Description
As organizations wake up to the looming threats posed by third-party entities, security and risk management teams are beginning to realize that a truly effective third-party risk management (TPRM) program requires more than just fancy tech – it hinges on seamless internal communication and bulletproof processes. Yet, for most organizations, the conversation still often starts with tech.
Join Eric Brown, CISO at Cytokinetics, for a lively Q&A-style webinar as he examines the key steps in transforming TPRM into a business conversation easily understood across the enterprise.
Eric in this session:
- Explains how he creates awareness of third-party risks throughout the organization, including quantifying the potential impact of an incident to operations
- Diagrams key processes and program mechanics, including attributes used for vendor and supplier profiling and tiering, risk dispositioning, and escalation
- Discusses how to maintain ongoing engagement with the board, compliance, legal, and other executive teams by transforming third-party risk into a business conversation
Whether establishing a new TPRM practice or maturing an existing program, this webinar will help you think about the non-technical attributes of a well-managed program.
Speakers
Eric Brown
CISO at Cytokinetics
Transcript
Melissa: Hello and welcome everybody. Um, it’s great to see everyone start joining this Wednesday. I will give you a minute to get situated and connected and maybe caffeinated if that’s what boat you’re in. And in the meantime, I’m going to launch our first poll. You’ll see it pop up on your screen here in just a second. Um, I’m curious to see, you know, what’s bringing you to today’s webinar. Is it because you’re in the beginning stages of your third-party risk program? Are you a current Prevalent customer? Um, maybe you’re just doing some project research. Be honest. Uh maybe you’re lost. I’m not sure. Um and let’s kick a few things off. Uh some intros. My name is Melissa and I work here in business development. And today we are joined by a guest, Eric Brown, who is the CISO at Cytokinetics. Welcome, Eric.
Eric: Hello, everybody.
Melissa: And we have Mike Yaffy, chief marketing officer of Prevalent. Hello, Mike.
Mike: Hello.
Melissa: And last but not least, we do have Scott Lang, our very own VP of product marketing here. Hi Scott.
Scott: Hey Melissa.
Melissa: And uh today Eric and Mike will dive into key steps in transforming TPRM into a business conversation. And that’s what today is is pretty much a conversation between Mike and Eric. So um you know a little bit of housekeeping. The webinar is being recorded. So you’ll get this along with a slideshow later uh in your inboxes. And you’re all muted. So use that Q&A box if you have any questions that are you know popping up in your brain. Don’t be shy either. Feel free to ask away. Um And without further ado, I will let Eric and Mike jump into things. Go ahead, guys.
Mike: Right on. Uh Eric, thank you for joining us today. Appreciate it, especially with the uh the backdrop you not being at RSA, which we talked about. So, uh thank you, Melissa. Why don’t you go to the first slide? Couple things, too, guys. Uh you know, for those of you not at RSA, I we’ve all I think been there or gone there. It’s uh it’s nice not to be hanging out with 30,000 people this week. So, a little quiet. Second of all, uh I apologize for this. Well, generally the way I I look in the face, I can’t do much about that. But the casual nature of the approach, wife just had a baby a little while ago, and I know you’re thinking he’s old to have that. That is also true. But um this is the best I can do right now. So, um I’m on it. You get a hat. You get a little bit more casual today. But it should be a super fun conversation. Look, I am uh psyched. Eric’s been just a really good friend to us and he’s got a ton of experience. I think um when you kind of combine his IT and cyber security experience with what he’s done and his technical background, it’s a really good combination um of, you know, technical expertise, a guy who can dig in and kind of work in the trenches a little bit, but due to his position and title really understands how to present at the executive level and how to translate kind of the technical up to the board level. And I think relative to what we’re trying to accomplish here, it’s challenging to to get CISOs or board level all on board with either a business case or support or expansion or just professionalization of your TPRM program. And um Eric would probably not say it because he’s humble, but he’s an expert at this and I think he’s done this multiple times across his career. So very lucky that he would take time out of his day to to help us and and help you guys understand. So again, uh if you have any questions on the chat, uh rip them off. We’ll try to get them in context. If not, we’ll save them to the end.
So, Eric, anything you want to open with? Melissa, why don’t you jump over to the next slide?
Eric: No, I appreciate the appreciate the intro. I’m looking forward to digging in.
Mike: All right, let’s do it. So, look, first question just to kind of get everybody aligned here is is how’d you do it, right? Getting getting in getting it up and down alignment isn’t all that easy in organizations. I always ask organizations, what type of shop are you, right? Do you want the answer? Do and not want the answer, right? So, um, how did you get alignment and and what type of organization would you classify yourself as too?
Eric: Yeah. So, I’ll answer the organization part first and do it in a couple different ways. So, I’m in the pharma sector broadly, right? So, some people will find that under healthcare. Um, but it’s it’s uh it’s a different business model. Uh, and pharma lives and dies by intellectual property. So, that’s one thing kind of know the customer, know the audience. Um, Cytokinetics is a smallish organization. So, think kind of 500 employees, thousand users with contractors, consultants, service providers, etc. So, not not a not a big organization. Um, and and really I think the one of the things that we always tried to emphasize at the inception when I when I came in and took over as the the CISO was trying to trying to frame the cyber security program broadly as not a technical problem. Yes, there will be technical things and technical aspects and there will be technologies, but um it’s part of a broader enterprise risk management play that ultimately keeps everybody in our organization and our key stakeholders inside and out happy and and safe. So that that’s number one is is just the beginning discussion of of being
Mike: what does that look like? Like what is that how do you if the organization hasn’t had it and you’re trying to, you know, everybody kind of had it in a little box or off in a corner,
Eric: right?
Mike: So, what is that elevated con? How do you even begin the where do you begin? How do you begin? Who do you begin with?
Eric: Yeah. Some of that got easier in recent years because so many things are headlines, right? Whether it’s uh uh SolarWinds or another local university or healthcare organization was breached and there’s ransomware or people saw Target or Visa or CASA, right? And retail shops in in uh uh larger European segments are shut down for a while because they’re running on uh uh POS systems that that get hacked off. Um so so Nightly News quote unquote right made made some of that discussion easier. So you have the emergence of more board members starting to ask questions as they serve on multiple boards to say how are we keeping our assets safe? Um you have news blasts and news feeds. So there’s just a general awareness in the water that’s different say than 10, 15 years ago where cyber was fundamentally a function of hey do we have the latest and greatest firewalls. So
Mike: some of the some of the
Eric: technology problem right point a a a equals b it was it was there’s this buy this do this right execute and then so the the other part of uh not the technology issue that we that we focused on was um legal as a department inside of a inside of an organization. No one thinks of legal as the function of the contracts management system. But people think of cyber as a function of things like firewall and access and identity. And that’s all cool, right? That’s a critical part much like a contracts management system is. But helping people understand that legal is there to help businesses deal with risk management at a contractual level. Cyber is there dealing with cyber and technical security risk management. And yeah, there are technologies, but helping people draw that analogy. And then we built trust because we did do the basics as well. So, got a lot of the technologies, the processes, the controls out of the way such that internal and external auditors could say no, it’s a good ship. So that helps move the conversation to a much more business-friendly vernacular out of technologies.
Mike: So is it so if you had to stack rank, who do you start with to start getting people kind of on board with this? Legals one, who’s and that’s a question, not a statement, but who are the top three orgs that you kind of need to really work with and and help them understand why.
Eric: Yeah. So in inside of our particular makeup, the three function or I’d say the few of the functional organizations or departments that were critical initially were quality compliance but legal preeminently. That being said, there was also another effort to uh interact with our senior leadership team. So your sort of VPs and above in the organization to say here’s here’s the here’s the broad landscape of consultants and contractors we work with. They make up a ton of our capabilities in the organization, right? They’re they’re supporting the automation, the data, the day-to-day operations of our organization. And if we don’t understand where the risk is in that large segment, we could easily find ourselves non-operational, compromised, dealing with reputational harm, right? Any number of knock-on negative effects that that we’d have to weather and overcome. So,
Mike: did you have to contextualize that within because I you you had said earlier, right? It was PII, right? So, did you have to help them understand that it was that the overwhelming or overriding concern for the organization? You’re like, we don’t even know how many people and I’m not saying you did or didn’t, but
Eric: yeah,
Mike: have access to PII or where it’s going or who’s accessing it or what they’re doing with it.
Eric: Yeah. So, PII isn’t is important to us clearly. I mean, right, European GDPR, California privacy rules, all that makes sense.
Eric: Um, intellectual property is the bigger thing. Uh, so when when we start seeing you know, organizations on on the news getting lost.
Mike: By the way, I meant IP. My brain trans that was sorry first one, but I meant the IP and it had the same letters in it. So, apologies.
Eric: No, no worry. Um, yeah. So, so helping them understand that what could this look like? This could look like data leaking out of the organization to people who shouldn’t have it. This could look uh like stuff where our maybe key opinion leaders or other health care professionals wouldn’t want to deal with us because they don’t trust us. We can’t we can’t make maintain the data. We don’t know what’s going on. So there the the negative effects that I always talk about have little to do with oh someone hacked a server and they’re always some business language generally speaking to say this could be the downstream negative effect that we have to deal with and that we’re trying to weather the storm of. So that was that’s the focus usually
Mike: is it and and look even in in security marketing and right enough to be dangerous been doing this for 20 plus years right there’s two ways the enablement approach right you’re better, faster, stronger, or more secure or the FUD factor, right? How what do you think works? Is it a hybrid approach? But how what’s the message that you deliver to these stakeholders? And and if you want to talk about exec team versus legal or maybe it’s all the same, but you know, what’s what is the what’s what’s the talk track look like?
Eric: Yeah, that’s a great question and I think it’s it’s really both. I mean, the the reality for us in the cyber space is it’s more um I won’t necessarily say say FUD, but I get the point of and I’ll I’ll put it into the risk avoidance cost avoidance type bucket. So there is there I mean clearly fear, uncertainty and doubt are the motivators in that space. Uh but in general to say okay if if we’re managing or mitigating risk or dealing with avoidance of undue cost burden fine but there are also things that we’ve tried to take as a principled stand inside of inside of the uh the team, which is wherever we can minimize risk, continue to push risk down as a general goal. Wherever we can do that with little to no operational friction, great. We’ll do that because then that then that starts enabling people. It’s like we’re we’re minimizing or or mitigating risk through technology. So, how do we make uh how do we make things like access easier but more secure, right? So, what are the MFA configurations? Right? How do we think about SSO so that we’re providing broad easier access to applications but getting more controls under the hood? So there there is an enablement piece to it and then ultimately building up some level of credibility in the organization where people say hey are we doing the right thing right I’m I’m in more questions rather than trying to introject the cyber program to go let me tell you why you’re doing it wrong and here’s here’s how I’m here to help. It’s now I get business partners sort of coming to us going, how do we think about that? How do we use cyber as a decision point when we’re looking at multiple candidates for vendors rather than, oh my goodness, it’s one more checkbox activity that we got to get done and slowing down the process.
Mike: Yeah, that look awesome, right? If I mean, if you can get to the point where you’re evaluating their controls um and it’s a differentiator, right? A super positive differentiator because you feel that they’ve done it, that’s you are way down the the pike on that. Uh one more follow-up question then we did get a question from the audience. Talk about like risk risk risk acceptance right at some point you don’t get enough money time people bodies to fill every hole. How do I mean do you go back to the executive team and say look we have to acknowledge this as a potential threat and it’s okay right we think it’s a 4% chance 1% chance but we’re going to do that. How do you how do you get the executive team to kind of put it in writing that we’re we’re willing to live with it X or Y.
Eric: Yeah. So, I I guess I um it’s a great question. I start this type of question always with unless you truly have mathematically infinite budget, you always have to prioritize. It’s just a function of how big is the bucket, right? So, no matter what you will prioritize and if you only invest based on risk, you can out-invest the revenue of any company by definition because risk doesn’t go to zero where revenue is not infinite. So, by definition, you will always be in a prioritization exercise. For us given the importance of um uh information we generally categorize risk and I I won’t go too far into the details for some obvious reasons but I’ll give people a sense of it hopefully it’s valuable.
Mike: Yeah. Yeah. Perfect.
Eric: We generally categorize categorize risk on on a couple of different dimensions. What’s the sensitivity of the data that we’re dealing with? And we have an internal classification scheme that goes from public to need to know type range. Um how operationally critical is the particular uh platform system vendor etc. And then um we use uh we use Prevalent as part of our TPRM solution and we do some categorization around uh SIG Lite I’ll use as an example and then we have an actual official SOP that’s gone through our quality system that gets trained on and in that we have a risk decision matrix that defines if we have a if the data classification is this it’s a truth table fundamentally data classification and how risky is the thing then that defines at what level the risk acceptance occurs. So if it’s if we’re dealing with a system that’s hosting our our public internet okay that’s public information it’s by definition supposed to get out. So if there’s a risk on that platform it might be something that uh one of my cyber analysts can sign off on and go yes it’s a low risk risk for a publicly available uh system. So we have a truth table that just tells us based on the data sensitivity and the level of risk who gets to sign off. That goes all the way from one of my cyber analysts up to uh a partnership between me and the functional head of the organization that’s dealing with that particular area. So it’s it’s an official SOP that gets signed off on, gets trained, gets communicated. That’s how we that’s how we embedded the risk risk acceptance uh criteria so people could see it. Will there be futures where there’s an exception and someone wants to complain about it? Yeah, maybe
Mike: there is always, you know, that’s funny. There is always exception handling, right? There is there’s, you know, you’re never gonna and if you try to build it to encompass everything, you’re you’re you’re you’re going to fail before you get there, right? 80/20 rule, folks. Um that answers one of the questions we had. The other one is look, somebody had a basic question just how do you um how do you get your exec team to care and dedicate some time to cyber education. I I I’m going to take a pretty aggressive stance on that. It one, it’s the CISO’s job to do, right? And two, I don’t know that you can always make the exec team give a you know what about cyber. It it might be the organization’s DNA, right? Not to care and just live fancy free. And feel free to tell me you think I’m off, Eric, but I I don’t know that every organization is going to care the same about cyber.
Eric: Yeah. I think that’s I think that’s a true statement uh on on the surface and and listen I’ve known executives who care very little about most of what their business is running on. Um but but that being said I I don’t know right know your audience I don’t know that most executives really care about cyber the program what they care about is is their workforce able to do their job can they go home and sleep at night without worrying that some right MC spent over a billion dollars recovering from some ransom some more stuff a few years ago. Their executives didn’t care beforehand. They cared afterwards. So sometimes it will be a crisis. Sometimes it won’t. Don’t don’t pitch something that some don’t pitch a product someone doesn’t want. Right? It’s it’s in the security team’s remit to deal with things that you know people just don’t want. They don’t need the behind the behind the scenes. But talk about things they do want. Can their workforce work? Do are they managing risk? Do they have areas and blind spots they need to be aware of? Everything else is... Leave that to the wizards behind the curtain.
Mike: Well, and and look, the two things I always It’s one, it’s insurance, it’s insurance.
Eric: Yeah.
Mike: Right. How much insurance do you want in life? I look and and I know it’s not a a fabulous analogy, uh, you know, for some people, but right, you have a risk tolerance and and I have life insurance, right? And and you kind of up it as you go or decrease it as you go. You’re gonna that’s what the more you invest in security, the probably better you feel, but the more you spend. It is a cost center, but you have to look at it as if there were an issue, if there was a flood in your house or, you know, god forbid, somebody couldn’t work, uh, you know, are you covered? And the security technology helps that. I will say, Eric, the other thing, too, that I I we see a lot of, and this is uniform across every company I’ve ever worked for, is it’s amazing how if there’s an issue, everybody does find security religion almost immediately and budgets, budgets available. I mean, there’s nothing you can do about that. But sometimes that’s what it takes in organizations.
Eric: I And I I’ll add I’ll add one final thought. Yeah. I mean crisis crisis is don’t don’t let don’t let a crisis go unused, right? As someone once,
Mike: right? That’s the Yeah, I love that one.
Eric: Um I I think something else I’d add is I can also imagine a world where there are a lot of people who design automobiles for a living who believe everyone should read that manual that comes in your car that none of us do because we want to hop in, hit the button, get to our next location and get out. We didn’t want to read the owner’s manual. So sometimes, right, we may have a desire to convince someone of the importance of what we do and the necessity of it, but that’s that’s going to be a hard that’s going to be a hard product to sell. Just focus on the outcomes and and kind of managing risk for the organization. Excuse me.
Mike: That is Melissa, let’s go to slide two. Um, but that’s super important, Eric. The out. Can you dig in on it? Is the outcomes, right? That’s That’s what it is. Look, it’s it’s skipped to the end of the story, right? We have a BR like are we willing to do it, right? That’s I mean even and as we kind of get into the next question talking about a business case, the business case is potential negative outcome to the organization. I know we’re talking about FUD versus the enablement, but um you you just want to dig in there and how do you when people in security, right, have to present a business case to you, what are you looking to see? What are the things things that really help you decide in a positive way and if they can’t if it’s not articulated clearly, right? Why do you kick a business case to the curb?
Eric: Yeah, it’s a great question. So, uh I’ll use when when we started framing um I’ll use TPRM for shorthand, but when we started framing understanding where risk was in our third party and in some cases fourth party partners, um we don’t use the business case proper now. Right. So, because we’re not generating an ROI, risk avoidance is an ROI B, right? It’s cost avoidance or or risk mitigation type stuff. Um, but to put out the case to say here’s the investment, here’s the value we’re going to get, here’s how we’re going to handle it, and here’s how we’re going to used a word earlier, sort of professionalize it,
Eric: right? To get people to go, this not just another technology that a few people are going to play with behind the scenes. U, but here’s here’s the outcomes we’re trying to do is because we’re trying to Find the vendors to understand where our risk is so that our departments and functional business colleagues can manage around that or or minimize it through additional processes and controls. Again, it helps to have board members who are moving around the space and they come in and go, “Hey, what are you guys doing in your cyber program?”
Eric: And when we talk about TPRM, they go, “Oh, that’s fantastic. Tell me more.” Right? As a because they’ve been burnt. Um, so when and and external auditors like EY when they go what’s tell me about your cyber program and TPRM it’s it’s an easy story right there’s a lot less we have to prepare because it’s a cost of doing business at some level as the markets move um and so that was the story we told is here’s what we’re looking to invest here’s why and here’s what we’re going to get out of it and here’s how it will evolve we’re not trying to solve the whole thing on day one we’re going to we’re going to ease our way into this and evolve over time, but put some rigor around that evolution inside when if someone on the team brings brings a a proposal to say, “Hey, we’d like I’d like to do this or we’d like to do this.” Um, ultimately that there are budget questions that we have to. But, but the my my criteria or my hurdle for them to jump over is the same as I would want to jump over for the executives, which is how is this managing risk for the organization? How do we intend to use this? Where what’s the vision of where we’re starting and where we think it could go? And then we’ll work that problem over time. But it’s not just let’s sign up for the next next obligatory tool because someone got off a sales call and we can’t we can’t possibly support Cytokinetics without these next one, two, three tools. That’s that’s just not an interesting conversation.
Mike: Yeah. And it’s it’s got to be a it’s got to go I think again outcome. You’re at point A. We want I get to point B. What is what does point B look like? What is what is the end state look like here? Right? How do we work backwards? And I look, I have long said that when a CISO like yourself is is purchasing something, it has to be a global win, right? It it look, it’s sometimes the shifts are incremental, but that’s all you can do, right? And when you’re moving an organization, you’re you’re not going from a, you know, a 60 out of 100 to 92 overnight, right? It’s maybe you go from 60 to 62. The path is to get you to 75 with this and then there. But it’s it’s um it’s a strategy. It’s a process. And I I have to tell you that the people that are I feel like there’s so many snake oil people out there, right, who overpromise and underdeliver. But a lot of the things in security, they help over time, right? They’re not helping you. They’re not helping you in two weeks. It it doesn’t work like that.
Eric: Yeah. Absolutely. Abs.
Mike: So, what can you tell me out of all the business cases, the best one that you’ve ever seen? And Melissa, just pop over the next slide, too.
Eric: The uh from a business case that was presented to me.
Mike: Yes.
Eric: Got it.
Mike: And why?
Eric: Yeah. Um, that’s a good question. Let me think. Let me find one that’s a that’s a good explanation of it. So, what I want people to do is tell me how they’re starting and where they think this is going and how they think this will move forward. Not because I believe they’re omniscient and they’re going to predict the future, but it’s they’ve given it some, you know, gray matter time upstairs to say this is what it looks like and this is how I’m going to move it forward.
Eric: So, um, just as part of our, uh, EDR solution, we recently added in, uh, kind of detonation capabilities, right? So, we could we could take a look at specific, uh, uh examples of malicious uh a malicious uh material. Okay, that was the one that was probably well thought out, right? Here’s how much it’s going to cost. Here’s a couple of options. We can approach it this way or this way. If we bundle it with this offering, we can get extra things that may or may not be meaningful, but the price looks like this. And I think this is the group inside of the organization that could use it today. It may extend. This is how we would want to use it. And this is what we think it’ll mean for us next year. Okay, that’s sufficient, right? It wasn’t a it wasn’t a significant investment. It wasn’t it wasn’t high five digits or anything. Um it’s like, okay, someone’s thought the dimensions of the problem out. I
Mike: was going to say that’s well thought out. Like even what you just laid out there was super well thought out. Like here’s why we want it. Here’s who could use it. Here’s the benefit. Here’s here’s how it could expand and help us even greater over time. Here’s the cost and why we do it. Bang.
Eric: And that that worked that worked for me and it was it was ultimately something that was in at least my mental roadmap for the next couple years. So that’s fine. We have someone who will oversee it and keep it manicured. That’s it’s okay to move on that.
Mike: How, you know, so you have a mental road map that obviously I think everybody does. I we have one in marketing, right? And this is what we’re doing. How do you how flexible is it? Like are you willing to again, you know, I I always think CISOs are juggling 20 projects that they want to do and one that they can execute on, right? And then because the It’s not even the money, right? It’s the resources to effectively manage the tools and tech that you’re bringing in to get value out of it, right? You’re not going to bring in 10 things if nobody can run it and you can’t get the value out of it.
Mike: So, how do you prioritize what you’re bringing in? How does your team prioritize it to you? One, and then how do you kind of shuffle the deck on that if something comes up?
Eric: Yeah, it’s a fair question. So, the the the I’ll give you two answers sort of the top down consulting answer and then the bottom up operational practicality answer.
Mike: right right
Eric: Um in in general so I keep a I keep a list of um and apologies for the buzzwords these actually mean something to me in in uh uh in definition so I keep a list of goals these are things that have directional statements to them increase decrease maximize minimize so I have a list of goals that I believe align to the organization’s goals and that that I’ll action. Then I have a number of strategies that support those particular goals. So these action statements that we’re going to end up doing and then the road map is a set of objectives and tactics that actually fulfill those strategies and support those goals. So that’s the stuff that I put on paper that says in a perfect world in a vacuum where nothing changes this is the plan, right? And and and plans are plans. Practically speaking, everything changes all of the time, right? This gets to the re this gets to the reality of your question. Um, for me, building a capability isn’t that meaningful. And and sorry to say something that will sound stupid. Running a capability is incredibly crucial. So, I’ve seen a lot of organizations that start a lot of projects, deploy a lot of technology only to have it dead on year two.
Mike: Same. Like they just it it’s it’s like it’s like the ADD of security, right? They’re like, “Oh, look at this. Oh, look at that. Oh, look over here. It’s unbelievable, quite frankly.”
Eric: So, there was there was no year 2 planning, there was no sustainability planning, there was no kind of pragmatism of the operational fabric of what was going on. So, as we get close to either looking at deploying something that’s on this intellectual item called the road map, or I’m examining someone’s pitch around, hey, we know we have the road map, but we’re thinking about doing this adjacent where this peripheral play instead. All right, is this sustainable? So, does it at least at a minimum not contradict our goals and strategies? Does it support what we’re doing? Maybe is it slightly out of alignment? That’s fine. Can we run it in year two or year three? And and by run it, I don’t mean just can you know what’s securing dollars for it. Do we have internal organizational teammates who are responsible for it or service providers who are going to be responsible for it? That’s fine. Do we have general business alignment? Then our partners are willing to operate under those those conditions as well if it’s exposed like a TPR. So
Mike: that’s a really good point, right? I I I honestly I hadn’t thought of that like extending it to your partners and your consultants and all the people like are you willing to do that? What do they think of it? Like like can you make it work with them? Because if it’s too hard like you shouldn’t or can’t
Eric: and it’ll just die. All you did all you did was waste money in year one, right?
Mike: Yeah. It’s it’s too much organizational inertia against, right? So um you know on this slide we you had mentioned budget a couple times and then I’m going to ask you just as a follow-up so we’re going to do this one and then somebody had asked a a live question on KPIs KIS but
Mike: I mean budgets are budgets you you get 5% more you get 10% less they are what they are Mike: how do you get funding for a project that you think is crucial that isn’t funded I mean right there’s trade-offs there’s right you you have a number software costs X people cost Y upex, capex, and then you make decisions based on priorities and probably impact to your or your partners and the risk reduction that you get. Mike: Um, Mike: but you know, there’s always other things that you probably want to do or you deem critical. How does that go?
Eric: Yeah. So, some of it’s going to be discretionary at my level, right? Depending upon what we’re doing and how big of a shift if we have, right? If this was if this was an ex budget um need that manifested in a year, Okay, what am I willing to trade off either internally and I’ll just make the management call or is there is there a pitch that I need to make in the finance organization or the broader executive group to say I’d like more and I’m going to implicitly ask someone else to give up something and here’s why. Um, in general, right, I would rather control those in my space rather than having to do the ladder. But I’m, you know, that’s part of my job too is sometimes you have to go ask.
Eric: Um, and then as I said, earlier, right? Since budgets aren’t mathematically infinite, there’s a priority. So, part of our case for uh TPRM or VRM as some will call it was to simply say here’s how we’re going to prioritize getting into this. We’re going to focus on critical systems, sensitive data, new vendors, right? So, at least I can demonstrate to my constituents, my stakeholders, we’re not trying to boil the ocean. And so, alignment will build over time. People will get used used to it. I’ll find my evangelists in the organization in an organic fashion and I think that’ll come because of a couple of ways and then can we move forward. Uh and and we did that all worked out pretty well. So it’s it it was it was yeah I I’ll take that win any day, but there’s a little bit of there’s a little bit of luck. We had one sister organization that was, you know, sort of dragging their feet on doing some of this stuff because they saw it as an obligatory task. They ended up engaging a vendor that didn’t go well over the course of about a year’s time of execution
Eric: and then they came back and and based on things that we did with that vendor, they said, “Ah, got it. We’re going to play nicer now.” Right? My words, not theirs. But that’s fundamentally the sentiment and now they’re now they’re a great partner that says, “No, no, no. This is value add to us because it gives us visibility that we didn’t have the last time. We suffered through a poor relationship. So, we’ll we’ll take this any day of the week.”
Mike: You know, you know, it’s funny. I I heard a lot of the same things and it it look, I had to learn some of these lessons painfully, but to me, it’s about communicating what you’re going to do to the exact team, right? So they’re not surprised, helping them understand the priorities, the budget, how you’re applying, and get everybody to agree and buy in, and then say, “Look, here’s the seven things we’re doing.” And then invariably, somebody always comes to you, it’s a board member, an exec team, or you know, a sales guy always said they saw a new saw a new shiny thing, and they’re like, “Why can’t we do this, right? You’re like, we agreed on these seven
Mike: as as an org, right? That’s our strategy. I’m happy to alter, but what of these seven things can we stop doing or should we stop doing to add the eighth because we’ve agreed on that, right? To me, it’s that that hyper level of communication, Eric, that makes it Mike: successful.
Eric: Yeah, I would agree.
Mike: Let's talk about KPIs and KRIs. We got a question from the audience on that. I mean, what KPIs... from Shirley: what KPIs should an org focus on while developing a TPRM program from scratch? And Shirley, we've done a bunch of things on that. I'll ask that we send you some stuff afterwards, but I'd love to hear, Eric, what you think.
Eric: Yeah. So I'll definitely, Shirley, sorry to disappoint, I'll definitely stay away from the "ought," right, what other organizations ought to do, but I will be happy to tell you some of the key ones we focus on, and maybe hopefully they're meaningful. We keep up-to-date, I'll say, risk metrics for all of the organizations that have gone through the TPRM process. We also use BitSight to do sort of that external credit score, if you will. So we keep those. I haven't found that to be all that compelling, frankly, to our executives. As long as we're sort of in the upper right, greenish, better than peer groups, that's kind of the news headline that they want to know. The more meaningful ones that I socialize or hand out information on are what are the types of risks and what functional leaders have accepted those risks. So that's the stuff where our executive culture, so the C-suite culture, if you will, has a strong belief that our functional leaders are responsible for risk in their functional departments. So having visibility for our VPs, our SVPs, our EVPs to know what leader in their organization has taken what risk, and does it make sense? Great. That's the stuff they want to know and see. So it's really risk acceptance metrics. How much work have we done with vendors to mitigate potential findings, where they came in and said, "We just don't do this," and we said, "You really probably should," based on working with us. So it's those things, the risk portfolio, the risk scores, that were the more meaningful indicators of the TPRM program more broadly, but we do track the other things as well. If someone wants to know how long it took to do the assessment, even though it's generally the third party that takes all the time, we have those. No one in my experience in this organization has really wanted to talk about that.
They kind of want to get a view of the catalog in their department.
Mike: Yeah. I worked with a CEO a while ago, and he always used to say, and it was a good thing he used to say, "Is that a good number or a bad number?" Right? You could present to the exec team, "We did a million assessments,"
Eric: Sure.
Mike: right, and you want them all to be impressed with a million assessments. You're like, "Well, how many did you need to do?" And the answer could be 10 million, right? So without context, right, or benchmarking, the numbers don't mean anything to a lot of people. It's all buzzwords, and especially in your program, right. I agree with you on the BitSight stuff. Look, it's external scanning, right? I think it's valuable for delta testing, if you've configured it correctly and then something changes, but, you know, it is what it is, right. We got a question from Pat: what type of metrics specifically relative to TPRM are you measuring? Can you bang out three or four? And Melissa, head to the next slide if you would.
Eric: Yeah, it's really around the catalog of risks. And I'm being a little bit dodgy just because...
Mike: No, no worries. We're not asking for any secret sauce here. So...
Eric: Yeah. And I'll try to make it meaningful. So, general business process, right? People come in; some department finds a new tool or vendor they want to use. Great. We'll run it. We do an internal profiling and tiering survey so that we get a business context for how this particular partner is going to be used. That survey, I think it's 12-ish questions, is answered by internal business colleagues, and then we go out to the vendor itself with, traditionally, a SIG Lite, and we get those hundred and whatever it is, 36 or something, questions back, and we go through the profiling. The number one question that most business partners want to ask at that point is, how quickly can we get these people on? Because it's absolutely operationally critical to get them on and contracted today. And while cyber is not a synchronous step, we don't allow or deny that transaction; we're consultative. They still want to know, can we get through the hurdles once we start highlighting the risk that we get back? And I'm talking about critical risk things that I would go to a director or a VP on and have that conversation around: Are you okay accepting this risk? I don't think this is good, but I don't have the business context to know; can you go find a replacement early enough? So let's talk through this. Then that executive, in my experience, starts wondering, okay, we might be pushing this rock too fast. Let me talk to the team to see if we should rethink this. And, oh, by the way, and now coming back to the metrics question, what's the rest of my portfolio look like? So when we bring in vendors, we categorize them organizationally so that I can go to any functional VP, SVP, or EVP along the way and say, "Oh, the vendors supporting clinical operations is this pool of vendors, and here's their risk score." And then I have a discussion around
Eric: are there areas that we think we're overly vulnerable or not. They don't know a number from anything else, but the metric that is trackable is what's the overall risk rating for the vendor, aligned by organization, so that I can have a conversation with the functional head and they can figure out whether they need to change something, rather than what are the benchmarks, the KPIs, KRIs, KAs, that somehow justify my cyber program.
Mike: Right on. You know, we're going to go probably another five, seven minutes, Melissa, Scott, and then we'll have some questions at the end. So just a couple more, Eric, and then we'll wrap up. This has been awesome, by the way. Tell me how you evaluate solution providers, just in general, when you're looking at things, and anything when you're looking at TPRM, like, you know, where did we do well, where did we do bad. But I'm just interested in how you think about bringing, and I know everybody uses the word partners, but whatever you want to call them, into your org. What's important to you?
Eric: Yeah, so I'll skip a lot of the kind of business stuff, right: is the partner not generally a startup, because we don't have the risk appetite that's going to typically work in those spaces. So, assuming that the partner we're working with is actually a sustainable business, is profitable, has been around for more than a hot minute, okay, now we can get down to some other things that are meaningful. For me, one of the most critical things, especially in the TPRM space, is: is this thing easy to use? Right? I can hoist a crappy solution on internal team members and just say, kind of, we're going to have to walk it off, right? The value we're getting out of the particular benefits of this product is just really good, even given that it's a complex thing, right? That's how Cisco survived with the Catalyst OS years ago, or IOS; it's a horrible UI, but it was for networking engineers. You just suck it up and move on with life. But when you talk about something like TPRM, where you're going to put surveys to business colleagues or send them out to vendors, the thing that makes this work is when you get answers back. So if it's not easy to use, largely intuitive, then it won't last long. So that's a dimension, to say, yeah, I want it to be easy to use so we get engagement, so we get compliance. Is there something that the particular vendor has done to jump-start it? Because while, right, we're all special snowflakes, there are a lot of the questions that are really... yeah, it may not be how I'd ask the question; Prevalent isn't built the way I might necessarily build it if I were the software engineer, but that doesn't really matter, right? And that and $9 gets you a cup of coffee at Starbucks.
Eric: So that's just an opinion. So are there things that we're getting jump-started with to help move the program forward without having to reverse engineer everything and trying to move it forward? And in this particular case specifically, one of the things we looked at was: are there augmentative services, so that if we wanted to outsource an element of the TPRM program to someone like Prevalent to do on our behalf, to chase down one vendor, then we can? Right? So are there catalogs of pre-existing data? Are there outsourcing opportunities where we can pay for someone to jump in just to provide scalability? So those are things, but that simplicity was one of the early ones that was the most meaningful for us.
Mike: And I'm gonna... we're actually getting a bunch of questions, so I do want to augment what you said, but let me set this up. So I think we should push pause here and let Scott go for a couple of minutes. Let anybody who wants to type a question in do it. But we already have five questions here. So I want to do that, and then we can stick around for the questions. Eric, the other, the last thing, and you said it, is when starting a program, it's the crawl, walk, run, and I know it's a cliché. I get that, but, you know, we've seen all these people, and we've done hundreds of implementations. They're like, "I have 500 tier vendors." I start with what's consumable. Build a program. It's about muscle memory here, folks. Especially with a TPRM program, it's not always easy and it's not always intuitive. It was the snowflake comment, right? Everybody thinks they're different, and they're not necessarily,
Mike: right? I think there's, again, it's 80/20. 90, 85% of this has been figured out. Figure out your 15%, kind of, you know, as you're doing this, and do it in a safe environment. And Eric, again, tell me I'm full of crap if you want, but, like, where do you come down on that?
Eric: No. So I would largely agree. I think, just to expand on the crawl, walk, run for a second: I want our processes to start at crawl and move quickly. I want our controls to start at crawl. I don't need the software to start at crawl.
Eric: Right? So the different aspects start at different parts of the maturity. We'll ultimately, or we may ultimately, change some things as we discover stuff. But what I don't really do in most organizations, or sorry, as I'm acquiring technologies or process control platforms, is that while there are things that make Cytokinetics unique from another pharma company, and there are things that make pharma companies unique from other sectors, retail, manufacturing, wholesale, etc., that's at the edge of these platforms that are broader than that. So we may make changes, but I don't think we're going to make those in the first five days of a technology, right? We'll go a year, two years and go, "Oh, you know what? There is an optimization that makes sense for us." And we're going through a little bit of that now with
Eric: in the world of privacy, as that blows up, we'll tweak around the edges to say we need to ask more questions around this because of the markets that we may choose to operate in. But that's a tuning. We didn't start that on day one. We started that after running for two years. You can't benchmark what you don't have. You don't know. And it's okay to screw up. Look, we've been doing this a while. I'd like to say I've made every mistake possible. So, all right, let's go to Melissa. Does it go back to you for a question or over to Scott? I should know, but don't.
Melissa: We're going to go ahead and pitch it over to Scott. Let's see. Wow, we've got quite a few questions. Here we go. So, Scott, it's all you right now.
Scott: Awesome. Thanks, Melissa. Go ahead and go to the next screen. You know, kind of what we heard... well, not that far; anyway, back to the previous one. Yeah, kind of what we heard, you know, from Eric during today's conversation is really about making a consistent set of, you know, good fact-based, data-based decisions on third parties throughout the life cycle. That's what I'm kind of gleaning from a lot of the conversation today: what are the criteria you leverage in order to make those good decisions, or what type of data do you leverage? That's consistent with what a lot of our customers tell us they really want out of their third-party risk management program. Get them the data that helps them make good decisions. Help them increase team efficiency and knock down the silos that kind of separate teams and departments and tools that are utilized to make those good decisions. And number three, get the program ready to evolve and scale as their needs for third-party vendor and supplier risk assessments change over time. Those three things generally are, you know, what we hear from customers in terms of what they want to experience. Next slide, please, Melissa, and then you can build this out one more time. There you go. That's what our approach is: to help you accomplish those three things at every stage of the third-party risk management life cycle. You know, we don't look at risk just from a perspective of vetting vendors and getting you onboarded and then off you go. It's about looking at, analyzing and remediating risks at every one of the stages where problems can happen. And that starts with sourcing and selection. You know, getting good automation and intelligence to make good risk-based decisions on a potential new supplier or vendor in the same way that you're making a decision on whether or not that supplier or vendor is a good business fit or fit for purpose.
Second, when it comes to intake and onboarding, giving you a single source of the truth in terms of supplier risk profiles, intake processes, contracting and onboarding workflows, so that you can extend this foundational concept of managing the third-party relationship to all the different constituencies throughout the enterprise that have a hand in third-party risk: not just security but also procurement, also risk management, also legal, also compliance and more. Third is, once you've got a selected vendor that matches your risk profile as well as your fit-for-purpose, and you've got some contracting done and onboarding, how do you get an initial picture of the risk that that particular vendor brings to your environment, in order to not just do some initial triage but kind of dictate what the ongoing assessment strategy is from that point? And we do that through data-driven insights to calculate an inherent risk score. And then, once that tiering and profiling exercise and categorization stage is done, what we help you do is automate the process of conducting those due diligence and ongoing assessments of your third parties across a whole range of different risk domain areas: security, infosec, cyber, whatever; data privacy; compliance across multiple different regulations, both security and non-security related; anti-bribery and corruption, you know, whatever; ESG; financial. And then we consolidate that insight together into that single source of the truth, in a single profile, to help you make a good decision: one risk register that you can then use to make good decisions on what to remediate, what, you know, is below a risk threshold, and what to kind of reinforce with the vendor. And that leads us into the monitoring and validation stage of the life cycle.
Again, what we see is a lot of companies using a cyber tool, a financial tool, a business news or operational update tool, or an ESG tool, a reputational tool, and all of that produces good insight, but very rarely is it kind of harmonized together. What we specialize in is working either with your existing solutions or delivering our own, where we can harmonize those different risk inputs into a single solution so that everybody around the enterprise has, you know, their view of data the way they need it, according to the risks that matter to them. Speaking of the risks that matter to them, you know, we mentioned KPIs and KRIs; we have the ability to also extract KPI and KRI data from contracts loaded into the platform and help you assign ownership and measurement to that throughout the contractual process. And speaking of the contractual process, you know, every relationship will end at some point. Like Neil Sedaka said, breaking up is hard to do.
Mike: I was gonna say, all right, I know that one. Yes.
Scott: But if you kind of wind down that business relationship, you know, we deliver you kind of the checklist to offboard that vendor securely, so that, you know, you're closing off line items, collecting final payments and making sure access is terminated appropriately. Again, at the end of the day, those three things at the bottom of the screen are what we're helping you to achieve: speed and simplify the onboarding process with a single source of the truth and a single process; streamline that process for risk assessment across the life cycle and close gaps in coverage; and then unify those teams across the life cycle. Next slide, please, Melissa. And, you know, we do this through a combination of the expertise that we deliver by our people, where we do the hard work for you of onboarding, assessment, remediation and management, to all the different data sources that we mentioned before, all housed in the platform that automates the workflow, the reporting and the analytics to help you kind of control that third-party estate. Next slide, please, Melissa. We address multiple different types of risks. I've got six of them listed here in broad domains, areas that are covered in our platform, either via questionnaires or through continuous monitoring. But the important thing is that this information is correlated into a single operational risk profile to help you, you know, make those good risk-based decisions. Next slide, please, Melissa. This is my last one. Again, just a reminder that at the end of the day, what we're trying to help you achieve is, you know, giving you the intelligence to, you know, make the organization smarter in its approach to managing third-party risk; unify teams and systems and processes; and then give you some prescriptive guidance to move that vendor relationship, or the management of the risks in that vendor relationship, you know, through the life cycle. That's it from our perspective.
Melissa: Let's pitch back over to you, Mike. Eric, question time.
Melissa: Yeah, I'm going to go ahead and launch our second poll very quickly. So on your screen you'll see that... apparently it's not working on my end. So that's awesome. Give me two seconds. Maybe I need to end the first poll. Very finicky today. Anyway, I'm curious, you know, are you guys looking to augment or establish a TPRM program in the coming months? Please be honest. This is something we do follow up on. You will see a call from me or an email or a few. So, you know, answer me, please. But I do want to genuinely know if you are, and if you're not sure, put that as well. But in the meantime, I know we do have a few questions. So, Eric, if you wouldn't mind, you know, answering a few of them. I know there are quite a handful, and since we only have maybe five minutes left, do you want to pick one or two that stick out to you more than the others?
Eric: Yeah, I'll actually bounce through all of them. It was good for Scott to do the pitch because it gave me a moment to think about the questions. So first, thank you for the kind words. I'll answer Karen's question and work up the stack. So Karen, just for ours, regardless of what, you know, Prevalent will say, we integrate BitSight with Prevalent. So BitSight provides sort of that outside technical credit score view. But we also do use the VRM capabilities inside of Prevalent to get a business look at an external organization. So BitSight does plug in. You actually can see the BitSight scores inside of the Prevalent dashboards; there is an integration. That's something they can talk about specifically with you. To the question of transferring or changing TPRM tools, I don't have that particular experience. I could tell you how I would generally approach the problem if a regulator wanted to come in and ask, or an inspecting agency wanted to ask. My general approach would be: what governs our third-party risk management is not the tool. What governs our third-party risk management is a set of policies, processes, procedures, and controls. Those are supported by a tool. So let's focus on the SOPs and the controls, and we will automate those in a way that's meaningful to us as a business. And here's how we handle risk. Here's who gets to approve risk. Here's who gets to accept risk. So that's the discussion I would generally change to with any sort of inspector agency if they care that much about the particular tooling set. With regard to the risk registries question, so we focus, and we've had this come up a couple of times, but our approach is this is about monitoring and managing a third party. It's not about managing a service. It's not about managing a tool set. So we look at the third party.
So, to the question of if I've got one vendor providing two services within the organization, kind of how do we think about that in the risk management sense? In general, if they have one part of the organization that's managing a lower level of data sensitivity, as an example, and then another part that's a higher level of data sensitivity, we just put them at the higher level. So we put it at the most sensitive system operations specification, put it at the most sensitive data classification, and we manage it at a vendor level, not a department level. And then with regard to the risk registries, we do have official sign-off levels that are outlined in an SOP. So we have a couple of risk registers that we deal with. One is profiling and tiering, and then we have the master one, which is where almost all the pre-canned assessment risks get dropped into. And then our SOP dictates who gets to sign off, or who has to sign off and accept a risk. And that we track through actions and tasks inside of the platform. So I think that was a quick answer to each of those questions. I can provide more detail if people want, but I think that kind of gets you there.
Melissa: Perfect. And I think I just saw one more pop up about four seconds ago. Can you see that one? "The non-public company vendors. How does your DD alter?" I'm not sure if you want to answer that.
Eric: Non-public company vendors. Let me think about that for a second. So I don't know the acronym; I can't contextualize it, but I think I get the thrust of the question. Sure, with non-public companies, ultimately, right, we don't get to see anything that's been publicly available. However, there are things you can go after if you wanted to. Oh, due diligence, thank you, appreciate it. Yeah, so part of that is the assessment itself, right? So we ask the company to attest. We don't do inspection; we don't do audit. So we work with companies and we give them a chance to self-attest and talk about what they're doing and how we check. But at that point, we take their word. There will be other contractual clauses that deal with enforcement. We haven't gotten to a place yet where we're doing actual auditing or inspection to do confirmation of what they're trying to do. So with non-public, it's still the same approach. We may ask for additional, right, a certificate of insurance for cyber or general business liability, to make sure we see that, because we'll let the insurance companies kind of do some of that due diligence for us. But that's generally how we're doing it at this point.
Melissa: Perfect. Well, I appreciate your time, Eric. I know you're busy. And Mike and Scott, thank you so much. And most importantly, thank you to those who asked questions. It was meant to be very interactive, and we're at the top of the hour on my clock. So I went ahead and I just typed my email in, in case there are any questions. I know there's like an [email protected], but that one's my direct one if, you know, there are any questions after this. And I hope to see you all in a future webinar. Take care, everybody. Thank you.
Mike: Thanks Eric.
Scott: Take care guys.
©2025 Mitratech, Inc. All rights reserved.