Description
One of the biggest challenges that procurement teams face is aligning risk objectives with the rest of the organization. In fact, most companies struggle with ensuring that their risk management processes aren’t perceived internally as a roadblock, slowing down procurement and innovation.
Join this webinar, led by Bryan Littlefair, CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva, to hear about his experience designing third-party risk management programs that align with procurement.
In this webinar you will learn:
- The 3 foundational mistakes companies often make when setting up a TPRM program that isn't aligned with procurement
- Which metrics and measures are shared across security and procurement
- How to increase effectiveness and efficiency between procurement and third-party risk management, while still reducing risk exposure
Alastair Parr, SVP Global Products and Operations at Prevalent, demonstrates how the Prevalent platform can simplify the assessment, monitoring and remediation of third-party risks across every stage of the vendor lifecycle.
Watch this webinar for tips on breaking down the silos between IT security and procurement teams.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Speakers
Bryan Littlefair
CEO of Cambridge Cyber Advisers and past Global CISO of Vodafone Group and Aviva
Alastair Parr
Compliance Expert
Transcript
Host/Moderator: So, what you’re here for today is because Prevalent brought us an amazing speaker and presentation to co-present with them. We’re talking about aligning third-party risk management with the procurement team. And I tell you, this is the most top-of-mind topic that we get. Whether you’re talking about sustainability, ESG, diversity, equity, inclusion, every single time you have any of those conversations, third-party risk comes into those conversations as well. So, I’m going to introduce you and ask you to come on screen. But first, there’s Bryan Littlefair, who’s the founder and CEO of Cambridge Cyber Advisers, also known as CCA. 25 years’ experience leading teams in information and cyber security. He specializes in advising executive teams and boards of some of the world’s largest organizations on their security strategy, as well as providing security consultancy, guidance and mentoring to the chief information security officer community. So, I’m really excited. He holds several patents as well in the information security space and is a regular keynote speaker at security events. Joining him today is Alastair Parr. And Alastair is not going to be coming on screen today. And so Alastair is going to be that mystery voice behind the screen, but he’s responsible for ensuring that the demands in the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders and was responsible for and instrumental in defining products and services. He has 12 years of experience in product management, consultancy, and operational deliverables. Earlier in his career, he also served as the operations director for global managed service provider IntelliScure, where he was responsible for overseeing effective data protection and risk management programs for their clients. So, didn’t I tell you these are two of the most amazing executives we could get in here today?
So, Bryan, welcome on screen and Alastair, welcome by voice.
Bryan Littlefair: Thank you very much.
Alastair Parr: Thank you, Dawn. And hello, Bryan.
Bryan Littlefair: Hey, Alastair. Right, so hello everyone. As has been introduced, my name is Bryan Littlefair. So it’s great to be able to spend this time with you. And both Alastair and myself are joining you from the other side of the pond, so to say. So we’re both dialing in from the UK. And I’ve been a senior security leader for some pretty large multinational organizations. And one of the things I quite often observe, whether in companies that I’ve worked in or am now consulting for, is I still see this gap between the security teams and the procurement function. And my whole pitch today is about how we can close that gap down. And hopefully I’ll outline some of the benefits, and Alastair is going to complement that with his experience as well. So if we move on to the next slide, we can talk about setting the scene, which I think is really important. And we can’t avoid the COVID-19 pandemic that we find ourselves in today, but COVID-19 has really changed the world of a chief information security officer. The policies for a pandemic flu have always been a staple part of their policy suite. But no one actually expected them to be invoked, and even if they were invoked, they were intended and written for a very short period of time. Nothing like the duration that we’re seeing at the moment. So some of the things that they had to do: they had to rapidly change, you know, how data is flowing around an organization. They had to turn, you know, very interim risk acceptances that they thought would only be for a few weeks into, you know, 6 months, a year, 18 months, and actually it’s looking like some of them are going to be permanent going forward. The policies and standards, which are typically the lifeblood of a security organization, dictate to the business how they need to operate to remain secure. Well, a lot of them just weren’t relevant anymore in the situation we were finding ourselves in.
So, actually, as a security function, their world pretty much turned upside down. And organizations had to react. They had to react to survive.
Bryan Littlefair: And, you know, some did a very good job of it and they’re still around, but others, you know, just couldn’t change quickly enough and that’s really impacted their business. And what we’re seeing now is an industrialization of some of those temporary measures that had to be put in place. They’re actually having to be made permanent. We were just discussing in the plenary room before coming onto the call with all of you that, you know, some organizations are being very flexible strategically with where their staff work, others want them back in the office, and really it’s the job of the security function to knit all of those different working styles and arrangements together and deliver some form of secure working. But I still think there’s a very close relationship with the procurement function that can really help drive this forward. But to compound COVID-19, there’s another dynamic at play. We’ve seen an absolutely unprecedented rise in security attacks on organizations of all shapes and sizes around the globe. So whether you’re in the US or the UK, whether it’s the NSA or the National Cyber Security Centre here in the UK, they’re all sending out guidance to their enterprise and business colleagues to actually say, “We are under attack. You are under attack, and we need to shore up our security”. And that supply chain is one of the most viable attack vectors into any organization. A large global organization might have 2,000, 3,000, 5,000 suppliers that it’s managing, and several of those suppliers might be connected onto their network permanently with trusted employees.
So when you’re actually a hacker or an attacker, you can actually try and compromise the parent organization, but in some ways, shapes and forms, it’s going to be a lot easier to get into that organization via its supply chain, via some of those smaller companies that it trusts that don’t spend as much on security as that parent organization. So some organizations are actually getting targeted because they’re heavily connected and interconnected with other organizations. We see that coming through from our threat intelligence.
Bryan Littlefair: So, if we put these two things together, the COVID-19 pandemic and then this unprecedented level of attacks that we’re seeing, it’s pretty much the perfect storm. There’s massive change, there’s massive disruption, compounded by those attacks that are coming in from all angles. And really, we just can’t ignore that. We have to orchestrate change. We have to be able to react accordingly. And actually, we have to expect our supply chain to step up and start to implement security controls like what we’d expect to see in our parent organization, and that’s what I see really changing going forward. So if we move on to the next slide, using that as context we can see why organizations are nervous about risk from the supply chain, and it’s one of the most frequent conversations that I have with companies because it’s a really difficult risk to manage. You’re trying to understand the security status of many thousands of your suppliers, and how does that impact you if they have an issue? You know, if they have a security challenge in their organization, what is the downstream effect on you as a parent organization? Can you still deliver your services and products to your customers? And it’s actually a lot more than, you know, pure third party. It’s fourth party, fifth party, depending on your sector. We often call it third-party risk, but we all know that some of our suppliers sub out the work that we give to them. So actually it’s trickling down and creating an ever more complex picture. And we really need to understand how we can get ahead of that curve and, you know, use innovative tools and capabilities to help number crunch all of that data and present us a really clear picture of what our risk exposure is. And regulators and governments have watched this situation unfold. They’ve noticed the rise in security events and incidents.
They’ve seen big and small organizations alike compromised by their supply chain.
Bryan Littlefair: And they’re actually starting to really regulate around, you know, here’s our expectations, here’s what we need you to do, and being very prescriptive around what an organization has to put in place so that they can effectively manage that risk from the supply chain. But if you’re not in a heavily regulated industry, if you’re not in health or in finance for example, where the regulator puts a lot of pressure on you, but you can use it as a really good leverage tool to actually enact a program like this. What happens if you’re just in a normal siloed function that isn’t imposed on by the regulators and you still have to do this, because obviously it carries a cost? It can be complex to implement depending on the complexity of your organization, but ultimately it comes down to just doing the right thing. Your customers entrust you with data, and ultimately that’s the target of any attack. So I think that organizations have a personal accountability to do what they can to protect that data, and that means protecting the supply chain as well. But many companies have been managing third-party risk for a long time. Certainly aspects of it have always been done within procurement as well. And that’s where we’re going to focus the time of the rest of the conversation. How do we tap into that procurement knowledge, which obviously I know all of you on the call have, and how do we leverage that within the security messaging? And obviously it’s up to you guys and girls to actually take this messaging back to your security teams and say, “Hey, I had this fantastic conversation and, you know, we’ve got a lot of common interest and we should be working closer together.” And if we can achieve that outcome and goal, then it’s all for the greater good. And I think very few organizations would confidently claim that they’re 100% confident that the supply chain doesn’t present any risk to them. It doesn’t matter what tool or what process you’re running.
There’s always the unknown and something can always happen. So, we’re not really going to get a, you know, a good clear understanding of that going forward. But you can significantly reduce that exposure.
Bryan Littlefair: And what we need to do is we need to move away from Microsoft Excel. So, this isn’t a dig at Microsoft. Microsoft Excel is a great platform. It’s a great tool, but it’s not for managing third-party risk. And I see it used time and time again where big spreadsheets are produced. It can’t do the analysis. It can’t inject the threat lens that is becoming really, really important now. It’s not designed to manage third-party risk. So, if you’re using Excel to do this within your organization today, hopefully we can present and show you that there’s a different way to handle this issue and challenge. Alastair, anything to add on that slide?
Host/Moderator: So, Bryan, we just launched the poll. So, folks, if you could go to the front screen, it says, “Are you looking to augment or establish a third-party risk program in the coming months? Yes, no, or I’m not sure”. If you could click on one of those and submit, you know, give us an idea of how many of you have a program, are looking at a program, or maybe we have a few of you who don’t think this is a big risk area. You never know. But Bryan, you’re absolutely spot on on knowing your third parties, your fourth parties, your fifth parties. I had a CPO event yesterday and we had about, I know, 35 CPOs. They cannot identify their fourth parties.
Bryan Littlefair: Yeah.
Host/Moderator: And the suppliers don’t want to share who their suppliers are. And so that is a huge gap and a huge amount of risk. So as soon as the results come up, we will populate those and let you all see them. And then I’m going to go back off camera and hand it back over to you, Bryan.
Alastair Parr: Great. Thank you, D. We’ll come back to that in just a moment. It’s interesting, Bryan, because we’ve seen something very similar. So, with the advent of COVID, and we appreciate that’s affected everybody over the last 18 months or so, there’s been a significant emphasis on supply chain resilience, broadly speaking. Now, it’s lured a lot of the CISOs we’ve spoken to into a false sense of security, as they assume the third-party chain is being managed effectively either by procurement or by infosec downstream. But the reality is resilience is, as you’ve highlighted, just a small component of the broader picture. As much as we’re understanding if there’s some degree of business resilience in relation to COVID and disaster recovery specifically, it doesn’t touch on some of the broader elements that I think you’ve been insinuating and referencing. So the infosec components, the supplementary data that you can get to help illuminate gaps, contextual information, etc. A lot of that has been somewhat left in the ether compared to this resilience focus, and the CISOs are there assuming these third-party programs are robust and mature because they’re getting all this data in, but it’s not truly reflective of their risk posture. So to go for this, we very much recommend and strongly suggest that all the components of your third-party program are being considered beyond just resilience as a current hot topic.
Bryan Littlefair: Great. Thanks Alastair. So looking on the next slide, you know, it’s fairly common in the clients that I see, and I see it a lot, to observe that the third-party risk team and the procurement teams run separate and distinct processes. Now, that might be right, and I’m certainly not advocating that they need to use all of the same platforms and tools for everything that they do, because security teams are going to have tools that the procurement teams don’t have to interact with and vice versa. But these two processes are operated by different teams, of course, running different tools, different processes. They deliver a different risk lens on suppliers up the management chain. And that’s what I have a problem with, you know, that message on the risk profile of a supplier to the parent organization needs to be harmonized. So if the procurement team are doing some analysis on suppliers and the security team are doing analysis on suppliers, that should arrive at a common data set. What you can’t have is the security team having a perspective that supplier X is inherently risky but the procurement team thinking they’re okay, because this just confuses both the internal stakeholder and it confuses the supplier, because, you know, the procurement team are saying yep, we’re good to go with you, and the security team are thinking, well, actually, we’ve got a bit of a challenge with this supplier. So, you’ve got the same company potentially going to the same supplier by two different routes, and never the twain shall meet. And that might sound obscure and you might think it doesn’t happen. I see it all the time. So, you know, what I’m advocating is we produce a single lens on suppliers, whether it’s third party and going down to the fourth and fifth party as we’re discussing today. That’s really important as well with all the resource and budget challenges that organizations are facing, and that hits both the procurement team and the security team.
There’s no point doubling up the effort on this. You know, it’s around how do we converge and tap into that experience that’s sitting more broadly in the organization, because we’re all trying to get the same outcome, right? We’re trying to understand how risky is this supplier to us and, you know, understand the suppliers better and understand, you know, are they potentially going to have an issue? Are they good at security? Are they bad at security? I think that’s what it fundamentally boils down to. And, you know, if you have to use this supplier because they’re niche, but if something goes wrong, how are you going to put some business continuity in place so you can roll to another supplier or you can back up that service that comes into your parent company? So, these are all vital questions that I think these three teams, whether it’s your security team and your procurement team definitely, but if you’re a larger organization, you’ll have a risk team as well. And it’s about converging those views to get that common lens going forward. And Alastair, if you can just move on to the next slide, then I’ll just discuss this and then bring you in. What I’m starting to see emerging, but it’s in the larger organizations in regulated sectors, and actually larger organizations that are unregulated, in my personal view, in what I experience in my client base, are a little bit behind the curve and trying to catch up with this view. But I see organizations that have embraced the objective of trying to get effective and holistic risk management.
They’ve already identified that there’s more than one team within the organization that can contribute to getting that holistic view, and what I’m certainly advocating to my clients that I speak to is that, you know, that alignment with the procurement team, that we identify the common and shared objectives that very clearly exist between the two teams and provide that single view of the supplier for internal consumption, because you don’t want that distinct and different messaging going up the supply chain. What this enables is obviously those internal decisions that are evaluating and weighing up whether that supplier remains, is changed, gets more business, gets less business, etc. That’s all done on an aligned risk position, not differing data sets. So Alastair, have you got anything to add on that?
Alastair Parr: Yes, Bryan. No, very interesting. So again, something that we see quite often as part of that divergence is driven by the fact that each of these teams are consuming very similar data, but the level of detail that they need varies for each of the data sets. So you have the procurement teams focusing more heavily on some of the compliance aspects, ESG of course, anti-bribery, corruption, modern slavery, etc. And then the security team naturally diving into more information around their cyber posture, etc. Now, they’re still tapping from the same sources, but the level of detail each of them need from their respective work streams differs, and that’s a key driver of what we’ve seen some of this divergence relate to. But something we’ve seen working quite well, and it ties in exactly with what you’re saying with the common objectives and the alignment, is that convergence of building that centralized data set, but providing the means and mechanisms for each of those respective teams to consume just the right level of detail that they need for them to drive their business function. That way they don’t feel like they’re wading through treacle in order to extrapolate what they need, and that’s a real art. So that’s the problem we’re seeing a lot of people trying to solve at the moment: converging that data set by all means, but then also enabling people to extract the right level of detail from that converged data set. So it’s very interesting.
Bryan Littlefair: Good. No, I completely agree. Okay, I want to share with you a slide, and, you know, this is what I show security professionals just so you get a sense of the messaging that I’m telling CISOs. You know, I get to mentor a fair few of them. I get to talk at a lot of security conferences and, you know, I try to be a little bit provocative and actually challenge the status quo so that we can actually drive and enact change, because there’s a lot of things that aren’t where they need to be from a security perspective. So hopefully you’ll get the messaging. But if we look at some of the primary objectives that we’re trying to deliver here, you know, the procurement and the security team should be your new best friend. You know, the objectives that I see coming out of a procurement function in a typical large multinational organization are very aligned to that of a security function. You can see in terms of, you know, what they’re actually trying to do and what they’re trying to actually drive. So pace, for example: procurement, as you all know, want to go fast. They can’t afford to stifle that business agility by long drawn-out processes. Third-party risk, you know, can’t be one of those decisions that take too long to actually decide, but actually it’s a fairly juggernaut process in a lot of organizations that we see, and it can be incredibly slow to find the information on the risk a particular supplier presents, and in a lot of cases we see, you know, transactions and workflows going to suppliers before the assessment processes are finally concluded.
Bryan Littlefair: So actually we’re taking on board a supplier that we don’t know the risk that they present to us, and we see some organizations taking 90, 100, 120 days to conclude that decision-making process on a particular supplier. And it really depends on, you know, where you are in terms of your maturity in this space, and actually, as I said before, whether you’re running an Excel questionnaire-based process or you’ve invested in a capable tool. Obviously I’m going to have to pitch Prevalent here because it’s a great platform, but, you know, being near real time and actually being prepopulated with a lot of the information that you’re going to want to know in your questionnaires anyway, but then equally bringing in that open-source intelligence, as security professionals call it, and that threat lens, so that if one of your suppliers has a major issue you actually get notified of it and you can start to understand the impact of it at the same time it’s on the news. Your Excel-based processes can’t do that. So, you know, what we need to do is move from a very legacy, long, juggernaut-duration process into a cloud-based, near real-time one, capable of actually getting that information on suppliers very, very quickly. So what we don’t want to do as security professionals is slow down any of the procurement teams. We don’t want to slow down the process, etc. We’re very interested in pace. So you, as security professionals, are very interested in obviously concluding the deal. We’re very interested in analyzing the risk from that deal and getting data that supports you in getting to that information as quickly as possible as well. Financial governance, you know, you procurement professionals want to centralize that spend with as few suppliers as possible, because obviously you get to leverage that. You know, you’re a bigger fish with that supplier and that means you get to influence maybe their product direction, depending on the size of the organization.
So, it’s about centralizing that spend into as few domains as possible. Security professionals love that, right? Complexity is the enemy of security.
Bryan Littlefair: If something is simple, if it’s using as few players in the game as possible, then we can design a security model that protects around that. If it’s, you know, several thousand suppliers and that’s all subbed down into a very complex world, you can understand assessing the risk can be quite a challenge in that area. So that consolidation of vendors, that financial governance that goes across the board, that’s another major driver and objective that we all share. And then there’s the global coverage. So from a coverage and a geographic perspective, you know, the vendor nuances are always there. And one of the challenges that I always see in large global multinational organizations is that a particular vendor or supplier might be a small fish to the UK but they might be huge to the Indian business, and if you’re using an Excel-based process, you know, getting that correlation and actually understanding that this supplier might be small to us over here but actually we need to know that they’re massive to our Indian business, and being able to ensure that they get the right assessments, that the right risk etc. is done on top of them. So we all want to work globally. The security team wants to know about every supplier. There doesn’t want to be any holes. They want to be able to tier them and understand, you know, everyone that supplies, you know, the major data centers down to the people that supply the toilet rolls for the bathrooms. We might not spend as much time with each of those suppliers because they present a different risk profile, but we want to know about each and every one of them. So, we share that common objective that we want a global approach. We want to know about it. So, that’s another key thing that we knit together. And then there’s the whole knowledge sharing piece.
So sharing is a challenging word for security professionals, because, you know, we like to think that we’re working on something really secretive and we can’t share it, etc. So we’re coming to the sharing game late, I think, but, you know, certainly procurement professionals have been there a lot longer than security, and you’ve been working with suppliers a lot longer than security have been as well.
Bryan Littlefair: So you guys and girls have a lot of valuable knowledge that you can actually share with your security colleagues. You have those insights. You have your communities of interest very firmly established, like SIG, you know, knowledge sharing, collaboration, sharing best practice; all of these things where you glean this knowledge are really valuable to portray back into the security teams as well. And the other thing I call out is risk reduction. Obviously, I view security as risk. You know, you could easily be called the chief risk officer, and obviously we’re seeing a lot of trends where the security teams report into the CRO and the risk function as well. Security is all about managing risk. You have a seesaw in front of you. You either take it that way or that way depending on, you know, the controls or the technology or the people that you employ, but ultimately you’re trying to get on the right side of that risk discussion. You know, and procurement aren’t just there to get the lowest price. You know, the old mantra: you buy it cheap, you pay twice. You know, risk plays a really key role in you achieving your objectives as well. So, we can align on those risk outcomes. What are your objectives when it comes to risk? Here’s our objectives when it comes to risk. We can put those weightings into the RFP processes, etc. And we can get those lenses back from our suppliers and we can feed that into our enterprise risk channels, and we can have a lot more enriched views on the suppliers that we’re actually using. Then it comes down to, you know, quality processes and procedures. Every procurement function that I’ve seen in a larger organization, it’s a very tight ship. There’s a lot of accountability within procurement, there’s a lot of responsibility within procurement. You know, typically all global spend is centralized under their remit.
Therefore, mapping our security requirements as a security professional into that process is a really good thing to do. You know, you run a very tight ship.
Bryan Littlefair: You know, the processes and procedures that you follow, the expectations you have on the suppliers that you work with, you know, it’s best practice to inject not thousands but, you know, the basic levels of security control that we’re expecting our suppliers to adhere to, so that they know upfront this organization takes security seriously. If we work with this organization, there’s going to be expectations that we do security properly. They recognize that the supplier presents a risk to them and they want to make sure that the right things are being done. So I think that collaboration around that space is really, really important as well, from a security but equally from a procurement perspective as well. I think there’s significant advantages to be gained by the chief procurement officer and the chief security officer, and the teams below them, and then the people actually on the ground doing the day-to-day job, to recognize this synergy and start to collaborate a lot better than I see on a day-to-day basis. Anything to add?
Alastair Parr: Yes, I love this slide. Thank you, Bryan. So, there’s a few things I always think about when I see this and I hear about the synergies that you’re referring to. Procurement has the enviable position of being able to negotiate with ires usually, and quite often when you get to the information security teams later downstream, it’s post-contract selection to some extent, and you’re playing catch-up when you get a list from procurement of third parties to deal with. So it’s invaluable having that access and interaction and that synergy with procurement at the forefront of that contractual negotiation and engagement. So all the best programs that we’ve seen leverage, of course, everything that you have on the slide, but also that involvement at the contract definition stage, to make sure that information security is at the forefront of the mind and a key contractual obligation as part of anything that’s being negotiated, and that’s very, very valuable. The other
Bryan Littlefair: Sorry.
Alastair Parr: No.
Bryan Littlefair: I was just going to say on that contractual point, you know, I see lots of organizations where it’s not present at the moment and they’re trying to obviously retrofit those into those contracts, but, you know, it’s not the end of the world, but, you know, it needs factoring in that when we’re renewing with this client, you know, these controls need embedding in as well. But, you know, so many contracts exist out there sadly without the security requirements built in, and that’s a bit of an exposure at the moment, right?
Alastair Parr: Absolutely. And the other thing I’d second on that is the context, and I think you’ve touched on it definitely in this slide as well, but the context that you can capture through that procurement process: understanding why are we using a supplier, what’s the advantage, as you highlighted, are we buying them for any particular territory, for India, for APAC, etc. This is all useful information that helps to drive effective contextual interpretation of risks downstream. So making sure that we can capture that information up front is a great, valuable tool from that synergy.
Brian Littlefair: Yeah. Yeah. Okay. So, moving on to the next slide. Let me talk about three of the common mistakes that I see materializing in reality. And you know, I’ve got a slide on each of these, so I’m just going to highlight them and then we’ll kind of move on. But the first one is what I call the security silo. And you know, security teams need the procurement teams and other teams within the organization to break out of this silo. You know, I don’t support the security silo at all. If your security team is sitting behind speed gates or, you know, big glass windows, and they’re not contactable or approachable by the broader organization, that is absolutely the wrong thing to be doing. You know, the security teams need to be outside of the speed gates and need to be embedded into the broader functions. And we’ll talk about that in a little minute. And then there’s the, you know, the not-invented-here approach: you know, security didn’t think about it, it’s not the right thing to do. So, I do see this presenting a lot, and this is where I like to challenge security teams and be a little bit provocative as well. You know, they’re not tapping into and leveraging that broader talent, like procurement, that exists in the broader area of the business. But that is to the detriment of the company and that needs to be resolved as well. And then there’s, you know, using security reasons for keeping other relevant stakeholders off security tools. And you know, there are some fairly sensitive security tools. You know, there are tools that can read everyone’s email if you’ve got the right access and permissions to do it. So, you can’t share all of the security tools, but you know, third party risk is something that should be shared around the organization, and we, the security teams, need to get comfortable with doing that as well. So, let’s spend a little bit of time on these points.
So, if you move on to the next slide, I personally think the power of an effective third party risk program is knowledge sharing and dissemination out into the business. And you know, there are two things I advocate for this: there’s the third party risk and then there’s the threat intelligence. You know, if you’ve got these really enriched data sets that are really important to the broader business but they’re kept within a single team, you know, the value is really eroded. You know, if you think about some of these organizations that have been hacked, they’ve had the right security tool in place and all of the lights and bells might be going off, but if there’s no one actually there to drive that information into the organization, then there are going to be problems. So this information is gleaned, it’s analyzed, it’s segmented, it’s categorized, you know, it’s related back to the business. So it needs to be shared. So I am a huge advocate of embedding security into the business, and you know, third party risk is a great exemplar process to actually achieve this, working with procurement and working with others, whether it’s the risk function or the broader business, and actually embedding your team into their facility. So you know, procurement sometimes, certainly in Europe, might be centralized in some countries that have a lower tax bracket, for example. So you might find that your entire procurement function is in Ireland or your entire procurement function is in Luxembourg, regardless of where you are, and actually there’s a fair few US companies based there as well. It’s not just us Europeans that do that. But what that actually means is you might have a procurement function that’s separate to the mothership, and you know, you’ve still got to tap into that. It’s no use just communicating over email and trying to forge relationships over video conference, etc.
So I see the more mature approach is recognizing that the business has made a decision to base the main body of its procurement function in that area, or even in the US, you know, it might be in a different state or it might be somewhere else, etc. But then the security team needs to base people with those people, you know, if we’re talking about collaboration, if we’re talking about sharing, if we’re talking about objectives. Then when the security team is recruiting, it needs to recognize that some of its team that are specializing in this area need to be collocated wherever the, you know, the procurement function is. So it’s about knocking down the walls, whether physical or virtual, that exist between the teams and actually linking them together in the same location, so that they can build those interpersonal relationships. They can share the information that is, you know, vital between the two areas and actually start to build a common objective pool going forward. So, you know, break down the silo, integrate, and embed. That’s certainly what I’m saying. Alistair, anything to add on that one?
Alistair Parr: No, I think that’s absolutely spot on. Thank you.
Brian Littlefair: Cool. Right. So, on to the next one. You know, I really like this one. So, security teams, they absolutely need to recognize that they are only part of the broader puzzle around risk and governance. All too often, security teams think they are the be-all and end-all and they own the full risk lens, the full risk picture. That is absolutely not true, and you only have to look at the, you know, the very top risk register of an organization, typically, you know, 10 or 12 strategic risks that can absolutely topple that company, and it’s different depending on the organization, its sector, etc. So it is completely different, and it’s fairly common to see, you know, two, maybe three security things on that risk register, but it certainly doesn’t own them all. So risk is broader than just the security team, and there are some other very big players within the typical organizational construct that we see, and if we’re not tapping into that and leveraging that expertise and knowledge, then in my view we just quite simply don’t have the holistic view of risk that we’re all trying to achieve. It’s that simple. So the power of collaboration, the power of knowledge sharing, goes beyond our internal collaboration tools. You can’t achieve that over Lync and Zoom and, you know, whatever collaboration tool you’re actually using internally. But you know, formalizing those relationships, formalizing those common approaches and actually embedding them within business processes is certainly what I try to achieve. And when I was, you know, a global chief information security officer and I sat down with my equivalent in the procurement teams, what I recognized is there was such a significant overlap as we explored, you know, our various different remits, and actually procurement teams can make the CISO’s job a lot easier.
You know, as we’ve just been discussing, you can mandate that there are required stage gates within the processes that you run that have to have some form of security approval to proceed, because, you know, the security teams can help with anti-money laundering. They can, you know, find out who actually owns companies and do the due diligence on acquisitions, and these are all things that we can collaborate and work on. But actually, from a supplier perspective, you know, getting those assessments done and that risk decision done very, very quickly, we both share that common objective. So what I’m ultimately saying is we all have to identify, you know, all the areas within your individual business that can complement both the procurement and the security process that we’re both trying to drive as quickly, as cleanly, and as efficiently as possible. And actually, only then can you get all of those puzzle pieces together to make the full jigsaw within your organization from a risk perspective.
Brian Littlefair: Okay, Alistair. And if you just move on, create the single pane of glass. I call this the holy grail. You know, from an organizational perspective, it’s the one thing that lots of people are actually aiming towards but few rarely achieve. I see lots of new tools coming into organizations; I don’t see as many old tools leaving. So ultimately what we’re doing is we’re adding to that complexity picture, and I think what we do need to do is, you know, work together as a procurement, risk and security function and actually decide upon, you know, how can we get to this single pane of glass that gives us the right focus on achieving that common strategic objective to get that single risk lens on a supplier. It can certainly be done, and I think the benefits are clear, and I have seen it done very well, but I’ve also seen it done very poorly. But you know, the business needs a very clear guiding light from both of these teams on who they can and can’t work with. Security is one of the major players. Procurement is one of the major players, but there are several others that should be involved as well.
And I think that shared knowledge pool, that data lake if you like, we’re very used to talking about data lakes in IT and technology, but this is a knowledge lake, if you like, or whatever your internal vernacular might be and your acronyms, you know, that’s what we’re trying to actually achieve. And then the challenge is there might be, you know, many different tools in play. Security tooling isn’t going to meet all of the procurement team’s objectives, and the procurement technology isn’t going to meet all of the security team’s objectives, but the underlying risk data, as I’ve said before, you know, that is used as a business decision platform, so we need to get that common view, that common lens, and I think that’s what’s missing in a lot of organizations. And I think certainly some of you on the call, if you actually reflect back into your own companies and think, you know, from a procurement perspective, do we have a completely aligned view with our security functions on the risk of individual suppliers? I imagine some of you will and I imagine some of you won’t, but those of you that don’t need to start that transition to understand how you can actually achieve that. And then if we look at the next slide, you know, aligning on metrics and reporting is absolutely always important. It’s how we communicate and disseminate knowledge to the broader business and those relevant stakeholders. I like to call them meaningful metrics, and I think they’re really important here. And I think that certainly in security functions, and you know, I’m less conversant on all the metrics that are flowing out of a procurement function, but security functions have a typical approach to produce very complex, very technical metrics. And you almost have to be a security professional to diagnose whether this metric should be going up or down, whether it should be going left or right, whether green is good or green is bad, etc.
So, we need to remove the complexity from the messaging that we’re sending into the business. And I think, you know, both procurement and third party risk, if you boil everything down, what both teams are actually doing, you’re left with vendor performance management and risk reduction, which we’ll get onto on the next slide. These are pretty much single metrics. You know, there’s a lot of data behind them, but actually they’re very clear metrics going into the business, and at a glance you can actually see if there are any issues, and you might want a deeper dive. But it’s actually understanding how we can simplify and clarify that message from a metrics perspective, and I think, you know, jointly and collaboratively we should be focusing on delivering these very high level insights, you know, wherever possible using the same tools, like Prevalent, for example. And they can really help with analyzing and number crunching and producing a very clear view of, actually, you know, this supplier’s threat profile has changed, you need to take a look at that. And again, Excel spreadsheets can’t really do that for you, so that’s really important as well. Alistair, anything to add on metrics?
Alistair Parr: Yeah, it’s certainly interesting. So it ties to some of the observations you had previously, which is the challenge with some of these metrics is that we’re trying to get quality on third party data at volume, and that’s very difficult. You know, there are not over-staffed procurement teams or infosec teams, so trying to get that quality at volume is driven by contextual and proportionate risk management, making sure you’ve got the breadth and depth across the supply chain. It’s very problematic. So, I always find it very interesting when people talk about metrics and reporting broadly speaking, and also that single pane of glass, is that you’re not going to be able to get a coherent view and cohesive view of your third party estate unless you have got that single pane of glass you referred to earlier on, and you’ve got that synchronicity really between both procurement and infosec to have all the facts necessary to make a determination, and you then in turn, of course, reduce risk.
Brian Littlefair: Yeah, it’s very interesting. I completely agree. So, like you just said, reduce risk. So, you know, the next slide, you know, it’s all about reducing risk. I mean, that’s fundamentally what, you know, I think security teams and procurement teams share: you know, you’re trying to de-risk the supply chain, we’re trying to de-risk the supply chain. You know, some of the metrics and drivers and tools that we use, in terms of you’re trying to leverage costs, we’re trying to leverage security. So we recognize that there are differences, but reducing risk is obviously the priority that we share between the two teams, and risk is the universal business language across all the departments. You know, risk exists in HR, sales, finance; at some level we’re all accountable for managing risk. So in this context of, you know, third party risk and procurement, some of the key areas I’ve kind of pulled out that we should focus on are mapped out on this slide, and I’m not going to go through all of them because there are a lot of them, but, you know, I’ll highlight a few. So, mapping the global supply chain. I can’t emphasize this enough. We’ve touched on it a little bit. But as a procurement function, I imagine you share the view of a security professional, that is, you know, you want to understand where every dollar, every pound, every euro from your organization is being spent and whether you’re getting maximum benefit from that cost, i.e. do you centralize that cost down on a few suppliers to get that better leverage. From a security perspective, it’s really critical that we know every single supplier that is, you know, connected to our company from a financial perspective, a logical perspective or a physical perspective. Have they got staff coming into our premises, etc.? You know, a security professional needs to know all of those things to discharge their accountability and, fundamentally, to do their job well. So, we need to know about everyone.
That’s really, really important. It needs to be ongoing and it needs to be real time. And you know, that real time perspective is where organizations struggle. And I imagine if some of you on the call went back to your companies and said, “Look, if we pick a particular supplier and we focus on them, you know, how near real time are we on changes, fundamental changes within their organization that might impact the security or the relationship with us?” You know, do we find out about it quickly? Do we find out about it in, you know, a monthly touch point? Do we find out about it at a quarterly business review? Do we find out about it every six months? Do we find out about it annually? And obviously that’s going to change depending on the importance of that supplier to you, because you can’t sit down with every supplier every month. So it depends on the criticality of that organization to you. But the game changer is tools like Prevalent that, you know, already have this information mapped within their platform. They can present that back to you. You don’t have to go and hunt it. You don’t have to come and find it. It comes through as an alert to the right people within the right teams and actually says, “Hey, something’s shifted. You need to take a look at this and understand the potential impact on you and your organization going forward.” And I think that is the drastic shift from security teams and procurement teams having to go out to fact-find, to the facts coming in to you and your organization. So that time lag and that delay is drastically reduced. The risk window is reduced. So, you know, moving your processes forward and maturing them as the organization matures in general, but focusing on getting as near real time as possible, so that both functions and teams have that near real-time view of the risk going forward. So that’s really, really important. We all need to be able to react to global events.
You know, there have been a few events recently which, you know, have really impacted some things. Think about the Suez Canal being blocked. Think about there was a shortage in microchip supplies coming out of China and Japan and Korea, where typically they’re produced. There’s obviously been a large impact on suppliers in different geographies due to the COVID pandemic, etc. And certainly over in Europe we’re having issues in the UK at the moment with some of our typical products that we’d expect to see on our supermarket shelves, like beer, being noticeably absent because, you know, we haven’t got enough truck drivers, because we’ve decided to reduce the number of people that can come into our country from Europe. So all of these things have an impact on some organizations, depending on the sector that you’re in. But how effectively have they been planned out? How effectively have you, you know, worked through the likelihood of this occurring, and, you know, how do you mitigate that risk or deviate that risk, how do you keep having those business continuity discussions? So the focus, in my opinion, has to be, even though I’ve mentioned it hundreds of times in this thing, to move away from supplier and move towards partner, getting those strategic relationships in place with your key, I’m going to say it again, suppliers. But you know, getting into that, you know, we understand you, you understand us, you know, you’re critically important to us, we need to understand what’s going on within your business and anything that potentially might impact that. So, getting that very close-knit community with your supply chain is the ultimate goal. And obviously in a large global organization, you can’t do that with all of your suppliers, but you certainly can with your strategic partners. Alistair, anything to add on that one?
Alistair Parr: Yeah, there’s something you said that really resonated with me, which is about the fact that proportionate risk management and proportionate spend really are intrinsically aligned and they go hand in hand. And we certainly always see that, even taking the example of concentration risk. Certainly from a risk standpoint, you can see where there might be potential risks and impacts based on global events, etc., which is very, very meaningful, but equally so from a spend and analytic standpoint, where you have concentration you might get risk reductions, etc. They’re aligned, but there are certain situations where they may not necessarily complement each other. So it’s always interesting seeing where companies find this healthy middle ground really between reducing cost by increasing spend and then offsetting that concentration risk. So it’s an interesting topic.
Brian Littlefair: Good. So, I have a slide here that I just use to wrap up, but you know, I’ve summarized enough on the last few slides, I think, and I want to move on to Alistair to give you a quick overview of, you know, the Prevalent platform. So, Alistair, over to you.
Alistair Parr: Thank you very much, Brian. So, we’ve obviously talked about a lot of interesting things today, and it’s been very insightful for me, Brian. Thank you for that. But the way Prevalent approaches and addresses these particular issues is that we understand that there needs to be this cohesion between the respective teams, and that third party risk management is a broader life cycle. So as you see, at the very start there, where you’ve got the sourcing and selection process, the intake and onboarding process, where you have procurement driving some of these actions, and then it starts feeding into the ongoing risk management lenses: inherent risk management, assessing, remediating, ongoing monitoring data over points in time, conducting validation exercises, and then through to broader performance management of third parties, measuring SLAs, etc., and then finally offboarding at the end of the contract term. There’s a full life cycle of third party risk management and, broadly speaking, third party management that has multiple parties with an invested sense of what they have to do. And the way that Prevalent likes to approach this is we tend to split it between people, technology and processes to help drive that moving forwards.
So using the core technology itself, the Prevalent platform, the SaaS platform itself, we can accelerate and streamline, as you rightly highlighted, Brian, whether you have those efficiencies by leveraging and tapping into intelligence networks, whether that’s pre-completed assessments or broader monitoring feeds and data to help you select and source up front, through to the detailed, focused risk management platform, where you can use some of these monitoring insights in conjunction with assessments to drive remediation, track and audit any validations that you’ve been doing, track SLAs, etc., and provide that single pane of glass. And that really becomes the backbone of a good, effective program: having something that can support and facilitate that entire life cycle. Of course, people need support in order to do that, in order to drive it, whether it’s internally through your own teams or, of course, we can support you using our managed service teams. So that’s a case of collecting data, onboarding, conducting analysis, driving risk remediation and doing validation exercises. There’s a host of teams available there who are doing it at scale, so dealing with vendors globally across the board and understanding the nuances, and with those we can certainly offset and support you in driving some of the challenges that you face, for even a subset of those areas. Now, a good program, we see, obviously incorporates program management and program design. So something that we’re strongly focused on is that professional services element: to understand how mature is the program from a procurement lens, from an infosec lens, helping define and refine that, building things like third party policies, which is something that’s interestingly often overlooked and involves multiple parties, procurement and legal, etc., in that workflow, through to optimizing whatever’s in place and then driving success through that and making sure it’s a truly cohesive program end to end.
So when we actually look at that, as in who’s actually getting some tangible benefits from this, the life cycle itself has multiple participants, as I said. You know, you’ve got the business itself, you’ve got procurement, you’ve got IT sec, risk, vendor management, legal, compliance. There are multiple teams who have a vested interest in making this all work. And the workflow that we follow is focused on trying to provide benefits to each of those, so they have a vested interest in driving that program. It’s about offering them something of value so that they interact and then drive that process forward. And then finally, when we actually start looking at what the Prevalent TPRM process is, it’s fundamentally smart, unified, and prescriptive. We try and prioritize risk in the right way. We try and make the information that we collect contextual and comprehensive enough so that each team has some advantage and value, and then ultimately make it prescriptive so we can be consistent with our risk ratings, so we can be consistent with our remediation plans and our workflows. The platform itself and the methodologies we follow mean that we want to try and take the quality that we’re building in these silos of teams, making it a single pane of glass and making it repeatable. So as people move around and situations change, we can be consistent in our tracking methodologies. So, we have a couple of minutes left, so we’ll just take a few questions. If you do have any questions, please feel free to ask away in the Q&A section. But I do have one question that’s coming through and I’ll present it to you, Brian, if I may. So, the first question I’ve got here is: CPOs and CROs, how do we actually get them to talk to one another?
Brian Littlefair: Yeah, I mean, it’s a strange question, isn’t it? Because, you know, talk, grab a coffee, pick up the phone and things like that, but it doesn’t happen in large organizations and, you know, it doesn’t happen as much as it should do. But you know, hopefully today I’ve put across a bit of a case outlining, you know, risk is the common language, but there are a lot of shared objectives that both teams are trying to drive, and I don’t think, you know, certainly for some security people I’ve spoken to, it’s immediately apparent to them. So highlighting it and saying, look, we’ve got a lot in common, we share a lot of common objectives, we’re both trying to achieve the same thing, let’s have a conversation. But I’ve seen organizations go down the route of shared objectives between common areas. So maybe the CISO and the chief procurement officer do share a common objective. You know, people are sometimes motivated by the bonus payment or the performance at the end of the year. So I’m not a great fan of that personally, because I think, you know, the individuals are all grown-ups. We should recognize that we need to collaborate for the effective outcome of our, you know, our business, but equally our customers and our suppliers as well. So hopefully today there have been a few teasers which can be used for opening those conversations with the security function, and hopefully they’re receptive to it. Right. So,
Host/Moderator: Yeah. So, Brian, then one of the questions came in. They said, “We have a CISO, which is chief information security officer. We have a risk organization, and yet procurement’s told they’re responsible for third party risk. How do all three of those fit together?”
Brian Littlefair: Yeah, I mean, in a lot of companies actually, you know, I don’t think it really matters where the third party risk function actually is, you know, physically sited, but regardless of that, the triangle, you know, those three players remain the same. So, you know, in some organizations the CISO is responsible for third party risk, and in others the chief procurement officer, but in others the CRO, and I see that flavor mix a lot, but that triangle remains the same, right? It was on my second or third slide: procurement, security and risk. You know, those same conversations need to happen depending on who actually owns the accountability for delivering the program, right? But I think certainly from a procurement perspective, if you do own third party risk, then it’s more important to tap into those other people and those knowledge pools to make sure you’re getting the right outcome. Right.
Host/Moderator: Good. And then we’ve got time for just one quick question. It says, do you think the CISO and CRO feel that they are held to a stricter performance level than the CPO? Could this be a factor that keeps the risk side aloof and uncooperative, unfortunately?
Brian Littlefair: Yeah. No, I definitely think that may be the case for some organizations, but I think, you know, breaking down those barriers and those walls. You know, when I was in my first CISO position, I had, you know, a really nice big office with glass walls, and then I had my business manager sitting outside, and then there was a speed gate that only the security team could get through. So, people had to interact with me via a ticketing system or a phone call or email and things like that. And the first thing I did was rip down the speed gates and get everyone out of their offices. And I think that, you know, I’m a big fan of collaboration, and I’m hoping, and I’m positively seeing, that change in the security professionals and industry. But you know, a lot of security people come from the military, a lot of people come from the police force and those types of backgrounds. So work with them and help bring those qualities out of them, I think, is the guidance I would give. Right. So,
Host/Moderator: Okay, we are out of time, but Brian, we have had a request: if you could clone yourself, we’d like one of you over here and available to us at all times.
Brian Littlefair: Yeah. Okay. Yeah, not a problem. Happy to. Yeah.
Host/Moderator: So, Alistair and Brian, I want to thank you for today’s wonderful power hour. I love this topic. I am passionate about third party risk. So, I can’t thank Prevalent enough for bringing both the great speakers and the content, and I just want to thank all of you. Thank all of you for participating. We will be sending a link out to today’s webinar. It’ll include all the slides and the recording; share it widely across your organization, and it will also be housed in the SIG resource center for the next two years. So, at any point you can send your team to the SIG resource center and download and replay it. So, in the meantime, Brian, I know it’s late over there for you and Alistair. Have a wonderful evening. The rest of you have a great morning or afternoon. Alistair and Brian are geniuses. That also came through. So, that’s a good way for you to go off and maybe find a beer someplace and relax now.
Brian Littlefair: I have to find one in the shops. You know, supply chain issues. But anyway, thank you for everyone’s time, right?
Host/Moderator: Thank you everybody. Alistair, thank you.
Alistair Parr: Thank you. Cheers. Bye-bye. Bye. Bye.
Host/Moderator: Bye everyone.
©2026 Mitratech, Inc. All rights reserved.