Description
Working with the endless number of compliance frameworks and regulations for third-party risk management across multiple geographies can be a nightmare. How do you manage third-party risks efficiently while staying compliant and secure, without wasting time and money on auditing and reporting?
In this webinar, Bryan Littlefair, CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva, will look at the most important third-party risk management regulations you need to pay attention to, as well as what direction to take to get the most bang for your buck.
Bryan will discuss:
- Key requirements to address third-party risk management compliance
- The cross-border impact on data privacy in GDPR, CCPA, and NIST
- How to combine requirements in the most important regulations to avoid the headaches and reduce the time required to report on compliance
Register for this webinar to learn what third-party risk management regulations you and your organization should focus on, and how to manage them.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Speakers

Bryan Littlefair
CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva
Transcript
Amy: All right, we are live. Welcome, everyone. As you trickle in to today’s webinar, I’m going to throw up a quick poll question. If you’ve joined our Prevalent webinars before, we usually have two of them. So this first one, while you’re waiting: what prompted you to join our webinar today? Maybe it’s purely educational. Maybe you have a third-party risk management project coming up and you have questions and want to hear from some experts. Maybe you’re not sure where you’re at, but if you want to learn more about global compliance requirements you should stick around. Or maybe you’re currently a Prevalent customer, so thanks for joining us. All right, take a moment to answer. I’m going to go through a few housekeeping things and introduce our host. You’ll see Bryan Littlefair will be leading the majority of our webinar today, which is titled “Which Global Compliance Requirements to Use for Third-Party Risk Management and How”. Bryan Littlefair is the CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva. So thanks for joining us, Bryan. I hope you’re having a lovely day so far.
Amy: And this other lovely gentleman you’ll see here is Scott Lang. He is Prevalent’s own VP of Product Marketing. You’ll be hearing more from him towards the end of the presentation. And so everyone knows, we really want this to be interactive. You are on mute and cameras are off, but please give us any questions you have using the Q&A function at the bottom of the webinar; the chat function is fine as well. And just so you know, we will have some Q&A time at the end, so if you have any questions, please send them my way and I’ll make sure to relay them to the lovely gentlemen here. Also, this is being recorded, so if you have to hop off and can’t stay for the whole thing, it’ll be sent to your inbox first thing tomorrow morning. All right, I don’t think I’m missing anything else, so I will hand it over to you, Bryan. I hope you’re having a lovely day. You as well, Scott. And thanks, everyone, for joining.
Bryan Littlefair: Great. Thanks, Amy. And hello, everyone. It’s great to be able to speak to you all again, and hopefully some of you joined the previous Prevalent webinars that I’ve done. I think this one’s really interesting because compliance is only going to increase for all of us globally. It’s something we have to get comfortable with. We all know how complex it can be to manage the supply chain, and when you overlay compliance and regulation on the supply chain it becomes an ever-increasing challenge. So we’re going to try and unpick a little bit of that today and get into, from my experience, some of the challenges I’ve faced and some of the things I see consulting with my customers and clients as well. We’ve already done an introduction of me, so that’s great; we’ll crack straight on.

As I said, compliance is only going to go in one direction. Over recent years the global compliance requirements have increased drastically. I consult with some fairly big multinational organizations as well as smaller companies, but if you are a large global multinational operating in several jurisdictions across the globe, then you’re going to have a lot of compliance and regulatory requirements that you have to adhere to, and that is only going to increase. It’s not going to go down. A few years ago, in my view, when security teams were doing supply chain assurance checks, they were ticking a few boxes, checking a few policies, getting some evidential data to give them some assurance that suppliers were doing what they said they were doing in their policies, and doing some basic background checks on who owned the company and all of those aspects. Now I think we have to run a very complex process. It has to be near real time. We have to move away from the world of spreadsheets and Microsoft Excel. It definitely has a role to play in business, but in my view it’s definitely not in third-party assurance. We have to get into the data.
Bryan Littlefair: We have to be able to manipulate it in ways that a spreadsheet can’t. For many organizations, the supplier footprint is huge and it’s growing: 1,000, 2,000, 4,000, 5,000 suppliers within their supplier footprint. That can be quite daunting in terms of having to slice and dice it, put suppliers into the classical tiers, and understand where to focus what will be a very finite level of resource, budget and capability within your organization to get to that golden panacea that everyone’s aiming for: holistically understanding the risk profile that your supply chain presents back to the parent organization. But I still do see many people using spreadsheets. It’s something I see fairly frequently. When we go in and consult and we talk about third party as well as other things, the dreaded Microsoft Excel comes out: several thousand rows long, several hundred columns wide, used to encapsulate the information that’s gleaned from the annual questionnaire that goes out. I think that’s partly why we’re getting a lot of regulation and compliance requirements coming through. The regulation wants us to step up; it wants us to uplift the security of our organizations, and hence that’s why they regulate. They say you have to do it this way. We want you to be better. We want you to improve how things are going. So I think we need to mature that capability internally. We need to accept that we have to get ahead of the curve on this. And I think we all need to fully understand the supply chain, but we need to understand it on a daily basis, not through an annual questionnaire. So, from what I’m seeing at the moment with the customers and clients I consult with, the most fundamental shift I’ve seen over, say, the last decade is the best practice and knowledge sharing between the regulators. They used to be very siloed. When I was running large global multinationals, they just didn’t talk. There were no intergovernmental relationships that facilitated the regulators talking and sharing how they were going to regulate their individual markets.
Bryan Littlefair: But now what we’re seeing is they are sharing. They’re collaborating across the globe. Those that are more mature are flying their teams over to advise and consult in the countries that are developing in this space and sharing their best practice information: this is what we’ve learned on our journey, this is how we recommend you approach it, this is what we recommend you look for, here are the results of our tests. All of that information is being shared, and I think that can only be a good thing. And I think organizations are facing into this wave of new regulations while not really understanding all of their data, with a little emphasis on the “all”, because often when I’m in organizations they say, “Oh, we’ve got all of this structured data.” But then there’s this bucket of what they call the unstructured data, which no one dares touch because it’s too complex. They don’t understand it. It hasn’t been able to be classified. They don’t know what it is. They don’t even know whether they should be owning it or hanging on to it. And I think that’s the challenge. The regulation is driving us towards understanding our full data sets, not just what we were able to classify through automated tools; you actually have to understand all of the data that you’re holding so that you can understand whether you can comply with the regulations. Third-party security is absolutely viewed as a critical process by most organizations, but honestly not all. We see some very mature organizations that have invested in the correct processes, the correct tooling and the correct resource to be able to run this process effectively, but then we see some pretty big organizations and companies that are trying to run a third-party assurance program with two or three FTE, two or three people, and a Microsoft Excel spreadsheet. And that’s never going to get you to a point where you understand your risk position from the supply chain. That under-resourcing in terms of people and tools is a trend that I’m hoping starts to go away over time.
Bryan Littlefair: And certainly within my company we are starting to see people embrace the new technologies and capabilities that are coming out in this space, so that’s really positive. This slide highlights what we’re starting to see in terms of some of the convergence. When I first started in security you struggled to find any commonality between the regulators or any of the compliance frameworks. Everywhere you looked across the globe they were different and everyone was doing things differently, and actually I think they were doing things differently intentionally. If one country wanted a widget red, the other country wanted the widget green, right? So it was very difficult when you were running your compliance programs and your third-party assurance programs, whether they sit within the security function or within the legal function (it doesn’t really make much difference), because ultimately it was really challenging to understand: I have to comply with this legislation, I’m running a global business, how do I do that in this very complex regulatory landscape? That was driving some challenging situations within organizations. But now, one of the big drivers is global multinational organizations and the proliferation of outsourcing and insourcing by particular countries and regions, and that’s really driven the start of convergence on similar regulatory and compliance frameworks across the globe. I’ve just picked a couple here. I assume it’s a predominantly US audience today, so things like CCPA, and then over in Europe we have the GDPR, and fundamentally they’re trying to achieve the same things, which is good. Citizens want to be able to understand where their data is being used. I think that’s purely sensible, and part of the reason why these regulators came in and actually started to enforce some of these rules is, quite honestly, that organizations weren’t giving them that option. It was quite hard to understand what data an organization held on you. It was quite a long, cumbersome process. And people want to have that choice.
Bryan Littlefair: We’re seeing that more and more. The regulation comes in, it applies to different areas and different regions, and they all have their own nuances, but there is a significant overlap which puts the power back on that citizen, back on that individual, so that they can start to make choices around who has access to their data and how that data is manipulated or managed, and they have the right to opt out of or opt in to certain marketing campaigns and other initiatives that they may or may not want to receive. And certainly one of the things that I learned running security for large companies is that when you look across the globe, privacy is quite culturally different. I’m not going to name individual countries, but when you go into one country they regard privacy very, very seriously, and when you go into another, less so. So this is a very geographic challenge that we’re having to crack. But certainly the key area that regulators are focusing on is data, and they’ve taken a very sectoral approach in my view. Certainly in the UK and Europe it was the financial services sector that came under the spotlight first, with a very heavy regulatory environment, and that is fanning out into what we call critical national infrastructure: telecommunications, pharma, power, utilities and all of those aspects, forcing an uplift in security in those individual disciplines. That will proliferate out, obviously focusing on the big players first, but it is only going to trickle down into the smaller organizations. So if you are working for a smaller organization and think, well, this doesn’t really apply to me because I haven’t got $25 million US revenue, etc., it will come your way. I’m very confident of that. They just have to tackle the big fish first, and then obviously they’re going to expect everyone to step up to a similar level. But there is that global focus on improving data security. I’ll put a slide up in a minute that shows the kind of maturity, focusing on data, across the globe, and I think lots of countries are starting from a low starting point. Data security wasn’t a big thing because privacy wasn’t a big thing, but I think that’s starting to change with the generations that are coming through, millennials, Gen X, Gen Y, Gen Z, etc., that are very much data consumers. They’re very used to consuming data and interacting with it, so they’re a lot more savvy: well, I’m not comfortable with company X or company Y doing this with my data; I want to have control over that. And that’s really driving some of the changes that we start to see. And I think it’s safe to say, certainly from a company perspective, that introducing compliance regimes like GDPR or CCPA has been a pretty fundamental shift for companies to deal with. It’s not something easy and quick. It’s not a tick-box exercise where you just say, right, do this and do that. You have to really review your organization end to end to actually understand: how do we comply with this? What are our challenges? What do we comply with already? What are the gaps? And some of those gaps have taken a long time, certainly on the GDPR side, to actually mitigate. It’s meant a fundamental shift in how businesses actually work.
Bryan Littlefair: And certainly from a GDPR perspective, when people were saying they were compliant they weren’t actually compliant; it was a journey that they were on, they were moving towards being compliant and getting things done. And from a US perspective, when we look at GDPR, many times when I go to access a US website it throws up a banner and says, I see you’re trying to access this website from Europe, we don’t want to do GDPR, so we’re not going to show you our website. In the US I’m not sure whether you’re aware that that actually happens, but it does. They’d rather just not have that visitor to their site than have to go through the headache of being GDPR compliant. Obviously that’s not the same for every US organization, but it does happen; it’s frequent to see that banner pop up. So I think the key theme that we’re starting to see is global data standards emerging: the right of the citizen to be in control of what data that company holds on them, and the right to decide what they want to do with that. And I think that’s only going to proliferate as we go through. So we can see here a small section of the global compliance requirements that are in circulation at the moment, and whatever country in a region a company expands into and starts trading with citizens of that country, then obviously you’re going to come into scope of the regulatory requirements within that country. Referring back to that example of the US website: they don’t want to comply with the EU GDPR regulation, so they’re just going to block visitors from that region coming in. That might be fine for a website, but a large global multinational that wants to sell its products, sell its services, and interact with the citizens within those countries has to take a very different view. They have to embrace the letter of the law. They have to make sure that they’re handling all of the data in line with those regulations. But I have a view, and I fully appreciate it.
Bryan Littlefair: It’s a view that not everyone on the call may share, but I think regulation is a good thing, and we’ll get into that in a little bit more detail later. Regulators, in my opinion, are responding to demands from their citizens or responding to incidents or breaches. They see something happening, they’re not happy with the progress, so they come in and regulate. They say, “You have to do this now. If you want to continue operations, if you want to continue business, this is the way we want it done.” And as I’ve said before, regulation isn’t going to go away. So we need to equip organizations and our own internal teams with the capabilities and tools that enable them to effectively manage that risk exposure within their business, and that by default will satisfy the regulatory requirements. I see all too often people just satisfying the letter of the law from a regulatory perspective, but in my view, and certainly in the teams that I’ve managed, we took that as the bare minimum. That’s the low point that we’re going to achieve, but obviously we want to do the right things for our customers, so we want to build upon that and actually show that we’re heavily compliant with those regulations, not just at the bare minimum. So here we can see the maturity of the countries around the globe. The red shows where there’s heavy regulation in place, so you can see all of Europe, North America, Canada, China and the Australasia regions have very strong, thorough processes in place to protect their citizens’ data. It wasn’t always like this, and certainly before CCPA and GDPR came in, I know that all of Europe would be drastically different colors. But with a Europe-wide piece of legislation everyone had to comply, and everyone had multiple years to get their organizations in place and make sure that the processes, the technology, the reporting, the governance, everything was in place. So I think this will continue to color red as we go on.
Bryan Littlefair: Everyone is just at a different starting point from a privacy perspective and from a maturity perspective. The countries I consult in and the companies I work with, even in the African region, where there’s currently nothing in place, there’s stuff planned, starting from South Africa and maturing up through the whole African region. The fines are obviously the big thing that’s driving organizations to comply, but actually more and more you’re starting to see a maturity in the boardroom that says, well, this isn’t asking for anything strange. It’s not asking for anything out of the ordinary. It’s making sure that organizations have effective governance over their data, that they understand what their data is and who they’re sharing it with. So logically, certainly in my view, it makes perfect sense. If we talk about the GDPR for a few seconds: under the GDPR the authority can impose some fairly significant fines. It’s up to 20 million euros, which is about $20.5 million, or 4% of the worldwide turnover of that organization in the previous financial year. So that’s quite high. It can be quite impacting. And the GDPR came in before the CCPA; it’s been in effect since May 2018. Since then we’ve seen around 800 fines issued across that European region that you can see in the center, indicated in red. And even though the UK has effectively left Europe from a Brexit perspective, we are still governed by this GDPR legislation. If you look at some of the big fines that have been handed out, the largest fine to date is Amazon. Obviously they had a greater revenue than 20 million euros, so they got a 746 million euro fine, and they were fined for making it challenging or difficult for users visiting their site within Europe to opt out of their cookies. It wasn’t as transparent as it should be. It was hard.
Bryan Littlefair: You clicked reject on the cookie site and you were presented with numerous complex screens to go through, quite simply because Amazon focuses on collecting as much customer data as possible, and if everyone is just opting out of their cookies it makes it more difficult for them to be able to comply. So that fine was levied upon them, but I think other countries are going to catch up and more fines are going to be issued; as I said, they’re just on their own maturity journey, and I think this map is going to start to color up pretty quickly. So I have the pleasure of consulting and advising organizations of different shapes and sizes, as I said in the beginning, and third-party assurance is one of the major problems on the agenda. It’s often one of the key things that we discuss at boards. It’s one of the key concerns of the security and the legal teams. And that’s for a reason, right? It’s one of the most challenging risks to quantify and manage, depending on the process and the tools and the capabilities of the teams that you have. But if you actually link those challenges with the security bulletins (I read all of the security bulletins that come out from the security agencies, whether it’s GCHQ over here in the UK or NSA out there in the US), there are common themes emerging, because we’re all fighting against a common adversary using similar tools, similar capabilities and similar methods across the globe. So that messaging and communication obviously has some common messaging, which I’ve tried to capture in this slide. And we can’t do a presentation at this time without mentioning the dreaded COVID word. COVID has not only changed the way that businesses operate, with things like home working, but it also saw an unprecedented rise in security attacks, and that’s a key theme coming out of the messaging.
Bryan Littlefair: The attack level, the attack sophistication, everything kind of went up exponentially, and organizations were seeing their infrastructure scanned, their infrastructure probed, and their home workers being phished, smished or vished, whatever you want to call it. The attackers were having a heyday, because the organizations had drastically shifted: their policies were effectively not relevant anymore because everyone was working from home. New technology was rapidly introduced. There were confusing but genuine messages coming out to employees in terms of “here’s some new software you have to use, please change this process,” etc. That’s a bit of a field day for the attackers, because they can capitalize on that; they can weave in their own messaging and say “we want you to do this,” and employees were more receptive to those manipulative messages in the early days of home working and COVID. And certainly there were a lot more phishing emails and things floating around on the internet because of that. But ultimately, what do they want to do? I often say that the target of every attack is the data. Ultimately they might want to monetize that data, or they might ask you for a ransom to get that data back. Even with crypto-locker malware spreading around organizations now, the modus operandi is to steal the data first, then encrypt it, because they found out that organizations are a lot more willing to pay if you’re holding their data to ransom, with the threat of disclosure as well, and not just encrypting it. And I think the trend that I’m seeing, and that I read in the trade press, is that the trend of parent organizations being targeted via their supply chain is only going to stay and it’s going to increase as well. I think the perception is, and in my view it’s a valid one: why try and breach the parent organization to get hold of the customer data when a much smaller organization, that probably has less security tooling and less security capability, holds the same data?
Bryan Littlefair: In my view that logic is sound. If you’re going to try and hack an organization, whether it’s via its people or via its technology, circumventing its security controls, why go after this big beast that spends a hundred million on security annually when you can target a smaller organization that doesn’t spend that much, hasn’t got as big a security team, perhaps hasn’t got the right monitoring or governance in place, but has that company’s data? So that’s what we’re starting to see: the hacks within the supply chain to access the parent organization’s data, and I think that’s going to grow exponentially in the future as well. And this is where, as security professionals or legal professionals and everyone on the call, we need that in-depth view of the risk and the threat within our extended supply chain, and it needs to be refreshed in near real time. As I said, when I first started in security it was Excel spreadsheets and annual surveys and questionnaires; tools like Prevalent didn’t exist when I was starting out. I’m showing my age. I’m only 44, but it’s moved exponentially in that time frame. We need to be able to slice and dice the data, and spreadsheets just don’t give us that level of functionality. We need as much information as possible, and it needs to be as enriched as possible. We want to see risk scores on our supply chain. We want to understand technical policy breach information. Have they told us during our assessments that they patch external-facing critical vulnerabilities within 24 hours? But we’ve got tools and capabilities that can see they’ve got an externally facing vulnerability that’s four days old. Information like that is really useful to put some context on whether they are living and breathing what they say they will do in their policies, or whether we have to pay this company a little bit more attention. Have they got the right capabilities to detect vulnerabilities and mitigate them? We want all of that open-source intelligence flowing in, and we need it analyzed on our behalf and presented back to our analysts in an actionable way.
Bryan Littlefair: They haven’t got the time to pull all of this information and do the analysis themselves. It needs to operate like a SOC or a SIEM in some regards: the analysis is done by the platform and the tool, and they present an actionable list of information back to the third-party analyst. A Microsoft Excel spreadsheet isn’t going to do that for you; I think we’re pretty clear on that. And I think too many organizations that I see are still running what I call legacy processes. They’re not adopting the advancements in technology, process and capability that I’ve just discussed, which are there; you can actually use them. What I see is a very stressed-out third-party assurance team in a fairly large organization, daunted by the scope of organizations that they’ve got to somehow cover and get this information on without using the tools that are available to them. But as I’ve just outlined, there is a different way, a different approach, and I’m a huge advocate for organizations looking into tools like Prevalent that can actually help support them. Not adding to their data; actually reducing their data. It’s helping them to hone in on the things they actually need to look at, detect where the issues are in near real time, and actually mitigate or circumvent them. And that doesn’t always have to be a cyber incident. We’ve seen lots of supply chain issues here in the UK that aren’t cyber related. Various different reasons are touted around, whether it’s Brexit or the impact of COVID, etc., but sometimes we’re going into supermarkets and some of the shelves are empty, right? Organizations are struggling with supply chain issues. We’ve just had a real challenge getting fuel; people are queuing for hours at petrol stations. These are all supply chain challenges that need to be risk assessed. Can organizations mitigate and model those before it actually becomes a reality and an impact for them? Another big one that we saw in Europe was the blockage of the Suez Canal. Ships couldn’t get through.
Bryan Littlefair: Container ships couldn’t get there. There were perishable food items on there and other things. So think about managing risk in the supply chain: it doesn’t always have to be cyber. You can model a lot of situations and lots of issues to understand what could actually impact us as an organization, recognizing there are going to be several people on this call from multiple different sectors. What could impact us delivering our product and service to our customer, and how do we understand if that presents a risk within our supply chain? If we can’t get our products from supplier XYZ, what’s our plan A, what’s our plan B and what’s our plan C, and how do we mitigate against that? I think that’s truly how you start to build that picture of risk. So let’s look at some of the foundational components that I think are the cornerstones of an effective third-party program that can operate in this very complex regulatory and compliance world that we’re finding ourselves in. First of all, I think you need to know your data. Look at any compliance or regulation framework and all of them require you to fully understand your data sets. You need to be able to categorize it, slice and dice it based on numerous different fields and scenarios. Do they live in Europe? Are they in scope for GDPR? Are they a citizen of California? Are they CCPA? Have they set thresholds on their data permissions so that we can’t use it? Have they opted in? Have they opted out? So you can’t effectively comply, or you will fail an audit or get some significant uplift required, without fully understanding your data. And I think you can’t just do the easy bit. We talked about it earlier on, but I see it so often: people say we understand our data, we’ve got it fully categorized, we understand the life cycle management, etc. We’re really good, but that’s only on the categorized data. There are petabytes and petabytes, in some instances, of data sitting in uncategorized data silos.
Brian Littlefair: And I think the regulation is there because that exists, and organizations need to really get a handle on it. You know, if it’s uncategorized and they don’t know a lot about it, then they’re not life cycle managing it. They’re not getting rid of it when they should have done. They’re hanging on to it for too long, longer than they should be in some cases, and that can bring with it its own fines. If you’re hanging on to data for too long when customers have left, etc., that can, you know, bring just as big fines from a GDPR perspective. So you really need to get into that uncategorized data set to find out the problems, and you need to understand your global vendor relationships. So, emphasis on the global layer: I see all too often organizations don’t understand the global impact of a supplier on their business. So what might be a really small supplier in India might be the biggest supplier in the US. So that obviously impacts the level of attention and tiering that they need to have focus and attention on. So you have to understand from a supplier lens back into your parent organization: how critical is this supplier to us? What do they supply in various different locations? And then obviously you can, you know, leverage that not only from a cost perspective but actually from a risk perspective and understand how do we effectively manage the risk of this supplier within our organization. And then, you know, the challenging piece is, you know, a contract that was in place between a parent organization and your supply chain before the introduction of some of this compliance and regulation came along. It’s not likely going to be suitable going forward. You know, it will ultimately need renegotiating, factoring in the new requirements. You know, there are specific roles and requirements and clauses that need inserting in the contract. Who’s the data owner? Who’s the data processor? What requirements are imposed on each based on the role that they’re holding, and, you know, what happens from a contractual perspective in terms of, you know, punitive fines if those responsibilities aren’t met? And there’s a lot more than that that needs factoring into those contracts.
Brian Littlefair: So I know it’s a challenge, but those contracts need revisiting whenever a new compliance element comes in scope for your organization. But to be able to do all this effectively, you need to understand what is my actual exposure to the regulation and compliance frameworks, and whether it sits within the legal function, the risk function, the compliance function, the security function, it doesn’t really matter, but actually you need to understand where does my business operate. What type of sectors do we operate in, and therefore what am I in scope for? And we need to get guidance from the business. This shouldn’t all be a security silo organization or process that’s being run across the business. If all of those areas exist within your company, you should be chatting to legal, you should be chatting to risk, compliance, security, IT, finance. This is a business problem. It’s not a security or IT challenge. It’s how does the business comply with these requirements? So, absolutely, we need to break out of the security silo; some organizations view third party risk as a security process. It’s not. It’s a business process. And I think, you know, all too often I see fairly large organizations that haven’t appointed a DPO. And, you know, this in my view is more common on the States side, because not much of the regulation actually mandates it, and I think, correct me if I’m wrong in the comments, but CCPA doesn’t mandate that you need a DPO whereas GDPR does. And I think that DPO, the data privacy officer, is such a critical role: someone who is the champion or the custodian of data within your organization that has the say of where it flows and has the say of how it’s manipulated and used and sold on, etc. Someone needs to have it as their full-time role to actually understand data within your organization. We often say it’s the lifeblood of the company. So, it’s important enough to have someone allocated to protecting it and making sure that we’re doing the right things with it. But I think this can get complex very quickly. You know, a large company that’s operating in maybe 60, 70, 80 countries across the globe, you can have a very large compliance exposure.
Brian Littlefair: So, how do you manage that? And you know, I’ve worked in organizations that have had that footprint, and you know, it’s pretty challenging in terms of what you do. But I certainly mandate the approach of keeping things simple. They have to be effective, but equally they have to be simple. I often say, you know, complexity is the enemy of security. If something is completely complex, it’s going to be difficult to secure. And I think, you know, the structure I certainly drive through security organizations is that we have our security policies, we have our security guidelines, we have our security standards, and that all translates into our control environment. And it’s that control environment that we want to try and standardize as much as possible across the globe. You don’t want to be running different controls, because controls are audited. If you have a different control environment in different countries, then you have to have people that can audit that control environment in that country, and it becomes highly complex when you magnify that by 60, 70, 80 countries. So in an ideal world, ultimately what you’re aiming for is that this control environment would satisfy your global compliance requirements. So whether you’re operating in Singapore, in China, in the US, in the UK, France, Germany, etc., and places in and outside of those geographic regions, your control environment would satisfy the requirements of those legislative environments and those regulations and controls. So, let me explain what I mean here on a slide to kind of bring that to life. So, I’ve worked in organizations when I’ve joined that have had, you know, numerous different conflicting security policies and standards, and that’s translated into numerous different control frameworks, and that’s not a good place to be. So, you know, when rolling out global initiatives, you know, something as simple, certainly in my past it was something as simple as video conferencing or messenger applications, you’d rapidly run into a security policy that would restrict that, or it couldn’t be done in way XYZ in country X, etc.
Brian Littlefair: So you can’t operate in a world where you have individual country policies. Certainly what I’m starting to see in the most mature organizations is that they have a standard global policy. The only two changes that are allowed to be made are language, so it can be translated into local language, and if there is something absolutely unique from a legislation or a requirement perspective that it doesn’t make sense to globalize, then that can be added to that individual country policy. But that’ll be one or two things. Everything else is standardized across the globe. So the approach that people are taking, in my opinion, and certainly the clients I consult with, you know, where it can possibly be achieved, and you know, where it isn’t going to introduce a significant operational overhead, where there isn’t a significant cost implication, where it makes business sense to do, we will standardize down on that single global process. You know, an example might be, off the top of my head, you know, how quickly do you have to notify the regulator of a breach in one of the countries versus another? You know, that does differ wildly. If you go over to the map, in Singapore you’ve got 24 hours, others you’ve got 48 hours, etc. So, how are you going to run your global business? You know, you need to be able to make sure that you’re complying with that global regulation because, you know, you might have a Singaporean resident’s data existing in another country and that breach may occur in that country. So, you have to be able to comply with that. So, if you take all of your control environments up to those most stringent levels and roll that out across your business across the globe, you’re only doing one thing.
Brian Littlefair: You’re uplifting your security to the tightest requirements, and I think that’s a really easy thing to sell internally because it’s the right thing to do for your customers. And I think, you know, more and more, if I look at how large organizations are constructed, I think it has to be done this way. You know, most big organizations have created shared service centers, you know, in high skill, lower labor cost regions, should we call them that, or captives, and they run key business processes. They run finance, data center operations, security, etc., but they’re processing the data of, fundamentally, your global client base, or operating systems that do that. So you have to therefore ensure that these facilities meet the requirements of that local citizen. So you have to be able to elevate everything up to that most stringent level and run your global business that way. And I think that’s what the more mature organizations are doing to keep things simple and to remove a lot of the complexity out of running, you know, a global compliance program. And I think, you know, looking at three of the common mistakes that I see people making, you know, we’ve touched on a little bit. I think you have to go beyond the minimum. Certainly the CISOs and the chief procurement officers and people I chat to, they see the regulation as the minimum. It’s the low bar, the low point where you should pitch yourself, and you’re constantly striving to improve and overachieve on that because, you know, I have this view that it’s if it’s the right thing to do for the customer. If the customer was sitting in the room when you’re making the decision and you’re saying that you’re going to just keep it at a low level, you’re not going to go up, would they be happy with that? Or would they be more happy saying, “Okay, we’re seeing regulation as a low point, but we’re going to invest and we’re going to make sure that we’re constantly maturing above that level”? And I think your customers would be happy with that statement rather than the other one. And I think regulation extends to where the data flows. That’s a really important point. That’s why we talked about revisiting the contracts.
Brian Littlefair: It’s so important to understand: the people that you’ve contracted to do work, have they further subbed that work? So, are there fourth and fifth parties in play? And therefore, what’s their security capability, and do they have satisfactory controls, and do you as the parent organization have your data owner and data processor fully set up, and is there contractual coverage in place from a financial perspective? So, we have to follow the data. It’s almost like a river. You have to understand where all the tributaries come off, where it is flowing, etc. You have to be able to visualize that and understand that and have that codified into your supply chain assurance to make sure you’ve got the right governance and processes in place. And obviously it’s around being too manual. You know, prior to tools like what we’re talking about today, and Scott will talk a little bit about Prevalent in a minute, prior to these tools being available, you know, manual audits was the approach, and you used to be able to kill and cripple an operational team by saying, right, you’ve got your ISO audit today, you’ve got your 27001, you’ve got your PCI audit next week, you’ve got internal audit coming in to look at the controls framework, then you’ve got PCI DSS and you’ve got GDPR, etc. It just continues to grow. Running, you know, a large global multinational that has, you know, six or seven tiers with four data centers, that can be quite a challenge for the operational teams to cope with that level of auditing. It’s a lot easier to click a button and actually understand, you know, from a supplier perspective, this is where we are from a governance perspective, this is where we are from an insurance perspective, this is what we know already. And if you need to delve a little deeper, that’s fine, but the tools can tell you a lot of the information that you’re going to go and look for already.
Brian Littlefair: So coupling this information with your internal GRC platforms then becomes really, really powerful. And I think, you know, there’s a bit of a mixed bag on regulation. So, you know, why do we have regulation and compliance there? You know, some people think it’s too little, others think there’s too much, you know, death by regulation, death by a thousand cuts, etc. You know, it can be too overbearing. My view is you have to think why that particular regulation was established in the first place. And I’ve seen several security teams struggling to obtain budget, struggling to get the right resource needed to be able to, you know, manage the risk that they effectively have under management. And regulation honestly helps. You know, coming from a CISO perspective, it’s a lot easier conversation to go into the board and say we need XYZ budget because this regulation says if we don’t do it, then we won’t be able to operate the company. It shouldn’t be that way, but it is. So, you know, regulation can help drive focus and attention to uplift the level of security in particular sectors or, you know, particular countries or regions, depending on what the regulation is. So over time that increased regulation has actually led to an increased level of capability of security. Organizations still have challenges and issues, of course; we read about that in the newspapers every day, but you know, it’s uplifted definitely, drastically, over the time period that I’ve been looking at. But I think there has to be a limit, and by that I mean, you know, a completely compliant company in a heavily regulated industry can still be prone to a cyber attack, and so, you know, with regulation we have to draw a line somewhere. We have to strike a balance, and I welcome the regulators personally and compliance bodies collaborating globally, because I think, you know, harmonization of those requirements across the globe will only make it simpler for us all to comply. So let me summarize a few of the key messages before I hand over to Scott and he can talk a little bit about the Prevalent platform.
Brian Littlefair: So I think we’re all clear, or certainly I am, and you can challenge me in the questions, but whether we’re managing the supply chain for security, whether we’re managing the supply chain for compliance or regulatory requirements, our objective is to reduce our risk exposure. And that might be from cyber attack, or it might be for some of the other examples I gave, like the Suez Canal, from a business continuity perspective, but fundamentally it’s all about risk reduction. But you know, this is another area of security that’s never going to be complete. We often say in security that the job is never done. The journey is not going to be finished. There’s a constant evolution and churn within the supplier footprint. So, we have to keep, you know, driving those processes and making sure that they’re done. So, we have to keep focusing on that risk exposure. We have to keep driving down the tiering of our suppliers and making sure we’ve got that global governance and capabilities, but we have to go easy on our teams by investing in the right capabilities and tools and processes. We can automate some of these processes heavily now and present, you know, analyzed results back to our teams without them having to go out with spreadsheets and Microsoft Excel. So, we need to be able to embrace that technology that’s available to us, and we have to work more closely with our suppliers. And, you know, I more than most understand the challenge of that, you know, when we’re actually looking at, you know, thousands and thousands of suppliers. But there’s suppliers and there’s suppliers. There’s people that are obviously really critical to your business, whether they run your data center or interaction with your customers, etc. And we need to turn those suppliers into partners, right? We need to fully understand their business. They need to fully understand ours. And you know, the contract can help with that, but then the contract needs to go away. If the contract comes out at every interaction and meeting with them, we’ve got a bit of a problem. We need to mature that relationship, so we can have sensible conversations about how we uplift the joint capability within our various different organizations.
Brian Littlefair: And I think we’ve already established, you know, this is broader than the IT and the security team: the legal function, the risk function, the procurement function. I did a whole webinar on how the procurement function is the CISO’s best friend. So, you should look that up, because I think there’s such commonality around, you know, viewing this whole area as a business risk rather than an IT risk. Something that I see all too often is that people view this as the CISO’s problem, and it’s not. It’s a pure business problem, and we need to break out of that security silo and embrace those broader functions within the business. And then again, I’ll say it again because it really needs hammering home: complying with these regulations and compliance, if you don’t know your data, you’re not going to comply. So get underneath that structured data, and that’s typically what the regulators are asking you to do, and then adopt the process of show me, don’t tell me. You know, all too often in the past it was, right, yes, we do this, you don’t need to look at our processes, we’ve got this, you know, we manage our vulnerabilities effectively, you don’t need to come and look at how we do it. Now the more mature companies go into the process of: I don’t want you to tell me, I want you to show me. I want the evidence. I want the assurance. I want that uploaded into my platform so that we can actually see that those processes and procedures are being followed. So I think, you know, once bitten, twice shy is the approach. So you don’t want to be told, you want to be shown and see the evidence that that’s actually going on. Okay, I’m going to hand over to Scott, who’s going to talk to you a little bit around the Prevalent platform, and then obviously we’ll be happy to take questions at the end. Thank you very much, Scott. Over to you.
Scott Lang: Cheers, Brian. Thank you. That last comment on Brian’s last slide there I think is the perfect segue into a little bit about what I want to share with you about Prevalent, and it’s the show me, don’t tell me, and, you know, the process of gathering information and evidence and policies and procedures and due diligence from your suppliers and partners and third parties. I mean, I’m not going to paint a rosy picture here. It’s soul crushing. I understand that. And it can quickly spiral an already overstretched team down into oblivion without the right help. And if you’ve got to prove that your third parties have policies in place, security related, data protection related or others, you have to find a way to automate the collection of that information, the analysis of that information, and then the presentation of it, both to your internal auditors as well as the external folks who are going to want to ask questions about it as well. And frankly, that’s what we specialize in. The Prevalent third-party risk management platform is a solution that helps you centrally assess all of your third parties according to the specific requirements you have to, you know, assess them against and report against as well. Collect that information through the completion of, you know, their assessments and the uploading of supporting evidence, the review of that information, and then ultimately the recommended remediations to get them to a place that you’re comfortable with from a risk perspective. You know, you’re never going to eliminate all the risk. We know that risk never equals zero. But to get somebody down to an acceptable level of residual risk is the objective of the exercise. And then we can help you, you know, take the time and the manual labor and, you know, the sweat and more, you know, out of that process by taking it on on your behalf. We address third-party risk at every stage of the vendor life cycle, not just, you know, the collection of compliance evidence to support some sort of a, you know, regulatory conclusion, but, you know, we help companies get intelligence on their potential vendors in the sourcing and selection phase. As you intake and onboard a vendor, we can give you visibility into their existing risk profile as well as some real-time risk insights. Give you some inherent risk visibility against whatever metrics you’re trying to measure against, execute those full and complete assessments. I think we’ve got 75 questionnaire templates built in the platform that you can leverage now, from a GDPR assessment to a CCPA or CP assessment. You know, HIPAA related assessments. There’s a NIST framework or so and then some in there. There’s ISO questionnaires. I mean, the platform’s got a library of them to draw from that you can pick and choose. You can be flexible with it, you can build a custom one. We’ve even got a standard survey that you can ask and then map the answers back to whatever requirements you need to on the other end. So the whole process is meant to simplify that excruciating process of collecting that due diligence and just make it easier to manage. Next step is monitor and validate. Once you have the information and the answers from your suppliers and partners, you’ve done a bit of review, and now it’s time to really do some controls validation. You know, we can leverage some existing cyber, business, reputational, financial monitoring and then have our experts get in there and just do, like, a controls validation exercise to make sure that, you know, their reported controls, you know, map to your requirements, you know, measuring performance and SLAs. You know, Brian mentioned earlier on in his presentation that not every risk is a cyber security risk, you know, the Suez Canal blockage being a great example of that. You may have suppliers that have some reputational challenges; you know, maybe they’re not living up to their expectations from an environmental, social or governance perspective, and you need to have some visibility into that, because those can be risks to their ability to deliver to you, which is your ability to deliver to, ultimately, your customers, if that’s the case. So managing SLAs and performance metrics goes hand in hand with security. And then finally, the last piece of the equation that is way too often overlooked is offboarding. You know, every relationship is going to come to an end, and it can’t just be simply flipping a switch and walking away. There’s quite a bit of checklisting and processes and data destruction and, you know, offboarding or terminating of assets and whatnot that have to be followed through. And you know, one of the values of our platform is that we can help provide that process, that automated workflow-based process, to guide you through that workflow so that when, you know, that relationship ends, you know, you have greater levels of assurance that, you know, the right steps have been taken. Next slide please, Brian. You know, we offer several benefits at every one of the stages of the sales cycle that I mentioned there, which you can kind of easily understand from the previous slide, but I’ll leave you with this piece down at the end. You know, third-party risk management isn’t just for the cyber security team. You know, Brian talked about that. You know, we talked about it a second ago on the previous slide. It’s also about managing risks throughout the vendor ecosystem that might be, you know, reputational, business related, financial related, their ability to deliver, you know, whatever. Which means third-party risk is going to be important to all kinds of different teams throughout your enterprise. You know, if you’re in the security team, great. If you’re in the, you know, the risk management or the internal compliance and audit team, great. Procurement’s going to want a hand in this as well. And one of the significant values that we deliver as a solution set is that, you know, we can bring together all of these different teams under a single pane of glass. Everybody’s looking at the same data, getting the reporting that matters to them, and can act on that data accordingly. Next slide please. You know, I think this is the last one. You know, we address use cases from procurement to IT security to legal to compliance to frameworks. You know, each one of these items on this screen represents a specific assessment or questionnaire that we have built into our platform, which then maps to a compliance report that, you know, you can provide to your internal teams, external teams, external auditors, whatever, to help demonstrate the progress toward, you know, achieving whatever compliance, you know, objective you need to. And on that right hand side, we’ve got all of our three-letter acronyms and even a few four-letter acronyms cooked in there as well. But just an idea of, you know, how we specifically help you show, not just tell, you know, the current security posture of your third parties. Awesome. And then just a wrap-up slide on our approach here. Everything I hope you learned just now was that, you know, our goal is to help make you smarter in third-party risk with all of the data that we have in the platform. Help you unify not just yourselves but your internal teams to, you know, coordinate action and look at all the same data. And then finally, be very prescriptive in your process. That’s it. Great. Thanks, Scott.
Amy: All right. Thank you, Scott, and thank you, Brian. So, a couple of questions came up throughout the presentation. A lot of acronyms, and we have some questions regarding them. I did my best to try to answer some, but I told them I would relay the questions to the expert to make sure that we’re right. So, the first question is, what does POPIA stand for? What does it mean? And what country did it originate from?
Brian Littlefair: So, I can’t remember exactly what the acronym means, but essentially POPIA is CCPA and GDPR in Africa. So it’s a South African country, right? So...
Amy: Got it. Okay. I did a quick Google and it said Protection of Personal Information Act. It seemed...
Brian Littlefair: That’s the one. Yeah.
Amy: All right. We have a couple of questions. I’m going to throw up our last poll question as I ask these, just in case you have to hop off. We’re really curious if you’re looking to augment or establish a third-party risk management program in the coming months. Yes, no, I’m not sure. We are here to help, as Scott mentioned a little bit. So, I’m going to leave that up as we continue on with some questions here. The next one is regarding slide number seven. I’m sure that pops right into your mind there, Brian. Regarding the processes that require near real-time governance, I think it was the second to last bullet. They are looking for some clear examples.
Brian Littlefair: So many organized... which one, sorry? The comp... to manage complex process require near real-time governance. Well, from my perspective, it’s around, you know, threat. So, if you’re looking at an organization that is fairly critical to your process, you know, if you’re running what I’d call a legacy spreadsheet-based process and you’re not overlaying the threat angle, you know, you would be blindsided if one of your organizations is appearing on CNN or Sky News because they’re having a data breach. So, overlaying that threat intelligence over those processes allows you to actually get those insights a lot quicker and be able to, you know, pivot internally from your organizational perspective to actually drive that. So, that’s what I mean by near real time. So you want to be able to understand what’s going on in your supply chain in near real time. It’s never going to be real time. Obviously someone has an issue, etc. But you know, if other customers know about it, you want to know about it as well. You don’t want a communication flow to go through a relationship manager and then up to his manager and then come through the trail and then you find out about it eventually. You want to find out about it in near real time. And I think that’s what these tools and the overlay with the threat intelligence, that’s what enables you to do, right? Have your finger on the pulse of what’s going on within your supply chain.
Amy: Got it. Thank you, Brian. All right. Next question. Are there GDPR certified or CCPA certified IT application products or IT third-party vendors to reconfirm their baseline compliance, such as privacy data encryption at rest, in transit, etc.?
Brian Littlefair: Yeah. So, I think, you know, from a software perspective, absolutely, and that’s certainly where you’re going to start to see the world going. So if a company has to comply, then, you know, there’s going to be accreditations for individuals, there’s going to be compliance for software and, you know, solutions that businesses can consume. So that’s the natural flow that we’ve observed throughout time. And that’s what companies will demand. You know, if I’ve got to comply with GDPR, then I need people within my organization that can be certified to not just make sure that we are complying with it but do the assessments and the audits, because you don’t want to find out that you’re not complying when, you know, the regulator comes in to do their audit; you want to test yourself. So you need people, you need software that can give you that level of assurance to actually say yes, we are complying. And obviously from an encryption perspective, you know, that needs to extend into your supply chain. If your stance is that, you know, we’re going to encrypt all of our data, you know, end to end throughout our entire process, etc., then you need to be able to validate that is in place, and there are solutions coming into the market now that can help you, you know, validate that even within the encrypted data sets without actually having to decrypt. So that, you know, it’s going to get a little bit more exciting.
Amy: Thanks, Brian. All right, one last question I’m seeing here. What are your views on identifying and assessing regulatory requirements during a SOC 2 audit for a global organization, as privacy is one of the trusted service principles in the auditing process?
Brian Littlefair: Yeah, I think that, you know, it’s a very good question, and I think, you know, from a SOC 2 perspective, you know, it’s demonstrating your capability to other organizations that, you know, this is how seriously you take security and all of those aspects. And I think, you know, that’s where regulation can actually help you, you know, being able to fully embrace, live and breathe things like ISO, GDPR, etc., and, you know, various other compliance regimes that might be applying to you. It’s a lot more powerful SOC 2 report, if you like, rather than the assessment, to actually be able to present to potential clients and say, look, this is how seriously we take security. If you look at, you know, an Amazon or a Google or an Azure SOC report, you know, it’s fairly impressive in terms of, you know, their embracing of the letter of the law in the compliance and the regulations, but as I said, they’ve built upon it. So, you don’t just see the tick box, you see how far they’ve gone to assure you that, you know, they are the best cloud services provider to put your data in, etc. And I think that that’s going to become a bit of a differentiator for people using their SOC 2 reports to actually say, look, we haven’t just complied with the standard, we’ve gone over and above, and I think that that will become a bit of a choice for customers in terms of where they want to put their data. Right.
Amy: Got it. Thanks Brian. Um one last comment came in. So regarding third party, I know that we focus a lot on third party, being with you know Prevalent and this being a Prevalent webinar. Um but they’re saying organizations’ GRC has many more components um including policy management etc. Um not really a question but just a comment that I wanted to make sure was passed your way.
Brian Littlefair: Yeah and I think that’s absolutely right you know, and I think Prevalent will be the first one to admit, and other people in this space as well, that you know it’s an information augmentation, and you know many of the customers that Prevalent will be speaking to will have an Archer or some similar solution in place as part of their GRC platform, and you know that will still be the core platform to manage risk, but third party risk is a portion of that risk that you’re actually managing and this can really help to augment that data and do automated workflows between them. I’m sure Scott you see that all the time with your customers, right?
Scott Lang: Yeah absolutely. Absolutely. You know, we’ve got customers of ours that leverage one of these, you know, big GRC platforms that are a mile wide and an inch deep and uh you know, they leverage Prevalent when they need the domain level expertise in thirdparty risk management to augment their overall GRC. You know a lot of those GRC platforms are great at managing organizational enterprise level risks but by their very nature they just simply can’t go you know one or two levels deeper in specific domain areas, which is you know why people choose Prevalent. Right.
Amy: Makes sense. Um, in addition to that comment, if they’re using Archer, do they have it all or do they still need Prevalent? I know you touched on that a bit. Scott, anything else you want to add?
Scott Lang: Yes. Yes, you need Prevalent. Absolutely. Yeah. No, you know, Archer is an outstanding solution for enterprise risk management. It’s been in the market forever. Um, but you know, like I said, its specific third party risk management capabilities? Great. But, you know, we’re a domain expert in that area and built a solution from the ground up that, oh by the way, integrates with Archer. So you know if that’s a concern for you, definitely reach out and we’re happy to explain how that happens.
Amy: Awesome. Yeah. Well thank you. I think that’s it for questions. I know we’re just going a little bit over the hour here, but if you have any other questions or want to chat with an expert here at Prevalent, you can uh email info@prevalent.net. Follow us on LinkedIn, follow us on Twitter. We post a ton of great blogs and webinars that may be helpful for you. Um thank you so much Scott. Thank you so much, Brian. I learned a ton. Learned a little more about acronyms myself. Um, as a reminder everybody, this is being recorded and will be sent your way um tomorrow morning. All right. Thank you both. I hope you have a great rest of your day. Thank you everyone for joining.
Scott Lang: Thank you everybody. Have a great one. Bye.
Brian Littlefair: Thank you. Bye now.

©2025 Mitratech, Inc. All rights reserved.