Description
Teams often struggle to make sense of the massive amount of data that comes from managing a third-party risk program. There has to be a more efficient way than sifting through a mountain of static assessment spreadsheets and the never-ending inflow of real-time threat data to inform the business of the most impactful supply chain risks.
Join Bryan Littlefair, CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva, to learn how to implement an efficient risk analysis approach based on “meaningful metrics” utilizing world-class products to support your third-party risk management program objectives.
In this webinar you will learn:
- The 3 foundational mistakes companies make when setting up and running their third-party risk management programs.
- Which metrics are the most actionable and meaningful for your company.
- How to implement a holistic approach to risk management reporting that satisfies the needs of multiple organizational stakeholders.
Watch this webinar to help your team transform risk data into meaningful intelligence.
Speakers
Bryan Littlefair
CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva
Transcript
Amanda: I see the numbers climbing. Hi people. Welcome. Welcome. Oh, it is now at the top of the hour. I see people trickling in. Hi everyone. Hi. I’m just the voice. We’re all voices today. And I’m gonna put a poll question up while you’re waiting. And that’s what we like to call it: hey, while you’re waiting. So, as you guys come in here, feel free to respond to this question. Welcome. This is Amanda with Prevalent. I am in business development. I am your voice host. We are all off camera today, just as you are. All right. Thank you guys for participating in the poll question. Yeah, I’ll leave it up for a little while. But like I said before, this is Amanda with Prevalent. Thanks for joining, you guys. I see more people coming in, but today we are talking about implementing an efficient third-party risk analysis approach based on meaningful metrics. You can’t see me, but I am doing the air quotes with my fingers. I hope everyone’s doing well. I’m sure you’ve been here before, but I’m going to go over a couple of housekeeping things. You guys are muted, but we do want you to answer the poll questions if possible and also ask questions in the Q&A below. We love to have some questions at the end for our hosts and our co-panelists, and hopefully we can get those questions answered for you, time permitting. But yes, so today we are talking with Bryan Littlefair. We’re really excited to have him on. He is the founder and CEO at Cambridge Cyber Advisers, the former Global CISO for Vodafone and tenure security adviser to the UK government. So you can say he’s pretty important in my book and in the book of all this third-party risk analysis stuff. And also, bonus person, we have Brenda Ferraro on the line as well, and she’s probably going to chime in here and there with a few fun facts and figures, and you’ll be hearing from her later in the hour.
We’re really excited to have you guys here, and I’m going to let Bryan take it away. You guys will get this recording later tomorrow. So, thanks for joining us. Bryan, go ahead.
Bryan: Great. Thank you, and thanks for the introduction. So, hello everyone. It’s great to be able to speak to you all. First of all, as we said, we’re going to be discussing how to implement an efficient third-party risk analysis approach based on meaningful metrics. And everyone’s probably asking, well, what is meaningful metrics, quote unquote, and we’ll get on to that shortly to explain what those are. Right. So, we kind of covered me. So, a little bit of scene setting in terms of where we are, and just to explain what some of the terms are and where my perspectives kind of come from on this. First of all, let me just say, you know, I’ve been working as a CISO for 20, 25 years, and now I spend my time leading Cambridge Cyber Advisers, and we spend a lot of time mainly in the boardroom, mainly helping chairmen, chairwomen, NEDs, executive teams really get their handle on, you know, the security posture of their organization, what’s working right, what’s working wrong. So, you know, that’s been really useful to me from an experience perspective to see it from the other side of the table, so to say.
I was always the CISO going in communicating, and now I kind of sit on the other side to help, you know, give my expertise to the board and make sure that the CISO is answering the right questions and the right things are going on, not just in third-party assurance, but obviously it plays a big role. And I think from my perspective, you know, third-party assurance is really hard to do well. It’s hard to do well. Part of the challenge is obviously it’s global, if that’s the way your organization is structured, so you’re having to manage suppliers in numerous different countries. You know, it’s not uncommon for large organizations to have three, four, 5,000 different suppliers, ranging from people that handle your sensitive data on your behalf all the way down to people that give the kitchen supplies and refill the bathrooms, etc. So there’s a full dichotomy of suppliers that you’ve got to manage for your organization, and each of those different suppliers has, you know, a different contract in place with you, a different relationship inside your organization, and as your company or organization grows, its reliance on the third parties is only going to increase as well. So that’s why getting a really strong foundational component in place, so that as you have to scale, the process scales with you, then it doesn’t become so much of a challenge or a battle. But I think we all know it doesn’t always go to plan. I think if we all sat back and thought of, you know, large household name brands that have had security challenges, data loss, breaches, etc. that have actually emanated from their supply chain, it wouldn’t take us too long for some of those names to pop into our mind. And I’m not going to put some brands up on the screen, but we can all probably think of those.
And I think that is kind of evident that, you know, those organizations would have had a good approach, they would have had a well-resourced team. Well, sometimes not always, you know, the size and scale of the company doesn’t always equate into that, but they would have had people focusing on this. So I’m going to try and unpick some of the challenges that I’ve seen, and it’s great to get Brenda’s views as well, and help get into what are some of the opportunities for improving your maturity and some of the opportunities to improve, and then hopefully look at some meaningful metrics. But I think, you know, just an observation from my side, as I said, spending a lot of time in the boardroom, I see, and I present at conferences and focus groups and discussion forums, and the topic of those discussion forums is how do we tackle this chasm between the CISO and the board. And, you know, that’s when you get CISOs talking. Not all of them have the relationship that they would really like with the executive team and the board. Some of them don’t feel like they have the right support. Some of them don’t feel like they’re getting the right amount of resource from the executive team to be able to effectively manage the risk. But actually, sitting on the other side of the table, you hear the same things. You know, if you speak to the NEDs and the board, they think that they’re not getting the right information from the CISO. They’re not understanding what the current risk position is. They can’t see, you know, the wood for the trees. They don’t understand what the problem areas are. And they want a bit of clarity in terms of, you know, this is where we are, these are the problems that we’re facing, and what do we want to do about it. And whether we invest or not, that’s a risk-based decision, but the opportunity to contribute to that risk statement is absolutely key.
So I always advise putting yourself in the shoes of the board and the executive team. You know, very rarely have they got a security background, but very often are they presented fairly technical data and metrics emanating from security tools, and they’re kind of expected to understand whether those metrics should be going up, down, left, right, whether they’re KPIs, KRIs, etc. And I think that, you know, as security professionals on this call, or risk professionals or procurement, wherever you are, we kind of have a responsibility to do some of that leg work and do some of that thinking and present a clear message upwards in terms of what’s our current status and what are we doing about it going forward. So this is a little bit about what we can do to make things better, what’s within our own power to improve things going forward. Okay. So, third-party risk management, the known risk, and why is that? And I think that third-party risk management definitely presents a clear and credible risk to all organizations, big and small. I was doing this same presentation to a UK-based audience earlier on today, and there were a lot of questions around, does the organization size and scale make a difference? And actually, I don’t think it does, right, because you’re actually trying to achieve the same outcome irrespective of the size of the company. All organizations, big and small, use suppliers. You need to understand the threats and risks that those suppliers present to your business, and you want to achieve an outcome in terms of educating the business about what they might be, and then also giving some options for compensatory controls or mitigating those risks. So I think that there’s definitely a risk presented to all organizations from their supply chain. But I think every company has definitely their own approach.
You know, if I was to spend time with bank A or bank B, or healthcare company A or healthcare company B, they would have different approaches to third-party risk management. They wouldn’t always be drastically different, but there would be nuances in how one company approaches it compared to the other. And I think I’ve seen it done very well, you know, with excellent stakeholder management, everyone in the company understands the process, it’s not attempted to be bypassed because people see value from it. And then unfortunately I’ve seen it done very badly as well, where it’s viewed as a bottleneck, lots of information goes into it, very little actionable information comes out of it, the team are very stressed, they’re under-resourced, etc. So, there’s definitely, you know, a right way to do it and a wrong way to do it. And we’ll hopefully get into what some of those are today and how we can improve it going forward. I think, you know, for those of you who’ve heard me talk on this topic before, the lower end of the maturity organizations, I tend to say, are still kind of completing Excel spreadsheets, very, very long questionnaires for their suppliers to fill in, a manual analysis of those questionnaires. It’s purely based on the experience of analyst A or analyst B. And obviously that can add delays. It can add different answers. You know, if you were to put the same questionnaire in front of two analysts, they might interpret it in different ways. So, it’s around how can we go up that maturity curve and adopt some of the innovation that’s been going on in this space for a long time. And we’ll kind of cover off that whole maturity landscape and what that looks like.
But I certainly think that you can’t rely on, you know, touching an organization once per annum and asking them to fill in a questionnaire and then putting those results in an Excel spreadsheet, because organizations change at multiple points throughout the year. You know, sometimes they might be profitable, sometimes they might be not profitable, sometimes they’re growing, sometimes they’re in a recession. And some of those behaviors drive different business actions. You know, when budgets are tight, resourcing is constrained, costs are cut back, etc. So, it’s important to understand when these dynamics are happening in the market and how that can impact your supply chain. And we’ll get on to some of the tactics and techniques to hook into some of that near real-time intelligence rather than relying on a single assessment day in the calendar year. So, I’ve put up three common challenges that I see, and I’m going to break these down on the next couple of slides, but I just want to kind of point to what I call the art quadrant in the middle. And I think that, you know, this isn’t a good place. This is not where you want to be, if these three different dynamics are operating on your function or your team: where you haven’t got a clear approach, maybe you’re suffering from resource constraints, whether that’s an appropriate budget to maybe do some on-site auditing, or you haven’t got the resource in your team to manage your tooling choice, whatever that is, and you haven’t got the right tools to scale to the amount of risk that you’ve got under management. So maybe you’ve got a couple of thousand suppliers and you’re having to run them on a spreadsheet. All of those have a possibility to impact the performance of the team, and the net effect of that is the business isn’t getting the outcome or the result that it needs. So the art quadrant is definitely not where you want to be.
But let me break these couple of areas down and we’ll have a bit of a conversation around it. So I think the approach is absolutely key, and, you know, different organizations position this team in their structure in different places, and I have a personal preference where I believe it should be, but it doesn’t align with everyone else’s. So I think as long as it’s positioned in the right place for that individual company and it’s got the right investment and the right support, then that’s fine, it will work. But I think it needs a very clear strategy, and I mean a strategy for the third-party risk management function, not just the CISO strategy, not the IT strategy, not the business strategy. There needs to be a strategic direction of how you are going to manage, assess, quantify, communicate the risk that’s presented by those, whether it’s 5, 10, 15, 5,000 suppliers that are in your portfolio. And it should be obviously strategic in nature. You know, why does this team of people exist? What outcomes are we going to deliver and who are we going to deliver them to? What action is taken on our metrics and reporting? We produce them. Does anyone actually read them? Is any action taken upon them? And if not, why not? And in some organizations I’ve been in, the third-party risk management team can feel a little bit of a backwater. You know, does the business realize we even exist, and what is the value that we add? And these are some of the questions I get asked a lot of times when I go in and things aren’t working very well. But it obviously needs to be set up for success. You know, the stakeholder management is absolutely key. Know that the stakeholder isn’t only the security function. It’s the very broadest parts of the business.
You know, each area of the business, whether it’s from logistics into technology or research and development, they will all work with a certain different list of suppliers, and they will present different risks and different opportunities to the business. And obviously a supplier in one country in a large global organization might be minimal, but in another country it might be huge. So it’s really important that you understand that whole global supplier approach, and then obviously the clarity of reporting, you know, giving clear insights to the business about what’s going on and what is the actual risk, and then trying to actively and positively reduce false positives as well. So if you’re constantly pushing messages into the business which prove to be inaccurate or not entirely true, then obviously that damages the reputation of the team. So there needs to be a big focus on, when you do report, it’s accurate and something genuine needs to follow on as an ongoing requirement going forward. So the focus of the team needs to be strategic. There are absolutely times when it will be reactive, where the business comes to you and says, “Hey, we really need to do this new initiative and we’re taking on this new supplier and we need you to do some shortcuts and actually get this supplier assessed as quickly as possible.” That will always happen.
But fundamentally, if your team is always being driven in that tactical approach, you’ll never get round to your strategic direction, and obviously your goal and focus should be to strategically manage the risk going forward. And then there’s the whole resource for the area as well, and I’ve seen third-party risk management teams of one or two people, and that might be okay, right, if you’ve got a really intuitive tool and you’ve got all of the knowledge flying into a small team and it’s manageable, then so be it, that works fine. But equally I’ve seen teams of one or two people having to manage a couple of thousand suppliers using an Excel spreadsheet and being completely swamped and, you know, significantly behind on the assessment timeline, not producing the reporting and metrics, etc. So there’s definitely a place on that scale where you’d prefer to be, and I think that this team manages a significant portion of the strategic risk for the company. You know, we’ve seen what a breach in the supply chain can do to your organization’s reputation and brand. So it definitely has a very clear purpose and outcome, and that strategy and purpose of the function should be translated into a target operating model where it’s clearly presented back to the business, saying, look, this is the amount of risk that we’ve got under management. This is the number of suppliers that we’ve got under management. This is the current tooling that we’ve got. This is our current process. But have we got the right resource? Have we got the right target operating model that we need to be able to drive that initiative
strategically rather than tactical and firefighting. And obviously what we see sometimes is, you know, a team is put in place and the organization goes through rapid growth, massive numbers of suppliers coming on board, but the team size has to remain static because that’s all it’s got the budget for. And I think that’s where having that very clear strategy, having the very clear business stakeholders bought into the value that you deliver, means that if the team is becoming stretched by the increased workload on it, then obviously you need to be able to grow to effectively keep that risk under management going forward. So there definitely is a different approach, and we’ll get on to that in a minute. So, embracing the innovation in this space. So as I said, I’ve been a CISO for over 20 years. I still work very closely in the space, and I’ve definitely seen the evolution in this space for the teams that have been under my management. So absolutely have I used Excel spreadsheets before to manage third-party risk? Yes, absolutely. It was all that was available to me. And then obviously we went through different levels of maturity as different software was coming out, things like putting in place GRC tools, governance, risk and compliance, to kind of harmonize our governance activities and our risk and our compliance regimes. They were very, you know, difficult to integrate, very complex to manage, etc. And then obviously there’s a new breed of tooling coming out that’s purpose-built to manage this space, of which Prevalent is one of them.
And I think that starting to see organizations fully embrace this, well, there have been for some years, really is a bit of a game-changer, not only for the teams that have to operate the community of suppliers, but it actually changes the whole approach, because rather than having to go to every one of your suppliers, normally a large percentage of those have already got profiles on these platforms and tools. So it significantly reduces the number of questions that you have to ask. So the plea is to definitely, if you are still using Excel to manage this, then start to move away from that and embrace some of the innovation that’s been made available to us in this area. So I just want to baseline this, and I realize I’ll be teaching some of you to suck eggs, but actually at the boardroom it’s not, and you have to recognize that it’s really important to explain yourself and make sure that everyone’s on the same page and you understand what you’re going to be talking about. And, you know, in my personal view, certainly in this space, a key performance indicator, if I’m looking at a KPI in this space, I’m looking at it to measure the performance and effectiveness of my function. I’m looking at the processes, the throughput, how many failures and successes that we have going through the testing cycles that we’re running. But it’s as it says, you know, how are we performing? Are we delivering as the business would expect? Are we delivering to the outcomes that we want to deliver, and, more importantly, are we delivering a quality service? We could certainly push reviews and cycles through the system, but if it’s not quality, then there’s no point doing it. So quality is absolutely up there as well.
And then we have obviously the key risk indicators that kind of start to delve into and look into, you know, how much risk are we currently exposed to and what risk treatments do we have to apply across our supplier base, and obviously typically that would be segmented as well. So probably all of you already knew that, but from a KPI and KRI perspective, that’s how I manage and measure them. So what do I mean by meaningful metrics? So, you know, this was from one of my accounts that I worked on many years ago, and this was an actual dashboard presented to the board on third-party risk, and this was one page of, I think, about five or six. And obviously the suppliers are grayed out. It would have been a list of suppliers in very, very small font, where you’d have to have a lot better eyes than I have, printed on a piece of A4 paper, and then across the top there’s the controls that are distilled from the security policy, and then obviously a line per supplier going across all of the controls. And you can see that that’s fairly complex, and this was a view that is presented to a senior audience. And what it is, in my view, is it’s complex. It’s busy. It’s definitely not dynamic. It’s completely static, and obviously because it’s printed on paper, it’s non-clickable, but you can see what a security analyst has to actually go through. These are, I suppose, the responses to the key controls, because it certainly wouldn’t be all the controls within a particular supplier. And you can see that some are green, dark green, light green, some are yellow, some are amber, some are red, some are pink, etc.
And obviously it’s the expertise of an analyst that has to look across one of those lines and think, well, with all of that taken into account, where actually is this supplier from a risk perspective? And I suppose the missing dynamic here is of course threat. This snapshot on the left is a single point-in-time view of how a supplier was operating during those couple of days that it probably took them to fill in the questionnaire. But as I said, there is another way. You know, having organizations pre-complete the majority of questions that we’d want to ask them, they much prefer it, because honestly, speaking to suppliers like I do, if you put yourselves in the shoes of a really big supplier, I’m thinking like, I don’t know, HP and IBM and Oracle or a big outsourcer, think of the amount of differing types of questionnaires that they must get from all of their suppliers in different shapes, different formats, all loosely trying to achieve the same thing, but structured completely differently. And they have to spin up a small industry just to try and respond to this plethora of requests coming from their client base. Obviously, it’s really important work, but there’s obviously a simpler way to do that, and that’s where all of these new third-party risk tools have really come into their own, because it’s really simple for the end user, which is all of you guys and girls on the call. It’s really easy to understand what it’s telling you, because you can codify all of the requirements that you have from your security policy.
So, what do you really care about? Where have you got a little bit of flex? You know, what are our tolerance levels on individual risk statements? And when they’re all answered, obviously I’m not trying to put risk analysts out of jobs, who can do some really important work in this space as well, but the tool will digest all of that and suggest the risk ratings, the pass/fails, on your behalf. But what it does do is obviously it’s dynamic. It’s not a single day in a calendar year. It’s pulling information from its knowledge community. It’s pulling information from assessments that are done by other clients. It’s feeding in the threat angle, and it allows the customer to really drill down and explore what’s behind that red box. What was the question asked? What was the response? You know, what have we tried to ascertain from that, and how can we improve things going forward? I don’t know. Brenda, do you want to say anything on that slide, or do you see that as well, or?
Brenda: I do, and what I was kind of thinking about when you had shown this slide is that one grid on the left looks like we’re playing Battleship. So I can only imagine a CISO and/or a board looking at that going, okay, where are we going to have to go and attack? So that was really interesting. But I do agree that, with regards to having meaningful metrics and having things simple and easy to understand, that seems to be the way that we need to focus on clearing out the noise and making sure that what is important and matters is what’s in front of our board and our CISOs.
Bryan: Yeah, absolutely agreed. Okay. So, what metrics are best practice to be measuring, or okay, what groups are there? So, from my perspective, there’s four buckets, and what I’ll do is I’ll kind of introduce them as, you know, the bucket title, and then I’ll actually put up some KPIs and KRIs that I think are important to be looking at, and certainly what the board would want to be appraised of. And when I say board, I kind of include the executive team as well. So whether you’re presenting to the CEO and their first line, or the board of directors, where the CEO and CFO and COO are typically there as well. So I think from a risk perspective, absolutely, you know, risk is going to be front and center, and what they’re looking for is obviously a full balanced scorecard. They want it to be informed and based on sensible logic. It obviously has to be quantifiable and, most importantly, repeatable. You know, all too often I see that the risk process isn’t repeatable. And if you were to put the same amount of information through the process with two different analysts, you get two different responses. And that’s where the benefit of the tool comes into play, because you get a repeatable process. If the same data flow goes in, you’ll get the same outcome, with the only dynamic being if there’s an overlaying threat angle that might obviously change the picture somewhat. And I think, you know, threat is the moving vector. It’s the thing that adds real value to using an online platform tool, because if you’re just relying on questionnaires being populated and circulated back to you, that’s just a single view. That’s the view of that organization. It’s not the view of the community. It’s not taking into account all of the public open source intelligence that’s out there.
For example, you might have a company that says, “Hey, we’re absolutely on top of our patching,” but this threat analysis tool says they’ve got six unpatched, you know, open high threats on their public-facing website. So the two don’t necessarily correlate. So having that intelligence flowing into your risk decisions is absolutely really powerful in actually quantifying, beyond policies being in place and practices being adhered to, what does their real-world compliance look like. And obviously as organizations’ risk posture changes daily, their threat position changes daily, it’s really useful to get that information thrown into your environment as well. And I think from a compliance perspective, compliance isn’t going away. It’s only going to increase, in my perspective. And, you know, having been Global CISO for large multinational organizations, the compliance and regulatory regime can be very complex, and obviously your suppliers play a key role in that. You know, those that are managing data on your behalf or somehow involved in an element of one of your compliance programs. And I think the thing to say there is, you know, the onus absolutely stays on you as the parent organization to manage the compliance, or adherence to compliance, within your supply chain. It’s not a devolved accountability that, just because you have a supplier working on that piece, the issue is theirs. It absolutely remains yours, and you’ve got to effectively manage them at distance. And that’s why all of these metrics and areas that you want to use to build up a coherent picture of that supplier’s adherence to these is really, really powerful. And then there’s coverage as well. So, you know, having that absolute coverage of your supplier footprint is really key. We’ve already talked about, you know, a small supplier in the UK might be a massive supplier to a business unit in the US.
And, you know, you need to understand that, so that that supplier is having the right questions asked, that you’re not broadsided by a supplier having a security threat incident. You want to be able to get that insight first. And I think that, you know, this is the eyes and ears of the supply chain for the business. And if a supplier of yours is having a security incident, you want to be on the front foot. You want to be able to communicate that to the business stakeholders. You don’t want to be blindsided by it popping up on CNN or Fox News or something like that and you’re not aware. So having those insights and those learnings and having that coverage is absolutely key. Brenda, do you want to say anything, or?
Brenda: I can find my mute button. Yeah. So when I was listening to you talk, I think that as we’ve gone through the different scenarios of the past year and a couple months, the global view and the local lens has become more and more important. And without knowing that context-driven compliance and the vendor threat intelligence and the quantified and balanced risk that you just talked about, you have to have all of those three things comprehensively reflected, but easy to understand, with that global view for resilience. So I really like the way that you laid that out.
Brian: Great. Thank you. So, I’m going to put up some KPIs and KRIs. Just, you know, I’m not going to run through them all. Don’t worry. You know, I’ll probably just say a couple of KPIs and a couple of KRIs on each of these four areas. And, you know, these are not unique to me, and obviously none of them will be a “wow, we haven’t thought of that before.” But what it is, you know, is understanding from both the CISO side and the board side what are some of the things that they want to hook into. And by all means, this isn’t an exhaustive list, right? So depending on the sector that you’re in, depending on the type of organization that you operate in, whether they’re really into the detail or they like the high-level view, it will change and it will be dynamic. But at a very high level, you know, these are some of the key things that I would certainly like to pick out. So from a risk perspective, we’ve already touched on coverage. You know, there shouldn’t be any supplier receiving revenue from your organization, from your finance function, that hasn’t been in some way, shape or form assessed by the third-party risk management organization. It might have been a notification and a quick assessment done and decided, you know, that it’s not important for whatever reason, but it should have gone through the process. And the reason is because obviously if no assessment’s been done, there’s no understanding of the risk, and I do see that a lot.
I see, you know, organizations not having a good handle on, you know, their coverage; there being suppliers in place that have an issue downstream; and, you know, it comes back into the third-party risk team saying, “Well, what do you know about these guys?” and it’s like, “Nothing, they’ve never been assessed, we didn’t know you were using them.” And this is a really important gap to close. And, you know, the key thing here is that the business sees this as a valuable process, because we all know, especially with cloud-based services now, it’s fairly easy for a business unit to spin up a relationship with an external supplier using a credit card, and, you know, that would be fairly difficult for this process to detect. So the business has to want to engage with it. So this is more of the carrot rather than the stick. It’s around, “Come and engage with us because we absolutely offer value to you.” And if they recognize that, then they’ll obviously not try to bypass the process. And the second one is, you know, the number of suppliers that have completed the... sorry, the number of suppliers that have passed or failed the onboarding process. And I’m more concerned here on the failed-the-onboarding-process side, because often I see that as quite low, and, you know, you have to ask the question why. Because, you know, especially in a large global organization (but the same is true for a smaller one), you will definitely have organizations that fail, and you want to understand why that is and why that number is where it is on the scale. If it’s too high, what’s going on? If it’s too low, what’s going on? And there’s definitely a sweet spot to be trying to achieve based on, you know, the nature of your business and the scrutiny that you put your suppliers under. But it shouldn’t be the case that no suppliers are failing your process.
It proves that, you know, if you have got failures, then you’re asking the right questions. And that doesn’t necessarily mean that you can’t work with that supplier. It’s, you know, you have to understand why they failed and, you know, what risk is presented from that. And, you know, it’s our job to advise the business based on risk, and they might choose to accept some of that risk, but at least that risk is known, is quantified, and can be tracked by us going forward. And then I think on, you know, the KRI side, you know, some of the lagging indicators as well are really important. So the number of priority-one security incidents generated from the supply chain in the last quarter. So your supply chain will cause you security incidents, and if they’re not, then, you know, have you got the right insights? Are you picking those up and understanding what’s actually happening in your supply chain? You know, there’ll be things like employees leaving and the password for the service not being reset, and it’s a whole plethora of things that can generate security incidents for your organization, and it’s important that you know about them. It’s important that you understand and take the knowledge and the learning from those and apply that new knowledge and new learning to your broader supply chain so that you don’t have a reoccurrence of the same incident. So what’s actually happened in the past should be learned from and applied to what happens in the future, so you actually have a better process going forward. And that’s really where, I suppose, the leading indicators come in. So the organizations that have been through your process, the number of vendors within the supply chain that are carrying a high risk score. And, you know, this isn’t abnormal, to have vendors that are carrying a high risk score. It might be the geopolitical risk that they present. It might be a parent company or a relationship, etc.
And, you know, a high risk score just means that obviously they require extra diligence on an ongoing basis. So not just due diligence up front, but diligence going forward, and equally understanding how that risk can be mitigated. So it may be having a secondary supplier. So if that vendor experiences difficulties, then obviously there’s another one to fall back on. But if you don’t know about those high risks, or they’re not effectively managed, then that can obviously disrupt your business. And then I suppose a real critical one at the moment is, you know, if you’re a manufacturer and your traffic goes through the Suez Canal and, you know, a big container ship blocks it, what are you going to do? So, you know, you’ve got loads of ships stacking up. So, if you knew that your supply chain was coming through that canal, could you have mitigated that via having a more local supplier that might be a higher cost on a day-to-day basis, but you could actually mitigate that risk going forward? And it’s really about just getting into the details and understanding those aspects as well. And then, of course, it’s the net risk from each domain category within your supply chain. So, it’s fairly normal to categorize your supply chain, not just in, you know, tier 1, 2, 3, 4, but actually category as well. So things like, I don’t know, I’m a security professional, so identity management service providers or physical gates, etc. And actually start to, you know, slice and dice your information flow so you can actually understand, for each of those domains: have we got a single-supplier dependency? Do we know that we’re going to have to terminate a supplier in that space and we have to start to look for a backup? Are we getting threat intel coming through in terms of geopolitical risk in that region that we have to mitigate?
So really understanding and guarding the business based on your intelligence and insights, and actually advising on that net risk, is really, really key as well.
Brenda: Brian, I think on those, just real quickly, because of our ecosystem, I think you’re going to touch on in the coverage section something about unresponsive suppliers, because that has become more risky if they’re not responding to requests for completing assessments and/or mitigating risks. And then the other one that you touched on for the KRIs is the concentration risk, because that, like you said, could cause a domino effect or impact based on the supply sourcing chain, just like you had mentioned with the canal. But those two things are very important and critical to our ecosystem today.
Brian: Yeah, absolutely. Completely agree. Okay. Then there’s the threat feed, and I really would advocate, you know, if you haven’t got threat intelligence flowing into your supply chain information repositories at the moment, to look at how you can augment this capability on top, because it delivers, you know, the real day-to-day insights in terms of what’s going on. But I see, you know, certain sectors are mandated, certainly in the UK, and I’m not sure about the US regulatory requirements, but for example, if you work in financial services in the UK, you are required by regulation to have threat intelligence coming into your organization. What you’re not required to do is use it, right? So as long as it’s coming in, that satisfies the requirement. But I see, you know, threat intel flowing into organizations at various different touch points, and I see companies do an amazing job of distilling and disseminating that and getting it to the right people with context to action, but equally I just see it hitting a brick wall, and, you know, it flies into an email queue that people will periodically look at, and, you know, it’s not really being given the credence that it deserves. So I think, you know, a couple of things to look at is around, you know, the mean time to action. So when that intelligence comes in, you know, it’s been certified as valid, it’s been certified as relevant, it’s had some context delivered, you know, and that’s disseminated into the organization. How quickly does that account team that’s responsible for managing that particular client or account, how quickly do they pick that up? How quickly do they action it? Because that’s one of the beauties of, you know, a third-party risk team, is that all the onus shouldn’t be on them. It should be distilled into the organization to manage that. There’s certainly account managers that are responsible for individual clients, etc.
And, you know, there’s been a lot of effort to build up that relationship. So distill the information down to them, add the context, but certainly measure how quickly that action is taken on those as well. And then, you know, from a KRI perspective, you know, how many suppliers across the tiers, whether it’s 1, 2, 3, 4, have active high-threat intel indicators coming in for them. And this could be for anything, right? You can have an entire country’s suppliers allocated as high threat indicators because of, you know, government instability or something that’s going on in the region. But it’s really important that you obviously understand and just have that insight. And if you didn’t have this threat flow coming into your information base, then you wouldn’t understand it. You wouldn’t be aware of it unless something actually hits the news. So it’s around understanding: have you got the right information flowing in? Is it being disseminated into the organization in the right ways? Is it being acted upon in the right ways, both within your team and the broader business? And then obviously, are you driving resolution on that? You know, a threat is given for a reason. It needs an action and it needs something to either mitigate it or resolve it. And if it can’t be resolved, then it needs tracking as an ongoing risk. But, you know, having all of that information to be able to make that call is really powerful. And then there’s compliance, my favorite topic. It’s certainly not going to go away, but, you know, it’s only going to continue to rise. But recognizing that your supply chain plays such a pivotal role in your compliance programs. And really for this, it’s just understanding who they are. What is the role that they play? Have you got the right governance over them? Are you tracking it appropriately?
And have you got the ability to report on your broader regulatory requirements and compliance requirements, not just within what happens within your own organizational boundaries, but also within your supply chain as well? And here is where quality becomes absolutely key. And certainly from a compliance perspective, as Brenda was saying, you know, if you’ve got unresponsive suppliers that, you know, play a role in your compliance regime, then you’ve got a definite real challenge and you need to address that. But quality is absolutely key here. You know, the old saying is if you get garbage in, you get garbage out. So you need to really focus on the quality of the submissions, especially for those that are in play from a compliance perspective. And then there’s the whole coverage aspect. So we’ve talked around a few of these already, but certainly no supplier should be receiving any payment that hasn’t been triaged or assessed. You absolutely need to get that. It’s important that the process isn’t seen as a bottleneck. So you need to measure your throughput, measure your time to onboard. And time to onboard, from my perspective, isn’t the questionnaire being completed or the analysis being done in your platform. It’s, you know, the end-to-end process where we engage with the supplier to either we’re comfortable or we’re not comfortable and they’re going into ongoing diligence going forward, and tracking that and making sure that it’s optimal. It’s not that it’s quick, it’s that it’s done right and that the right questions are being asked and the right level of time taken to do it. But it shouldn’t become a bottleneck either. What you don’t want to see is this process being built as a blocker to doing business. It will obviously slow things down just in the nature of what you’re trying to do. You’re trying to understand a new relationship with a new supplier.
It can be sped up by using tools that already have a lot of that information in the armory as well. And certainly that’s what should be looked at going forward. Right? So different lenses for different audiences. So know who’s going to look at the information that’s coming out. And I see this all the time. I see the CISO’s dashboard being presented at a board level, which isn’t the right thing to do. The CISO, having been one, and maybe it’s because I’m a detailed person, but I wanted the detail. I wanted detail, detail, detail, not to the nth degree, but I wanted to be able to have the information at my fingertips that gives me a good understanding of the security of the entire organization, including the supply chain, because ultimately that’s my accountability and my responsibility. Other people might have it as their job, but it’s still my accountability to make sure it’s done right. So I need a lot of detail. The business doesn’t. The business needs it to be quantifiable, relevant to their specific business unit. You know, if there’s a manufacturing division and they use a certain list of suppliers, they don’t need to see the suppliers that aren’t relevant to them because they don’t use them. So, it has to be relevant to them. It has to be actionable, intelligent, and tailored to what they actually specifically need. And then the board needs something different. The board want the legwork doing for them. You know, they want a very clear view, consolidated, you know, grouped, so that it jumps off the page what they’re being asked to add input and guidance into. I don’t advise going to the board and asking them to make a decision on your behalf, because obviously as security leaders you’re required to make those decisions. The board might want to challenge that decision or ratify that decision, however they feel. But it’s certainly not good to go in there and say, “Can you make this decision on my behalf?”
It should be: look, we’ve got this intelligence, we’ve got this information, or we’ve got this risk, and this is how we’ve decided to manage it. Do you agree or disagree? But that decision should definitely be made in advance. So really it’s about putting some time and effort into recognizing that this is very valuable information, but it’s going to different audiences, and how should we present that? And again, this is where the online tools can really help in terms of different lenses and different views that are actually designed and intended for those different audiences going forward. Okay. So my last slide before I hand over to Brenda to talk a little bit about Prevalent. So why am I advocating meaningful metrics? Because this is such a critical business process. It’s not a security process. It’s not a technology process. It’s a business process, and it means that the business can understand its risk and run as smoothly as possible. So it’s really important that this process end to end is fit for purpose. It has the accountability. It has the right strategy set up. You know, it’s set up for success. It has the right resource. It has the right tools. But in my view, you know, the reporting aspect of it is as important as the capturing. Otherwise, you’re just capturing for no action. You know, reporting out in those correct lenses, getting the stakeholders engaged, getting them involved, getting them to contribute on what this process should look like, what are their requirements, what do they need from this process so they actually see value from it. And really, as with other areas of security, you know, we’ve seen automation drive across our patching and our vulnerability management, our identity lifecycle management, JML, etc. And this is no different. You know, automated workflows to get access to intelligence and threat and drive behavior within the organization. You know, that’s where moving away from Excel into these tools can really help you as well.
So, and I’d just add that, you know, the security team isn’t accountable for this end to end. Regardless of where this sits, it’s a business challenge and a business risk. And that’s why I really advocate that integration with the broader stakeholders and the business going forward. Good. Thank you, Brenda. Over to you.
Brenda: Okay, great. So on the next slide, basically Brian talked earlier about the art quadrant, and as it pertains to metrics, from capturing to reporting as he had just mentioned, Prevalent provides the strategic approach to collect and perform vendor risk management, as well as designing the program to meet the needs of the increased assessments and leveraging innovation by taking advantage of not only machine learning contextual information but also AI, so that we can reflect the risk information using the right lens, such as the CISO and the business and the board and others. So the Prevalent platform gives you this repeatable process that Brian discussed to fulfill quantified and balanced risk using the overlapping vendor threat intelligence and networks, and it includes not only the assessments but also cyber, business and financial monitoring information. So we gather all of that content, and that drives the compliance understanding that you need to put into those reports, as well as the global view for resilience, all by using the platform and the people. On the next slide, today we majorly focused on the last dot, and that dot that comes up is going to be “report and manage,” and it looks like my slides are mixed up, so I will switch to the next one. So for smart, the data-driven, comprehensive and contextual is metrics-focused. Nonetheless, for the unified, we will provide risk transparency, giving it that one-stop shop where all of your program can have information embedded into the platform and everyone has the same voice. It gives you what you need to know at every level. And then for the prescriptive approach, we make sure that it’s streamlined, action-based, and it triggers what matters to have that action. And on the next slide, we are your trusted partner. So for this one, we are the leader in the Gartner Magic Quadrant, and we are the fastest growing vendor of networks with the largest library of assessments.
And we use the harmonization and the normalization of every content information that you can gather, whether it be assessments or threat intelligence. And we’re here to help you get your program more mature with the innovation that we’ve put in place, and backed by the trusted partners and customers that we have that always give us examples of what’s happening in the field, along with Brian, on exactly where our platform should go next. So, I will hand it over to Amanda. I believe there are questions, and we have about 11 or 12 minutes to go through those.
Amanda: Yes, we do. And thank you all for participating. We really appreciate it. Overall, it looks like six questions so far. So, I’ll start from the top here. This will be for Brian. What would you rank as your top five third-party risk vectors?
Brian: Yeah. Well, you know, five off the top of the head. I mean, certainly my top two: coverage, in terms of, you know, making sure that all your suppliers are assessed. I always advocate the net risk, because obviously there’s a gross risk and there’s treatment plans applied, and you need to understand, well, after all of that is done, what is the risk that we’re still hanging on with? I’d put the threat intelligence feed coming in absolutely as, you know, one of those top five up there as well. So, I’ll give you three off the top of the head. They’re the most important ones that I would advocate. You know, making sure that everyone is fed into the system, making sure that they’re assessed, and then making sure you overlay that with the threat intelligence as well. Right.
Amanda: Perfect. And the next one is another ranking here. What are your top five third-party risk KRIs ideal for board-level reporting?
Brian: Top five what? Sorry. Top five third-party risk KRIs ideal for board-level reporting. So from a KRI perspective, I’d go back to, obviously, if we can go back, these aspects. So I think at a board level the lagging and the leading indicators are really key for the board. So what’s happened in the past, and have you learned from that? A board will be very forgiving if something happens for the first time, and obviously the organization needs to learn about that. They will be less forgiving if it happens again. So, it’s around how do you get that information and apply it to what’s going to happen in the future. We’ve already talked about the net risk. Threat intel is absolutely key, because certainly I’ve seen some of the Prevalent reporting as well. It’s around: this is what we know about this supplier and this is what we’ve gleaned from the community. So, it’s about getting the power of that community to work to your advantage. So, as we call it in security, OSINT, all the open source intelligence feeding in as well. Boards love to see that stuff because it adds context. It adds rationale as to why you’re asking to change what is currently the status quo. So those are the things that I would cover off. Right. So.
Amanda: Perfect. And then the final question of this little trifold here is: do you have any suggestions on how to best create and automate a process for vendor offboarding?
Brian: Yes. So offboarding is as important as onboarding. And I’ve heard Brenda talk about this as well, so I know it’s how she views it as well. Because in offboarding, you know, it can happen for multiple reasons, but regardless, you’re severing or reducing, you know, the service that you work with on that individual supplier, but there has been a relationship historically. You know, there’s been accounts created. There might have been networks connected together. There’s certainly been data flow between the various different organizations. And you actually have to understand what that looks like and track it as part of your program. So you know what that customer or supplier has been granted access to or given, because obviously you need to ask for it back. You know, you don’t actually have to ask for it to be handed over, or maybe you do depending on what it is, but you need to know that, you know, it’s being deleted in the right manner, that the relationship is being altered, whether it’s terminated or reduced, etc. So it’s really thinking through what your termination process actually looks like, and it is actually as vital as your onboarding as well. And Brenda, I don’t know whether you want to add anything on that.
Brenda: Yeah. No, I would totally agree with that. And I would also, from the perspective of the previous question with regards to what would be the top five KRIs, the ones that I would recommend at a deeper level than what Brian was talking about: I would focus on software and mobile development risk. I would also focus on identity and access management risk. The other one is the unresponsive suppliers, and then the compliance to any regulatory components, just if there’s any risk in there. And then finally, the one that changes and modifies from a KPI into a KRI is the overall high-level program compliance within your company, whether they’re using the third-party risk management program or not. So that would be a risk that I would turn into a KRI. But yeah, with regards to offboarding, I completely agree. It is just as important, and you have to have the checks and balances in place and working cohesively with your other departments to make sure that everything is turned off, destroyed if appropriate, and so on.
Amanda: Thanks, guys. And also, FYI for everyone, we have another poll question I failed to put up quickly enough, but just while we’re still talking with other questions, please answer that. Are you looking to augment or establish a third-party risk management program this year? Do you have an active project, is another way to put it, that we can potentially help you with? All right, we’ll leave that up. We’ll continue questions. The next one is: what would you recommend as a good trigger for initiating periodic reassessments? Probably for Brian.
Brian: Yeah. So, I mean, you should have, you know, depending on which tier the supplier fits into anyway, you know, a schedule of assessments going forward. And I think that, you know, you need to understand, based on the risk profile, whether, you know, you’re going to audit them yourself, maybe physically, or you’re going to audit them using, you know, a trusted supplier that does some auditing on your behalf. But I think, you know, triggers are, you know, change events or a change in the relationship with that supplier. So, if you’re going to be doing something new, if you’re going to be doing something significantly different with them; maybe they’ve changed their location, they’ve decided to offshore some of their operations, or they’ve gone through some business change; or there’s some threat intelligence coming through that, you know, maybe you don’t like the look of. So, I think that list is potentially endless. And it’s just kind of understanding that you’ve got those trigger events codified into your process, where if A plus B plus C happens, then hey, we want to take another look at this supplier and just check that we’re comfortable. But then that doesn’t negate, obviously, the periodic assessments and reviews that you should already have in place. That’s kind of the triggers for an off-cycle review, right?
Amanda: Perfect. This one is based on when you were talking about self-certification; someone asked you to clarify a bit more on that.
Brian: For self-certification, yeah. So, I mean, there will be tiers and suppliers within your structure that, you know, you’re not going to get round to as rapidly as possible, and, you know, I jokingly said people obviously that, you know, do the kitchen supplies or supply the restrooms, but that’s not always the case, because, you know, cleaning staff within your organization can still present, you know, a risk, and they need appropriate vetting, etc. So it’s not always the case that they’re the lowest tier. It’s around, you know, some initiatives or services that you’ve got in place that you don’t think are critical to your business. You know, they don’t connect into your infrastructure. They haven’t got, you know, access to data, etc., where you may think, you know, do we need to visit this company straight away, or can we for the moment rely on them answering our questions and providing some form of self-certification, and maybe we’ll just check compliances and accreditations and reputation and the threat, etc. So, that’s what tiering is all about. You know, the companies that you need to spend time with down to the ones that you need to spend less time with, but actually you need to focus on all of them, right?
Amanda: And final question here. Should the reporting be based on inherent risk or residual risk?
Brian: Yeah, that’s a good question, and I think that’s going to, you know, be tailored somewhat by the organization and how they manage risk internally. But from my perspective, it’s, you know, residual and inherent risk are absolutely important, and certainly if it was me, I would be reporting on both, because it shows the risk journey and actually shows, you know, this is what we started with, this is what we’ve done, this is what we’ve applied, these are the mitigations we’ve put in place, and this is the risk that we’re left with. And that gives you, you know, a view of the residual risk that’s under management. And, you know, there can always be further risk treatments applied, but it becomes a business decision then. You know, maybe it requires more investment, maybe it requires another supplier coming on board, etc. So I think it’s, you know, the purpose of the teams that run this process, ultimately, to give the business the information it needs to make those risk-based decisions. And hey, they might accept them, that’s perfectly plausible, or they might choose to mitigate them, but at least they’ve had the opportunity to contribute, because you’ve captured it and you’ve pushed it up the chain towards them. And I think that’s the important piece, right?
Amanda: Absolutely. Well, that is what we have left for today. Thank you all so much for joining. Brian, you’re amazing. Thank you for doing this from across the pond, as they say. We always love having you give us some education on this, so we really appreciate it. Just FYI for everyone that’s left, you will be receiving this recording tomorrow in your inbox. Feel free to view it and share it with whomever you wish. And please continue to check back for our other webinars that we’ll have upcoming. We’ll have a jam-packed month to come and we’re excited about it. So find us on LinkedIn, or make sure that you are a part of our communications, and if you have any questions, I’m Amanda Fina for business development here at Prevalent. Brenda and Brian, thank you again so much for joining. We’ll give you a minute back in your day.
Brian: Thank you.
Brenda: Thank you.
Amanda: Bye everyone. Take care.
©2025 Mitratech, Inc. All rights reserved.