Responding to a high-profile security incident or supply chain disruption is the wrong time to engage senior executives in your third-party risk management program. Instead, proactively working with leaders to communicate the value of third-party risk reduction before an incident occurs ensures that you will be prepared when they do call.
Join our next webinar, presented by Bryan Littlefair, CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva, to gain insights on making third-party risk a priority for your executive team.
In this on-demand webinar, Bryan discusses:
- Distilling third-party risks to focus on how they affect the bottom line
- Best practices for effectively communicating with executives and board members
- Key metrics for reporting on what’s working and what’s not
- Tips for optimizing your third-party risk program
Register now and be better prepared to approach your executive team to make third-party risk a priority for your organization.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Amanda Fina: Hello everyone. I'll look at those numbers jumping. Good morning, good afternoon, good evening wherever you are. My name is Amanda Fina. I'm your host for today's session. In today's session we have Bryan Littlefair, CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva, and he's going to offer his insight on making third-party risk a priority for your executive team. As an added bonus, we have Scott Lang, our very own VP of Product Marketing, joining us today as well. We'd love to know what prompted you to be here today, so I'm going to put up a poll here called While You're Waiting. We're just curious as to what brought you to our session today. Is it for education? Is it project research? You don't know why you're here? That's a whole issue in itself. We'd love to find out how you got here, if you have no idea, or if you're a Prevalent customer, which is always great. We'd love to have you here. So let's go over a couple of housekeeping items. You are all muted automatically, but we do want to keep this as interactive as possible, so please use the Q&A. Take advantage of Bryan's brains and Scott's brains. Ask as many questions as you can, but just to keep the flow going we'll more than likely do Q&A at the end with another poll question, which also brings me to another thing. Please be honest with your poll answers, because we will personally follow up based on what you say. So especially if you're saying yes to something, expect something from me, or from my counterparts Melissa or Landon. Let's not get confused there. The session's being recorded as well, so you'll get it in your inbox either today, end of day, or tomorrow. So you'll have extra time to review it, share it with friends, whatever it is, but you'll have it in your hands as soon as we possibly can give it to you. So I think that is it for me.
I think we're good to go here. Bryan, I'm going to hand it over to you.
Bryan Littlefair: Thanks, Amanda. And hi, everyone. It's great to be able to talk to you from the UK today. So you're starting your day or in the middle of your day; it's winding to an end over here. But this is a topic that's very close to my heart. As Amanda said, I've been a chief information security officer for a fair few organizations and still continue to do that as an interim or roaming executive. I spend a lot of time in the boardroom and a lot of time speaking at conferences as well on how to bridge the perceived chasm that can exist between the CISO and the board, or the CISO and the executive team, and how to improve that relationship. So it's great to be able to use third-party risk management, a topic that's very close to my heart, for some examples and certainly some techniques, and to cover some of the challenges and issues that I actually see on a day-to-day basis. So let's crack on with this. That's me. I need a haircut, right? A little bit of scene setting. I've certainly spent the last decade sitting in boardrooms, not just for the security section. When you're a CISO, you're kind of wheeled in, you do your CISO bit and then you're wheeled out. Now, as a cyber adviser or a consultant to boards and executive teams around the world, you get to see a lot more of the board meeting, which has its pros and cons. You also have to read the board pack and those aspects as well. But I've seen a transition over that period in terms of boards starting to get cyber security.
Bryan Littlefair: I think what's driving that is monitoring the global regulations around the world for a lot of multinational clients, and we are starting to see the requirements and the directives that they set starting to harmonize and be very clear, certainly if you're in a regulated sector, about what their expectations are of how your organization treats cyber security. And whether you're on the US side or on the UK and European side, governments, or certainly the citizens within those countries, are starting to think, well, we trust our data with all of these customers and there's breach after breach or incident after incident, and they want to get that trust model fixed and resolved. They want citizens, or people living within countries, to actually have some trust in the organization that they're giving their data to. So there's a requirement on that organization to put in the appropriate controls and the appropriate measures. But as we all know, it's not just that organization you're liaising with. There's a whole third-party, fourth-party, nth-party supply chain that in a lot of cases actually gets hold of customer data. So that's why boards and executive teams, I think, are starting to really care and starting to focus down on these topics as well. I see them actually driving for that clarity, that risk position, and actually I see a lot of the problem being on our side now, the security team's side, saying we've been trying to tell them this message for so long. Now they're asking for it, but they're not 100% happy with how we're telling that story, or certainly not in all cases. And a lot of organizations are starting from a fairly low maturity point when it comes to third-party risk management.
It's a long, complex journey to get your head around what risk is presented to the parent organization from your entire supply chain. So if you're just embarking on that journey, there are obviously some acceleration points that you can put in place, but it's going to take time to get to that viewpoint.
Bryan Littlefair: And a lot of organizations, as I'll cover in this slide deck, are at a different maturity point. No one's at the same position. Every organization is different. But I think if you do recognize that, the board will be interested in what you've got to say. Board and executive team, I know, are different entities, but for these purposes they are interchangeable. They want that clarity. They want that information. And I think if you can get your head around the formats that they want that information presented in, in terms of the universal language of the board being finance and risk, then I think you'll start to get that traction. Hopefully what I'm going to talk about today are some of the approaches that I've seen work, and some of the approaches that I've seen that don't work. And then hopefully I'm going to leave a little bit of time after Scott and myself have talked for some Q&A and challenge, and as I always say on these, please feel free to disagree or challenge, right? These are just my views and my perspectives, and if you've got another one, I'm more than happy to debate that. But what we are seeing across the globe is we're seeing these challenges. We're seeing these issues. We're seeing hackers being very public that it's easier to hack a parent organization via their supply chain, with those trusted relationships in place, than it is in some cases to go after the parent organization. That parent organization might have 200, 300, 400 security team members. They might have budgets of 10, 20, 30 million, or be a lot smaller. But the organizations they put trusted network user relationships in with won't have that capability, or certainly not all of them.
So there's a lot of effort in the hacking community, so to say, to identify where those relationships are in place and which suppliers company X, Y, and Z use, and can they go after them and leverage that pre-existing trust relationship? So let's try and get it right. Let's debate the topic. And I think when you do, you'll be pushing on an open door. I think that's what the boards want to do.
Bryan Littlefair: They want that clarity of information because they want to engage. A lot of them don't know how to engage in complex security topics. So I think we don't have to simplify it, because they're very clever people. We have to recognize their skill set and present it in a language that they can understand. That's what we're going to hopefully cover today. So why do we actually need third-party assurance, and why do the executive team actually care? We've already touched on regulations. Regulations are only going to go one way, in my view, and one of my personal desires would be that regulators talked more. For example, if you're running a large global multinational in 60, 70, 80 countries, regulations differ in every country that your organization operates in. There's a lot of overlap, and harmonization would certainly make a lot of sense. We see that to some degree, but certainly not all, and we'll cover that a little bit later on. We need it for our risk management, right? We need to understand what role the third parties play in delivering our product or service to our end customer. In a lot of cases they play a significant role. They might be running our IT systems, or if we're a producer of a product, they might be delivering the raw products or the raw ingredients that we actually need to make our product to sell. And there's a lot of factors that can impact that. They could be attacked. They might go offline. And then how can we continue selling our services? But equally, physically, we need to understand that from a risk management perspective, and a great example is the Suez Canal being blocked.
So if container ships can't get through that canal, then obviously our product can't get to the end destination and we can't sell it to the customers, and that can cause brand or reputational damage. It can cause customers to move to the competition. So we're not just talking cyber here.
Bryan Littlefair: We're talking third-party assurance, and that's a more holistic view in terms of managing that risk, and it's important we recognize that. We need to get this right so that we can support business decisions as well. The business needs to consume the metrics and data that we can actually present to them to know how fast they can move, how fast they can accelerate, how fast they can expand, and what the risks are that are inherent in them doing that. I often see a bit of a disconnect here, in terms of the security team assessing risk and assessing security really for their own compliance requirements, and not actually being fully integrated with the broader business. I think a really effective third-party risk management program has the full support and backing from the business, but equally the data that's captured and analyzed is disseminated broadly into the organization and really helps support and underpin other business decisions that are required. I think that's a really good indicator that you're doing the right thing. But obviously compliance really matters as well. Pick an acronym, right? There's going to be thousands around the world, but they all certainly dictate how we manage our third parties. That's really because it's a huge risk, because of the things that we've already discussed. And again, very little global adherence here. There's 160 different legislations that pertain to how we manage data. So whether you've got the California Act over there in the US or you've got GDPR over here in Europe, there's 160 of those around the globe. So if you are running a global multinational organization, it's getting your head around what we are actually required to comply with and where, and how that stipulates the requirements and controls that we need to push into our supply chain as well.
And then from a governance perspective, as I mentioned earlier on, our customers care that you get this right. Certainly depending on the products and services that you offer, if you're in financial services, if you're in telecoms, if you're in pharma, for example, you've got some pretty sensitive data
Bryan Littlefair: on your customers, and they're trusting you to do the right thing to effectively protect that. I think that's why the executive team are really buying into this now, because they recognize that the tolerance from a customer perspective to breaches is certainly going down, and there's an expectation that the right steps and measures are taken to adequately protect the security and the data that is ultimately the target of any attack. So that's why they really should care, and obviously explaining it to them if they're not caring isn't a bad thing. And then there's quality, and this is often overlooked, but quality is absolutely critical, right? We had this challenge over here in Europe, not just in the UK, where the quality over the supply chain in meat wasn't really there. We actually found out that in some cases horse meat was making it into ready-made lasagnas and ready-made processed meat products, for example. The customer didn't know that; it wasn't on the label. It was a whole supply chain breakdown. So again, just to highlight that we're not just focusing on cyber IT risk here. We've got quality in. We've got our compliance requirements. We have to satisfy our regulators. We need to understand what the risks are in terms of supply. Can we actually get hold of that product and those services? And what are we going to be doing? So it's a whole picture.
And if you think about all of that as an entirety, that's why the executive team is starting to care, because if this goes wrong, or if it starts to erode, or the quality goes, then obviously that impacts the product and service that you deliver to your consumer, and they're going to want to know about it, and they're going to start to come to whoever manages third-party risk management within your organization. Because of this holisticness, it's not always the CISO; this isn't always a security-led initiative in all organizations, but you'll always play a role in that, and it's important just to recognize that.
Bryan Littlefair: So how do different companies approach the challenge? I see this breadth on a daily basis, and I'm certainly not going to go through each one of these individually, but there are companies that quite frankly do very little, the bare minimum. The business can dictate who they want to put contractual arrangements in place with. There's very little due diligence performed. Therefore they don't understand the risk. They don't understand if the person behind the business is a sanctioned individual in some countries. So I don't think really doing nothing is acceptable anymore. You have to have some moral compass, and you have to understand where your data on your customers is flowing, and certainly, as I said, if you're working for a regulated industry it's a requirement that you actually have an effective third-party risk program operating. Others do more; they're a little bit more managed. They have some engagement, but they don't extend their control environment into their supply chain. They don't stipulate, this is how we expect you to behave, here's our security policy, here's what we expect you to do, and here's the framework that we're going to operate within. And then as you start to move up, you start to get into the more mature space where the third-party risk management program is established. You can't engage with a supplier without going through the pre-engagement due diligence, and all of the risks are understood before that contract is put in place,
and before money starts to flow or services start to flow between the two organizations. I think at a minimum that's where you can expect to be, or certainly the expectation is that you start to get there, because you actually start to understand the risks and the issues that are contained within that commercial arrangement that you've just put in place. But there's still more to do. So at a minimum three, but you certainly should be striving for four and five. What we want is to understand all of the risks that a supplier presents to us before that contract is signed.
Bryan Littlefair: We've extended some controls to them, or actually the more mature aspect is that we've extended all of our controls that we think are relevant to that particular supplier. So we understand that supplier; we understand what they're doing for us on a global basis. We understand the nature of how they operate. We understand what security policies and practices they deploy. We understand the capabilities within their teams. We understand the geography that they're going to be operating within, and we have these frequent sit-downs with them, depending on how critical they are to us, to get that continual assurance. That's the start of a partnership. It's the start of a relationship, and obviously you can't do that with every supplier, but the aim is to start to get as much information as you can. As you'll see shortly, I'm a great advocate, and hence why I'm talking, for tools like Prevalent, because if you're moving away from an Excel or manual-based approach to an online, threat-driven, risk-modeled platform like Prevalent, then you can start to get a lot more detailed information on your supplier footprint rather than relying on that manual process that some of you might be running at the moment. So what are some of the problems they encounter? I think I've encountered most of these in terms of delivering an effective third-party risk management program, and these are some of the barriers that stop that effective executive relationship being put in place. There's nothing worse than you trying to run an effective program, but the broader business thinks it's a bottleneck, thinks it's a challenge, thinks it's not effective. So you really have to work in collaboration with your broader stakeholders and actually understand what these issues and challenges are and how you can move forward from them. But I see these all the time.
I see security teams running manual processes based on Excel. You might have a 50-person security team. You might have two people dedicated to third-party risk management. They might have three and a half thousand suppliers to manage. It just can't be done.
Bryan Littlefair: It's like trying to run a security operations center with manual processes. It's like trying to run a data loss prevention platform with manual processes. The numbers are just too great. Thankfully the world has moved on, and we have to embrace the technology that's been developed to help us number-crunch and get an accurate position. So I see security teams taking the brunt of it. I've done a webinar for Prevalent as well on how to improve the relationship between the security team and procurement, and you should look at that, because the objectives are very similar in terms of what people are trying to achieve. But if the security team's process isn't optimized, if we're sending out very long questionnaires, if we're sending them out once a year and then we're not getting back to the supplier with feedback, then procurement get the brunt of that. They get the complaints from the suppliers saying, we're ready to deliver our service or product to you, but we can't do it yet because we haven't got sign-off from your security team, and then that starts to create friction between the procurement team and the security team. So it's really understanding what the processes are, how they can be optimized, and who the stakeholders are that are going to be involved in this. And then we go up to the executive layer, the board, the CEO, CFO, COO, etc., and they can't get clarity. I'll highlight some of this later on in the deck, but what they're looking for is what I've coined as meaningful metrics. They want the analysis to be done for them. They want to understand what the major risks are within our supply chain, where they are likely to materialize, and what we are doing to mitigate them. It's a fairly simplistic question, but when you broaden that across an entire supply chain, two, three, four thousand suppliers in some cases, it's quite a hard question to answer.
So we need to embrace the technology that's there to help us get that answer as quickly as possible. So what is that executive team looking for?
Bryan Littlefair: They're looking for 100% coverage, and this is really, really important: any process that we deliver or deploy needs to cover all third parties globally. I see this as a bit of a challenge or a blocker for these stretched security teams. Sometimes it's still three or four people to cover a multinational organization, and that can be an issue. Because suppliers, quite frankly and honestly, from my perspective, like to slice and dice companies in some way. If they can, they'll sell to the UK business, then they'll sell to the Indian business, and they'll sell to the Turkish and the US and the Canadian, etc. They actually like organizations that haven't got that global view, because they can set different pricing, they can set different contractual terms, and they can leverage that uncertainty. What we need to do is work effectively with our procurement colleagues to make sure that we've got clarity over where our spend is going, so we can get maximum bang for our buck, but equally we can actually manage that risk exposure more effectively. It's a lot better to give a lot of the spending to a few suppliers if possible, because then you become more important to them. You can get that relationship put in place and actually you can start to understand that risk. If you've got 10, 20, 30 suppliers across the globe overlapping in terms of the services they offer to you, then it's going to be a challenge to manage from a risk perspective. But equally, it doesn't make financial sense to do it that way. And equally, you need to understand that if you've got this third-party assurance team sitting somewhere like the US or the UK, they might understand the local business that we have with a supplier, but they might not understand that in another country like India, this supplier is huge.
So we need to understand that global coverage from our supplier footprint and what that actually looks like from a risk perspective. And then we need to balance that risk. We can't spend all of the time that we need to focus on each of our suppliers. We need to tier them. We need that ability to drill down.
Bryan Littlefair: We need the data to be able to be modeled. We need to understand and inject that threat angle. That's what's really critical with platforms like Prevalent. Certainly when I started in security, I would have loved this tool to be around. But we did have to use Excel. It was all we had at the time. You can't introduce risk; sorry, we can't introduce threat. And as soon as the organization is assessed, the data is out of date pretty much straight away. We all know the change that happens in each of our organizations, and our suppliers are no different. The risk position will look different day to day, hour to hour, minute to minute. So we need a capability to keep our finger on the pulse from a supplier perspective and actually understand what is going on from a risk perspective. We need that ability to drill down into that data. And we need to be able to operate in facts, not fiction. If you go into an executive team with perspectives and views rather than fact, then that will very quickly not hold water. So we need to make sure that we've done the analysis for them up front. We need to make sure that it's fully quantified, that we've got faith in what we're presenting, and that we can model going forward what we think that risk position is going to look like. For example, we may use the Suez example. We may have used a supplier that traversed that route, but actually we should have thought through that that might have materialized as an issue, and have a backup plan that we can invoke and put in place. And then we need the meaningful metrics that we've just discussed. We need to get the board and the executive team bought in.
You cannot go in, and I'll show an example in a little while, you cannot go in with highly complex grids and expect them to do the analysis and the modeling of what the risk position is on the fly. We need to actually do all of that for them. They can't do that in the meeting. It's too much information, and they certainly can't present these complex grids with RAGs all over the place. So we have to put the legwork in.
Bryan Littlefair: We have to understand what the KPIs and the KRIs are that we want to present, and actually we want them to be able to lend their backing or their support, or we can make meaningful decisions to move forward. But if we compare that to the CISO's priorities, what is the CISO there to do? Fundamentally, when I was the CISO of large organizations, I was viewed as protecting the brand. There's huge investment that goes into promoting a positive brand position for your organization in the eyes of your current customers and your potential customers going forward. Nothing impacts that worse than a security incident, and that can be at a supplier of yours as well. So you are giving, or in all likelihood the people on this call are giving, data to other suppliers to process on your behalf. You still remain the data owner, but there are people controlling that data on your behalf, and if they have a breach of the data then actually it's still your problem. It's still your challenge, and getting that understanding and recognizing that you have to protect your data in someone else's network is where your control frameworks and all of those aspects come in, and that's what the executive team want to understand. They are getting comfortable with working with a distributed supply chain. They're getting comfortable working with aspects like cloud computing, but it all comes down to how we're managing the risk. What are we doing to embed our control environments into these new ways of working? And it's the CISO's job in most organizations; maybe in financial services you have the CRO, the chief risk officer, for example. But you have to manage that risk exposure, and it is very, very challenging.
In my view, in my personal view, third-party risk is one of the most dynamic and challenging risks to quantify, to present, and also to manage, because you're dealing with so many different organizations, and something can happen at any one of those organizations that can spoil your day and obviously cause a significant challenge to your organization.
Bryan Littlefair: So it's getting your head around, who are my critical suppliers? Who do I need to spend the time with? Who's processing data on our behalf? Who has access to our network? All of those questions need answering in advance so that you can actually quantify that risk and manage that effectively within the organization. And as we've discussed, it's the CISO's job to adhere to compliance and regulation. This is only going to go one way. But I think we can't get overburdened with compliance. It's something that we actually have to do, of course, but I don't believe that compliance equals security. I've done lots of work for lots of organizations that have been 100% compliant to their security policies, 100% compliant to their regulatory requirements, but have still suffered fairly significant security incidents. So we can't just rest on our laurels and say, well, we comply to this, we comply to that. We have to have that risk- and threat-driven view of the world and actually understand that there are ways around our security and there are ways around our processes, even if we are compliant to our security policies. So it's getting that hacker mindset and actually understanding how we can test ourselves, how we can test our suppliers, to make sure we've got maximum levels of security, because ultimately we're trying to protect our customers' data. I think that is one of the key CISO priorities. We are the custodian of that trust that has been put in from our customers' perspective, and it's the right thing to do. And in lots of the discussions I've had where things haven't been going the security way, it's: pretend the customer's in the room. Pretend one of our customers is sitting in that chair over there. Would they be comfortable and confident with the way that we're going?
Would they be comfortable and confident with the way we're managing risk? That's the litmus test that I always use to understand whether we are doing the right thing going forward. So what options do we actually have to improve? Right?
Bryan Littlefair: So we can improve, we can invest in tooling, and that is absolutely the key thing, and hopefully why a lot of you are actually sitting on this call today, saying, well, what can we do, what can we improve to go forward? The world has moved on from the world of Excel. So if you're sitting there today thinking, well, we send out manual questionnaires and we have analysts actually look at the findings, and if analyst A looks at something versus analyst B we might end up with a different perspective on a supplier; or if you're sitting there thinking, we use one process but procurement use another, so actually we have two different views of risk from a supplier within our organization; we have to start to harmonize that view down. So invest in tooling, recognizing that there are great products and capabilities out there that can help you get that rapid view of a supplier going forward. I was a customer of Prevalent when I was a CISO, and the thing I actually loved about it, just a small story from my perspective: running a large global organization, lots of new suppliers coming on on a daily basis, and these were the days when we were running Excel and we were running manual processes. The business used to come to us and say, look, Bryan, we want to start a business relationship with this supplier. We knew nothing about them from the outset, so we only knew what we could Google, and that was the challenge. Then we had to send them out our questionnaire, and then we had the lag of them filling in the questionnaire, and then we had to get the results back and analyze them, and that frankly could take weeks. Now you can log onto a platform, and obviously thousands of suppliers are pre-coded into this platform.
Brian Littlefair: So you’re already starting off from a big leap forward, where you’ve got a lot of information that other customers have asked this supplier, and actually what I think you’ll find out is there’s a very small number of additional questions that you’ll need to satisfy your own security policies or risk requirements, and then you’ve got a good holistic view of that supplier. And that really shortcuts that process of getting that risk-driven approach nailed down. But it is absolutely critical that you do get there. And equally, what I like about it is it brings in that threat angle. As I said, that threat position from a supplier can change day on day, and you don’t want to be finding out that there are issues with your supplier from Sky News or CNN or your local news channel. You want to have your finger on the pulse a little bit more from that perspective. So the community aspect, that collective view of everyone that’s using this supplier, or equally that supplier communicating out that they’ve had a challenge, and the notifications you can get, that really gives you that near real-time view of what the risk within my supply chain actually is on a day-to-day basis. Because if you think about it from that Excel way of working, you wouldn’t actually find out anything materially new unless you sent them out another questionnaire and it was analyzed.
So I think we have to leave that world behind and, as it says, leave Excel behind as well. But that segmentation needs to be done carefully. I’ve worked with lots of procurement organizations and lots of business stakeholders, and quite frankly and honestly, lots of business people don’t want their supplier to be in tier one, because they understand that that’s extra governance, it’s extra headache, it’s extra paperwork. But it’s us, working with the business, that have to actually decide what makes a tier one supplier, what makes a tier two and what makes a tier three. And frankly, it’s going to be different for every organization that’s listening on this call.
Brian Littlefair: There’s no unique rule set that actually categorizes within them. But there are some standard requirements: customer data, logical and physical access to our environments, and all of those aspects. So getting that tiering right and understanding how we can use our scarce resources as effectively as possible, to spend quality time on moving those relationships from a supplier up into a partnership, where they clearly understand what we expect of them and we understand their ways of working. I think that has to be the objective and the goal. So let’s talk a little bit about meaningful metrics. This is actually an example, an obfuscated example of course, of some of the things that I’ve seen in my consulting world. And this is only one page of it, right? This grid went on and on and on. And this was actually in an executive board pack. Some of you might recognize something like this, but if you are using this model, it doesn’t work. This was brought into an executive meeting and it was left to the non-executive directors and the executive team to scroll along to a supplier and a red, and then scroll up to a control, and then try to gauge, well, who is that supplier? What do they do for us? And how critical is this control? And obviously there are a few reds on controls and there are a couple of reds on suppliers. You can’t live in that world. It’s too complex and you’re not going to get an accurate view of the risk that relates to you. It’s too busy. You’re looking at it and you can’t see the wood for the trees, almost. But the worst thing is it’s static. That picture won’t change materially
Brian Littlefair: month on month, and it will take a huge amount of effort to update that data set, right? So getting in touch with each supplier, having a physical conversation or email conversation with them, understanding where their progress is on control XYZ and what their time frame and plan look like, and then understanding, well, is that a red, is that an amber, is that a green. And that’s where you can burn the resource on a team, and that’s where you see security leaders or risk leaders going into the board saying we need another 10 or 20 people. But actually you don’t; you just haven’t optimized your process, you haven’t optimized your tooling. You can actually handle a fairly complex supply chain with modern tooling and a fairly lean team, if you’re actually embracing the new ways of working and the new capabilities. And actually, when I moved from Excel-based approaches into tools like Prevalent when I was a CISO, it was actually taking dashboards into the actual meeting room and showing, this is the movement that we’ve had. Here’s where we think the major risks are presenting themselves within our supply chain. And you can start to have those meaningful conversations. You can drill down. You can click on individual suppliers that are of notable concern, or that we think are having regulatory issues, and you can actually discuss what those mitigations are that are currently in flight and what the impact is going to be. So obviously you can see, moving from a very complex, static way of presenting information into a highly dynamic one.
I think that really helps foster that engagement with the executive team. And I think it’s really important to understand what the executive team are there for. Obviously the CEO, CFO, COO, etc., the C-suite, they’re there to run the company. Then when you step above that and you’re actually interacting with the board, typically, depending on the organization size,
Brian Littlefair: they’re representing the shareholders’ interests, and in a lot of sectors the non-executive directors have personal liability and accountability, on their own financial situation, to make sure that things are done appropriately and things are done correctly. And then obviously they’re representing the interests of the shareholders as well. So that’s why they give challenge, that’s why they ask for improvement, that’s why they ask for things to move forward: are we doing things the right way, and how are other companies approaching it, and have we asked and made sure that we’re approaching things the right way? Because we have to mature. We have to be able to keep that capability improving going forward, and that’s where some of those sometimes difficult conversations around budget and resource come in. I would personally focus on making sure that I have fully optimized my way of working, that I’ve embraced the latest technology, and then obviously go up and present a very clear picture. I think that will show that you’ve taken it very seriously and that you can get that buy-in and support for what you’re trying to achieve going forward. So what are some of the metrics and best practices that you should be measuring? Let me just build this up. I think that broad categories from a board and executive team perspective fall into these four categories, and I think you can distill all of your KPIs, all of your measures, into these four different areas:
- Risk
- Threat
- Compliance
- Coverage
Brian Littlefair: If you can actually put your communication to the executive and the board into these buckets, you won’t be far wrong in terms of getting the engagement and getting them to actually understand what you’re trying to achieve. Risk is, as I’ve mentioned, the universal language of the board. You can’t go into a board or an executive team and talk technical. Technical language loses its traction as soon as it leaves the technical audience.
Brian Littlefair: And not a lot of board members and executive teams, in my view, depending obviously on the organization and the nature of that organization, really understand the technicalities of what we’re trying to achieve. So if there are technical issues and controls that are failing, we need to translate that into risk. We need to translate that into threat. What is the likelihood of that occurring? And from a threat perspective, I see so many organizations having to treat threats as incidents, and what I mean by that is they don’t actually have the information on their supply base. So when there’s a threat floating around out there and it’s on the news, something like Blue Yonder or some crypto malware that’s flowing around, you can’t answer the question of, are our suppliers susceptible to this? And the latest Log4j challenge that we saw floating around recently: lots of organizations could answer that in a heartbeat, because they knew the capability of their suppliers. They knew their patching regime. They knew what technology was in play. They knew their approach to using open-source technology. So they could actually answer that very quickly. Others that are on a more manual approach said, “Well, we’ve got to go and ask 3,000 suppliers. We’ve got to send our emails. We’ve got to wait for the responses.” So, fundamentally, we don’t understand what our threat exposure is. So you can see the benefit of moving into: yes, we need to understand the risk, but actually we need to model that through our threat intelligence and our threat feeds as well. And compliance, we kind of covered. It’s not going to go away. It’s a necessary evil, but I think compliance is becoming more standardized around the globe, and it’s a good thing in some regards, because it’s making organizations step up their security.
Certainly over here in the UK: financial services, telecommunications, critical national infrastructure.
Brian Littlefair: There’s a lot of focus from the governments across Europe to stress test companies from a red teaming or an ethical hacking perspective, and actually moving away from policies and procedures and saying, “Well, how actually would you perform if you were hacked or attacked?” And getting that insight and that learning is a lot more insightful on how to move forward from a risk perspective. And then getting that coverage. I’ve seen it happen a lot where organizations think that they’re not impacted by an issue, but they actually are, because they haven’t understood their entire footprint from a supplier perspective or a geopolitical risk perspective. So think about these buckets. Think about how you’re communicating with your board, and do you actually fit into these broader areas. So this is my last slide before I hand over to Scott, and we want to leave a fairly decent chunk of time to get into some of the questions that we can see flowing in. So what do I think of some of the trends, dynamics and futures, and how does that impact how we engage with our executive teams and move things forward in a positive footprint? Static information is obsolete. Right. Hopefully you’ve picked up that that’s my personal view, but I see it time and time again, and I know there’ll be several people on this call thinking, we’re using a static process, we’re not happy using a static process, but we can’t get the buy-in to be able to move forward. And hopefully some of the arguments around that: you can’t model threat, you don’t know what others are doing, your data is out of date as soon as you captured it, etc. And it’s an expectation from your customers that you take security seriously.
Brian Littlefair: We have to start to move forward and embrace some of the enhancements that have been made in this technology to actually get that capability. And I see more and more organizations recognizing that you need that near real-time view. Those examples that I used: you wouldn’t run a security operations center on manual processes, you wouldn’t run a manual data loss prevention platform, and all of those aspects, and third-party risk management is no different. It’s a number-crunching exercise and you need the tools and platforms to help you crunch those numbers for you and present a real-time or near real-time view of what your current risk exposure is. And I think threat absolutely changes everything. I saw it happen with my own eyes. I was on a trade and investment mission in Israel, and as everyone knows, lots of security technology is developed out there. It was a global trade and investment mission and there were CISOs there from all over the globe, and then Blue Yonder hit. That was a fairly catastrophic incident for some, but not all. And I saw a full plethora of responses to that. I saw people running for planes because their mothership organization was calling them back because things were collapsing, to people just checking a few applications and saying, yes, there’s a threat, we don’t think it’s a risk to us, we know our patch status, we know the patch status of our suppliers. So getting that real-time view can actually stop significant cost, significant investment, or certainly offset it, because you’re not having to treat every threat as an incident, and drive things forward from that perspective as well. So, thank you for my time. Thank you for your time. I can see lots of questions coming in.
I’m going to hand over to Scott, who’s going to talk you through a few slides on the Prevalent platform, and then we’ll get into the Q&A. Scott, over to you.
Scott Lang: Hey, that’s great. Thanks so much, Brian. And if you could advance to the next slide, please. One of the big takeaways that I took from Brian’s presentation is the inherent level of complexity in understanding risks as they are presented to the organization, in whatever format, at whatever stage of the third-party life cycle your vendors and suppliers are in, and then presenting that meaningfully back to decision makers, leaders, executives, board members or whoever. That takes a solution that addresses risks at those different levels. The last thing we want to end up doing, or that you want to end up doing, is presenting a set, as Brian said, of disparate data that doesn’t really tie together or make any sense, or doesn’t have any kind of context to it. And that’s what Prevalent specializes in: the context that you need to understand risk at every one of these stages and present it in a meaningful way back to senior leadership in the organization, not just to manage ongoing incidents but also to show proactivity and discipline and rigor in the process, to address potentially compliance and audit requirements as well. And that approach has some derivative benefits as well, including less cost and risk when you’re selecting new vendors. If you’ve got good visibility into the risk postures that those vendors bring, inherently there’s a faster onboarding process. As you get more intelligence and insight over a vendor’s security and data protection and business resilience policies, you reduce some downstream risk by getting that picture early on in the cycle. The next piece of it is not just looking at the periodic risk assessments that you do during onboarding and due diligence or during contract renewal, but perhaps in between those detailed internal controls assessments.
What type of intelligence do you need to make sure you’re on top of whatever persistent threats you’re facing in your extended supply chain, and then incorporate that context, collate it, and then be able to use it to validate the presence of internal controls at those vendor sites, or validate that they’ve got the right policies in place? And then it also extends to a vendor’s ability to deliver. It’s not just about a cybersecurity, information security, data privacy or business resilience problem that a vendor or supplier could face. It’s also about their ability to simply deliver on expectations, whether those are KPIs, the things that Brian has presented on thoroughly in the past. And then finally, the risk stage that most companies just don’t pay enough attention to is offboarding and termination. We do tons of due diligence before selecting vendors. We assess the inherent risks that those folks bring to our organizations. We deliver good reporting. We recommend remediations. We follow them through the life cycle. But then when that relationship ends, very seldom does an organization follow that prescriptive process to say, okay, what are your data destruction policies? Is our data destroyed? Have final payments been made? Have we met all of our reporting obligations? And more. All of these types of things are going to come up at some point from a board when an offboarded vendor, for example, suddenly becomes a risk because they didn’t follow the proper protocols to destroy your data. And this has benefits throughout the enterprise, from procurement to security to risk management to compliance and more. Next slide, please, Brian.
What I think you’ll find in the Prevalent approach is that we absorb, assess and analyze risks from literally hundreds and thousands of different sources. Not just completed assessments that vendors complete, but also half a million sources of outside or external threat intelligence, and we bucketize those into the six buckets that you see in front of you. Now these are just representations. There’s more than this; it’s all I could fit on a slide. But we look at risk holistically, not just the most obvious data privacy and protection risks. We also look at things like health and safety and ESG ratings and more, so you have a full view of the risks that those vendors, suppliers and third parties are presenting to your business. So when there’s a reputational problem for a supplier who’s been using forced labor overseas to produce an input into your process, you will have that visibility to be able to respond to it accordingly. Next slide, please, Brian. At the end of the day, our process is really threefold. What we’re trying to help you accomplish is this: we help make you smarter with a data-driven, comprehensive and contextual approach to risk intelligence, giving you the inputs that you need to make good risk-based decisions.
Unify what normally is a whole disparate set of siloed tools that are used to consume this information and report on it, unified into one solution so everybody’s singing from the same hymn sheet, as we say. And finally, be very prescriptive in our approach, with built-in intelligence, risk response plans, remediation guidance and more, to accelerate the process of third-party risk management and reporting to the board and executives, and ultimately close the loop on those potential risks that could impact your environment. And really that’s it, that’s our approach: how we take information from all these disparate sources, translate it into a meaningful fashion that you can utilize, and then that translates to actionable steps to take to remediate risk down on the other side. So that’s our approach. Amanda, I’ll pop it back over to you if you want to open it up for questions.
Amanda Fina: Yep, sure will. I have a poll question myself here that I will throw up on the screen. Are you guys looking to establish a third-party risk management program in 2022? We’re curious about that. Please, again, be honest with that answer. And we did have a question at the beginning of the session here that I’ll hand over to Brian. Juliana had asked, “Do you view third-party risk management and procurement as separate departments with separate channels to the board?”
Brian Littlefair: Yeah. Well, I do. Yes. I mean, obviously there’s some overlap in terms of what security and procurement are trying to deliver from a risk perspective, but then there are significant other areas where there isn’t an overlap, right? So procurement are there to buy products and services, get effective leverage from a spend perspective. So I think they need their own communication channel to the board. What I think doesn’t work, from a risk perspective, is if we’re getting two different views of risk from a supplier perspective. What I see happen a lot is organizations, especially the larger organizations, are using the large ERP platforms across their procurement space, and in that there are obviously capabilities to talk around suppliers and interactions with suppliers, and sometimes they’re utilized to gauge a level of risk and those aspects. What we need to do is harmonize or integrate those platforms together so that we’ve got a single view of supplier risk across the organization. Because if procurement have a view and then security have a view and never the twain shall agree, then I don’t think that’s good from a business perspective, not to have that alignment and agreement. So I think, watch the webinar I did on procurement, because it talks around how the chief procurement officer and the chief security officer have a lot of commonality in their objectives and what they’re trying to achieve, and I think that will certainly help crystallize what my thoughts are and how you can converge that communication channel to the board, right?
Amanda Fina: And if you’re interested in that webinar and want quick access, just email me. I have my email in this chat thread here, so I will happily find that for you. The next question is a question for Brian. Can you please discuss briefly the best practices for how to categorize the criticality of these third-party vendors?
Brian Littlefair: Yeah, so it all comes down to what they’re doing for you and the impact that can have on the parent organization. It’s probably a poor example, but every organization needs to procure kitchen supplies, needs to procure bathroom supplies and all of those aspects. They’re going to be a supplier to your organization, and a strategic supplier, but they may not necessarily present the level of risk that someone that’s running your data centers will. So it’s important to get that categorization correct so that you know where you’re going to spend most of your time. But then equally, what I would say on the back end of this example is I’ve seen organizations breached by their kitchen supplier, right? Because there’s a dedicated connection between the two organizations. So you’re certainly not discounting or ignoring organizations in a lower tier. You’re still going to require them to have a certain baseline level of security, but it’s recognizing that you can’t get round all of your vendors from a security perspective, or certainly you couldn’t. And that’s why again I’m evangelizing tools like what we’re talking about today, because once you’ve categorized them you can start to get that threat feed, that information: how seriously do they take security, are they likely to present as a risk? So to categorize them, really important: have access to our network, have access to our customer data, model our customer data on our behalf, interact with our customers on our behalf. They’re critically important, and then move down from there.
Amanda Fina: Definitely, and we have something just like that here too, if that’s what you’re initially looking to do, and we can definitely talk about that. If you want to figure out how to profile and tier your vendors, reach out to us. That would be great. The next question is a question for Brian. Okay. Risk assessors typically rely on SOC reports to evaluate the vendor controls. Is this a good approach, such as critical… Oh no, that was two different questions. Sorry. That was part two of the other one. Let me repeat this one again. Question for Brian. Okay. Risk assessors typically rely on SOC reports to evaluate the vendor’s controls. Is this a good approach?
Brian Littlefair: I think it’s a reasonable approach. And I sympathize with the Googles, the AWSs, the HPs of this world, right? Because if you think about it, they’ve got tens of thousands of customers. Each one of those customers wants to assess their security, their approach, and how they handle things. Everyone wants the right to audit all of these aspects, and they just can’t possibly do that, because they have customers that share environments if they haven’t paid for dedicated environments. There are data centers with other companies’ data involved, etc. So they can’t open their doors to everyone to come and have a roam around and see how cables are plugged in, etc. So I think that’s where SOC reports and SOC 2 reports, etc., come into their own, because it gives you that base level understanding of how they approach security and how seriously they take it, and what some of the challenges and issues are that they’ve had. But I certainly wouldn’t rely purely on SOC reports. And I think that’s where again, with Prevalent and those aspects, you can get that open-source information, that OSINT capability, to actually understand, well, they say they do this in their SOC report, but they’ve had a public-facing vulnerability for 30 days and their policy says they should have fixed it in 24 hours. So you can hold people to account against their SOC reports by using platforms such as this, because what people say versus what they do are sometimes different. And that’s where I personally utilize those capabilities. But that’s my example of, if a large organization has to service lots of customers, that’s where SOC requirements are needed and required, right?
Amanda Fina: Something else we help with. Shameless plug. Shameless plug here.
Brian Littlefair: Yeah. I’m teeing you up here. Right.
Amanda Fina: Absolutely. Well, it looks like that might be all the questions that we have for the both of you. Um, anyone else have anything that they are looking for as far as resources, wanting the slides? I know a lot of you have been asking for those or wanting to see other things that we had done with Brian and we featured Brian on. Please reach out to me. I’m trying to catch up here. Um, but I’m going to put my email in one more time. For anyone that wants to chat about anything we covered, please feel free to reach out so you have someone directly to talk to. Um, and I think that that’ll be it. I think we’ll just close five minutes early. Give you guys back some time on your day. And I really appreciate both of you. Always great to see you, Brian. Always great to see you, Scott.
Brian Littlefair: Great. Thank you, everyone. Enjoyed the discussion. Thank you very much.
Scott Lang: Thank you so much.
Amanda Fina: Bye.
Scott Lang: Bye now.
©2026 Mitratech, Inc. All rights reserved.