Building Trust Between Entities

A philosophy for security in business relationships.

What Is Trust

The Oxford dictionary defines trust as "the belief that somebody or something is good, sincere, honest, and will not try to harm or trick you."

NIST puts it differently: "Trust is a belief that an entity will behave in a predictable manner in specified circumstances."

Both definitions point to the same thing. Trust is about predictability. When I trust you, I believe you will do what you say. When one company trusts another, it believes that company will behave as expected.

Trust is not binary. It exists on a spectrum. I might trust you with small things but not large ones. A company might trust a vendor with non-sensitive data but not their crown jewels.

Trust is also contextual. I might trust you in one situation and not another. A company might trust a partner in one market and not in a competing one.

And trust is earned. Or mandated. Or mediated. More on that later.

Sun Tzu and the Nature of Trust

"He will win who knows when to fight and when not to fight."

Sun Tzu understood something fundamental about conflict and cooperation. Not every battle should be fought. Not every relationship requires complete trust. The art is in knowing what level of trust is appropriate for each situation.

"If you know the enemy and know yourself, you need not fear the result of a hundred battles."

This is the foundation of trust assessment. You must understand the other party. Their motivations. Their capabilities. Their history. And you must understand yourself. Your risk tolerance. Your dependencies. Your alternatives.

Security questionnaires exist because companies need to "know the enemy" before trusting them. Due diligence exists because acquirers need to understand what they are buying. Trust without knowledge is not trust. It is hope.

"The supreme art of war is to subdue the enemy without fighting."

In business terms: the supreme art of partnership is to align incentives so that trust becomes unnecessary. When both parties benefit from cooperation, enforcement becomes optional. This is why good contracts work. Not because lawyers will sue. Because the relationship is structured so that neither party wants to defect.

The Five Trust Models

NIST describes five ways organizations establish trust. None is inherently better than the others. Each fits different situations.

Validated Trust

One organization provides evidence of their trustworthiness. Security certifications. Audit reports. Pentest results. Assessment documentation.

ISO 27001 is validated trust. SOC 2 is validated trust. Security questionnaires are requests for validation.

The more evidence provided, the greater the trust possible. But validation takes time and resources. You cannot validate everything.

Direct Historical Trust

Track record. Past performance. "We have worked together for years without problems."

This is why references matter. Why reputation matters. Why burning bridges is expensive. Historical trust builds slowly and can collapse quickly.

At Krizo, we built historical trust with clients like Vodafone and Maersk through repeated successful interactions. Each passed questionnaire, each delivered feature, each resolved incident added to the trust account.

Mediated Trust

A trusted third party vouches for the relationship. "I trust them because you trust them, and I trust you."

This is how references work. How introductions work. How auditor certifications work. The auditor is a trusted third party who says "yes, this company meets the standard."

Be careful with transitivity. Trust does not always transfer cleanly. I trust Alice. Alice trusts Bob. That does not mean I should trust Bob. The mediated trust model has limits.

Mandated Trust

An authority figure decrees that trust shall exist. Government regulations. Executive orders. Corporate policies.

"You will accept certificates from this CA." "You will trust vendors on this approved list." "You will allow data sharing with these partners."

Mandated trust is efficient but risky. The authority explicitly accepts risk on behalf of all covered parties. If the mandate is wrong, everyone suffers.

Hybrid Trust

Real relationships use multiple models. You validate some claims, rely on history for others, accept mediated assurances for some things, and operate under mandated trust for others.

A vendor relationship might combine ISO 27001 certification (validated), years of successful partnership (historical), industry association membership (mediated), and regulatory requirements (mandated).

The Stallman Model: Trust Through Transparency

Richard Stallman built the Free Software Foundation on a radical idea: trust through verifiability. You should not trust software you cannot inspect. You should not depend on code you cannot modify.

"Free software is a matter of liberty, not price. To understand the concept, you should think of free as in free speech, not as in free beer."

The GPL and open source movement created a new trust model. Instead of trusting the vendor, trust the community. Instead of validating claims about what software does, read the source code and verify.

This is validated trust taken to its logical extreme. Complete transparency enables complete verification. No black boxes. No secrets. No trust without evidence.

Stallman was right about something important: asymmetric information creates power imbalances. When a vendor knows what their software does and you do not, they have power over you. Transparency equalizes the relationship.

This applies beyond software. In security relationships, transparency builds trust:

At Omnio, auditors called our ISMS "the best they had seen." Not because we had more controls. Because we documented everything in LaTeX with complete transparency about what we did and why.

Trust in Practice

Every security questionnaire is a trust negotiation. The customer is asking: "Can we trust you with our data? With our reputation? With our business continuity?"

The questionnaire format varies. Excel spreadsheets with 300 rows. Procurement portals. Standardized frameworks like SIG or CAIQ. But the underlying question is always the same: "Give us evidence that you are trustworthy."

What Enterprise Customers Actually Want

After handling questionnaires for Vodafone, Maersk, BCG, Palo Alto Networks, IBM, ABB, Schneider Electric, and Siemens, I have learned what actually matters:

Trust in Acquisitions

When a company is acquired, trust moves from commercial relationship to ownership. The stakes are higher. The scrutiny is deeper.

Two companies I worked at were acquired. Krizo to Dataminr. Omnio to IBM. In both cases, security was not a blocker. It was a feature. The security infrastructure we built made the companies more attractive, not less.

Due diligence asks: "What are we buying?" Security due diligence specifically asks: "What risks are we inheriting?" The better your security posture, the cleaner the acquisition.

The lesson: Build trust before you need it. By the time you are in due diligence or facing a critical security questionnaire, it is too late to start. The trust infrastructure must already exist.

How to Build Trust

Trust is not built by talking about trust. It is built by consistent behavior over time. Here is what actually works:

Document Everything

Policies. Procedures. Decisions. Incidents. Changes. If it is not documented, it did not happen. Documentation is the foundation of validated trust.

Say What You Do, Do What You Say

The gap between stated policy and actual practice destroys trust faster than anything else. Do not write policies you will not follow. Do not claim controls you have not implemented.

Be Transparent About Limitations

No one expects perfection. Everyone expects honesty. "We have gaps in X and Y, here is our plan to address them" builds more trust than pretending you have everything figured out.

Respond to Incidents Properly

How you handle problems defines your trustworthiness more than how you prevent them. A well-managed incident can increase trust. A poorly managed incident destroys it.

Invest in Certifications Strategically

ISO 27001 and SOC 2 are not just checkboxes. They are signals. They say "a trusted third party has validated our claims." Use them strategically to build mediated trust.

Build Relationships Before You Need Them

Historical trust takes time. Start building relationships with customers, partners, and auditors before critical moments. The trust you need during a crisis must be built during calm.

Conclusion

Trust between entities is the foundation of business relationships. It is not something you achieve once and forget. It is something you build continuously through consistent behavior, transparent communication, and verified evidence.

Sun Tzu would understand modern security. Know yourself. Know the other party. Structure relationships so that trust is rational, not hopeful. And remember: the supreme art is building partnerships where both parties benefit so much from cooperation that trust becomes self-reinforcing.

Security work is trust work. Every policy, every control, every questionnaire answer, every certification is a contribution to the trust infrastructure. Build it well.