than a decade. Every vendor puts it on a slide. Every CEO puts it in a board deck. So why are we still talking about it? I think we have had challenges in actually solving it. I remember a decade ago when we were mailing spreadsheets back and forth. We’ve had some advances, but I think the core rubric we use to assess customer trust stays roughly the same.”
The machinery has improved. The relationship hasn’t. That gap, between what security says about trust and what the business actually experiences from security, is where credibility goes to die.

The “Department of No” has a branding problem
Before security can be trusted as a partner, it has to stop being perceived as an obstacle. That perception isn’t always unfair.

Ross Young, CISO Tradecraft®, said this in the episode sponsored by Harmonic Security:

“You can start to see which tools are actually being used, which ones are higher risk, lower risk, and make security more of a business partner versus a ‘Department of No’ trying to block things. This is an opportunity for security to become a bigger part of the C-suite conversation.”
Sounil Yu, CEO at Knostic, offered the most memorable reframe in their episode:

“We’re the ‘Department of No,’ N-O, but if we look at it as a permissive thing, we can become the ‘Department of K-N-O-W.’ How do I deliver content that is within your need-to-know boundary but doesn’t include things that are not in your need-to-know boundary? That is, I think, transformative within how we look at ourselves in security, but also how we can help enable the business and accelerate the business.”
The “Department of No” framing isn’t just a PR problem. It’s a strategic one. When security is synonymous with friction, business units don’t seek permission. They seek workarounds.

When people go around security, that’s a security problem
In an episode sponsored by Island, Bradon Rogers, chief customer officer at Island, captured a dynamic that every security leader recognizes:

“I’ve had a history of working around environments and delivering technology that had a ‘say no’ philosophy. We have to say no to a bunch of stuff. And when you say no, the end user is trying to find creative ways to get around the system. And at the end of the day, we always said it was important. Let’s understand why they wanted to use it so we may provide them an alternative path.”
When trust is absent, people don’t stop doing the thing. They just stop telling security about it. Shadow IT, unapproved vendors, and endpoints that never see an agent are all symptoms of a relationship problem disguised as a technical problem.

Dan Holden, CISO at Commerce, cut to the essence in the episode sponsored by SafeBase (Acquired by Drata):

“It’s security’s job not to introduce walls into the sales process.”
That principle extends well beyond sales. Security that creates walls without building visible channels around them trains the organization to route around it. A security function that gets routed around is now functionless.

Proving value when nothing goes wrong
The hardest trust problem in security isn’t recovering from a breach. It’s maintaining credibility in the years when there isn’t one.

Montez Fitzpatrick, CISO of NavVis, on why quantification often stalls inside organizations (from the episode sponsored by Qualys):

“When we try to go to the business, and we talk in this language of risk quantification, we are really discussing in a language that no other department talks like.”
Qualys’ Utpal “U.J.” Desai responded to that challenge:

“The central theme here really is to keep the language simple. If you cannot explain your quantification to various stakeholders, you have failed. The idea is to keep the model very simple.”
Trust lives in the translation between what security does for the business and what the rest of the business needs from security.

The best way to be perceived as secure is to be secure
The language problem, the workaround culture, and the rebranding effort are all scaffolding. The foundation is the actual work.

Christopher Gomes, CEO at Conveyor, said on the episode sponsored by Conveyor:

“For us, it’s all about trust. And we like to say, ‘the best way to be perceived as secure is to be secure.’ There are certain compliance-specific hoops we’ll always have to jump through, but if you start with a strong security program, then it’s really not that far of a stretch to then communicate that to the market.”
Al Yang, CEO at SafeBase (Acquired by Drata), connects that principle to internal credibility in his episode:

“How does SafeBase help CISOs transition their position within the business from ‘Department of No’ to ‘Department of Enablement?’ We offer an analytic dashboard that demonstrates trust center engagement. How many deals have been touched by the security streamline process? This helps CISOs prove their team’s impact so that CISOs can really focus on the higher-value work.”
The proof is the point. Not the promise.

What comes next
On April 24, 2026, the CISO Series is hosting Super Cyber Friday: Hacking Trust in Security — An hour of critical thinking about moving from a cost center to a trusted partner.

Joining David Spark for the live discussion will be Will Gregorian, CISO at Galileo Medical, and David Nolan, former CISO at Asurion.

The conversation will dig into the questions every security leader is navigating right now:

  • When business leaders see security as the ‘Department of No,’ is that a perception problem or an accurate read of how security actually behaves?
  • If security’s credibility is built on fear and the fear is always the next breach, what happens to your influence in the years when nothing goes wrong?
  • Is there a version of ‘no’ that builds trust instead of destroying it? And does your team know how to deliver it?
  • What does it mean for security to have a brand inside the organization, and what’s yours right now?

The Friday session on April 24, 2026, starts at 1 PM Eastern / 10 AM Pacific.

Register here: https://www.crowdcast.io/c/hacking-trust-in-security
More info: https://www.linkedin.com/pulse/security-has-trust-problem-its-what-you-think-cisoseries-b9y2c/

Date added April 20, 2026, 11:25 p.m.
Source LinkedIn
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level
Venue April 24, 2026, midnight - April 24, 2026, midnight