5 minutes with Emily Frolick - Trust in the digital age

Trust is the ultimate business enabler. When enterprises inspire trust in all their stakeholders, they create a platform for better business performance. But not all brands are starting from a level playing field, says Emily Frolick, KPMG LLP, Advisory Partner, IT Audit and Assurance.

Security: What is your background? What are your current responsibilities in your role?

Frolick: I am an Advisory Partner and lead KPMG’s U.S. Trusted Imperative, helping clients take a new approach to risk in our digital era. Our Trusted Imperative is designed to reframe the way companies look at risk management. Rather than narrowly focus on passive, more reactive compliance, I work with clients to think through strategic, proactive ways to build trust and generate value — across their entire business ecosystem.

During my 20+ years serving global companies across several industries, including healthcare, insurance, retail and consumer markets, financial services, telecommunications, and manufacturing, I have accumulated a wealth of expertise in business, technology and risk.

Security: Why do new economy, digital-first companies benefit from an automatic assumption of trust?

Frolick: There has been much research showing that new economy, tech-first brands tend to enjoy more implicit trust than old economy brands, and in fact, COVID-19 has accelerated this trend.

I think a big part of the reason is an assumption on the part of consumers that if an organization is built ground up as a tech company, they must naturally have a better grasp on cyber threats, outages and other failures or errors that create disappointing outcomes. The converse of that, of course, is a corresponding assumption that old economy brands are playing catch up to bring their systems up-to-date.

Whether this is true or not can be hotly debated, but one thing is for sure — when companies undergo a digital transformation, they open the door to new risks. It is, therefore, incumbent upon organizations to scrutinize these risks against the potential for trust erosion across their stakeholder map and plan against that.

Security: How can old economy brands close the gap — and why should they?

Frolick: Research has shown that trustworthy organizations have three key characteristics: ability, humanity and integrity. Organizations that demonstrate ability (or situational competence) have the collective knowledge, skills and abilities to reliably provide their products and services. Those organizations who prioritize humanity go beyond a profit motive alone to also show they care for stakeholders — and not just those people involved in transactions but also the overall community where they do business. Organizations that value integrity are respected for doing the right thing.

Trust is the ultimate business enabler. When enterprises inspire trust with all their stakeholders, they create a platform for better business performance — including responsible growth, bold innovation and sustainable advances in performance and efficiency.

Moreover, trust is a multiplier of benefits. For instance, the automation of a customer onboarding process can reduce costs and satisfy a regulator, but it can also transform the consumer experience and boost market share.

Trust is earned in drops, and lost in buckets. And recent global disruptors have dramatically shifted how and where stakeholders place their trust and how fragile the trust dynamics between a brand and customer or client can be.

Building and maintaining a trusted status means considering multiple stakeholders when approaching risk management. Companies can invest in a dynamic approach to risk and regulation in the digital era, designed to help enterprises take a deeper look at the concept of trust — where they have it and where they need to build.

Organizations must reframe how they look at risk management, moving from a narrowly focused, passive compliance function toward a strategic, proactive program that can build trust and generate value — across their entire business ecosystem.

Security: Could you discuss the impact of global megatrends, such as the move to hybrid and remote work, have on the concept of security trust?

Frolick: There are a few critical cyber considerations organizations should think about when adapting to a work-anywhere workforce. Many companies’ digital environments have grown significantly over the course of the pandemic. Conducting recurring asset inventories and having a good understanding of the state of your assets is increasingly more important. Cyber teams have spent years building walls to keep threats out. When work becomes location-neutral, improving cyber threat education, with a shift towards greater individual cybersecurity awareness and accountability, is needed. For example, in customer-facing applications, in particular, it’s important to remind employees that the brand, and therefore revenue, is more closely tied to the trust that consumers place in the security and privacy of their personal data.

Even though there is prolonged risk exposure with remote and hybrid work models, preparation, being agile, and getting an edge with secure and trusted technology can replace uncertainty with confidence. A safe and trusted digital environment, together with a culture of security, can allow organizations to significantly reduce risk as they enter new markets, launch new products and interact with their customers.

Security: How can companies implement a dynamic approach to risk and regulation in the digital era, designed to help enterprises take a deeper look at the concept of trust?

Frolick: A dynamic approach to risk and regulation focuses attention on the business outcomes and strategic priorities that matter most to the organization. By doing the right things, in the best possible way, you can secure a future that is successful and sustainable.

A good example is how a global financial institution reduced costs and created better brand perception.

This institution had invested in software to identify cross-border payments that were breaking international sanctions. Unfortunately, 95% of the alerts were false alarms, making the process slow, onerous and prohibitively expensive.

The institution invested in a self-learning algorithm that trawled through years of data to understand what makes a transaction suspicious. The algorithm was built open-source code, so auditors and regulators could see how decisions were made. While a human can process one alert in a minute, this algorithm can process a million alerts and classify 99.9% of alerts correctly — compared with the 95% human accuracy.

By eliminating 80% of the false alarms, the bank cut monitoring costs by 25%, and the average review time was slashed to 30 seconds. As trust grew with customers and relationships strengthened with regulators, the company’s ability to support the fight against organized crime, drug trafficking, terrorism and corruption became a good deal more effective.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.