Lowe’s Knows Third-Party Risk Management
Description
As one of the largest home improvement retailers in the world, Lowe’s knows that eliminating potential risks from vendors, suppliers and other third parties is essential to their success. This year, the company is in the midst of a major third-party risk management upgrade – and Jefferson Pike, Sr. Manager IT Security TPRM, is the program’s lead architect.
Join Jefferson for this webinar discussing lessons learned on the Lowe’s TPRM “project site.” Along with Brenda Ferraro, VP of Third-Party Risk at Prevalent, Jefferson shares actionable tips across all stages of TPRM, including:
- Blueprinting: Assessing your needs and outlining an achievable TPRM framework
- Building the Team: Aligning procurement, legal, vendor, security, and leadership teams
- Scoping the Job: Identifying and understanding the vendor and supplier universe
- Gearing Up: Selecting the right tools and weighing in-house vs. outsourced TPRM options
- Getting It Done: Vendor tiering, questionnaire selection, continuous monitoring, Nth party assessments, remediation management, and more
- Measuring Progress: Selecting the right KPIs/KRIs and reporting to management
This is an invaluable opportunity to gain insights from a TPRM program in the midst of a major expansion.
Speakers
Brenda Ferraro
VP of Third-Party Risk at Prevalent
Jefferson Pike
Sr. Manager IT Security TPRM
Transcript
Amanda: Hello everybody. I’ll give it a second for people to start signing on: five, four, three, two, one. Welcome everyone to our webinar, Lowe’s Knows Third-Party Risk, with our special guest Jefferson Pike, senior manager of IT security for TPRM. Also joining us today is our very own vice president of third-party risk, Brenda Ferraro. My name is Amanda Fina, wannabe TV show host and hopeful Bachelor contestant if I’m still of age. But for now, I’m also just your business development rep here. I have a couple of things to get started with before we start the show. Everyone is muted. That means everybody. We know you’re all home. We don’t want to hear vacuums. We don’t want to hear coffee makers or Amazon Prime coming to your door. So, we’re going to just cut to the chase. No one can talk. But even though you can’t talk, we really want this to be interactive. So, please ask any questions that you may have in the console in Zoom. Use the Q&A, not the chat. That makes it easier for everybody. And hopefully, when time permits at the end, we’ll answer all of those. Today’s webinar is being recorded, so we will send it to you tomorrow morning and you can share it with whomever you wish. And that’s about it from me. I’m going to hand it over to Brenda. Thank you so much to both of you for joining, and let’s get started.
Brenda: Thanks, Amanda. I always like it when you start these because they are so exciting and fun and I will totally promote you for the Bachelorette.
Brenda: Thanks everyone for all your support.
Brenda: So, I’m happy to be here with Jefferson today. And by the way, all of our announcements have come out with him as the senior manager. He has recently been promoted to director of information security. So, congratulations on that, Jefferson.
Jefferson: Thanks.
Brenda: I think this is our one-year anniversary of when we met and started talking about the third-party risk program for Lowe’s. I was in North Carolina around this time, and I think it was also maybe your first week.
Jefferson: I think it’s my first day or second day on the job.
Brenda: It was like a firestorm of, here’s Brenda talking about third party and all the strategy things she thinks you should do. But congratulations on how far Lowe’s has come in one year. It’s been more expedient than any other company I’ve ever worked with before on strategy. So kudos to you and your team, and congratulations on your promotion. The one thing I’d like for you to talk about, since everybody pretty much knows about me: I’ve come from a finance background at Charles Schwab and eBay and PayPal, and then I went to healthcare, and I’ve worked in retail before, and now I’m at Prevalent being able to help other companies grow their programs. But tell us a little bit about you, and then maybe a fun fact about what’s your favorite thing to do during 2020.
Jefferson: Sure. Thanks, and first of all, thanks for having me here. I love being here representing the team who actually did all the work for us to be here. My name is Jefferson Pike. I’m former Navy, first of all, which is probably what I’m proudest of. After the military I spent time in the telecom sector and the financial sector, and eventually came to Lowe’s. Cyber security is my passion, but I actually came to it late in life. I was more on the technical side in other areas, and in business analysis for years, and even internal audit at a big bank over their third-party program. So it’s not your typical approach, but what we find is a lot of people in this industry don’t have a typical background and come from a mix of backgrounds, which actually helps us in our particular case with third party. And we’ll learn more about that. Since this whole period of being stuck in the house, when trying not to gain weight, this is a great time to learn and read and actually go after certifications and training, because most classes now are on demand online and you can even take your certification exam at home. So I’ve been taking advantage of that, trying to learn as much as I can in every area. So it’s pretty boring, but it gets you out of trouble.
Brenda: Well, it’s way more collegiate than me. I’ve just been trying to get away in 2020 to places like Sedona, Arizona, walking around the creek looking at birds. Many people know I’m a birder. So I like to go out and identify birds. That’s part of the craziness about me. But we will now go away from what we have been doing in 2020 for ourselves. I like the way that you’ve been learning, and helping others learn about what Lowe’s has been doing with their program. Our agenda today: we tried to be very creative. Lowe’s is a home improvement store with many other items that they provide for their customers. We took this webinar and started thinking about how we can make it relatable, from a third-party risk management building process to building a home. So there’s blueprinting, which is really about assessing what you need to build. There’s building the team: how to integrate all the different departments within your organization, so it’s an enterprise approach. There’s scoping the job; that’s more about understanding the universe of vendors or suppliers that you need to assess. Gearing up, that’s more about what are the core competencies that you need to implement and execute for your program. And then of course execution, getting that part of the program up and running, and then measuring progress, showing how well you’ve done and what risks you’ve identified for the company. So, anything you want to add to that agenda? It looks pretty meaty for us to go over. Jefferson, is that enough?
Jefferson: That’s that’s plenty enough. Let’s go ahead and get to it.
Brenda: So, let’s start real quick. I have watched your program grow, and there are many different things that you need to look at when you’re architecting or building your program. From my experience, it takes discovery. It takes planning. It takes knowing multiple fundamentals that have to be incorporated into that design that you’re going to use for building the program. So, what did you do to assess the needs to architect your program and build it?
Jefferson: Sure. Great question. And first of all, it’s called third-party risk management for a reason. It’s not third-party compliance management. And I think a lot of people, including me in the past, have had the mindset that you need to come in and do everything. And you honestly just can’t do that. You have to figure out where to start and not beat yourself up thinking you’re not accomplishing everything on day one. It does take time. And risk management is not new. In fact, when you study information warfare on the military side, you learn that the guy who wrote The Art of War, Sun Tzu, talked about risk management 7,000 years ago, and he said that if you know yourself and you know your enemy, you don’t need to worry about the outcome of a hundred battles. Essentially he’s saying that if you assess yourself and you assess the threats to yourself, you don’t need to worry about the outcome; you’ll make it. And with third parties we have to own them as part of us and actually assess them and assess the threats to them. So we started with that, and we had to look at our industry, because the retail industry is totally different from financial or healthcare. In the financial sector you have regulatory agencies telling you what to do for third party, and the OCC will tell you that you have to have a continuous monitoring program in place, which is great, but in retail you don’t have those regulatory factors like you do there. There are heavy fines. There are other things you can take into account. There’s guidance, but you don’t really have any kind of real regulation across the industry. So you have to figure out what your own risk appetite is if you’re taking that risk management approach. So, first it came from leadership, and a lot of our leadership came from places like Target, Home Depot and other places that have experienced bad situations,
and they don’t want that to happen again. So it’s something we’re very mindful of: how do we best protect ourselves in a retail environment, which is totally different from healthcare? So we had to look at that. And then you have to figure out, if you’re out in the middle of the woods and you’re trying to get out of the woods, a map won’t help you by itself, and the compass won’t help you by itself. You have to have the two together and use that compass. You identify a couple of points, see where you are on the map, then you work your way out. And it’s the same thing with this. So we had to look for a reference frame we could use, and a framework that we could use to figure out what the lay of the land would be. But then we had to figure out where we were on that map. And so we conducted a couple of self-assessments, and we found a framework from Shared Assessments called the Vendor Risk Management Maturity Model. We conducted a self-assessment on ourselves and figured out where we score on this. It’s very similar to doing a gap analysis for NIST or something else, but much better than that. And we’re also looking at things originally from an information security perspective. Every company does it differently, but for us third party is embedded within information security. So when you’re looking at an asset, an asset can be anything of value to a company. Typically you’re looking at just the confidentiality at first. For example, when you hear about most data breaches, what’s making the news is how the confidentiality was breached. There are actually two other factors to it: there’s integrity, making sure that data stays accurate, and availability, which now is a big thing, especially with supply chain. So you can’t do all three at once. You start with what you know, and in our case we knew information security.
So we started there, and we plotted ourselves on the self-assessment framework and figured out where our gaps were, and just like any organization we had some good gaps. But then we would take that and actually plot it on a road map. Now that we know where we are, how do we get out of there? And so we would take every domain from the Shared Assessments framework, from that assessment, and create lanes on this road map. Program governance is a great example. We figured out, okay, for that category here are some issues where we’re falling short, so let’s put them on the road map. Every subcategory from the framework we just plugged into the road map and started following that. If you follow the agile framework, then you’d understand this terminology: we’re taking all the big categories on the framework and we made those our epics, and then the subcategories, those big projects, those were our features for each epic. And then it breaks down into stories and tasks. So we’re using that as a framework really just to get us out of the woods and to move forward. And rather than just assess ourselves once a year, we actually assess ourselves maybe every six months or so to get ready for our big annual assessment, because we don’t want any surprises at the annual assessment. So, theoretically, just like when you do a performance management eval, when you get to the annual assessment you should not be surprised by what you see as the gaps. We like to know the gaps ahead of time, and it’s just a continuous process of doing that.
Brenda: Yeah. And I like how this isn’t the only slide that shows what those features or components or epics are. You’ve got eight of them. And many companies that are building their program aren’t looking at all eight. They’re just looking at: what is my life cycle of an assessment? How far is it going to go through? And where am I going to get stuck? So, did you want to talk a little bit about this road map, or did you want to move to the next slide to show all of the eight components, or are there specifics to these two?
Jefferson: Sure, we can go on to the next one. This just shows an example. If you look at that VRMM self-assessment framework, then these line up perfectly, and you’ll see where we got these from. We added one other category, though, if you do go to the next slide. Not sure if it’s on here or not. We have a separate category for additional information security group work streams. A big part of this is trying to figure out how we best partner with all the other teams, and how we take on work to support other teams but also provide value for what we’re doing. So we created a separate lane for that. And a couple of other things we did in the beginning: we knew that you can’t be a lone wolf doing this. No one person has all the answers. And so you actually set us up with a peer group with leaders from other companies who were maybe ahead of the curve, or had been doing this longer than us and are experts in their field, and they shared information with us, because a lone wolf will not survive in this. Other people have been here and done this, and so it’s great to learn from their experiences. Just like you have special forces, you have a team; the Rambo model, one guy going out there and doing everything, doesn’t really work. You have a team of professionals that all have skills. And so this peer group is a mixed group of different people from different industries, but they’re all focused on third-party risk, and it’s a great opportunity to actually hear from the experts and learn what they’re doing. And I mentioned that I like to read. Well, if you go on Amazon and look for a book on third-party risk, you’ll find almost nothing at all.
Brenda: Only three.
Jefferson: Yes, there are very few books, and they’re not even that great, for the most part. There’s not a lot out there. So maybe somebody will write the definitive third-party risk management book for us, but there is no great book to go to except for one, and this is something I would advise everybody on if you’ve not seen this book. There is a two-book set called the CISO Desk Reference Guide, by Bonney, Hayslip and Stamper, and these three gentlemen were all accomplished CISOs at their companies. They know everything about information security, but there’s a chapter in there just about third-party risk, and it was the best resource I found anywhere that is actually on paper on how to do third-party risk management. So that’s where the nerd comes out and says, well, if you want a book, that’s the book to go to. It’s about the only one I could find anywhere, even before starting this.
Brenda: Well, I am a geek nerd when it comes to third party as well. So I’m going to be picking that up and reading that chapter, or having you copy it and send it over to me if it’s just that chapter. So let’s work into talking about how you aligned other departments, because everybody’s doing assessments their own way. Procurement might be doing attestations or looking at things such as credit checks or Dun & Bradstreet. Legal has their own lens that they need to look at assessments through. There’s vendor security, IT security, OT security, and then a lot of leadership teams that may be a little bit fearful of how you progress in your program; it might be at a speed they’re not comfortable with. So, how did you look at how to change culture in a normal way that’s appetizing for Lowe’s?
Jefferson: You know, it sounds silly, but it’s all about diplomacy and being the ambassador to other business units, and being there for them, because a lot of times in a big company you have a problem with silos. Different teams don’t talk with each other. Everybody does their own thing and isn’t even aware of what else is going on. So we positioned ourselves to be the ambassadors between all these different teams. We’re the ones talking with the third parties. We’re also speaking with legal on issues and offering to review contracts for them if they come up. We’re working with the business units and explaining to them the risk associated with the vendors they’re working with. And we’re also working with sourcing and letting them know, here’s what we’re seeing and here’s what we recommend. Because usually these teams don’t talk all that well to each other. And if you try to explain information security risk, or a lot of these third-party risks, to a business unit or to a vendor, they have no idea what you’re talking about. So you actually have to be not just an ambassador but a translator as well, and be able to explain the risk in very easy terms to non-technical people, in business terms. It’s a unique skill set, so just having cyber-savvy people on a team won’t necessarily help you when you’re trying to translate. And we found, and I know we’ll talk about this in a little bit, that as we built our team it wasn’t really the skill set necessarily that brought them to the team, because we didn’t want people always being the same. And because we have that varied skill set, we have different people that can take different tasks and follow their passions differently. So, essentially, we had to be the ambassadors. And at Lowe’s, there’s a mentality that you want to take the customer to the aisle.
And hopefully you’ve seen that in stores: if you walk into a store and you don’t know where something is, and you ask somebody, an employee there should not tell you, “Oh, it’s down in aisle 12.” They should walk with you to the aisle, take you to that area and show you that part, make sure it’s what you need for what you’re doing, maybe even ask you some more questions and help you. We want to do the same thing for the business units. So we want to make sure that we’re taking them to the aisle if they’ve never seen an assessment before, or they don’t understand why we’re doing this. We want to work with them through the process and actually get that assessment done, get the business unit happy, get the vendor happy, and play that ambassador role. And the other trick we found, not a trick, but one thing we really try to focus on, is something called the sundown rule, which exists in every company everywhere, probably, but a lot of teams just get slack and don’t follow it. And that is, if you get an email request, you respond to it by the end of the day. That sounds so silly, but we found that as we made that a priority for us, when other business units or divisions within the company would send us a question, we’d respond the same day. Usually they have a project going live next week, a vendor has to be onboarded, contracts are getting ready to sign, this is the first time they’ve heard about us, and now they’re stressed out. We always try to respond the same day, and just that decent amount of respect going to a non-third-party business unit would have them come back to us later on saying, “Hey, you were really helpful before. What do you think about this?” Over time those relationships develop, but it’s not something that happens overnight. It was just trying to make ourselves relevant and be that translator for everybody.
Brenda: Yeah. You’re actually enabling the business and enabling the company to identify and reduce risk. And so I like the way that you’re taking the approach to help them and be that ambassador or translator. I remember when I was making a decision about going from a big company to a vendor-type company that has so many clients, which makes it big, and I was told by a very wise individual, “Brenda, you are going to be the translator between the customer and the product and the company. So you have to be able to speak different languages.” So I really like how you put that. Now the first thing that’s important about a third-party risk program, and even getting started, is to be able to know what your vendor or supplier universe is. So did you experience a challenge with identifying and understanding that holistic list?
Jefferson: Yes, and thankfully we asked other companies in that peer group, and other auditors, and everybody we could ask who were the experts, and mentioned our issue to them, and they said, great, it sounds like you’re like every other company in the world, which is good and bad in a way. Essentially it’s always a challenge, it seems, after talking with other companies as well, to have that definitive list. It kind of goes back to that whole risk versus compliance issue: you’re never going to find that totally complete, exhaustive, accurate list of vendors, but you also can’t wait three years to get that list put together. So, yes, you may have some vendors listed in the procurement database. You may have some in the accounts payable database, where you actually see who’s getting paid. You may have it in a governance, risk and compliance database somewhere. But to get information from all these different databases and figure out who’s actually right is a huge challenge.
Jefferson: And there’s no silver bullet for it either. It just takes a lot of detective work, and the guys on the team would tell you that a lot of their efforts are spent just trying to find owners or find out who vendors are, and sometimes you’re playing detective, just like trying to hunt down leads.
Brenda: Yeah. I like one of the approaches that your organization is using, where, because of resiliency and what we’re going through in 2020, you’ve actually looked at, well, if we have a point of contact internally, we’re going to go internally and ask them for stratification or profiling information about the vendor, in order to make sure that we’re providing the right type of assessments. But you’ve also decided, innovatively, to go directly to the vendor to say, here’s a very short questionnaire that’s going to give us the attributes we need to know in order to make sure that we are assessing you appropriately, and then using that to shore up what the records are internally. It’s okay to do that, even though the vendors may come back to you and say, “Well, why don’t you know what we’re doing with you?” Well, everybody needs to shore up and make sure that we know what each other is doing, because things can change over time. You might have a vendor that’s doing one thing for a year or for a couple of months, and then all of a sudden someone says, “Hey, we already have this vendor vetted. Let’s use them also for X, Y and Z.” So it’s a good thing that you’re doing in that perspective. So, what is this goalkeeper for third parties?
Jefferson: Yeah, that was an analogy we used for our team internally. A lot of days it seems like that. Every industry has their own metrics. We know that there are thousands of vendors, and for the retail sector an average breach costs about $1.8 million. And we know what the dollar amount per record is for a breach. And you can use all this, the FUD factor, fear, uncertainty and doubt, which you don’t ever want to do. You want to have facts when you’re explaining to leadership what the risks are. But knowing that you have a large number of these vendors out there, any one of them could become like an explosive soccer ball, and we’re trying to make sure that does not become a breach for the company. So every third party we’re looking at, it’s like we’re the last line of defense trying to make sure they don’t score on the company. We want the business to succeed, but if the business is making profit and then having to pay it out the back end due to fines and all the financial risks associated with a breach, then the company’s not making the profit it should be. So we’re trying to safeguard that. So you kind of feel like the lonely goalkeeper in the back, but rather than having just one soccer ball coming at you, imagine thousands that you’re trying to stop, because from the third-party perspective you’re trying to make sure that of all these thousands in your inventory, none of them become the next big explosive soccer ball.
Brenda: I liked one of the presentations that you had before and all of a sudden it was like thousands and thousands of soccer balls.
Brenda: I would not want all of those coming at me if I was a goalkeeper. For sure. So, what’s the strategy that you’re putting together to make sure you’re at a competitive advantage?
Jefferson: Sure. So, in some businesses you can have the us-versus-them approach, where, almost like an American football team, you have the offensive team, they’re the ones out scoring, they’re bringing the dollars in, and it’s all about the offense; or you may have the defensive squad out on the field, and they’re the ones just trying to do their job. But you almost have two different teams, both playing for the same side but on the field at different times and never actually working as one. This approach is more like actual football, you know, soccer: the approach is that you have the business units and all the other teams on the field at the same time. We’re all working together. Yes, the business units are trying to increase and generate revenue, and we’re trying to help them do that and do it in a way that they succeed, but they succeed securely, so that the revenue that comes in stays with the company, no bad reputational risk is ever encountered, no bad apples come in, and we’re keeping the company safe. But working with all these different teams, all on the same page, takes away that diverse approach of thinking, oh, we’re business units, or we’re playing defense, so we don’t talk to you. That’s not the case at all.
Brenda: Yeah. And I like how you have different filter levels. It means that everybody is working together as a team, and somewhere it’s going to get caught at that gatekeeper level versus just going directly to the goal and getting through where it shouldn’t. So there are so many different products and ways to manage your third-party risk. I remember when I was at a company and I owned third-party risk management, I had three different intel companies and three different standard questionnaires, and none of them were integrated. Now, that was about five or six years ago, of course, but what process did you use to select the right tools, and how did you weigh the process or the options?
Jefferson: So, it wasn’t just tools for us; it was also the processes and people. How do we choose? Do we outsource all the work? Do we just have one person at Lowe’s doing third party? How do we want to do it? And that was really based on risk appetite and direction from leadership, where they wanted this to be an in-house program. There are other solutions, but our solution was to create our own team. And so the team that we brought in, like I said before, all had extremely different skill sets. One guy is an expert at networking, and another one is an expert at actual relations with the vendor, or maybe knows our company inside and out, but one thing they all have in common is passion. So when we were hiring people on board, we weren’t necessarily looking at making sure they had certain certifications in place, because if they have the passion and want to learn, we can teach them, and then they actually learn from each other. And then we had a core team of lead analysts who would train all the other analysts and share their perspectives, and over time everyone got to learn from everybody and learn these different perspectives, and that was huge. So we had this core team that’s extremely talented now and extremely passionate about what they do. So we had that in place, and as far as the tools go, we really want everyone to become risk managers essentially, not just risk analysts. But you can’t have thousands of analysts doing third-party risk, because no company could ever afford that. So there has to be a trade-off between how many assessments one person can do and do them effectively and efficiently. And so we looked at multiple options, not only for how to handle assessments, but how to actually look at what we call threat intel, how to do a security ratings platform.
And we looked at multiple solutions for that. We knew that we couldn’t just send spreadsheets out to everybody, which is the old-school way of doing it, sending out a Word document or a spreadsheet. So that didn’t work for us. Now, full disclosure, what worked best for us was the Prevalent solution, and just the fact that here we have a portal where we can automate loading these vendors into the portal, inviting them to come into it and fill out the information, answer the questions, and then automatically have risk findings generated that we can then validate and see if they’re accurate or not. We can work with the vendor to actually remediate those findings. And all that was in one solution. So for us that has worked out to be the best way to go. All of our analysts, we feel, can do a much larger bucket of assessments per year doing it this way than they could by going through spreadsheets and just trying to figure out how to translate these spreadsheets or Word docs.
Brenda: Yeah. I like the way that your program has embedded preconfigured risk remediations and you’re using those to guide the vendors on what you’re looking for. You also have preconfigured tiers that you’re going to talk about, and you’ve identified risk multipliers towards those tiers, so that if you’re looking at a higher-risk third party, then those risks would reflect appropriately. And having that portal where you’re just keeping track of everything in one place is very easy for the vendors, so it’s like a one-stop shop, not only for you but for the vendors and, in the future, maybe the business units as well.
Jefferson: Absolutely.
Brenda: So if we look at everything that you had to put together, which was a lot, how did you address the fundamentals to execute? So, looking back a year ago and looking at the spreadsheets and having to decide on what questionnaire you were going to use as a standard and so on, what did that look like? And let me know, these are your slides that are coming up. Some of them have animations, so tell me when to push the button so that I do it at the right time.
Jefferson: Okay. Well, again, it all goes back to the fact that we know we can’t do everything at once. We can only do what we can currently do and then have a plan for adding capabilities in the future. So that’s how we started, and you can go to the next slide here. So the conventional approach, as probably everyone here knows, is that when you bring any third party on board there should be a series of assessments that are done. A lot of times you may find that only one assessment has been done, if any, and that’s just to bring them on board in the very beginning, and after that they’re kind of forgotten about. We’ve seen that happen before. Or many times you may find that vendors were just brought on board with no assessment ever, and when you actually go to ask about an assessment you’ll kind of get a blank stare. That’s not at Lowe’s; that’s any company. So the conventional approach, ideally, would be to possibly do an assessment up front, a very quick assessment if you had multiple vendors being looked at for an RFP process; as they’re coming on board, do an onboarding assessment and make sure that they have critical controls in place and that there are no other big issues that you found. If you find anything, you could possibly remediate it, or you let them know about it and let the business unit know about it. Ideally, maybe reassess them later on, and then you could have virtual or on-site assessments. And then if you ever do finish that relationship with them, ideally it terminates at some point. All good things must come to an end. So theoretically, that vendor goes off the menu one day, you do an offboarding assessment and make sure they’ve actually destroyed all the data that you consider to be your vital data with them. That’s a conventional approach, but again, if you did that for every vendor, the staff that would take would be insane and just not affordable.
So we’re taking more of a risk-based approach, and that would be the next click there. We still do the RFP assessment, and we give SLAs too, service level agreements or service level targets, to the business units, and we try to stick by that for new assessments. So the business unit knows that if they come to us with two or three companies and they’re wondering which one to use, we’ll do a quick mini assessment within several days, and they know what that is. Our onboarding assessment is a little bit longer, but we tell them that up front, tell them what to expect, and are very clear with the expectations. But then we go into a continuous evaluation approach, where we’re not necessarily doing the annual or biannual reassessment, but we are looking at things consistently and all the time. Like, we’ll use our security ratings platform to look and monitor for alerts coming in. If we see something drop, we get an alert. Now, this could be SecurityScorecard, BitSight, RiskRecon; there are a bunch out there. But as you get alerts, then you take action and actually trigger a reassessment if necessary. If they have findings from the initial risk assessment, then you work with them to actually remediate those findings and track them over time, which thankfully for us the Prevalent platform does. We can work with the business owner, and then we also look at incident response capabilities. So if we learn of security incidents with vendors, then that will trigger an assessment as well. Theoretically, if they’re low risk, if we’re watching them the whole time and that risk rating, that security credit score, is good and there are no issues, then we’ll continue to monitor them, but not necessarily go in and do a reassessment every year or every two years.
We’ll reassess as required, and we’ll make sure every year that the business owner is still having a relationship with that vendor. And now we can do on-site assessments. So the team is trained to do that, but with COVID you cannot do that. So there’s a big push to do virtual, which I know Shared Assessments teaches about, but we can also do on-site if necessary, depending on the situation and the vendor; we do do that, and then do that offboarding assessment as required. So taking this risk-based approach allows you to do more assessments and be more effective with fewer people. So that’s the long-term solution here.
Brenda: Yeah. And I like that you’re doing continuous evaluation. A lot of companies are doing the one-and-done or the annual or biannual. And when risks are mitigated, that’s when you’re supposed to verify or validate. So, good job on that. This is one of my favorite two slides that you’re getting into. So, let’s hear about it.
Jefferson: Oh, this one always takes some discussion. So, the way I best explain this is, you know, security many times is thought of as being a roadblock, and I’ve seen it at companies before where the business unit really doesn’t want to go to security or go through a third-party risk process because they’re in a hurry. They don’t want to be slowed down. And it’s a lot like when you go to the airport: you get there, you have to stand in line at TSA forever, go through the process, get through, and then get to your gate. Now, it’s not TSA’s fault if you show up late to the airport. They say you should be there two hours early, but no one ever shows up two hours early. You’re always running in at the last minute, and then you get frustrated with TSA because they’re holding you up. And so the typical model for onboarding assessments as well is, you know, hold up. Let’s look at the third party. Let’s look at the assessment. Let’s make sure we’re doing everything properly. You wait until we give you the go-ahead, and then you may proceed and go on to your gate and take off, and then you launch your engagement and enjoy the friendly skies. That doesn’t work in a retail environment. You know, the risk appetite for us is really about making sure that the business gets done what they need to do and we do not hold them back, which puts us on a very fine line in security, because you want to make sure that the business is moving forward and developing everything it needs to succeed, but doing it securely. So our approach is a little bit different, and you can go to the next slide here. So when a new engagement comes in and we learn of a new vendor, we ask the business owner to create an initial intake request, and that’s where we’ll do that initial due diligence and assess them and see what the real risk is there. What data are they working with? This is where we tier them.
And you hear about tiering all the time. We’ll look at the true inherent risk at the very beginning. And so imagine you’re walking through the airport, but now you don’t have to stop at TSA anymore. Now, as soon as you walk in, you get your boarding pass. And as you go through the airport, maybe stop at Starbucks, get your coffee, get to the gate, you’re ready there to take off. And there’s maybe somebody from TSA saying, “Thank you for your time. You’re good to go. We’ll stamp your boarding pass, have a great day.” And that’s what we’re doing in the background. While that engagement is moving forward, we’re doing things and we’re looking at the assessment. We’re looking at any threat intel we have on them. We’ll ask questions. We’ll follow up with the questions. At the end of the day, we give a recommendation to the business owner. Either we recommend the engagement and they can proceed; or we recommend that they can proceed, but there are some things that need to be remediated, and we need to remediate that within a certain time frame; or we’ll say we do not recommend, and we’ll say there are some serious issues here and we really don’t recommend you continue. At the end of the day, though, it’s the business that owns it, and we use the three lines of defense risk management model that’s so commonplace. It’s now called the three lines defense or three lines model, because defense isn’t really an issue anymore; they want business to be proactive. But the three lines model says the business units are the first line of defense; they’re the ones really responsible for risk. The second line is all your risk and compliance teams, legal, security, and everybody else. And then your third line is internal audit. They make sure that from a high angle, a high perspective, everybody’s doing what they say they’ll do.
So using that approach, we’re telling the business unit, okay, here’s the engagement, here’s what we discovered, and here’s what we recommend, but it’s your choice. If they continue with that engagement, then their VP has to sign and accept the risk, and we track that. But we are not the department of no. At a bank you can be the department of no to some extent, and in healthcare you can, but in retail you have to really be doing risk assessments quickly and efficiently and act as that adviser. So we advise the business units, and we’re not acting as the big bad police officer. We’re giving them the full information, and then it’s their choice.
Brenda: Yeah. So I like how you’ve put together your pyramid of tiers and how many days, and you did discuss recommended, recommended with remediation, or not recommended. What more can you talk about with the tiering and how that’s worked for you?
Jefferson: Sure. So the tiering is essentially based on the data classification for our company. Every company has their own way of looking at data. Some data may be considered public or not really a big deal. Data may be more proprietary or could be personal information. So based on the data that we learn about during the intake process, we’ll tier it. And that simply means that the higher-risk vendor gets more scrutiny and additional due diligence. And either way, all of these get assessed. Even if it’s just a company that has public data and no real risk, they’ve still been assessed by doing that intake form. So we have the record of that. We have their engagement number. We have their URL, their domain, that we can put into our monitoring tool and monitor them for security incidents in the future. So we ask everyone to come through the funnel just so we can at least log them and then determine if we need to do anything else. And then once they come through the system to get that external review, where we’re looking from the outside in using the platform, then we use an automated questionnaire through Prevalent and get that inside-out view, and then we’ll follow up if necessary, and at the end of the day we get that final assessment status and that recommendation.
Brenda: Excellent. All right, so we’re going into the next question, and I would assume that you would want to make sure you have key performance indicators and risk indicators that you’re telling your management about. Like, one of the things we did at the very beginning was not only did you use the VRMMM from Shared Assessments, but you also used a maturity assessment from Prevalent. So what are the things that you did, and what are the KPIs and KRIs that were important as you progressed through your program?
Jefferson: Sure. So the self-assessments are a big part of that, and we in turn use those for the overall enterprise assessments as well; those feed as inputs for the enterprise assessment. And it’s also important to know the difference between KPIs and KRIs and who your audience is. For example, you don’t want to be telling your CEO all the little details about which analyst has how many assessments at any given time or how many they’ve completed this week. They don’t care. They want to know, at the end of the day, what’s the risk of the company and where do we stand and what’s the biggest issue. So there are multiple levels of these KPIs and KRIs that we use. KPIs can be something as simple as the number of assessments that we’re doing this year compared to last year, and then how do they result? What’s the final status of the assessments that we’re doing? How many are coming in from the different intake points? You know, how many are RFP assessments versus how many are onboarding? Are we not getting many onboarding assessments? Well, why not? Let’s focus on how to increase that workflow. Then we can also break it down. Thanks to the Prevalent platform, we can see all the different phases of the assessment, and we have service level objectives for each one of the phases. Like, we know how long it should take from the time it comes in from intake to getting launched to the vendor. How many days, or hours, does it take to actually get that assessment out? How long should they be taking to fill out the questionnaire and give us all the information back? And so we’ll look at that. How long should it be taking us, once we have the information, to make that final recommendation? So we track all that for performance and improvement. So we know what the durations per phase are.
But for KRIs, that’s really where you’re telling management, you know, the so what: what does all this mean? And that’s where it gets really interesting, because the data we can pull from the platform allows us to see things like what are our top 10 risks right now? What risks are we seeing across the enterprise with our vendors? What are the most common things? We can also blend that in with our security monitoring platform and see what are the biggest vulnerabilities we’re seeing out there right now with our third parties and what we should be working on and addressing with them. We can look at breaking it down by business unit, breaking it down by tier. We can figure out, okay, which business unit is the riskiest business unit. Which business unit has the most engagements that have been recommended against by us and they’re proceeding, and figure out how we need to work with that. So really, breaking it down to the business unit level, that’s really where we’re headed, and we can actually show the third parties per business unit and show that risk level based on the accumulation of the findings we had from all the risk assessments.
Brenda: That’s great to know, and I know that you’ve worked really hard on KPIs and KRIs for your management, and that’s why you’ve been seen as a program and a team of resources, along with yourself, that have gotten so far so fast. I remember when we were talking about, okay, well, let’s just do a couple of launches at a time, and now we’re ramping up 250 a week just for the stratification questionnaires, so that we can get the information back to know what type of assessment needs to then get sent to them. So you’ve grown from “I only maybe have a thousand vendors that I need to assess” to “I really need to research my entire universe,” and that could be up into the, and I’m just making this number up, I’m not saying it’s Lowe’s at all, but it could be up into the 14,000 range. So we’re trying to figure out very rapidly, with threat intelligence and with stratification and essentials or profiling questionnaires, what do I need to work on first. So it’s a really interesting thing watching you go through it, and there can be a lot of numbers out there, and there’s a difference between data and information. Like, we can pull a lot of data from everywhere, but unless there’s actually value to that data... it becomes information if there’s value to it and you’re able to have it be actionable. So trying to take all this data, which we can pull from multiple platforms, boiling that down, and then delivering it to leadership and giving them that so what with real information is critical.
Brenda: Yeah. When you architected the program, you thought about categories, you thought about tags, you thought about tasks that would have to happen. You thought about every little step that may have to be taken. And then when you came up to a scenario that you didn’t think about, you very quickly pivoted to figure out, okay, we’re sending out a ton of essentials or profiling or stratification questionnaires, which you call the vendor information gathering questionnaire. And as that comes back, there are some that aren’t responding. What do we do with those? There are some who came back within minutes. Now they’re ready for an assessment. What do we do about that? So it’s been very fun to watch you go through it. But with all that being said, what are maybe the three key takeaways? And you can say more than three if you want to, but what are the key takeaways that you would tell everyone on this call listening in, that you would want them to learn from your experiences versus having to experience it themselves?
Jefferson: Number one, don’t try to be a lone wolf. And I figured that out the hard way. There are other people, other teams, even within your own company, who have the answers. You have to find out who they are, and you won’t know until you ask. Looking back, I think I could have asked other teams better questions in the beginning and found out answers that we found out eventually three or four months later. There really should have been more collaboration in the first place, and we’re very good about collaborating, but that could have been done quicker. Going back to the whole lone wolf versus the special forces team model, it really does take a team to do this. No one has all the answers, and so that was big: asking for help. Now, in our case, we used your advisory services, the strategic services, which really helped us a lot, because first of all we found out that, well, we’re not so different from everybody else. So we’re not so behind the curve compared to everybody else. So that’s good. We actually have our own issues, and it’s normal. So finding out that we’re normal, first of all, was great, because if you’re in a silo, you think that everybody else is so far ahead of you with their development and maturity that we really need to catch up. Well, it turns out that was just an illusion. But until you actually hear from people in other peer groups and talk and try to find out a perspective outside of yourself, you don’t realize that.
Brenda: Yep.
Brenda: All right. So, we’re going to do a couple little Prevalent slides, but get ready; there are some questions that have been coming through. The only thing I wanted to say: there are two slides about Prevalent. We are a leader in the Magic Quadrant. Thank you for the strategic partnership from companies like Lowe’s for putting us in this position. So, we have strengths with the product and the service, the product strategy, as Jefferson had mentioned, and then also understanding verticals and industries and helping with strategy in that space as well. Our program and our platform have expanded exponentially. So as we work with companies like Lowe’s and Jefferson and his team, we realize the things that are needed in order for third party to be successful, and even Nth party to be successful. So Jefferson may broach the topic during Q&A that he’s expanding from it into supply chain management at some point. And so those are the kinds of things that we like to integrate into the program for a holistic view. And he was very kind to Prevalent: we have a threat monitoring program, which is VTM, but he does right now use BitSight for his threat intelligence, and we have integrated with them to identify the high-level scoring so that he can harmonize and normalize his risks and make risks come from one particular platform versus having the vendor go to both. So with that, Amanda, I’m going to shoot it back over to you for the polling question. And I have noticed a couple of questions, or a handful, coming in, and we’ll give more time to Jefferson for the next 12 or 13 minutes to answer those.
Amanda: Yeah, absolutely. I’m going to put the poll question up right now: Are you looking to augment or establish a third-party risk management program in the next several months? I just launched it. I’d ask that you guys just answer honestly. We will reach out. I personally probably will reach out to you, if I haven’t already, I’ll be honest. I noticed a couple of names I’ve seen before. So, do that. Also, check your spam if you’re looking for a follow-up. Just wanted to say that as well. Sometimes we fall in there. But we do have plenty of questions for you guys. The first one is: could you share the details and link for the Shared Assessments framework? I don’t know if it’s possible for you guys to do that.
Brenda: I’m on the steering committee of Shared Assessments, and if you go to sharedassessments.org you will find that they have a tools section on their website, and you can look for the VRMMM, and they also have the SIG, which is a standard, and they also have the SCA, which is their on-site visit testing protocol that we now do virtually. So sharedassessments.org is the best place to start, and then they’ve got a sales resource by the name of Vicky Dean, and if you need to get her email address, I’m sure it’s either on the website or you can contact us and we can get that for you, so that you can get information from her directly.
Amanda: Perfect. Thanks, Brenda. Next question is: how does Lowe’s deal with third parties versus suppliers delivering products to your stores? Separate teams, or joined at the hip, especially those suppliers who provide smart products?
Jefferson: Good question. And it’s really a blend, and I won’t really get into specifics about who owns what, but I will say that really we’re looking at everything. And it really goes back to the CIA triad, which has nothing to do with the spy agency. In information security, for any asset, imagine a triangle: you have the confidentiality on one side, the integrity, and the availability. And typically information security risk is looking at confidentiality, but with supply chain you’re looking at the availability, and so that really comes under our purview as well, because now we need to make sure that there’s a business continuity plan in place at every manufacturer we work with, and that every supplier can get products to us, and do they have the controls in place to actually survive a ransomware attack, or to be able to continue if something bad happens, or even if COVID hits. I did a tabletop exercise one time, business continuity planning, and we had chosen pandemic as the scenario, and this was months before COVID ever hit. We had no idea it would actually happen, but that company’s business impact analysis, their BCP, they thought pandemic would be the biggest problem, and it turns out they were right. A totally different company, when I was a consultant, but they were right. So for supply chain, if you want a reference, NIST recently came out with an enhanced Cybersecurity Framework, version 1.1, and they have a section for supply chain risk there under the Identify category, and that’s big because it actually helps us. We combine that with Shared Assessments to really determine what controls we need to look for for supply chain. So we look at it all.
Amanda: Perfect. Okay. Next question is: how do you handle non-responsive vendors? Do you hold ISG responsible for the delays, etc.?
Jefferson: No. Well, first of all, we work with the business unit, again going back to that three lines model where the business unit is the first line of defense. We will work with them and we’ll work with the vendor and send them reminders, and actually through Prevalent reminders are automatic, which is great, based on a certain time frame. We’ll work with the business unit and say, “Hey, here’s what we’re encountering. You may want to reach out to your vendor and tell them we’re not getting a response.” At the end of the day, if they fail to respond to us and we’ve given them chances, they may wind up getting a do-not-recommend status.
Brenda: So, I mean, those are red letters, so that’s bad.
Amanda: You know what I’m saying? Okay, let’s continue. This is for you, Brenda. Does the platform have access to a repository of vendor data, or is that obtained via assessments?
Brenda: So, there are two different approaches. We have networks and we have exchanges. Some companies decide that they want to just ask for their proprietary questionnaires, or they’ll use the Prevalent control framework questionnaire, and some companies will use, if you’re in a certain industry, we do have a legal network, and if you’re in the healthcare industry, we have a healthcare network. We’re more than willing to create a retail network, but we’re waiting to get a couple more of those types of companies that want to use the same standards. So right now they’re all kind of using their own standards, and we want to make sure that we get into a marketplace scenario for them. So, assessments can come in and be completed, and if you are a company that wants to use one that’s already readily available, we allow you to do that. And if you have your own questionnaire content that you need to absorb or collect, we also help you to do that as well.
Amanda: Perfect. All right. This is back to Jefferson. How do you manage changes to business relationships? How do these loop back into the internal tiering?
Jefferson: You know, that’s a good question. And one way you can look at it is from the relationship level, which is actually the relationship with the business, and the engagement level. Theoretically you want to assess everything at the engagement level, or at least we do. So one relationship could have multiple engagements with the company, totally different business functions, different data types, and so on, and have those engagements trickle up. Ideally, if you have a governance, risk, and compliance system, have those multiple engagement risks trickle up into an overall relationship risk.
Amanda: Perfect. And another one for you, Jefferson. What are the names, and where are the peer groups that you referred to?
Jefferson: Well, the first one, I’ll throw Brenda under the bus for that one, because she actually got us in touch with some other clients who had had similar challenges, and we worked with them. RH-ISAC is a great one, at least for us, for the retail industry. There are different ISACs, information sharing groups essentially, for different industries, and they’re actually very informal, and you can actually reach out to other companies there as you develop relationships and share best practices without giving away anything proprietary. Then there are local conferences as well, you know, ISACA conferences that we have here in town, other networking conferences where, as you get to know peers in the industry, you can reach out and kind of bond with them. And at least in our area, it’s a small circle for information security. So a lot of people know different people at different companies, and you kind of do that behind the scenes. There is not really an official networking group yet, but hopefully we can get there.
Brenda: So, from the perspective of Prevalent, if you are already a customer of Prevalent, you can go ahead and contact info@prevalent.net to find out if you can become part of the strategy peer-to-peer team. We have approximately five different types of companies already in the group, and we’re trying not to make it grow too large, because we have a very systematic approach. They’ll invite some of their leads to listen in, and only the directors or the leads, the people in charge of the programs, are doing the discussion topics, and through Teams and chat they’ll get information. So Jefferson will bring three or four of his people, and they’re in the background asking questions to Jefferson, and Jefferson will then bring them up if it’s something that’s pertinent to the topics. But otherwise, become part of Prevalent and then find out how you can be involved, and we’ll figure out how to make it work.
Jefferson: That’s right.
Amanda: I have a couple more questions here. I like this one. What is the area, or one area, or concern that might be on the horizon that has your attention for third parties?
Jefferson: You know, when you look at the biggest threats to third parties right now, ransomware is an old term, but it’s still very prevalent. So, making sure that companies are secure. Patch management never goes away. It’s still an issue with third parties. And as we depend more and more on operational technology versus information technology, there’s not a good connection there. There’s a huge risk between IT and OT, and a lot of companies don’t have that figured out yet.
Brenda: Yeah. And I think from your perspective, Jefferson, as well, as you’re looking at your supply chain management, the resiliency of being able to get content or products or services delivered to the customers is also just as heavy now, being that we’re not only looking at ransomware and attacks as a threat from that perspective, but what does that threat then do to the supply, for transportation or manufacturing, as well?
Brenda: How about this question? Oh, sorry. Jefferson, were you still going?
Jefferson: Nope. Go ahead.
Amanda: Okay. How about the 2020 SIG from Shared Assessments? Are there any big differences between 2018 and 2019?
Brenda: I think that answer can come directly from Shared Assessments. They do a great job of sharing what the differences are that they’ve put in place. And again, sharedassessments.org can tell you what the 2019 to 2020 differences are. I think that’s the best place to go. I do believe that we are targeting to have the 2020 available in the very near future, following the guidelines from Shared Assessments. So you’ll be able to look at that yourself as well, and hopefully we’ll be able to share what the delta content is.
Amanda: All right, a couple more if we can squeeze them in. How do you create buy-in from the different business units in order to utilize a new platform, process, etc.?
Jefferson: You don’t do it easily. There’s a lot of security awareness that goes on behind the scenes. Actually, for us, this being October, Security Awareness Month, or Cybersecurity Awareness Month, we’re taking advantage of that, doing a lot of road shows, a lot of presentations within the team, getting the word out, and just educating people over time, asking for lunch-and-learn sessions and speaking with different teams. If you’re in a hurry, it won’t be done in a hurry, but over time, as people see that you actually are here to stay, you’re not going away, and you’re relevant to them, they’ll start coming to you.
Brenda: Another empathetic thing that you’ve been doing is sometimes you’ll reach out to people. For example, a business unit has responsibility for 20-plus vendors. I’ve noticed that you’ve also gone to them and said, “Hey, here we are. We’re going to help you, and this is what we think you own. Is this correct?” So, you’ve been very empathetic, and I think that approach has done you good service.
Jefferson: That’s a good point.
Amanda: All right. One last question I think that we’ll have time for: is the 25-day SLA in relation to a determination, or to get through the entire procurement process? Good question. And no, that’s for us to deliver our final report. That’s our goal.
Brenda: Yeah. So that’s from collection, to analyze, to risk identify, verify, and validate, in order to get a final representation report that says here are the risks. You’re either recommended, recommended with remediation, or not recommended. So that’s 25 days. And they’ve been doing pretty well with sticking to that turnaround time.
Amanda: Love to see it. All right. There is one last question. You guys kind of answered it, but I’ll just reiterate it one more time. How do you handle the last-minute assessments where a supplier can’t or won’t engage? You can’t assess risks where there is no information?
Jefferson: If there’s no information, then we’ll go with what we can. If we have that security ratings platform, like a bit rating, we’ll use that. We’ll use anything we can get a hold of, and we’ll look at, historically, have they had any security incidents. We’ll give a recommendation, but we’ll also say, and underscore, that with the knowledge that, hey, we know here’s the risk, but we don’t know much. We need to know more, and let the business unit make that decision.
Brenda: I believe you’ve been raising the risk a little bit, stating that they’re higher risk because you’re using what’s available versus what you’re asking them to provide.
Amanda: Right.
Amanda: Well, that’s it for now. It is at the top of the hour, or bottom of the hour. How does that work? I don’t know. It’s 11:00 a.m. here in Arizona. All right, everybody. Hope you all enjoyed it. Thank you so much, Jefferson and Brenda. Pleasure to meet you, Jefferson. And we will see you next time.
Brenda: Thank you, Amanda. And congratulations again, Jefferson. Bye.
Jefferson: Bye, Jefferson. Bye.
©2026 Mitratech, Inc. All rights reserved.