Security Leadership

Trust Is the New Baseline

Assaf Keren | March 19, 2026 | 8 min read

I'm writing this on a flight home from Qualtrics X4 in Seattle. In a few days I'll be at RSA Conference in San Francisco. Two conferences in two weeks, two completely different worlds.

But the same word kept coming up in both: trust.

At X4, the conversation was about what customers expect. In an era where AI is reshaping every interaction, people want to know that the companies they do business with are handling their data responsibly, making decisions transparently, and earning the right to that relationship every single day. Trust isn't a differentiator anymore. It's the price of admission.

At RSA, the conversation will be about what attackers exploit. Every attack, whether it's a phishing email impersonating your brand, a ransomware event that takes your services offline, or a supply chain compromise that poisons software your customers depend on, is ultimately an attack on trust. The entire threat landscape is, at its core, a trust problem.

Sitting between these two worlds this week, something clicked. These two conversations almost never happen in the same room. And they need to.


The Gap Between Experience and Security

I've spent most of my career in security. But working at an experience management company changed how I think about what security teams actually do.

Early in my time at PayPal, I learned that the company's brand promise was built on trust and security. Those weren't marketing words. They were the foundation of why 400 million people were willing to hand their financial information to a digital platform. Every security decision we made either reinforced or undermined that promise.

When I started asking business leaders my standard three questions, "What does a good day look like? What does a bad day? How can my team help you have more good days?", I kept hearing the same thing from different angles. Sales leaders wanted security to help close deals, not slow them down. Product leaders wanted security baked into the experience, not bolted on as friction. Customer-facing teams wanted to tell a trust story that was real, not performative.

They weren't asking for less security. They were asking for security that understood the customer relationship.

That realization forced me to rethink how security teams operate. We spend enormous energy building controls, monitoring threats, and responding to incidents. All necessary. But if we're not connecting that work to the trust relationship our company has with its customers, we're solving the wrong problem at the right technical level.


What the CX World Knows That Security Doesn't

Sitting in X4 sessions this week, a few things hit me that I think every security leader heading to RSA should hear.

First, customers don't separate security from experience. When a login flow is clunky, when a privacy policy feels evasive, when a data breach notification arrives, customers don't think "that's a security issue." They think "I don't trust this company." The experience IS the security posture, as far as customers are concerned.

Second, trust is measured in moments, not programs. The CX world has gotten sophisticated about mapping customer journeys and identifying the specific moments where trust is built or broken. Security teams could learn from this. Instead of thinking about security programs, what if we mapped the trust moments in our customer and employee journeys? Where does a security interaction build confidence? Where does it create doubt?

Third, AI has collapsed the timeline. Before generative AI, building trust was a slow, steady accumulation. A company earned trust over years of reliable behavior. Now, a single AI-generated interaction that feels wrong, a hallucinated response, a recommendation that reveals too much about what the system knows about you, can destroy trust in seconds. The speed at which trust can be lost has fundamentally changed, and most security programs haven't caught up.


What the Security World Knows That CX Doesn't

The relationship goes both ways. There are things the security community understands deeply that the experience management world needs to internalize.

Trust without verification is vulnerability. The CX instinct is to reduce friction, make things easy, remove barriers. That's the right instinct most of the time. But in an AI-enabled threat landscape, some friction is a feature. The security challenge is designing that friction so it feels like protection, not punishment.

At PayPal, we built systems that added authentication steps only when behavior seemed unusual. Users understood that extra verification wasn't arbitrary. It was the system looking out for them. That's what good security design looks like in practice: friction that builds trust instead of eroding it.

Trust is also a target, not just an outcome. The CX community thinks about trust as something you build. The security community knows it's also something adversaries actively try to destroy. A ransomware attack doesn't just encrypt files, it tells your customers you couldn't protect the systems they depend on. A data breach doesn't just expose records, it breaks a promise. Even a vulnerability in your product that makes the news erodes confidence before any exploit is attempted.

And then there's third-party breach, which might be the clearest example of trust as an industry-wide problem. When a vendor in your supply chain gets compromised and your customer data is exposed, your customers don't call that vendor. They call you. They trusted you with their information, and the fact that you trusted someone else with it doesn't reduce your responsibility, it extends it. Every major third-party breach reminds the entire industry that trust is a chain, and customers only see the link they chose to do business with.

Every category of attack, from social engineering to supply chain compromise to infrastructure intrusion, ultimately lands in the same place: customers, employees, and partners asking whether they can still trust you. As AI makes attacks faster and more convincing, the trust infrastructure that CX teams build becomes the attack surface that security teams need to protect.


The Conversation RSA Should Be Having

Here's what I think is missing from most RSA agendas. Not more threat intelligence briefings. Not more vendor pitches about the latest detection capabilities. What's missing is a serious conversation about security's role in the trust economy.

Every company is, whether they realize it or not, in the trust business. Their customers, employees, and partners are making daily decisions about whether to share data, adopt new tools, and deepen their engagement based on whether they trust the organization to handle that relationship responsibly.

Security teams are the custodians of that trust. Not the only ones, but central ones. And most security organizations aren't structured, measured, or incentivized around that responsibility.

We measure mean time to detect and mean time to respond. We track vulnerability counts and patch rates. We report on compliance percentages and audit findings. All important. None of them tell you whether your customers trust you more today than they did yesterday.

If I could add one session to every RSA agenda, it would be this: How do we measure and protect trust as a business asset, not just manage risk as a technical problem?


Where This Goes Next

The convergence of CX and security isn't theoretical. It's already happening in the way customers evaluate products, the way regulators write policy, and the way boards ask questions about risk.

Companies that figure out how to bridge these worlds, that treat trust as both a customer experience priority and a security imperative, will have a meaningful advantage. Not because they'll be better at stopping attacks, though they will be. But because they'll be better at earning and keeping the relationships that drive their business.

I wrote about product thinking in security in my book, and about how the best security capabilities are the ones that feel like features rather than restrictions. The trust conversation takes that further. It's not enough to build security that doesn't annoy people. We need to build security that actively makes people feel safe, informed, and respected.

That's a higher bar. And it's the one that matters.

If you're heading to RSA this week, I'd love to talk about this. I'm hosting a couple of events around my book, Lessons from the Frontlines, where conversations like these are exactly what I want to dig into. Find me there.


Assaf Keren is a security executive with experience as Chief Security Officer at Qualtrics and in senior security leadership at PayPal. He writes about the intersection of security strategy, organizational dynamics, and emerging technology.