CISO Perspectives: Building Trust Literacy for Secure AI and Data Innovation

By Leia Mancahanda Field CISO, Oracle

As organizations accelerate adoption of AI, analytics, automation, and cloud-based data platforms, one question is becoming increasingly important for business and security leaders: How do we know what to trust?

Trust can no longer be assumed. It must be continuously evaluated, governed, measured, and reinforced through people, processes, and technology. This is especially true as organizations rely more heavily on AI models, automated decision-making, distributed data environments, and third-party digital ecosystems.

That is where trust literacy becomes essential.

Trust literacy in data security is the ability of individuals and organizations to critically assess, understand, and manage the trustworthiness of data, digital systems, and AI outputs. It goes beyond passive reliance on technology. It requires informed engagement, secure behavior, governance discipline, and the ability to question whether data, systems, and automated insights are accurate, appropriate, compliant, and secure.

For CISOs, security leaders, data leaders, and business executives, trust literacy is quickly becoming a foundational capability for reducing risk, strengthening governance, and enabling secure innovation.

Why Trust Literacy Matters

Cybersecurity has long recognized that technology alone cannot solve risk. People remain central to both security success and security failure. Phishing, credential misuse, poor data handling, misconfigured access, and overreliance on unvalidated outputs continue to create exposure across the enterprise.

In an AI-driven environment, the stakes are even higher. Employees are not only accessing data; they are interpreting model-generated insights, using automated recommendations, and making decisions based on outputs that may be incomplete, biased, inaccurate, or misapplied.

Trust literacy helps organizations close this gap by enabling employees and leaders to ask better questions:

• Is this data accurate and appropriate for the decision being made?
• Is this system authorized, secure, and governed?
• Is this AI output explainable, validated, and free from unacceptable bias?
• Is sensitive data being protected throughout its lifecycle?
• Are regulatory, ethical, and business requirements being met?

When organizations build these capabilities into their culture, they create a workforce that is not simply using digital tools, but using them responsibly.

What Trust Literacy Means in Data Security

Trust literacy is the capability to make informed, critical decisions about the reliability, security, and ethical use of data, systems, and AI. It helps organizations balance innovation with risk management by giving employees the knowledge and confidence to evaluate what they are using, how they are using it, and whether it should be trusted.

Critical Evaluation of Data

Employees must understand where data comes from, how it was collected, how it has been changed, and whether it is fit for purpose. Poor data quality, incomplete lineage, hidden bias, or unauthorized data use can undermine both security and business outcomes.

A trust-literate workforce knows that not all data is equally reliable. Data must be evaluated for accuracy, sensitivity, context, ownership, and intended use.

Balancing Zero Trust and Trustworthy Systems

Zero Trust teaches organizations to never trust by default and to continuously verify access, identity, device posture, and behavior. Trust literacy complements this approach by helping users understand which systems, data sources, and processes are trustworthy because they are properly governed, monitored, and controlled.

The goal is not to eliminate trust. The goal is to make trust explicit, conditional, and continuously validated.

Ethical and Compliant Data Use

Data security is not only about preventing unauthorized access. It is also about ensuring that data is used appropriately. Trust literacy requires awareness of privacy obligations, regulatory requirements, data minimization, consent, retention, and responsible AI principles.

This is especially important as organizations deploy AI and analytics across customer, employee, financial, operational, and regulated datasets.

Human-in-the-Loop Decision-Making

AI can accelerate insight, automate tasks, and improve decision-making, but it should not remove human accountability. Trust literacy reinforces the importance of human review, especially for high-impact decisions.

Users should be trained to question AI-generated outputs, validate results, escalate uncertainty, and understand when automation should support – not replace – human judgment.

The CISO Perspective

As a Field CISO at Oracle, I work closely with customers who are navigating increasingly complex security challenges. These challenges are being shaped by emerging technologies, evolving regulations, expanding cloud adoption, and new ways of working.

Across industries, one pattern is clear: organizations are investing heavily in data and AI, but many are still maturing the governance, security, and education models needed to support them at scale.

Trust gaps often appear in predictable places:

• Sensitive data is not consistently classified or governed.
• Employees do not always understand appropriate data use.
• AI outputs are accepted without sufficient validation.
• Security controls are implemented but not operationalized across business processes.
• Compliance requirements are understood by specialists but not embedded into daily workflows.
• Identity, access, and monitoring practices are not consistently aligned to data sensitivity.

Trust literacy helps address these gaps by connecting security awareness, data governance, AI governance, and business accountability into one enterprise capability.

Operationalizing Trust Literacy Across the Oracle Stack

Trust literacy becomes most effective when it is supported by practical controls and repeatable processes. Across the Oracle stack, organizations can strengthen trust by aligning education, governance, and security technologies around how data and AI are actually used.

1. Know and Classify Your Data

Organizations cannot protect what they do not understand. Establishing visibility into data location, sensitivity, ownership, and usage is foundational.

This includes identifying regulated data, classifying sensitive information, understanding data lineage, and applying controls based on risk. For Oracle Database and cloud environments, this should be part of a broader data security and governance program that supports discovery, classification, monitoring, and protection.

2. Strengthen Identity and Access Controls

Trustworthy data use begins with strong identity. Access should be granted based on least privilege, business need, and continuous verification.

Organizations should align identity and access management practices with Zero Trust principles, including strong authentication, role-based access, privileged access controls, and regular access reviews. The more sensitive the data or system, the stronger the verification and monitoring should be.

3. Protect Data Throughout Its Lifecycle

Data protection must follow data wherever it moves: from creation and storage to processing, sharing, archiving, and deletion.

Encryption, masking, tokenization, backup, retention, and secure data-sharing practices all play a role. Trust literacy helps employees understand why these controls matter and how their own behavior affects the effectiveness of the broader data protection strategy.

4. Govern AI Inputs and Outputs

AI introduces new trust questions. What data was used? Is the data appropriate? Are outputs explainable? Are models being monitored? Are humans validating high-risk decisions?

Organizations should establish AI governance practices that include data quality checks, model risk assessment, security review, documentation, monitoring, and human oversight. AI systems should be evaluated not only for performance, but also for security, compliance, fairness, and business impact.

5. Monitor, Detect, and Respond

Trust must be continuously validated. Monitoring user behavior, system activity, data access, configuration changes, and anomalous patterns helps organizations detect when trust assumptions are no longer valid.

Security teams should use logging, analytics, alerting, and response workflows to identify suspicious activity and enforce accountability. Trust literacy strengthens this by helping employees recognize when something does not look right and report it quickly.

6. Embed Security Into Business Workflows

Trust literacy should not be limited to annual training. It should be embedded into how people work.

This means incorporating secure data-handling guidance into business processes, providing role-based education, aligning controls to user workflows, and making trusted behavior the easiest path. Employees should understand not only the policy, but the reason behind it.

Best Practices for Enhancing Trust Literacy

Building trust literacy requires a sustained, organization-wide commitment. It is not a one-time awareness campaign. It is a continuous capability that should evolve with the business, threat landscape, regulatory environment, and technology stack.

Deliver Role-Based Training

Different teams interact with data and AI in different ways. Executives, developers, analysts, security teams, HR, finance, legal, and frontline employees all need training that reflects their responsibilities.

Training should cover data privacy, security fundamentals, responsible AI use, phishing and social engineering, secure collaboration, data classification, and escalation procedures.

Promote Data Transparency

Stakeholders are more likely to trust organizations that are transparent about how data is collected, used, protected, and governed. Clear communication builds confidence with customers, employees, regulators, and partners.

Transparency should include plain-language explanations of data use, security practices, privacy commitments, and AI governance principles.

Reinforce Continuous Education

Technology changes quickly. So do threats. Trust literacy programs should be updated regularly to reflect new tools, emerging attack methods, changing regulations, and evolving AI capabilities.

Continuous education helps employees stay current and reduces the risk of outdated assumptions.

Create a Data-Driven Security Culture

Trust literacy works best when it becomes part of culture. Employees should feel accountable for protecting data and empowered to ask questions when something seems unclear or risky.

A mature trust culture encourages responsible data use, cross-functional collaboration, and shared accountability across security, data, legal, compliance, IT, and business teams.

Measure and Improve

Organizations should measure the effectiveness of trust literacy programs through training completion, phishing resilience, access review findings, data handling incidents, policy exceptions, audit results, and user behavior trends.

The goal is continuous improvement, not checkbox compliance.

Moving From Assumed Trust to Earned Trust

Trust literacy is no longer optional. It is a foundational capability for organizations operating in an AI-driven, data-centric world.

As cyber risk increasingly intersects with business risk, organizations that invest in trust literacy will be better positioned to reduce human-driven vulnerabilities, strengthen governance, and make more informed, defensible decisions.

The path forward is clear:

• Embed trust literacy into organizational culture.
• Operationalize it through continuous education and transparent practices.
• Reinforce it with strong identity, data protection, monitoring, and AI governance controls.
• Align it with the technologies and security capabilities across the Oracle stack.

By doing so, organizations can move beyond reactive security toward a more proactive and resilient posture – one where trust is not assumed, but continuously evaluated and earned.

Ultimately, trust literacy enables organizations to unlock the full value of data and AI with confidence. It helps drive innovation while maintaining the security, compliance, and transparency that customers, partners, employees, and regulators expect.

Resources

Securing AI: A CISO’s Perspective on Trust and Resilience

CISO Perspectives: A Practical Guide to Implementing the NIST AI Risk Management Framework (AI RMF)