
Why companies need a chief trust officer today


COMMENTARY: Trust isn’t a department. It shows up in quiet choices: what we promise, how we prove it, and how we respond when something goes wrong.

In the pressure of everyday work, trust either scales or stalls. We should treat it like any core system: design it deliberately, instrument it, and explain it plainly — with established standards, tested fail-safes, and one playbook when seconds matter. A function dedicated to trust turns that intent into an operating rhythm.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

A chief trust officer (CTrO) unifies work that’s often fragmented, spanning security, IT, product development, governance, legal, compliance, privacy, IR, and communications.

Run as one program, trust becomes a measurable capability that reduces friction and drives growth. Commercially, that means fewer stalls in the deal cycle: standardizing the information customers rely on (certifications, security questionnaires, AI disclosures), keeping them current, and ensuring the story we tell matches the controls we run. It’s the connective tissue many leadership teams are missing.

While trust was once implicit, today it’s inspected. Buyers and partners want proof, employees want clarity, and scrutiny keeps widening — from medical sector rules like HIPAA and global privacy law (GDPR) to security standards (ISO/IEC 27001, PCI DSS), corporate governance (SOX), and the EU AI Act.

It's a simple message: govern in the open.

Under my own company’s trust umbrella, we focus on actions that drive outcomes. We joined MITRE to share threat intelligence and raise the resilience bar across the ecosystem. We’ve welcomed global security and AI teams — from India to Israel — to deepen capability. And we’ve partnered with AI companies to develop responsible AI strategies for our enterprise customers. Together, these moves cut diligence friction, improve preparedness, and build stakeholder confidence.

A changing remit, driven by how we build

As software takes on more autonomy through AI, the questions shift from “Is it secure?” to “When should it act? Who supervises it? How do we know it behaved as intended?”

The CTrO helps convert aspiration into repeatable practice, with clear criteria for what the organization considers accountable outcomes. The NIST Generative AI Profile gives teams a shared language for model risk; ISO/IEC 42001 makes governance auditable so oversight isn’t bolted on at the end.

Meanwhile, AI adoption pressure isn’t showing up in the boardroom; it’s happening at the edge. Varonis reports that 98% of employees use unsanctioned apps across shadow AI and shadow IT. We can treat that as a scolding, or as a signal: people want these capabilities.

The CTrO partners with the CSO/CISO and CPO/GC to enable approved tools, publish practical rules for sensitive data, and create safe sandboxes — so innovation doesn’t equal exfiltration. Taken together, these moves make accountability part of the design rather than a reaction to a headline.

Day-to-day, the role connects hard controls, such as identity, logging, provenance, and change management, with soft levers like culture, incentives, and language. It’s bilingual: translating detections and model-risk thinking into board-level trade-offs. It’s product-aware: baking trust signals into experiences so customers can see the controls at work. And it’s operational: rehearsing decisions and communications so the organization can execute when it counts.

The bottom line: Customers expect evidence, regulators expect timely, consistent disclosures, and employees expect clarity. Without a single owner, we get drift — security says one thing, product says another, and comms learns about both during a crisis.

Centralize accountability so the organization speaks with one voice and executes faster when the clock starts. This isn’t “nice to have” governance. It’s choreography under time pressure. Give someone the mandate and the mechanisms to run it end-to-end. That’s how we make trust observable and repeatable.

Danielle Sheer, chief trust officer, Commvault
