Description
If you’re responsible for managing vendor risk, then you have a lot riding on your shoulders. You probably bear the scars of long, drawn-out, manual assessment processes – but that’s just the start. If you’re lucky enough to collect useful data, then you’re tasked with everything from scoring and prioritizing the risk, to managing the remediation process and reporting results. Even well-staffed, well-funded teams can have a tough time with TPRM.
Fortunately, you don’t have to go it alone. Join Keith Lichtenwalner, Senior Manager of Security Risk Management & Governance at Pfizer and Brenda Ferraro, Vice President of Third-Party Risk at Prevalent as they share healing devices to mature your TPRM program.
During the webinar you will learn how to:
- triage your program’s level of maturity
- diagnose assessment profiles and tiers
- apply risk treatment protocol for scale and compliance
- monitor for success
- continuously measure progress
- get therapy from your support system
Speakers

Keith Lichtenwalner
Senior Manager of Security Risk Management & Governance at Pfizer

Brenda Ferraro
Vice President of Third-Party Risk at Prevalent
Transcript
Peter Schumacher: All right, welcome and thank you for joining our webinar today, Healing the Wounds of Third-Party Risk Management, featuring Keith Lichtenwalner. Keith is the Senior Manager of Security Risk Management and Governance at Pfizer. We're also joined today by Prevalent's very own Brenda Ferraro, who is our Vice President of Third-Party Risk. My name is Peter Schumacher. I'm your webinar host for the day. I've got a couple of housekeeping items to cover before we officially get started. So, first of all, this is a reminder that all attendee lines are muted. We do that in an effort to cut down on background noise like dogs barking, your kids screaming, and my personal favorite, toilets flushing. However, in an effort to keep this session interactive, we do invite you to submit your questions using the Zoom console. So, please do that. Time permitting, at the end of the hour we're going to host a live Q&A. Today's webinar is being recorded and we plan to deliver that recording to your inbox by tomorrow morning. I know you didn't join to see my face or hear my voice, so at this point I'd like to turn things over to Brenda and Keith. Thank you so much for joining us today. And Brenda, please take it away.
Brenda Ferraro: Thank you. So, I'm sure that all of us are feeling a little bit up and we're navigating our new work-life balance, and before we get started I'd like to extend from Prevalent and also from Keith our heartfelt well wishes to all of you. Today's webinar is going to... Peter, I think you're not on mute, you might want to put your phone on mute. There we go. So today's webinar is going to bring those of you who are beginning to discover, or already know, that third-party risk is an evolutional type of situation where over the past year a lot of things have changed. A lot of companies have come forward with ways to approach how you are in that journey and the maturity. And so what Keith and I decided to do was to take this webinar, and because I used to work in the health care field and Keith is in the pharmaceutical and health care space today, we took a theme with regards to health care, and we'll talk about the processes, the logical steps that normally happen if, say, you were going to go to the hospital. You would be triaged. You would be identified with a diagnosis. You would then have protocols for healing those situations, support, some of the metrics and the machines that would tell you if you're on the right track or need to reset. But I'm sure, like Peter had said at the beginning, you weren't here to listen to him. You're also not here to really listen to me as much as you are to Keith. So we will do introductions real quickly. So, Keith, you know a lot of people, but there are probably some people on this call who don't know you. So, can you give us a brief introduction to your history and your career, what you're doing at Pfizer today, and then maybe a fun fact?
Keith Lichtenwalner: Sure. So my name is Keith Lichtenwalner. I've spent about 15 years in the infrastructure Fortune 500 realm, serving just about every team that you could think of that exists in every company, or managing those organizations. And I got tapped on the shoulder to start a risk management department in a Fortune 500 in 2004, which started my career journey, and one of my first challenges was to put risk controls around our third parties. So I've been playing in this space for about 16-plus years. And in that journey, and I think you'll hear today a lot of things that, you know, we fight all the same battles. They've been different in different sectors and different companies I've been in over that journey. And hopefully some of these tidbits that we'll share today will help give you reassurance that you're fighting what everybody else is, and also some ideas of how maybe to think about approaching some of those tough challenges as you continue to take your program and activities in a positive direction. As a fun fact, some of my favorite things to do: I love the outdoors, especially the woods. So I spend a great deal of time with the youth of today in the scouting program. But I also got my wounds from that. I have been stung dozens of times, including this past weekend, by some of those hornets that are in the backwoods, which I swear are much more potent than the ones you find in your local community. So it's been a challenging wound for me.
Brenda Ferraro: Nice. Well, thanks for that information. As for me, I was quickly introduced at the beginning. I'm the VP of Third-Party Risk at Prevalent. I've worked at Charles Schwab, eBay, PayPal, Aetna, and across the communities with a quest to help companies mature their third-party risk program, focusing on risk data decisions and how to leverage the Prevalent platform. I'm pretty much the voice between the customer and the product so that we can make them talk to each other and do what's right. As for a fun fact for me, I too am a nature person. A lot of people don't believe that, but I love to go and gallivant and hike in the trees and in the forest or along creeks. And I'm highly allergic to ants. So, you have the hornet problem, but I can be standing in one spot, not look down, notice that I will hear an ant kill, and all havoc can break loose. So, what we're going to be talking about today, with regards to wounds, is being proactive with making sure that if any incident's going to occur, we know what we need to do in advance. Needless to say, with every risk program, there's the potential to get bit. So, we're going to give you some of those takeaways and techniques to put into implementation moving forward. So, Keith, the first thing: for example, how we talked about the hospital, and you go to the hospital and they're going to triage and find out what the issue is. That is, if you're not having to go directly into surgery. What are the different types of triage techniques that you used for your program maturity to understand exactly what you needed to evolve or mature from a talent, tool, or technique perspective?
Keith Lichtenwalner: Sure. Thanks, Brenda. I think the most important part of triage in my mind is circling yourself with the right skills to do that. And I'll use some very pointed examples. First of all, triaging means circling to me about, if you want to understand your maturity, you need to first of all surround yourself with people that are trying to achieve and take their program to the levels that you're dreaming of going. So finding somebody with a program stronger than yours is excellent. Finding people that are fighting the same battles that you are, excellent. Finding partners that can actually help you conquer the channel that has helped others mature, that's an excellent step as well. So, in my mind, if you're looking at maturity and how to triage your program, the first and foremost goal is get out there and find yourself some good partners and some good individuals in other peer companies, both in and outside of your sector, where you can exchange ideas, discuss challenges, and use those ideas to triage your example. I love to have partners where I can take the things that are repeatable and have matured in our environment, like the collection of questionnaires, etc., and outsource those activities so that I can focus my core staff on the activities that are going to reshape and take us to new levels of maturity. I think it's really important that you think about different ways of approaching things, because without change, this environment is one that... I thought it was going to mature when I started in it. I think it's still in a lot of places in an infancy of maturity that needs to be driven. The challenges of the data management, etc., just continue to explode.
Brenda Ferraro: Yeah. I think that one of the things that's interesting about triaging is, when you have a program, if you're starting out at an infancy level or at the very get-go, a lot of companies are using spreadsheets, and that can become a pain. So, automating that collection is one thing. And I liked how you talked about the fact that getting in touch with other peers of like-mindedness that can help you to learn from what they're doing, versus things that you may not have thought about, is also something that's really key to maturing your program as well. And then running mature assessments on your program to see where you might be within the industry or for yourself, so that you can determine what areas to focus on that are going to give you the most return on investment. Would you agree with that?
Keith Lichtenwalner: I absolutely do, and I think I'll add one other thing. I think there's a fallacy out there that you need to be talking to people of your same size or same sector. I actually think you benefit from doing the opposite. I think I've learned the most from small companies or medium-sized companies that are struggling the same way. You know, having had the pleasure of being in a large corporation, the challenge is automation becomes even more critical, because we're talking hundreds of thousands of potential engagements that we need to make sure are in our risk appetite. But the challenges in a medium company are no different. They may only have a hundred vendors, but the answer is they have a lot less resource capabilities to do it. So all of those same factors are necessary to build out a program of automation, of reassessing your scenarios, your situation, and really being able to quickly determine: is this a space I want to spend a short amount of time to make sure is okay, or do I want a disengagement? Do I need to go deep, because it's that important to the company's success and the business's goals?
Brenda Ferraro: Right. I agree with that. So let's kind of move on to the next scenario. So, you've done a great job at making sure you know where your program is within your own company. You've identified some of the areas that would require improvement from an overall program perspective. But once you're done with that triaging of your program and your performance indicators, how do you diagnose what assessments to even start with, or what profiles to use, or determining your tiers, or what's really risk-worthy? What did you do for that?
Keith Lichtenwalner: It's absolutely a journey. But what I did was really leverage talking with peers and partners in other sectors to say, well, what are the triggers they're using to identify? I believe strongly that if you want to set your tiers of risk, sitting down with the business, sitting with peers, getting all the data that you can collect to say, well, what lists do we have? What triggers do we have that we could get data from? And what I found over this journey, especially in the last few years where this has been a space that I think has been really getting a lot of attention, to talk about removing the language differences between companies, there's definitely some themes of sources. The themes that I'm seeing really jumping out that are really helpful: the first one is your firewall logs. A lot of companies have different firewall programs connecting themselves with partners, etc. And they can call it anything they want to call it, but the answer is those rules where you're connecting two companies together, that's a pretty important place to keep track of the connectivity, and keep track of: is that partner that you're now letting basically inside of your doors operating a safe environment? So I'm seeing that you're evaluating those properly. So that's just one example, but we've done things to look at sitting down with the business to say, what are the manufacturing products that we make that generate the top revenue? Make sure we understand the supply chain from the beginning to when we get paid. Look at the entire supply chain and all vendors involved for those critical steps. As well as going back and looking at your data in your DLP program, if you have any type of external traffic analysis capabilities. Look at what's going out of your email system. Understand what's flowing and see what companies you're probably interacting with in large volumes and/or with highly sensitive information.
That can really tell you where you probably want to make sure you have a clear understanding of the risk level you're operating with. So those are just a few examples, but I found that there's a lot of themes as you start talking to others of what's triggering for them. You see compliance themes. But when everybody says, "Well, what's my top vendors?" some of these other things I've mentioned I found are great ways to get data: take the lists, share the lists with the proper business people inside, discuss them, and then launch your program's capabilities against the ones that make sense.
Brenda Ferraro: Yeah. I noticed that when the journey first started between the two of us working together as peers, you had an information classification model and you had a tiering approach and you had key controls that were really important to your organization. Are you finding that those are changing at all with regards to how we're having to do work-life balance and work from home, or did you find that the controls that you had in place still stand true and you're adding a couple more just to facilitate those mechanics of risk management and mitigation for those other items?
Keith Lichtenwalner: What I'm finding is, as we mature to really understand the risks that are important to our current business, it changes the vendors that I want to look at, but the controls are standing the test of time. I think the basic controls, or hygiene controls, are really: do the basics well and be prepared to respond if an incident occurs. That is still a philosophy that I think has been coming to light, as a good company is going to do those, and as they do those they will be in a good position. And I want to be partnered with companies that are doing industry best practices, staying true to those basic controls, and are prepared to respond in the case of an event, or in the likelihood that everyone will have an event at some point in time. How you respond is really important.
Brenda Ferraro: And for your key controls, did you go with a standard questionnaire, or are you using multiple questionnaires and threat intelligence for your risk identification?
Keith Lichtenwalner: We started out with a key questionnaire that's common in our sector. I think that's a great place to start. But I think as time progresses, we're maturing and working our way to be able to handle multiple questionnaires, because there's just so many vendors you're working with, so many partners you're working with, and I see them as synonymous. And if they have, for example, a SIG Lite completed, the important thing for the business is to get the knowledge of what controls are of concern for discussion and what is not worth time discussing because it appears to be in solid standing. The faster you can figure that out, the more you can help your business get to the objective they're out for. So to me, it's take whatever questionnaire you can, but at scale you need to be able to know there are only certain questionnaires that you're prepared to really analyze and review quickly. But if the vendor or partner has a SIG or a different one, and you're familiar with it, take it, use it, save them the time, and quickly get down to what are the controls we should discuss that, in this engagement, bring risk to your business.
Brenda Ferraro: Yes. So compensating controls, accepting information gathering from other standards, having context applied to those items for meaningful relevance. I completely agree with that. So I think, Keith, at this time we were going to ask the listeners if there are any techniques that they might have been using for this particular area of strength, or emerging stronger, that we might want to talk about. So in your chat box, Peter, if you wouldn't mind, look and see if anybody enters in some other techniques that they have been using for assessment profiling, determining tiers, using compensating approaches for controls such as questionnaire gathering or information gathering, and making sure that things are meaningful and relevant for the appropriate type of due diligence. So, Peter, let us know if you get anything in the next couple of minutes, but Keith and I will ponder back and forth until then, if you need us to.
Peter Schumacher: Yeah.
Peter Schumacher: Okay, I’ll let you know.
Keith Lichtenwalner: Yeah, Brenda, I'll add one other space that we found very valuable to find data while people are thinking and putting in ideas. Many don't realize how much great data is in whatever PO system you use, Ariba or one of the other majors. If you're using any type of PO system, or your procurement department's tracking for smaller companies, look there closely. There's a lot of data elements there about what material type a company's providing. There's a lot of standardization in that in the bigger systems these days that can really help you trigger on buzzwords for those companies it's not worth your time to really go after. The real value of a cyber risk against, let's just say, the lawn-mowing service is not there. But in the same right, I found in some of those PO analyses some great nuggets of zones of our company where I can find the vendor list that the business doesn't even realize they have. So searching for that data can be highly valuable. We've also found, looking at that data, I'm not a big proponent of doing it strictly on the dollar amount spent, because sometimes the smallest little company with a small contract can bring huge risk. But sometimes you've got to cut it at a place for this year. So don't be afraid to say, I'm going to look at the high-dollar-amount ones first and then I'll go a little deeper on some other criteria later. I think really building out a triaging program is about flexing it every year and making sure that you're really looking at your business in a couple of different ways. So we carefully track the analysis we've done and how we've triggered those, so that we can really look for, well, what ways have we not looked at data that might bring us a zone that we haven't really kept a good eye on. So, it's all about finding that top 10 or 20% of your fleet of vendors and partners that are really important to the success of your company.
Brenda Ferraro: Yeah, Peter, did we get anything in?
Peter Schumacher: So, looks like we have a quiet audience this morning, which is surprising because we've got quite a few folks on here, but yep, nobody wants to share examples of how they identify their critical vendors.
Brenda Ferraro: No worries, we have much to talk about. There will be other opportunities, hopefully, within our time. So the other thing that we need to talk about is, of course, treatment protocols. So for many of the customers that we have, or that I've spoken to, scale and compliance is big. Peter, how are... not Peter, because Peter, you're helping us with the questions, but Keith, how are you addressing and tracking how the business is retaining or understanding how to scale all the work that has to be done? Because there's a lot.
Keith Lichtenwalner: There's absolutely a lot. And that's a problem that everyone I'm talking to, from small, medium to large companies, all express the same concern. I think there's a couple of fundamentals to a program's success that you want to align with your leadership. The first one is really keeping the accountability with the business. In the end, cyber security risk and assessments on vendors and partners are really about helping the business make good decisions. I always like to say cyber security is one of 18 risks that should be managed with a good partner or third party. And sometimes it is the right decision for the business to say we're going to take on some risk in cyber security because the vendor is just that unique and that excellent at the other parts that they need. And that's why it needs to truly be business ownership. So establish that first, think that through, and establish that with your leadership. With that in mind, I think it's crucial to try to make everything as reusable as possible. We assess vendors on a vendor basis, and then we apply that assessment to multiple engagements we may have with the same vendor or partner. Which means if they fail, when we have a leading indicator of a question that they're failing, a certain control that we feel is likely inadequate to our normal expectations, it may not apply to the first engagement with that vendor, and that's fine, but we will still show that control as a control gap, as a risk that exists. It will be, say, not applicable to that current engagement, but the next engagement comes along and they need to ask themselves that same question: did they fail that particular item? This is a way to really look at scaling, as well as making sure that you're in compliance with the engagements and the activities going on that you're specifically looking at at that time.
Brenda Ferraro: Yeah, I think, with an audit perspective in mind, when we look at gathering information, we want to make it so that it's visible to different departments. So say, for example, it's procurement that wants to see if I am vetting five different third parties against each other to do a selection process; I want to be able to see what I need to know on the heavy lift after I select that particular third party, if there's going to be a lift, to help them bring their security posture to the maturity level of your company. The other thing is service level agreements. So having the key performance indicators and the risk indicators to say here's how long it's taking to gather information, or here's how fast they're mitigating their risks. Those are things that we'd have to look at as well for compliance. But the accountability that you talked about with regards to the business units, not all companies have that. Their third-party risk management team is still doing the accountability and taking that journey. You and I have been lucky in some of the companies that we've worked at, because the business units already recognized that they were required to have accountability to help with that heavy lift, if there was one, for security posture and risk mitigation, but there are some that don't. So, what was the technique that you used in order to change the culture for the business units and/or procurement to take accountability for either selecting or risk mitigation?
Keith Lichtenwalner: Yeah, Brenda, that's absolutely an excellent point. There's a technique that I've kind of, I'm going to say, stumbled through that I'd love for others to hopefully benefit from. And the technique revolves around, in the case of third-party risk management, I make sure that I'm actually bringing some business people into my program and my toolbox, people with some business background. I ironically have kind of a wide-array background, managing restaurants and helping my wife actually manage funeral homes in my past. But those business-oriented backgrounds have allowed me to really take a different approach when I deliver, or have my organization deliver, a risk as the assessment completes. It doesn't just say this control is delinquent. We really move into that next realm where we're saying this control appears to be inadequate to our norms. Here's how this control could manifest itself into a problem, not only from compliance but operationally. And what I found over time, explaining to the business with examples of even the simplest things, like this company lacks a strong change management program and how that operationally could hurt them, meaning they are more likely to make a change that would actually cause an outage, they're more likely to be down for a longer period of time because they don't have a log to see what were the last three changes made, all of a sudden makes the business interested in saying, I really do care about these cyber controls. And it allows them to start engaging. So even if you don't have the commitment that the business is accountable, sometimes just the way you deliver the risk response can help them feel more ownership and engagement, and that's where you can start making that culture change happen, and they'll take more leadership ownership because they feel that they are truly at risk.
Brenda Ferraro: Yeah, I think that you're very accurate with regards to knowledge is power and presenting the risk content in a digestible format, such as maybe a risk summary report, to tell them here's what we found and here's what we're going to mitigate, and then starting to report up to those business units to say, you know what, we've got all of these different vendors that are doing services for you. Here's where they're weak. Here's where they're strong. Here's where you have way too many vendors doing the same service, where some of them have maturity in their security posture and some of them don't. So those reportings and metrics are really important. So let's talk about monitoring for success, KRIs and KPIs. What are the things that you look at at Pfizer to know whether you need to tweak or enhance your program, or whether your risks seem to be going awry and not being attended to?
Keith Lichtenwalner: Yeah. So there's a couple of things I'd really like to lay out there with this one: monitoring the health of the program and how it's running. First thing, any metric program I think gets a lot simpler to build when you really start saying, okay, everybody says you've got to have SLAs, you've got that, but also just think about it: you need some metrics that support you on operational activities. You know, how many requests are you getting? Are we getting the requests collected within, you know, two weeks at least 50% of the time? Setting those goals and understanding how to measure those on an operational level is necessary. But you also want to definitely take a step back and look at what you can do to make sure that you are looking at more of the strategic level that you would actually share with your senior leadership or even your board of directors. Some of these can be quite simple, looking at, you know, are we succeeding: if we said there were 400 vendors with a risk level that's appropriate to review, are we at least getting 90% of those back? One of the things that I have learned over the journey, and it doesn't matter what company I've been talking to or the companies I've been running the program in, getting vendors to reply is difficult. It is an uphill battle. The company contacts with that vendor change constantly. The vendor's contacts change constantly. The engagements that we're involved in with the given company change every day. And the number of special cases you can run into are just endless. So, setting realistic expectations with leadership to say, "Hey, I'm going to say here's 400 I want to look at, but I may really only achieve 300." And there's going to be dozens of reasons for that other hundred. And you can spend all your resourcing on tracking and chasing that last hundred and being a compliance checkbox: I'm going to get every one of them.
Or you can say, wait a minute. Have I exhausted the risk here to a reasonable degree, and am I better off starting to spend my resources in another launch of a space where I have not looked before? And I'm very careful to find when I'm getting diminishing returns on my resources. So having metrics that watch that, watch where you're spending your time, and turn around and say, "Wait a minute, I think I've gone far enough here. Even though I'm not 100% complete, it's time to really turn some resources over to another launch zone that I want to focus on for my next wave." Logically breaking things into waves is another technique that I have found extremely valuable in helping the staff focus to a point, declare success, move on.
Brenda Ferraro: Yeah. And I think that change is inevitable. That's basically what you're saying: things adjust constantly, and look at where we're living now. So I totally agree with that. The other thing is that a lot of companies are starting to use managed services, or what we call the risk operations center, to help uplift the scalability or monitor for success, based on verifying the information that's coming back is accurate or is not erroneous to what you're trying to determine for risk. And then making it so that companies don't necessarily have to relieve the resources that were doing third-party risk from nuts to bolts, but making it so that they turn into risk managers. So they're really looking at the risk and identifying those, and putting those risks into a program that they can track to closure, and having a more continuous evaluation approach. So what kind of an evolution have you taken with regards to identifying risk and then moving that into a holistic risk management and risk mitigation technique and fundamental?
Keith Likenwaller: Sure. Um first of all, I think it always starts with having a set of criteria to say um and I don’t think the size of company matters. Um because in my conversations it’s been more around every company has less resources than they could possibly do to look at their entire fleet of the third parties. Um so it’s really about setting us criteria that’s good for your business, your business model that says what are the things that will be absolutely necessary for us to keep an eye on. Every sector has their own regulations. So understanding what are the triggers of those regulations that are drive your particular company um is criteria that should go into your selection process um for you know really driving that. But I do think it’s also about Don’t forget about the operational importance. Um really helping to say what are the kind operational activity criteria that really will trigger us to say this is absolutely important to us. So getting those worked out with the business, getting them with examples that relate to the various business units that you support um are critical to in my mind helping you to select where to focus when you actually start analyzing data. Um I believe you know having in corporate policies you know what things should be evaluated and why um but in the end um risk governance oversight um needs to take the third party risk management program and say now let’s look at the data of what actually’s happening in the company and help the business look where they may not have truly watched every comp every third party they should have and really analyzing that but uh it is imperative I think as we do this um when you’re tracking risks. Um, start small and grow. Start with tracking most critical identified vendors. Um, and then after you’re tracking those, track the critical vulnerabilities that the critical controls that they’re failing um that you want to track to closure. Um, I start there. 
With that list, oftentimes what happens is it becomes very clear quickly from the data. We thought we were looking at the top, you know, couple hundred vendors that were identified. As we go and peel the onion back and actually do the evaluation and talk with the business about the controls, we find some of those vendors are no longer top-tier critical. They’re actually only a medium. And that’s okay. Make sure you store that knowledge so that you can make decisions with it later. But keep adjusting, and that’s where I think it’s really critical to look at what pieces, with automation and outsourcing like collection, you can do that allow you to have more flexibility to change. This COVID time is a great example. We have certain pieces and parts we’re obviously very focused on as a company. And because of that, a third party risk management program needs to be ready to turn on a dime and say, “Well, you know what? I was going to assess these vendors, but that business unit has a much more important priority for the next four months. So I’m going to turn over here and work on this other business unit and help them out.” So being able to flex and turn, I think having a good partner to do those collections and so on, and an automation toolbox with workflow, allows you to change direction. And being agile like that, I think, is extremely important to the success of your program.
Brenda Ferraro: Yeah. And first of all, thanks to Pfizer for being one of the pharmaceutical companies that is helping us get out of the situation that we’re in. So, for the facilitation that you’re talking about, with regards to having machine learning or artificial intelligence or tying your risks together: a lot of companies look at questionnaires for their holistic approach, which can give them the trust portion of their assessment, of course. And then you’ve got some companies that are using different threat intelligence reports and tying those two content items together to say, well, this is what the company said they’re doing for risk, and here’s what we’re finding in the open-source feeds. I know that some companies are using one solution, such as Prevalent, to do all of that. But from your perspective, it’s also important to have the flexibility to have data that can come out of Prevalent so that you could put it into, I think you have maybe a Splunk environment or something of that sort, that you’re able to take and correlate that information for your enterprise risk management approach as well, right?
Keith Lichtenwalner: Yeah, correct. I think you really have to look at it as: third party risk management, again, is one of the risks that you’re managing as a risk officer in a company. To really do it well, you need to have those things all in a common place so you can enrich the various activities. One of the biggest value chains we’ve had with the third party risk management program is really keeping a close eye on the vendors and partners that are reporting that they’ve had a significant outage, or ransomware or malware, or potentially even a small breach over time. As they report those things, it’s looking back to say, well, what indicators do we have, either with the public information toolboxes that we have that watch public information for us and provide reports, and correlating that information with questionnaires that indicate control failures and so on. And over time, it’s giving us a better picture, from that data, of what type of controls normally are actually violated or not in good standing most often, and which ones of those are actually the root major contributors to actual incidents. And being able to watch that helps you know which controls you really want to stay on top of and which ones you are going to respond to, I want to say, with more of your valuable resources to discuss with the business.
Brenda Ferraro: Yeah, having that playbook and an approach to taking on those risks is really important. And I would think that if you preconfigure your risk recommendations to those different techniques that you use, whether it be questionnaire or threat intel or both, and then have the risks identified and talking to each other as to whether it’s actually a risk or not, then those risk ratings would be able to tell you if it’s important or not to address based on your engagement. I think all of those things are critical to have in a flexible platform or a solution that’s going to help you get that data.
Brenda Ferraro: So, going into, I believe, our last question before we go into teach... I am speaking real well today. Key takeaways. Have you ever done pig Latin, where you change all the letters? It’s kind of like I’m gonna start talking like that in a second. But we’re going to talk about gaining therapy from your support system. So, as you’ve gone through triage and protocols and healing and monitoring that healing, and the approach of being a forward thinker and an innovator, we talked about this a little at the beginning, where you will have a support system of other companies that are in different industries. So what are your thoughts on support systems?
Keith Lichtenwalner: Yeah, I have found this, you know, support system, as we’re calling it, invaluable in all aspects of maturing the program and managing the program and getting the ROI on the program that leadership holds me to bring to the table. And in doing that, I think there’s a couple of key components. The first key component is lowering your own stress, by just being able to know that everybody’s fighting similar battles. I think that starts making you realize, okay, I can do this, but I’ve got some support structure out there, and that support structure quickly comes in ideas. Every company’s got their own internal politics, their own journey that’s brought them to where they are today and the journey that’s going to take them to tomorrow. And what I learned over time is the politics and the compliance laws that they might be subject to, the focus of their leadership at that time, is going to make certain things or certain vendors or partners more important to deal with appropriately and really evaluate them well. But listening to what other companies are doing, listening to the decisions and what really drove them to make that decision, has really been valuable to help put together a good support system and a good set of ideas to really write out my own road map for the program that I’m driving. And as I do that strategically, the things I really find that are fundamental to success, you know, back to the basics, I always like to say: one of the biggest challenges is just keeping the knowledge that you gain in a way such that you can reuse it. And recognizing that data becomes stale faster than you can possibly maintain it.
Brenda Ferraro: Yeah. As soon as you’re done populating it...
Keith Lichtenwalner: The perfect example of that is...
Brenda Ferraro: Oh, go ahead. The hardest thing in the world to deal with.
Brenda Ferraro: Go ahead.
Keith Lichtenwalner: Sorry, Brenda. Yeah, contacts are probably the hardest thing to deal with, to maintain. It’s difficult inside your own company. But when you start talking about all of the sales representatives, etc., between vendors, and everything that changes on a given day, week, month or year... Coming back, you know, after an appropriate amount of time and saying, “We still have a firewall exposure between this partner and I, so I want to re-evaluate them.” Probably nine chances out of 10, the people involved when I evaluated them, you know, a year ago or a year and a half ago, are not going to be the same people. So, having excellent documentation on what you’re actually trying to achieve, sharing those kickoff messages very cleanly, crisply, and just being prepared to document and chase, and having backup contacts for all the different parts and pieces, can save you a lot of time down the road. So, think about what you may need in the future. Document that stuff as you’re doing your events now so you can come back and use it later. It can save you a lot of time.
Brenda Ferraro: Yeah, I like watching how you and other clients talk to each other about your evolutionary approach and your journey, because you always learn something from each other. So, thank you for participating in those types of groups, whether it’s an H-ISAC or it’s a workgroup or it’s some type of a peer-to-peer group. So, let’s talk about key takeaways real briefly. What are the top things that you want people to take away from what we’ve talked about today, so that they don’t end up learning from the speed bumps that we’ve had to go through in the past?
Keith Lichtenwalner: Yeah. So, I think there’s probably four that I want to highlight, and I would just say, as you’re thinking about your own program, think about how these might be altered in order to take you to the level of maturity that you want to achieve. The first one is: think about your outsourcing and automation activities. Look for partners that can do the collections for you, so you can really take your talented resources that know your business and know your company, that are on your teams, or yourself, and really make sure you’re focusing on the discussions that are at the end of the journey. I try to really drive out the collection work, and actually we automated the actual after-collection so the draft report comes out in automated language, instantaneously. And with that, then we can focus on: does this apply to this engagement? What do we have to educate the business about? Those are the high-value conversations that really require your internal knowledge to be effective with. So, focusing your resources there means automation and outsourcing of collections and those kinds of activities really help you get full value out of your internal resources. The other takeaway is, we have found tremendous value in mapping our questionnaires to the controls that they actually indicate are probably lacking or are not at the maturity level we desire. So if you take and have key questions that actually identify the control failure, rather than just try to gather everything, I think you can find that the business appreciates focusing on there’s only 50 questions to answer, not 500. And really focus in on the questions that will actually cause the business to say, you know what, I might decide not to use this vendor. I highly doubt that businesses will generally say, well, they don’t do background checks all the time.
I don’t think it’s going to change their selection of vendor, but I do think when we start talking operational controls, a lack of a change management program is a much bigger deal to the success and ongoing relationship between you and a vendor that you’re using. So, making sure that you actually are targeting the controls that actually could cause change. Especially with retrofit, there’s a high expense for the business to change out an existing vendor to a new vendor. There’s going to have to be a good reason to do a change-out or push the vendor for a control change. When you’re tiering your vendors, be creative. Look for the data: your procurement systems, your PO systems, your DLP systems, your firewall rules, all opportunities of data that could help you select which companies or partners are probably most important to you, or are actually handling data that you really say, I really should have a good evaluation on file. And then partnerships, internally especially, but also with your partners like Prevalent or other vendors that you utilize in your toolbox. Partner with your financial and procurement departments, really understand what their challenges are, really spend the time to develop educational material. They’re in conversations every day. And if you can develop them into being that workforce and partner that is saying, “Wait a minute, this one really scares me because of something Keith taught me,” it’s an awesome opportunity to get that phone call and go, “We’ve got an opportunity that didn’t get caught some other way, but we should really talk this one through.” So being able to catch those special situations I talked about earlier, it’s really important to do a good education to your internal partners in procurement and PO.
We get tremendous value at this point by having certain questions that are asked with the PO process that actually trigger us to say, based on the way they answered that question, we should have an evaluation on file. We see it or we don’t. And then we make the appropriate follow-up to them to say, even if there is one on file and there was a gap in their previous evaluation, we make sure that we communicate again that that is a gap that they should acknowledge and think about, should they want to have a security conversation.
Brenda Ferraro: Yeah, I would agree with those four, and then the three that I have, or maybe four. One of them is conduct a maturity assessment on yourself that you can use to identify all the great things that you’ve done to create the program and any improvements that you might want to look at in advance of, you know, planning your next year. The other thing is have a flexible platform that can collect data in multiple facets and report that data out and provide chaser email notifications and responses for reports of what’s not going right, so that you can tweak your program and your risks. Have a platform that correlates the information or can give you the data so that you can correlate it somewhere else, such as what Pfizer does. And then share it, like you said, company-wide, so that if finance needs to see it, legal needs to see it, privacy needs to see it, they can look at it in the view that’s important for them. So, thank you so very much, Keith. I think we’re going to have a little bit of time for Q&A, about 10 minutes. So, I’m going to hand it back over to Peter for a polling question and then for us to answer some specific questions from the audience.
Peter Schumacher: Thanks, Brenda. Yep. So, at this point, I’m going to launch a poll. This should pop up on your screen any second, but for those of you waiting for it, it’s: are you looking to augment or establish a third party risk program this year? So, yes, no, or you’re not sure. We did get several questions that have come in. So, I’ll get right to those. Along the lines of what you just spoke on in your key takeaways, Brenda, there’s a question here that is: is there currently a third party assessment maturity model? So, you talked about third party assessment maturity and certain maturity assessments. Is there a model?
Brenda Ferraro: Yeah. So, there’s a couple different models. The one that Prevalent takes is we have a CMM model, and that CMM model is built into the protocol. So, you go in and you basically take the questionnaire just as if your vendor was filling out a questionnaire, and then you get this glorious report that comes out that tells you here’s where you are with maturity on that continuous maturity model. We’ve used our expertise across our systems and resources. And I believe Pfizer even took that maturity model assessment and found some things that would be used in the future for you to take a look at from a return on investment perspective of where to spend your time.
Keith Lichtenwalner: Yeah, absolutely, Brenda. I mean, we did do that as part of Prevalent’s offering to us. And we definitely have several things we’ve added to our roadmap over the next year or two that we’re going to take some focused time on. When doing that model and really looking at how to assess yourself, one of the first steps, I think, before you even start saying what’s all part of a program, if you have a questionnaire or a method that you’re looking at, the first thing I always say to do is experience it yourself. So one of the things I did as soon as I got the first version stood up is I actually went and put a request in to assess myself, Pfizer itself, through the same process that I’m expecting my partners to go through, and I was the customer. And really going through that is enlightening, to know: are you balanced? Are you asking the right questions? Are you actually able to answer the questions correctly yourself? And how much did it take you to actually gather and do that? It’ll help you understand what your partners are struggling with, because you’re going to find yourself struggling with some of the same problems. So sometimes just practicing and doing it yourself, ironically on yourself, is one of the biggest returns you can get, to really say, you know, did this end up where I wanted, am I operating where I want. And it gives you one other strong statement that you can give back in your maturity and measuring of yourself: it helps you design your forward directions and controls to say, I’m expecting my partners to have the same controls that I meet when I build it internally. That’s a powerful statement when you’re sitting with a business. You’re not asking more of them. You’re asking them to meet the same things that you expect if we built this internally.
Brenda Ferraro: Yeah. And I think that’s an appropriate way to say it. Three different phrases come to mind: Drink your own Kool-Aid first. Eat your own dog food first. Or what I like to say is eat your own caviar first, because dog food’s not so good. Sometimes caviar is not good either, but that’s kind of how I put it. What else do we have, Peter?
Peter Schumacher: So, we’ve got a comment, I think, related to the conversation you tried to get started around how do you identify your critical vendors. So, I’ll read that comment and see if it sparks any more discussion. It says, “We are attempting to profile our vast network of vendors by sending out an information gathering survey and coupling the results with cyber intelligence. The survey will help us stratify the vendors by data shared, if any, location of the data, connection method, and the use of subcontractors.”
Brenda Ferraro: Yeah, I think that’s a really good approach. Oftentimes, if you don’t have the ability to get an intake form that’s going to give you the attributes that you need to know in order to do the proper due diligence, it is okay to go to your vendors and ask them for that information and then use threat intelligence to prioritize who you want to go address. And then, as you’re changing your culture in your company, if your company doesn’t have business unit accountability, or has bad procurement data for point of contact, I think that’s the best approach to take. What do you think?
Keith Lichtenwalner: It’s an excellent approach. I mean, going out there and trying to make sure you understand how the engagement is working and getting that initial data is an awesome way of screening to find out where do we really want to go deeper. I think understanding the controls you anticipate to find as failures, this is where you can go to your partners with a couple of questions, and really planning out that screening questionnaire can actually launch you into a place where you have the best intel to say, this is where it makes sense for us to really do a deeper dive. So thinking about what controls really scare you and would trigger you to want to do a deeper dive, and getting an indicating question of that as part of a company’s program. With that, I’ve seen a couple companies do what’s being described because they didn’t have the internal data. And I’ve seen some good turnaround on that. So I’d encourage you, if that’s what you think is going to work for you, go for it. Give it a try. Scale it up. Start small. Make sure you’ve got the right questions so you don’t have to go back to the vendors multiple times. And then make sure you get good coverage across your fleet. And then make direction indicators from that so that you get leadership buy-in to go ahead and go forward with your program.
Brenda Ferraro: Agreed. What else do we got, Peter?
Peter Schumacher: Next question is, what are the other areas that you consider outside of cyber?
Brenda Ferraro: Other risk areas?
Brenda Ferraro: Yeah, business intelligence is becoming very, very important, so that you can see if there’s been any changes in their company or some financial constraints that they’ve fallen into. A lot of the threat intelligence capabilities out there today have cyber intelligence, and that’s really important, and it gives you information that you need to know from an open-source feed intelligence perspective, but business intelligence is just as important, especially for your high-risk vendors. So I would add that as part of it. What do you think, Keith?
Keith Lichtenwalner: Oh, absolutely. I mean, business intelligence goes back to my comment about becoming a partner with procurement. Nine times out of 10, they have some of those services that they have bought into, and they have some of that data. And I have personally seen cases in my 16 years where the business indicators are there that the business isn’t as financially sound as it used to be, and then you start seeing the corners cut, the end-of-life servers online, etc., that end up becoming operational impacts or breach risks. I’ve seen some of those over my journey, especially the operational. So, keeping an eye on those other risk indicators that add together, I call that compounded risk, is absolutely, in a mature program, a great place to be.
Brenda Ferraro: Agreed.
Peter Schumacher: Great. I think we’ve got time for two more questions, hopefully. We’ve got several here, so apologies if we don’t get to yours before the end of the hour, but we’ll get right along here. Can you share some examples of automation in moving away from spreadsheets? So Keith, you want to talk about how you did that?
Keith Lichtenwalner: Sure. Probably there’s two parts to the automation that we are getting the biggest value out of. Obviously the automation of collection is important, but on top of that, the workflow automation in the toolbox we found is critical to really be able to pass the knowledge from coordinating the collection off to the security assessor that’s going to actually determine if it’s a risk or not, review the report and deliver the message to the business. Being able to hand that stuff off cleanly. So a workflow is critical. But probably the number one automation point that has returned value, to increase our capacity of, you know, a security assessor being able to do more assessments in the same year, really comes around taking the time to map your questionnaires. So that if a vendor provides, I’m going to say, the failure answer to the questionnaire for question number 10, that indicates a control failure, pick your favorite control, you automate the response, or the risk response that would generally be said by the security professional, with the example, and actually put that into your tool. So that by the time you end up getting the answers to the question, your assessor is not looking at the 200 questions that were asked. They’re looking at the five critical controls that are not up to snuff.
Keith Lichtenwalner: They’re not evaluating a big pile of paperwork. They’re actually focusing in, saying, “Here’s the five. Let me talk to the business about them.”
Brenda Ferraro: So the automagical representation, where it shows you, here’s what you need to go and research, versus don’t evaluate the entire document that came back and all the responses that are in there, but here’s what we’ve identified through the platform that’s important for you to go and address.
Keith Lichtenwalner: Yeah. I provide all of the failures to the business and say you should be fully visible.
Keith Lichtenwalner: But these are the ones that we have found we think you should be most concerned about, and here’s why. Right?
Keith Lichtenwalner: And, A, we save a lot of resources by focusing the conversation. B, we get a lot of traction and respect. I have found over time, in multiple businesses I’ve been in, that the business says, “I really appreciate the fact that you help me focus in where it’s probably the most important to me.”
Brenda Ferraro: So, translation: you’re filtering out the noise and focusing on what’s important. Yep.
Keith Lichtenwalner: Yeah.
Brenda Ferraro: Do we have time for one more, Peter?
Peter Schumacher: We’ll squeeze this last one in. Apologies that we’re going over, but: when you receive notice of a third party breach, which arm of the organization takes the lead on any follow-up interaction with the vendor? Is it privacy? Is it infosec? Is it legal, etc.? Or does it depend?
Brenda Ferraro: Where I was before Prevalent, it was the third party risk management group that would do the coordination work between us and them. Keith, is it different for you?
Keith Lichtenwalner: It is different for us. We have a set process that manages the incident. Breach or non-breach, you know, there are procedures for all of that. But getting tied into those procedures, the third party risk management team is tied in, and there are two phases in my mind to that response. There’s the immediate response. Are you at risk? Has your data been compromised as a company? And, because of the firewall openings that you may have with that partner, are you at direct risk internally that you need to start checking? Has the adversary also gotten a foothold with you because of that situation? Getting through all of those items quickly, that’s a response organization thing, and let the people that do that do it best. But being part of making sure they have all of the control failures that you’ve seen as you’ve evaluated that vendor or partner in the past, having that data visible to them immediately, and then being notified that that is going on, and then, at the appropriate time, which may literally be a month later, actually re-evaluating that vendor and saying, did they take their controls to a new level that’s appropriate, or do we have a continued problem of risk here that we should be working on with the business? So I tend to engage a little later. I make sure the data that I have is immediately available to the organization responding, however, because they should have all the intel that would help them.
Brenda Ferraro: Well, as always, Keith, it’s been a pleasure and thank you so much for allowing us to be on the journey with you. And Peter, I will hand it over to you to finish out the call.
Peter Schumacher: Thank you so much. Thanks, everyone, for attending. As a reminder, we were recording this and we will send that recording out tomorrow morning. So, thank you to Keith for all the great insight and sharing. I hope everyone found this valuable, and thank you, Brenda, as well. We’ll see everybody next time, and enjoy the rest of your day. Thanks.
Keith Lichtenwalner: Stay safe.
Brenda Ferraro: Thank you.

©2025 Mitratech, Inc. All rights reserved.