Guardians of Trust: Navigating Third-Party Risk Across Business Realms with Jeffrey Wheatman
Host: Hi everyone, this is Purushottam,, and thanks for tuning into ScaletoZero Podcast. Today's episode is with Jeffrey Wittman. Jeffrey is a storyteller, mentor, coach and former Gartner Analyst. Currently he works as a cyber risk evangelist for BlackKite where he helps organizations all over the world solve the third party risk management challenge. He is an experienced risk management advisor with three decades of experience working in cyber security since the days it used to be called as information security.
Jeffrey, it's wonderful to have you in the show. For our audience, do you want to briefly share about your journey?
Jeffrey: Yeah, so thanks, Peru. I appreciate it. I'm excited to be here. I always like to talk to people all over the world. And thank you for not referring to me as an expert. That makes me crazy when people do that.
My whole sort of life in my journey has been about learning and making mistakes and learning from those mistakes. So I always call myself an experienced practitioner rather than an expert. I think experts, I think put themselves up on pedestals.
So I actually love to talk about my sort of journey, my path, because it's somewhat unusual. So I used to work in a hardware store in New York City, selling pipes and plumbing and electrical and screws and nuts and bolts and wood and I hated it. I hated every day I got home, I came home,
I was just very, very unhappy. And I said to myself, you know, I like computers. I've always been pretty good. So I put myself through a training class in Novell NetWare. So I'm dating myself a little bit. I don't even think they exist anymore. So I did that at night and it took me a couple of months and I ended up in a job managing a technology team for a company that installed printers.
And then I moved into consulting and I built a couple of consulting practices. I've always been very sort of strategic and project-oriented in my approach to how I do the things that I do. And in 2002, I found myself, I was running a project team for a small consulting company, rumors started circulating that they were getting bought. So of course all the business dried up.
They didn't want me to leave. So they put me on a site where I was working like four hours a week. And I had just nothing to do.
So I started playing around on an old website. I don't even know if it was there anymore called 2,600. And 2,600 was like an old-school hacker website. And I found these papers from this woman. Her name is Carolyn Minam. And she called herself the happy hacker. And I essentially taught myself how to be a penetration tester.
And I said, you know, this is much, much more fun than what I'm doing now. So that was sort of the career pathway that I took from that day forward.
So, you know, I've done penetration testing and I've done incident response and incident detection, which is enough to make anybody crazy. And then I ended up running some consulting groups. And then about 17 years ago, I ended up at Gartner where I found the perfect fit.
I got to talk to people for a living and it's what I do. About 18 months ago, I ran into, well, I mean, I'd known them before, but the company I work for now, Black Kite, and I kind of stepped back and I said, you know, I like what they're doing. I think they're doing some really interesting, disruptive things. I reached out to the CEO and said, Paul, I think I can help you blow this thing up. He agreed, and 18 months ago, you know, here I am. So, you know, I...
My title is Cyber Risk Evangelist, which is a silly title, I made it up. But essentially, I think about things and then I get to talk to people like you about the things I think about. I just got back from a conference in Huntsville, Alabama. As I mentioned before we started recording, I'm headed to London tomorrow to attend a conference being thrown by my former employer. So that's my career pathway. It's been...
It's been fun and I'm always trying to learn new things. I think a day where you don't learn something new is a waste of a day.
Host: Yeah, so that's a great quote and I love your journey right like from hardware store to consulting to security and now focusing on like cyber risk, cyber security and stuff like that And I want to ask a follow-up question even though it's not a security question We generally ask this question to all of our guests and we get sometimes unique answers
What does a day in your life look like? I know that you travel quite a bit, but If you are not traveling, what does your day look like?
Jeffrey: Yeah, so I love those kinds of questions. I don't think they get asked enough. So, you know, we usually, I get up usually seven, seven 15. I walk my dogs, I make coffee for myself and my fabulous wife.
And then I typically spend like the first hour of my day sort of learning, you know, looking at Reddit, looking at, you know, I subscribe to about 50 different newsletters. So, you know, I read about new stories and I sort of strategize, can I leverage any of that? during the day.
So as I'm sure, I know this will go up in a couple of weeks, but very big breach at MGM, the hospitality entertainment company.
So I've been reading a lot about that. And I'm like, okay, so are there any lessons I can take from that, that I can then go out and share on LinkedIn or on my blog, or having discussions with folks such as you guys on my own podcast.
And then… I do a lot of sales support. We have a very young sales staff, so I actually support them and help them be better storytellers. I do a lot of presenting, sometimes on site, sometimes remote.
And then typically I try to take half hour, 45 minutes during the day to exercise, because I think it's really important for my own sort of mental wellbeing to be able to get that out there. And then I wrap up the day very similarly to the way I start today.
What did I learn today?
What can I use to teach that tomorrow?
What are the takeaways from the day?
I'm a big believer in constant self-improvement. I always try to be a better person, a better human being, a better husband, better father today than I was yesterday. I frequently fail at that objective, but I always look back and decide, so what could I have done better?
Was there any where I was short with somebody or I sounded frustrated? And then I do all the cooking in my house. I make dinner, I sit down, I have dinner with my wife and then we watch a little Netflix and Lather Rinse and Repeat started all up tomorrow.
Host: I love your day honestly and one of the things that you one of the things that you highlighted was around health right a lot of folks do not pay a lot of attention to their health but I love that you pay attention to it you at least make sure you spend time taking care of your mental and physical health.
Like you highlighted about MGM I definitely want to talk about that but let's start with third party risks for today.
So let's start with some definitions for our audience who may not be familiar with it. Can you highlight what is third party risk and why does it need attention?
Jeffrey: Sure. So I think we have to really sort of take a little bit of a step up because there are three disciplines that we hear a lot about and that we talk to people about. And I think they're very interrelated.
So there's third party risk, there's vendor risk, and there's supplier risk, supply chain risk. So third party risk is essentially all of the people you do business with. Maybe you share data with them. Maybe they process things for you. Maybe they deliver, you know, office supplies or food or maybe they bring your garbage out.
So those are all of your third parties and some of them are more important than others, obviously. Vendors are really more of a subset of third parties. So vendors are typically people you pay for products and services. And then you have supply chain. And supply chain historically has been very much about physical things, right?
I manufacture these things. I ship them on trucks, boats, you know, planes, trains, automobiles, etc.
But really what we've seen is a big shift in that supply chain is no longer just about physical. It's also about digital. Okay. So those are sort of the three things with some broad definitions. I think that, so the area that's near and dear to me and to us at BlackKite is the cybersecurity element of that, right? Sure. You have to do contracts management, ESG (environmental societal and governance) and legal and regulatory and all those things.
But cyber is an important slice, number one, in and of itself, but it's also really important because it has an outsized impact on the rest of your business. If you get hit with ransomware, you can't pay your bills, you can't manufacture, you can't ship products, you can't take phone calls, you can't send bills out, you can't collect payments.
I refer to as this outsized impact on all of the other things. And historically, what has been a really big challenge, most people, if you ask them how many third parties you have, hundreds, but really what we found is they have thousands in many cases and they just don't always know about them.
And I think it's really, really important to be able to assess your exposure there.
Historically, how has that been done? People sent out questionnaires. Even assuming the questionnaire is 100% accurate, which is open for discussion, the day after it's filled out, it's less accurate. A week, a month, three months, a year later, it's less accurate still, and organizations are still making decisions based on outdated, maybe not even accurate data to begin with.
And I think just to kind of sum up the whole thing, even if you as an organization are perfect, your partners are probably not, and therefore you are absorbing risk because of things they do or do not do.
And it's becoming increasingly impactful and increasingly problematic. We hear there was a ransomware attack at the port of Nagoya in Japan. It's the biggest port or one of the biggest ports in Japan.
And I guarantee you, CEOs don't know their products flowing through there necessarily. They don't know raw materials are coming through there. They had no idea that ransomware attack was gonna have a significant and material impact on their business.
Host: So I like how you segregated them right like vendor and supplier chain supply chain challenges Let's say if I am running a fintech startup Growing at a very good pace does this matter to me should I be paying attention to third-party risk management?
Jeffrey: So yeah, I mean, I think, I mean, every organization has some risk. I think FinTech in particular would be more focused on digital supply chain rather than physical. Yes, it would stink if the food didn't show up to pay everybody or if you ran out of paper towels in the kitchen, sure, that would be bad, but it's the digital supply chain that's really problematic.
FinTech in particular is a data centric business model. If your data suppliers, don't get you the data or worse, if they have a breach and they get you bad data, we run into that. And there's a pretty recent example and I don't like to pick on anybody and it's public so we can share it. There's a company called ION UK. They're an options trading platform out of London. Well, back in February, they got hit with ransomware and they were down for about a week and a half. Two major European banks had to shut down their trading desk.
Why? because they were dependent on Ion UK. And that's not to beat on Ion UK. I'm sure their program is good. Everybody gets hit with these things. But when you ask about FinTech, that's the kind of example of the thing that we look at. And keep in mind too, they're heavily regulated, either directly or indirectly, even if the governments are not looking for them, the governments are regulating their customers.
So, in a nutshell, Puru, no organization is totally immune. Some are impacted more. So for FinTech, it may be a smaller number of impacts, but those impacts are going to be very large, or potentially very large.
Host: I really like how you described that.
One of the things that you said earlier was that as part of the third-party risk management or vendor management, vendors often fill out security questionnaires as part of the procurement cycle or maybe every renewal they go through security questionnaire and they fill out information around certifications or their practices or pen testing and many more things.
Doesn't that cover all the requirements and safeguard me as an organization from any future risks?
Jeffrey: The short answer is not even close. Again, it's a point-in-time snapshot and it is frequently based on aggregates of inbound information. It's unusual that you're gonna find one person in any organization who knows everything they do in security and risk. Just not a thing anymore.
When I started years ago, you could know everything in security, but now no way. There are just too many different moving parts. So they're asking people.
Self-reporting is always, you know, there's always exposures. The questionnaires are not always structured very well.
As an example, do you, have you implemented MFA, multi-factor authentication? Yes, yes I have. On every system, oh no, only the critical ones, right?
So when you ask those sort of, you know, yes or no questions, you run into challenges. And then as I said, even if they're 100% accurate, over time, they start to become less accurate because you're talking about very dynamic environments.
I also think that even if you say you do something, the tactical implementers might not be doing it. I had a meeting, this years and years ago, I was consulting for an advertising company and I was at lunch with the CIO and a bunch of the security team. And the CIO was very proud of his program and he talked all about policy. And then he specifically talked about a change control policy on firewalls.
And I could see the engineers were a little uncomfortable. And I said, what, what's wrong? And they said, no, we don't actually really do that anymore because it gets in the way of us doing our jobs. So had that CIO filled out the questionnaire, you were said, yes, we have change control. So, so those are the kinds of things. And I also, to your point, people send them out once a year, once every two years.
I was on, you know, in the vein of always learning, I was on a training class for, to get certified for third party risk management. And someone on the call said, so we send out questionnaires every three years. Is that okay? And I had to mute myself because I wanted to scream nooooooooo!!!
So that's the problem is that you, you need to get closer to real-time and, and questionnaires are just not that you need to get some validation. You need to get proof.
You need to do things like pen testing or implementing a platform like ours, or, you know, getting independent reports from third parties. But these things don't scale all that well.
To be quite honest, what we hear from a lot of people is they take the questionnaires, yes, you did the questionnaire, and they put it in a file cabinet. And then if something bad happens, they pull it out and say, well, you said you did this and you didn't, so we're going to sue you.
And that's just not a long-term sustainable risk management model.
Host: So, in that case, why even ask vendors for the security questionnaire if it does not even valid a month after the questionnaire was filled in?
Jeffrey: So I have to tell you, I have done 100 conversations like this. You're the first person that ever asked that question. So I applaud you for that.
I think the short answer, some of it is due diligence. Some of it is required, right? Some of it is used to make decisions, especially in onboarding. If you're onboarding a new vendor, you want to make sure at least when you sign the contract that you are covered to a certain extent.
I do think they give you some protection mechanism again. Hey, you said you did this, clearly you did not, right? You said you had MFA, you said you were encrypting laptops. Well, clearly based on this breach, those things are not true.
So you sort of can hold people to the fire, but the real answer is because it's always been done that way before. That's like, I hate to turn best practice.
Best practice doesn't mean it's good, doesn't mean it works, and it doesn't mean it's good for you. It just means that a bunch of people used to do it.
So I think that's really the short answer is everybody does it because there hasn't really been any other option. So everybody continues to do it and doesn't necessarily recognize that there are alternatives out there and those alternatives are getting better by the day.
Host: Okay, so then as an organization, what can I do? Let's say I'm onboarding a new vendor. What else should I expect from them or should I ask them to give us on top of the questionnaires?
Jeffrey: So some of it is based on setting proper context. So not every partner is of the same value. Not every partner is of the same risk. Some partners have your data, some don't.
Some you have alternatives, you know, multiple sources, so you don't have a single point of failure. Some of you do have a single point of failure. So the first thing we always suggest to people when you're looking at third-party risk is you have to prioritize
You can't have a thousand vendors all be of the same value and risk, but that's how a lot of these organizations treat them. So that's the first thing.
The second thing is then you need to work with your business stakeholders so that they understand there are going to be questions we're going to ask. They're going to be artifacts we're going to want to see. We're going to want to see potentially SOC twos or, or an assessment report or, you know, some kind of independent validation of your program, you know, whether it's an ISO certification or a NIST assessment, whatever it may be, but getting those things and building a defensible sort of repository.
I also think that we as security and risk people, third-party risk as a narrow scope, need to do a better job of articulating to our business stakeholders what we actually see as a problem.
I am a third party risk person or I'm a CISO and I go to a business person and go, hey, these guys aren't patching. They don't know what that means. But if you say, look, there are a set of things they should be doing, one of which actually keeps their systems up and safe and make sure that the data doesn't get breached and make sure that the systems are not down and that they're highly susceptible to ransomware.
Well, they're not doing a good job with that. Based on what we've seen, it's highly likely that in the next 12 months, we may see an incident there.
What does that mean to you, right? If their system is unavailable for a week, how bad is that?
If the data we give them gets leaked, how bad is that?
And then we can start to build this scalable, repeatable process so that we can continue to do this. And then for the companies that are the partners that are really highly rated, maybe once a month we ask them a question versus once every six months or once every year. Maybe we request a pen test report.
Maybe we implement a third-party risk intelligence platform such as ours at Black Kite where we're constantly monitoring and we have alerts, Hey, you know what? This partner that's really important, their score just dropped by 50% or two letter grades, or they were in compliance while they're not now, or, Hey, they just experienced a data breach. You may want to start to talk to them about that or
Maybe you change the kind of data you share with them. So the financial impact changes, therefore their risk exposure to you changes. And let me tell you, I'd like to be able to say questionnaires should die a fiery death, but that's never gonna happen, right? But I think it needs to be part of the solution. And to be fair, I have a thousand partners, questionnaires are probably okay for 500 of them, right?
because they're just not that important. They're just not that critical. If they have breached, yay, it wouldn't be good, but I don't think it would be a huge issue. And I think that's the key thing, right, is we need to focus more on the business impact. And we as security people do not do a good enough job of communicating with our business stakeholders. And one thing that I'm just gonna throw in there in the US,
There was a ruling just passed by the SEC, the Security and Exchange Commission, who oversees publicly traded companies. And I don't want to get into a lot of detail. I'm happy to have that as a follow-up conversation, but what we think and what we hope is gonna happen is now the business is gonna start coming to the security team and saying, hey, can you tell us what's going on? As opposed to the security team being pushed upon them, and then the board going, when are these people gonna get out of my office? Because I don't ever want to talk to them.
So Hopefully that's going to happen. We'll see what happens as it plays out once we flip into 2024.
Host: Yeah, so like you're spot on when it comes to that relationship between security and let's say business there is always that tension because security is always seen as a roadblock right? Hey, now security team has come up with five more things which we have to incorporate, which will delay, let's say one of our important deliverables or something like that. Right. So hopefully.
Jeffrey: Let's face it, Peru, there is not a single CEO in the world that I am aware of who is rated in any way, shape or form by how well he manages cybersecurity in their organization. What are they measured on? Profit, revenue, expense management, team building, right?
That's got to change. And hopefully the SEC regulation, and we're seeing some stuff in other regions as well. In the EU, for example, Dora, which is an operational risk framework targeted financial services.
We've seen actually a lot of really good, interesting regulation coming out of India, which is super important because so much data processing from the US and Europe is done in that region. Hopefully, we'll start to see, it's an accountability thing. They're saying, look, you trust us. We're going to show you that we are responsible and we're going to show you that we are responsible we're fine to be held accountable.
So it's a global problem. We could talk about regulations here and there, but this is a global problem that needs to be solved as a global set of solutions.
Host: Right, totally that makes a lot of sense. One of the things you earlier highlighted was that generally, we think that here we are working with 100 vendors, but we work with let's say 1000 vendors.
So when it comes to prioritizing your third party, let's say either a questionnaire or making sure that vendor relationship is secure.
How do you prioritize which vendors to put at the top, you go through them first and then you go through other vendors. Like how do you stack rank them?
Jeffrey:
Yeah. So, so I think there are a couple of ways to answer that. I think at a very simple level, how bad would it be if a partner had a breach or got hit with ransomware, right?
How much, how much impact would we not be able to function?
Would we be able to function, but at a lesser level, would we just go, whatever, or do we not care?
The second piece is if we, and this is particularly data centric, and I actually moderated a panel on cyber insurance in New York City the other day. And one of the things that came up was non-breach privacy violations, right? So nobody's stolen your data, but the company used the data badly and there's a declaration.
So looking at what is the impact to me as a company if one of my partners loses my data? So I think balancing those two things is important. And then,
I'm going to point to the map behind you because that is a great illustration. How many ways are there to get from Greenland, which is just over your right shoulder to Mumbai, as an example, not one way, not five ways, thousands of ways, right?
So that cascading and concentration risk is another thing. You depend on people who depend on other people who depend on other people.
So we need to start looking at not just third party, but fourth party, fifth party, sixth party risk and concentration risk.
How many of your partners have their entire operations in AWS, Google or Azure or Rackspace?
Because if they're all in there and those companies have an issue, that has an impact on you. So I think looking at the business impact, looking at the legal and regulatory exposure, and then also looking at that sort of extended ecosystem.
And we get the farther out you go, the harder it is, but that's where AI I think is actually gonna be really cool because we're seeing some cool AI analysis of, if you're familiar like with the old sales persons, traveling sales person problem, right?
AI is coming up with some interesting things and I think we're gonna see some really cool analysis there. But then I think ultimately, Puru, at the end of the day, you gotta draw a line in the sand have to make some decisions.
You have to document how you made those decisions. And then you have defensibility. If something bad happens, the regulators may come in and say, we don't like that. But at least you had a process, how you came to that conclusion. You may have to change that, but at least you have a process. It gives you that defensibility. Here's why we did what we did. Knowing what we know now, we would do the same or we would do something different. And here's how we would do that.
And I think that's, that's sort of, you know, how you would go about building up this program. And also one caution I'll give everyone out there. If you have more than three or four different categories, you're probably slicing and dicing it too finely. Three is usually pretty good. Critical, important, meh.
Any more than that, you then start to have challenges because, well, what are we going to do differently? And the answer frequently is nothing.
So, know, why get down to that level of granularity? I think people tend to overanalyze these things. Well, is it a million one of impact or is it a million one five? And at the end of the day, doesn't really matter that much.
Host: Yeah, I like how you put them into different buckets and by business impact. Let's say you are working with 100 vendors, put them into different buckets so that you know where to focus more versus not like as you highlighted earlier, right?
Maybe out of 1500 only security questionnaire is good enough, but the remaining 500 out of the remaining 500, maybe 50, which are business critical. And you cannot miss any security gaps there.
So that brings me to the next question which is like cybersecurity is not different than business right it impacts your business overall. So that would mean that there has to be some culture or an alignment between let's say CEO or leadership with the security team so that they go hand in hand rather than looking at security as a roadblock. So how do you deal with that?
Jeffrey: So I think it's a problem that cannot be fixed or addressed by one person. I think everyone needs to be involved. I think that the security people need to do a more effective job of building the connection between what they know and what the business cares about. I think the business people need to educate them a little bit and they don't need to be security experts.
But they do need to understand around the concepts of resilience and they need to know, you know, what is ransomware? What is encryption? They don't obviously need to know how to do those things, but they need to know what those things are.
I think that it's largely an accountability problem. What we have seen time and time again is security goes to the business and they say, hey, we have a problem.
And the business says, hmm, you're right. That looks bad. What should we do? And security says, well, we've identified three potential options. And the business says, we'll take the cheapest one. And security says, oh, you know, we're pretty exposed there. There's a lot of legal liability. And the business says, no, that's what we want. So the security person does that. Something bad happens. Who gets in trouble? Security person.
So you now have a disconnect between who is responsible for the decision-making and who's accountable for it. That is a problem that needs to be addressed.
We're seeing some improvement, but it's definitely slow and steady. I'm also a very, very big fan of scenario planning and workshopping. And what I always do, and I've run hundreds, if not thousands of workshops on a whole bunch of different things in my career. And the first thing I do is change everyone's job.
You're the CIO during the day. Today, you're the COO. You're the CTO. Today, you're the CEO. CEO, you're now the CIO. And it gets people to think differently because it doesn't always work well, but every single time I do it, you know what I hear at the end? Wow, I never thought about that before. And that's what we need to start doing because then people will start asking questions. And that to me, that interaction I think is important.
Um, we can talk all we want about, well, the CISO needs to report higher in the organization. Okay. That's fine. Just changing someone's role doesn't actually help. They need to be more embedded. They need to be more involved. They need to be treated as equal partners.
Now, on the flip side of that is if they're treated as equal partners and they show up for every meeting and say, no, stop, don't, that's too dangerous. You can't do that. They're going to be disinvited. So there needs to be give and take on, on both sides. And then I think there needs to be, it needs to be cyclical.
We made this decision last year. What came of it? Was it the right decision in part, in whole? What do we do to improve? Because you always want that continuous improvement. And I think too much of it is we make a decision and then we move on to the next decision. And to be honest, that's a problem with all business decisions, not just security and risk.
Host: So, I really like two points that you highlighted. One is where you mentioned accountability, right? And especially during the current economic condition, a lot of organizations are taking decisions based on cost versus the value, right? And that puts security folks not at risk, but in a way at risk, right? Because in future, if there is an attack or there is a breach or something like that. Ultimately, it's the security team's responsibility or they are accountable for it, but the decision was made by someone else.
The second thing which I really loved is the scenario play workshops, right? Where you sort of are playing someone else and you see what pain they go through or that builds empathy, right? Empathy for the person for the role and that helps you get better at that relationship and in running the business also, like seeing the value of security, let's say for leadership.
So I really love that part. I'm going to try it out in our organization actually.
One follow-up question that I have is, how would as a business, I will measure the effectiveness of these measures?
Let's say I have...few practices in place, how do I measure that they are effective?
Jeffrey: Yeah. So that's a, that's a tough one. Uh, cause there's so much sort of prep work you need to do. Um, I am a very, very big fan of some work that is done by one of my former colleagues over at Gartner, uh, Paul Proctor around, um, what he calls it outcome-based security and risk management. And really what they're talking about is helping executives to understand there's a trade-off, right?
The more money you invest, the more risk you mitigate, the less money, the less risk. And when the economy is tough and there's less money, it's okay to cut back, but the business needs to understand what kind of additional risk they are absorbing, right? Just like when the economy cuts back, you cut salespeople, you cut marketing people, maybe you cut operational people, maybe you cut administrative people.
Well, all of those people, when they go, they have some negative impact on the business, big or small. So to me, it's really about having that conversation. And what it can't be is if we take away a million dollars, how many dollars of risk do you pick up? Because that's never, you're never going to win that conversation.
We've seen cyber risk quantification, we have an implementation of it that's very narrowly focused and automated and it works great. But to do that on a wide scale is much, much more much, much more challenging.
So I think a lot of it is around how do you strike that correct balancing act and the balancing act will change over time as the economy gets better or the economy gets worse. But I think it's all about, can you defend it by explaining, we decided to take money away from this, understanding here's what the potential impact would be.
And you know, again, it doesn't always work out, but at least you can articulate it and What we need to stop doing is just cutting money for no reason without understanding what that means. Because that's frankly what happens most of the time.
Host: Yeah, that makes a lot of sense. Now, one of the things that currently we are going through, let's say, is economic challenge time, right?
So you have been in the industry for quite a bit of time in security and third-party risk management. How has that landscape changed?
How has economic downturns have affected?
From a technology perspective, how has it changed?
And any emerging trends that you are noticing that others should pay attention to.
Jeffrey: So one of the things that we've seen is that organizationally, people are focusing more on resilience, meaning how can we continue to operate if something happens, whatever that something is.
As a result of that discussion, we're starting to see some consolidation in some of the risk areas, rolling them up into sort of an enterprise-wide risk management framework.
I think we're still a long way away from full integration, but we're definitely starting to get that. As a result, organizationally, people need to start looking at their vendor third-party supply chain risk landscape more broadly and more strategically. That's one of the trends.
The second trend is there's an increasing awareness at the board level, at the C level about the fact that cybersecurity in general needs to be paid more attention to.
Supply chain in particular, even though as we talked about at the beginning, there's a lot of overlap, supply chain risk really came to the forefront during COVID because we saw all of these supply chain issues. You can't get this, you can't get that.
And I think companies have started to realize that their whole supply chain was being run out of one group without really interacting with the rest of the organization. Like the supply chain lead frequently is not part of a lot of other conversations. So I think there's an awareness there.
And then finally, I think another trend is people are trying to move more toward real-time data information, moving toward intelligence.
So I always say data is ones and zeros. Information is what you do with those ones and zeros when you provide a business contact. Intelligence is how you act upon that. And intelligence is where we need to get to.
So providing context, not just throwing, hey, here's a score.
On LinkedIn a couple weeks ago, I actually put out a question. Hey, I'm thinking about doing a balanced scorecard for third party risk management, who's in? And I got like 30 people say, we wanna help.
Clearly there is a need there for that higher order report. Now, of course, I need to figure out how to do that, because it was an idea.
So I think those are some of the trends that that we're seeing, I think it's becoming more strategic. I think more and more things are being brought in.
I mean, if you look back 10 years ago, third-party risk management and vendor risk were quite simple. If legal was okay with the contract and if finance believed they would be in business, then you would sign it. That is not the case anymore.
So there's a maturity. Unfortunately, as is always the case, the desire is always ahead of the capability. So… that's where we need to start working is building that capability, building the processes, looking for tools, looking for mechanisms for automation, looking for the ability to provide business context, not just technology, you know, data points that are meaningless to most business people. A million missing patches. Okay. I don't know what that means.
Host: So, yeah, there are so many pieces which has to be put together so that you have your third party risk in check, rather than it's just a score or a checkbox that you can check and you're all okay, right? There are so many systems you need to work with or so many vendors, so many areas to focus on. So, yeah, thank you so much for answering that question and the security section.
Summary
Thanks Jeffrey for the fun & insightful conversation. Here are a few important points which stood out for me:
- Vendor Security Questionnaires are not enough because they are out of date a month after its filled. Continuous assessment is more important than one time vendor security questionnaire.
- Prioritization of Vendors and their security is key to not get overwhelmed with massive number of vendors. it can be driven by Business Value & Impact of a particular vendor. Categorization can be Critical, Important and nice to have.
- When it comes to Procurement decisions, understand the Cost vs Value factor of the decision. Even though the decision is made by Leadership or Business, ultimately Security is accountable for this.
The next section that we have is the rating security practices.
Rating Security Practices
And the way it works is I'll share a security practice. You need to rate from 1 to 5, 1 being the worst and 5 being the best. Then you can add context as to why you are giving a particular rating.
Jeffrey: So I just wanna make sure I'm doing this correctly. So when you want me to rate it, you want me to talk about the value or how well I think people do it.
Host:That's it. Let's do the value. No, I totally understand what you're saying. Let's put it from a value perspective.
Jeffrey: Okay, alright. Okay. All right. Let's do it.
Host: So the first one is conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your systems and applications.
Jeffrey: So from a value perspective, that is definitely a 5. I think that we wanna get as close to continuous as we can. I think that being able to understand your current posture, being able to understand your current exposure level, and then of course you have to bring in what the threat environment looks like from the outside. I think there's a huge amount of value there.
Part of the challenge is, What does periodic mean? Is it once a week? Is it once a month? Is it once every 10 years?
The obviously different levels of value there. What I always suggest to people with these kinds of things is how often are you doing it now? Once a year?
Okay, what would be involved in doing it twice a year? How much would you need to invest? You're doing it twice a year? Let's go to quarterly. And again, back to that balance. I think eventually you get to the point where you could say, you know what?
Jeffrey: We're as good as we feel comfortable spending. Okay, that is a reasonable thing for you to say. So high-value implementation, I think is lagging a little bit, but that continuous assessment and analysis, I think is critical for the success of any program, security or not.
Host: That's spot on. Let's go to the next one, which is provide training and awareness programs to employees to help them identify and respond to potential security threats.
Jeffrey: So I'm going to give this one a three and I'm going to give it a three only because I feel like a lot of people implement training and awareness because they think they're supposed to and not because they know why. I think there's always going to be a limitation.
I always talk about sort of like a bell curve, you know, in probability.
There are always going to be people that are going to do the right thing no matter what there are always gonna be people that are gonna do the wrong thing no matter what. And then there are a whole bunch of people in the middle. And I think what training can help you do is push that curve up a little bit or down a little bit. So maybe you get more people doing it. Maybe you get less people doing the wrong thing.
But I think that the key thing in success there, I think is if you understand why you're doing it, I would probably move it from a three to a four. So I think there's value there.
I do think there's an over-reliance on it. And here's the thing, especially with AI, the bad attackers, they're able to fool people because people are not, I'm a professional paranoid. That's what I tell people.
But people don't think that way. People have day jobs. People have other stuff they need to do. They can't always be thinking, ooh, is this a scam? So I think awareness has limitations.
I'm a big fan of a concept called people-centric security, which is you tell people what's expected of them, and then you measure them on whether they do it or not. And when they don't, there have to be negative ramifications.
Host: I agree with your assessment. It should not be that you do trainings or awareness programs because you have to do it. You need to understand why you are doing it. That helps even the folks who are going through the training to absorb the material and be aware of what's going on. Right. And especially as you highlighted, like in today's world with AI, there is a lot of social engineering attacks going on. The more aware your employees are, it helps you sort of fight those attackers, right, as much as you can. So, yeah, I really like how you described that.
Let's go to the last one, which is development regularly test an incident response plan to help quickly detect, respond to and recover from security incidents.
Jeffrey: I agree. Okay. So we have to rate this one to five. I'm going to give it a 10 because this to me may be the most important thing. And it is the one that is the hardest. And I think it is frequently ignored because it's very process-based.
Here's what I'll tell you. And I've been telling people this my whole career. You are never ever going to stop every attack. So when you are victimized, when something bad happens, what do you do?
And, you know, I mentioned we did this panel on cyber insurance and we had an attorney there. Her law firm has an entire practice on incident response. That is what they do. If you don't respond well, you're going to get hit with maximum fines. You're going to get sued. You're going to be in a bad way.
And I talked a little while ago about the concept of resilience. You cannot have resilience if you do not have a mechanism to be able to recover.
What can you recover? How much of it can you recover? Can you recover everything? What's the bare minimum that you need? And most, I know when I say most, a lot of organizations have not had those discussions.
It's not exciting because it's process-based, but it is so, so important. And it is just, I don't think it's handled nearly as well as it should be. And we talked a few minutes ago about scenario planning. You gotta workshop these things.
I've run a lot of incident response workshops and you get in there and say, okay, so the press just called and they found your data on this data dump. What do you do? And most of the answers are, uh, why, I don't know. What do we do? Right? So you got to test it. You got to hone them. And it doesn't mean a full blown out week-long thing. You can do quarterly desktops. You can do monthly. You can do quarterly. You can do annual.
But if you're not doing it and if you're not doing it with your executives for material problems, you're gonna have a big problem. So that one definitely is a 10 for me.
Host: I see it very similar to how the fire drills work. You need to know how to operate the fire extinguisher. Otherwise, if there is a fire all of a sudden, you have no idea how to deal with it. You don't even know how to use the fire extinguisher and you are in danger. So doing those exercises sort of prepare you for any future fire or something like that.
Jeffrey: And, and, and the more, the more you practice, the better you get at it. And the, and the, and you can identify gaps. And that's why when I mentioned a few minutes ago, changing roles, that's why that's really important too, because what happens if you can't get ahold of somebody, right? Oh, you know, I remember when we did that exercise, I asked this question. That's where we need to get to.
Host: Yeah, that makes a lot of sense and that's a great way to end the episode as well. Thank you so much, Jeffrey for joining and sharing your knowledge around third party risk management because this is the first time we are doing this topic in this podcast. So thank you so much for coming.
Jeffrey: Oh, Puru, thank you so much for having me. And if anyone has any questions, feel free to connect to me on LinkedIn. If you have any kind of a profile, I take all takers. I am happy to answer questions. And again, thank you so much for having me Puru. It was so nice to meet you and the team. And if you have any questions, feel free to reach out. Happy to do the podcast again every week if you want.
Host: It was a pleasure to have you on the show as well. Thank you so much for coming and sharing your knowledge. And to our viewers, thank you so much for watching. Hope you learned something new as I learned as part of this episode. If you have any questions about security, share those at scaletozero.com and we'll get those answered by an expert in the security space. See you in the next episode. Thank you.
