Extracting Useful Metrics from the Mass of Third-Party Risk Data
Description
Teams often struggle to make sense of the enormous amount of data generated by managing a third-party risk program. There has to be a more efficient way than combing through a mountain of spreadsheets with static assessments and the endless stream of real-time threat data to inform the business of the most important supply chain risks.
Join Bryan Littlefair, CEO of Cambridge Cyber Advisers and former Global CISO of Vodafone Group and Aviva, to learn how to implement an efficient risk analysis approach based on “meaningful metrics”, using best-in-class products to support the goals of your third-party risk management program.
In this webinar you will learn:
- The three fundamental mistakes companies make when establishing and running their third-party risk management programs.
- Which metrics are the most useful and meaningful for your business.
- How to implement a holistic approach to risk management reporting that meets the needs of multiple stakeholders across the organization.
Watch this webinar to help your team turn risk data into actionable insight.
Speakers
Bryan Littlefair
CEO of Cambridge Cyber Advisers and former Global CISO of Vodafone Group and Aviva.
Transcript
Amanda: I see the numbers going up. Hello, everyone. Welcome. Welcome. Oh, it’s time. I see people coming in. Hello, everyone. Hello. I’m just the voice. We’re all voices today. And I’m going to put up a poll question while you wait. And that’s what we like to call it. Hello, while you wait. So, as you come in here, feel free to answer this question. Welcome. I’m Amanda, from Prevalent. I work in business development. I’m your host. We’re all off camera today, just like you. All right. Thank you for taking part in the poll. Yes, I’ll leave it open for a while. But, as I said before, I’m Amanda, from Prevalent. Thanks for joining. I see more people coming in, but today we’re going to talk about implementing an efficient third-party risk analysis approach based on meaningful metrics. You can’t see me, but I’m doing air quotes with my fingers. I hope you’re all doing well. I’m sure you’ve been here before, but I’m going to go over a couple of housekeeping items. Your microphones are muted. But we do want you to answer the poll questions, if you can, and also to ask questions in the Q&A section below. We love getting questions at the end for our hosts and our co-presenters, and we hope to be able to answer them if time permits. But yes, today we’re talking with Bryan Littlefair. We’re very excited to have him here. He is the founder and CEO of Cambridge Cyber Advisers, former Global CISO of Vodafone, and a security adviser to the UK Government. You could say he’s a very important person, in my opinion and in that of all third-party risk analysts. And, as a bonus, we also have Brenda Ferraro on the line, who will probably chime in from time to time with some interesting facts and figures, and you’ll hear from her later in the program.
We’re very excited to have them here, and I’m going to let Bryan take the floor. You’ll be able to listen to the recording tomorrow. Thank you for joining us. Bryan, go ahead.
Bryan: Great. Thank you, and thanks for the introduction. So, hello everyone. It’s great to be able to speak to you all. First of all, as we said, we’re going to be discussing how to implement an efficient third party risk analysis approach based on meaningful metrics. And everyone’s probably asking, well, what is meaningful metrics, quote unquote, and we’ll get on to that shortly to explain what those are. Right. So, we kind of covered me. So, a little bit of scene setting in terms of where we are, and just kind of to explain what some of the terms are and where my perspectives kind of come from on this. First of all, let me just say, you know, I’ve been working as a CISO for, you know, 20, 25 years, and now I spend my time leading Cambridge Cyber Advisers, and we spend a lot of time mainly in the boardroom, mainly helping chairmen, chairwomen, NEDs and executive teams really get their handle on, you know, the security posture of their organization, what’s working right, what’s working wrong. So, you know, that’s been really useful to me from an experience perspective to see it from the other side of the table, so to say.
I was always the CISO going in communicating, and now I kind of sit on the other side to help, you know, give my expertise to the board and make sure that the CISO is kind of answering the right questions and the right things are going on, not just in third party assurance, but obviously it plays a big role. And I think, from my perspective, you know, third party assurance is really hard to do well. It’s hard to do well. Part of the challenge is obviously that it’s global, if that’s the way your organization is structured, so you’re having to manage suppliers in numerous different countries. You know, it’s not uncommon for large organizations to have three, four, 5,000 different suppliers, ranging from people that handle your sensitive data on your behalf all the way down to people that give the kitchen supplies and refill the bathrooms, etc. So there’s a full dichotomy of suppliers that you’ve got to manage for your organization, and each of those different suppliers has, you know, a different contract in place with you, a different relationship inside your organization, and as your company or organization grows, its reliance on the third parties is only going to increase as well. So that’s why getting a really strong foundational component in place, so that as you have to scale the process scales with you, then it doesn’t become so much of a challenge or a battle. But I think we all know it doesn’t always go to plan. I think if we all sat back and thought of, you know, large household name brands that have had security challenges, data loss, breaches, etc., that have actually emanated from their supply chain, it wouldn’t take us too long for some of those names to pop into our mind. And I’m not going to put some brands up on the screen, but we can all probably think of those.
And I think that that is kind of evident, that, you know, those organizations would have had a good approach, they would have had a well-resourced team. Well, sometimes, not always; you know, the size and scale of the company doesn’t always equate into that, but, you know, they would have had people focusing on this. So I’m going to try and unpick what some of the challenges are that I’ve seen, and it’s great to get Brenda’s views as well, and help get into, you know, what are some of the opportunities for improving your maturity and some of the opportunities to improve, and then hopefully look at some meaningful metrics. But I think, you know, just an observation from my side: as I said, spending a lot of time in the boardroom, I see, and I present at conferences and focus groups and discussion forums, and the topic of those discussion forums is how do we tackle this chasm between the CISO and the board. And, you know, that’s when you get CISOs talking. Not all of them have the relationship that they would really like with the executive team and the board. Some of them don’t feel like they have the right support. Some of them don’t feel like they’re getting the right amount of resource from the executive team to be able to effectively manage the risk. But actually, sitting on the other side of the table, you hear the same things. You know, if you speak to the NEDs and the board, they think that they’re not getting the right information from the CISO. They’re not understanding what the current risk position is. They can’t see, you know, the wood for the trees. They don’t understand what the problem areas are. And they want a bit of clarity in terms of, you know, this is where we are, these are the problems that we’re facing, and, you know, what do we want to do about it. And whether we invest or not, that’s a risk-based decision, but, you know, the opportunity to contribute to that risk statement is absolutely key.
So I always advise putting yourself in the shoes of the board and the executive team. You know, very rarely have they got a security background, but, you know, very often are they presented fairly technical data and metrics emanating from security tools, and they’re kind of expected to understand whether those metrics should be going up, down, left, right, whether they’re KPIs, KRIs, etc. And I think that, you know, as security professionals on this call, or risk professionals or procurement, wherever you are, we kind of have a responsibility to do some of that legwork and do some of that thinking and present a clear message upwards in terms of what’s our current status and what are we doing about it going forward. So this is a little bit about what we can do to make things better, what’s within our own power to improve things going forward. Okay. So, third party risk management, the known risk, and why is that? And I think that, you know, third party risk management definitely presents a clear and credible risk to all organizations, big and small. I was doing this same presentation to a UK-based audience earlier on today and, you know, there’s a lot of questions around does the organization size and scale make a difference, and actually I don’t think it does, right, because you’re actually trying to achieve the same outcome irrelevant of size of the company. Right, all organizations big and small use suppliers, you need to understand the threats and risks that those suppliers present to your business, and you want to achieve an outcome in terms of educating the business about what they might be and then also giving some options for compensatory controls or mitigating those risks. So I think that there’s definitely a risk presented to all organizations from their supply chain. But I think every company has definitely their own approach.
You know, if I was to spend time with bank A or bank B, or healthcare company A or healthcare company B, they would have different approaches to third party risk management. They wouldn’t always be drastically different, but there would be nuances in one company on how they approach it compared to the other. And I think I’ve seen it done very well, you know, with excellent stakeholder management, everyone in the company understands the process, it’s not attempted to be bypassed because people see value from it. And then unfortunately I’ve seen it done very badly as well, where, you know, it’s viewed as a bottleneck, you know, lots of information goes into it, very little actionable information comes out of it. The team are very stressed. They’re under-resourced, etc. So, there’s definitely, you know, a right way to do it and a wrong way to do it. And we’ll hopefully get into what some of those are today and how can we improve it going forward. I think, you know, for those of you who heard me talk on this topic before, you know, the lower end of the maturity organizations, I tend to say, are still kind of completing Excel spreadsheets, you know, very, very long questionnaires for their suppliers to fill in, a manual analysis of those questionnaires. It’s purely based on, you know, the experience of analyst A or analyst B. And obviously that can add delays. It can add different answers. You know, if you were to put the same questionnaire in front of two analysts, they might interpret it in different ways. So, it’s around how can we go up that maturity curve and, you know, adopt some of the innovation that’s been going on in this space for a long time. And we’ll kind of cover off that whole maturity landscape and what that looks like.
But I certainly think that you can’t rely on, you know, touching an organization once per annum and asking them to fill in a questionnaire and then putting those results in an Excel spreadsheet, because organizations change multiple points throughout the year. You know, sometimes they might be profitable, sometimes they might be not profitable, sometimes they’re growing, sometimes they’re in a recession. And, you know, some of those behaviors drive different business actions. You know, when budgets are tight, resourcing is constrained, you know, costs are cut back, etc. So, it’s important to understand when these dynamics are happening in the market and how that can impact your supply chain. And we’ll get on to some of the tactics and techniques to hook into some of that near-real-time intelligence rather than relying on a single assessment day in the calendar year. So, I’ve put up three common challenges that I see and I’m going to break these down on the next couple of slides, but I just want to kind of point to what I call the art quadrant in the middle. And I think that, you know, this isn’t a good place. This is not where you want to be. If these three different dynamics are operating on your function or your team, where you haven’t got a clear approach, maybe you’re suffering from resource constraints, whether that’s, you know, an appropriate budget to maybe do some on-site auditing, or you haven’t got the resource in your team to manage your tooling choice, whatever that is, and you haven’t got the right tools to scale to the amount of risk that you’ve got under management. So maybe you’ve got a couple of thousand suppliers and you’re having to run them on a spreadsheet. All of those have a possibility to impact the performance of the team, and the net effect of that is the business isn’t getting the outcome or the result that it needs. So the art quadrant is definitely not where you want to be.
But let me break these couple of areas down and we’ll have a bit of a conversation around it. So I think the approach is absolutely key and, you know, different organizations position this team in their structure in different places, and, you know, I have a personal preference where I believe it should be, but, you know, it doesn’t align with everyone else’s. So I think as long as it’s positioned in the right place for that individual company and it’s got the right investment and the right support, then, you know, that’s fine, it will work. But I think, you know, it needs a very clear strategy, and I mean a strategy for the third party risk management function, not just the CISO strategy, not the IT strategy, not the business strategy. There needs to be a strategic direction of how are you going to manage, assess, quantify, communicate the risk that’s presented by those, whether it’s 5, 10, 15, 5,000 suppliers that are in your portfolio. And it should be obviously strategic in nature. You know, why does this team of people exist? What outcomes are we going to deliver and who are we going to deliver them to? What action is taken on our metrics and reporting? We produce them. Does anyone actually read them? Is any action taken upon them? And if not, why not? And in some organizations I’ve been in, the third party risk management team can feel a little bit of a backwater. You know, does the business realize we even exist and what is the value that we add? And these are some of the questions I get asked a lot of times when I go in and things aren’t working very well. But it obviously needs to be set up for success. You know, the stakeholder management is absolutely key. You know, the stakeholder isn’t only the security function. It’s the very broadest parts of the business.
You know, each area of the business, whether it’s from logistics into technology or research and development, they will all work with a certain different list of suppliers, and they will present different risks and different opportunities to the business. And obviously a supplier in one country in a large global organization might be minimal, but in another country it might be huge. So it’s really important that you understand that whole global supplier approach, and then obviously the clarity of reporting, you know, giving clear insights to the business about what’s going on and what is the actual risk, and then trying to actively and positively reduce false positives as well. So if you’re constantly pushing messages into the business which prove to be inaccurate or not entirely true, then obviously that damages the reputation of the team. So there needs to be a big focus on: when you do report, it’s accurate, and something genuine needs to follow on as an ongoing requirement going forward. So the focus of the team needs to be strategic. There are absolutely times when it will be reactive, where the business comes to you and says, “Hey, we really need to do this new initiative and we’re taking on this new supplier and we need you to do some shortcuts and actually get this supplier assessed as quickly as possible.” That will always happen.
But fundamentally, if your team is always being driven in that tactical approach, you’ll never get round to your strategic direction, and obviously your goal and focus should be to strategically manage the risk going forward. And then there’s the whole resource for the area as well. And I’ve seen third party risk management teams that are one or two people, and that might be okay, right, if you’ve got a really intuitive tool and you’ve got all of the knowledge flying into a small team and it’s manageable, then so be it, that works fine. But I’ve equally seen teams of one or two people having to manage a couple of thousand suppliers using an Excel spreadsheet and being completely swamped and, you know, significantly behind on the assessment timeline, you know, not producing the reporting and metrics, etc. So there’s definitely a place on that scale where you’d prefer to be, and I think that, you know, this team manages a significant portion of the strategic risk for the company. You know, we’ve seen what a breach in the supply chain can do to your organization’s reputation and brand. So it definitely has a very clear purpose and outcome, and that strategy and purpose of the function should be translated into a target operating model where it’s clearly presented back to the business, saying: look, this is the amount of risk that we’ve got under management. This is the number of suppliers that we’ve got under management. This is the current tooling that we’ve got. This is our current process. But have we got the right resource? Have we got the right target operating model that we need to be able to drive that initiative strategically rather than tactical and firefighting?
And obviously what we see sometimes is, you know, a team is put in place and the organization goes through rapid growth, you know, massive numbers of suppliers coming on board, but the team size has to remain static because that’s all it’s got the budget for. And I think that that’s where, you know, having that very clear strategy, having the very clear business stakeholders bought into the value that you deliver, that means that obviously if the team is becoming stretched by the increased workload on it, then obviously you need to be able to grow to effectively keep that risk under management going forward. So there definitely is a different approach and we’ll get on to that in a minute. So, embracing the innovation in this space. So, as I said, I’ve been a CISO for, you know, over 20 years. I still work very closely in the space and I’ve definitely seen the evolution in this space for the teams that have been under my management. So absolutely, have I used Excel spreadsheets before to manage third party risk? Yes, absolutely. It was all that was available to me. And then obviously we went through different levels of maturity as different software was coming out, things like putting in place GRC tools, governance, risk and compliance, to kind of harmonize our governance activities and our risk and our compliance regimes. They were very, you know, difficult to integrate, very complex to manage, etc. And then obviously there’s a new breed of tooling coming out that’s purpose-built to manage this space, of which Prevalent is one of them.
And I think that, you know, starting to see organizations fully embrace this, well, they have been for some years, really is a bit of a game changer, not only for the teams that have to operate the community of suppliers, but it actually changes the whole approach, because, you know, rather than having to go to every one of your suppliers, you know, normally a large percentage of those have already got profiles on these platforms and tools. So it significantly reduces the number of questions that you have to ask. So the plea is to definitely, if you are still using Excel to manage this, then start to obviously move away from that and embrace some of the innovation that’s been made available to us in this area. So I just want to baseline this, and I realize I’ll be teaching some of you to suck eggs, but actually at the boardroom it’s not, and you have to recognize that it’s really important to explain yourself and make sure that everyone’s on the same page and you understand what you’re going to be talking about. And, you know, in my personal view, certainly in this space, you know, a key performance indicator, if I’m looking at a KPI in this space, I’m looking at it to measure the performance and effectiveness of my function. I’m looking at the processes, the throughput, you know, how many failures and successes we have going through the testing cycles that we’re running. But it’s as it says, you know, how are we performing? Are we delivering as the business would expect? Are we delivering to the outcomes that we want to deliver, and are we, more importantly, delivering a quality service? We could certainly push reviews and cycles through the system, but if it’s not quality, then there’s no point doing it. So quality is absolutely up there as well.
And then we have obviously the key risk indicators, that kind of start to delve into and look into, you know, how much risk are we currently exposed to and what risk treatments do we have to apply across our supplier base, and obviously typically that would be segmented as well. So you probably already knew that, all of you, but, you know, from a KPI and KRI perspective that’s how I manage and measure them. So what do I mean by meaningful metrics? So, you know, this was from one of my accounts that I worked on many years ago, and this was an actual dashboard presented to the board on third party risk, and, you know, this was one page of, I think, about five or six. And obviously the suppliers are grayed out. It would have been a list of suppliers in very, very small font, where you’d have to have a lot better eyes than I have, printed on a piece of A4 paper, and then across the top there’s the controls that are distilled from the security policy, and then obviously a line per supplier going across all of the controls. And you can see that that’s fairly complex, and this was a view that is presented to a senior audience. And what it is, in my view, is it’s complex. It’s busy. It’s definitely not dynamic. It’s completely static and obviously, because it’s printed on paper, it’s non-clickable, but you can see obviously what a security analyst has to actually go through. These are, I suppose, the responses to the key controls, because it certainly wouldn’t be all the controls within a particular supplier. And you can see that some are green, dark green, light green, some are yellow, some are amber, some are red, some are pink, etc.
And obviously it’s the expertise of an analyst that has to kind of look across one of those lines and think, well, with all of that taken into account, where actually is this supplier from a risk perspective? And I suppose the missing dynamic here is of course threat. This snapshot on the left is a single point in time view of how a supplier was operating during those couple of days that it probably took them to fill in the questionnaire. But as I said, there is another way. You know, having organizations precomplete the majority of questions that we’d want to ask them, you know, they much prefer it, because honestly, speaking to suppliers like I do, if you put yourselves in the shoes of a really big supplier, I’m thinking like, I don’t know, an HP, an IBM, an Oracle or a big outsourcer, think of the amount of differing types of questionnaires that they must get from all of their suppliers, in different shapes, different formats, all loosely trying to achieve the same thing, but structured completely differently. And they have to spin up a small industry just to try and respond to this plethora of requests coming from their client base. Obviously, it’s really important work, but there’s obviously a simpler way to do that, and that’s where all of these new third party risk tools have really come into their own, because it’s really simple for the end user, which is all of you guys and girls on the call. It’s really easy to understand what it’s telling you, because you can codify all of the requirements that you have from your security policy.
So, what do you really care about, what have we got a little bit of flex on, you know, what are our tolerance levels on individual risk statements. And when they’re all answered, obviously I’m not trying to put risk analysts out of jobs, who can do some really important work in this space as well, but the tool will digest all of that and obviously suggest the risk ratings, the pass/fails, on your behalf. But what it does do is, obviously, it’s dynamic. It’s not a single day in a calendar year. It’s pulling information from its knowledge community. It’s pulling information from assessments that are done by other clients. It’s feeding in the threat angle, and it allows the customer to really drill down and, you know, explore what’s behind that red box. What was the question asked? What was the response? You know, what have we tried to ascertain from that and how can we improve things going forward? I don’t know, Brenda, do you want to say anything on that slide, or do you see that as well, or?
Brenda: Yes, and what I thought when you showed this slide is that the grid on the left looks like a game of Battleship. I can picture a CISO or a board looking at that and wondering, “Where are we going to have to strike?” It was very interesting. But I agree that, when it comes to having meaningful metrics and keeping things simple and easy to understand, it seems we need to focus on removing the noise and making sure that what is important and what really matters is what our board and our CISOs have in front of them.
Bryan: Yes, totally agree. Okay. So, which metrics are best practice to measure, or, okay, what groups are there? From my point of view, there are four categories, and what I’m going to do is present them, you know, with the title of each category, and then I’m going to put up some KPIs and KRIs that I think are important to consider and that the board will certainly want to evaluate. And when I say board, I also include the executive team. Whether you are presenting to the CEO and their leadership team or to the board of directors, where the CEO, the CFO and the COO usually sit as well. I think, from a risk point of view, clearly risk is going to be the most important thing, and what they are looking for is obviously a complete balanced scorecard. They want it to be well documented and based on sound logic. Obviously, it has to be quantifiable and, more importantly, repeatable. Too often I see that the risk process is not repeatable. And if you put the same amount of information into the process with two different analysts, you get two different answers. That is where the advantage of the tool comes in, because you get a repeatable process. If you put in the same data stream, you will get the same result, with the only dynamic being that, if there is a threat overlay, that angle could obviously change the picture to some extent. And I think threat is the moving vector. It is what adds real value to using an online platform, the tool, because if you only rely on questionnaires that are filled in and returned to you, that is just a single view. It is that organization’s view. It is not the community’s view. It does not take into account all the public open-source intelligence that is out there.
For example, there may be a company that says, “Hey, we’re fully up to date with our patches,” but this threat analysis tool says they have six open unpatched threats on their public website. So the two things don’t necessarily correlate. Therefore, bringing that intelligence into your risk decisions is really very useful for quantifying, beyond the policies in place and the practices followed, what their actual compliance is in the real world. And obviously, since organizations’ risk posture changes daily and their threat position also changes daily, it is very useful to bring that information into your environment. And I think, from a compliance point of view, regulatory compliance is not going to go away. In my opinion, it is only going to increase. And, as you know, having been global CISO for large multinational organizations, the regulatory and compliance regime can be very complex and, obviously, your suppliers play a key role in it. You know, those that manage data on your behalf or that in some way take part in one of your compliance programs. And I think what needs to be said is that the responsibility for managing compliance, or adherence to compliance, within your supply chain rests absolutely with you, as the parent organization. It is not a delegated responsibility where, just because you have a supplier that handles that part, the problem is theirs. It is still absolutely yours, and you have to manage them effectively at a distance. And that is why all these metrics and areas that you want to use to build a coherent picture of suppliers’ compliance with this are really very powerful. And then there is also coverage. So, you know, having that absolute coverage of your supplier footprint is really key.
We’ve already talked about how a small supplier in the UK can be a huge supplier for a business unit in the United States. And you have to understand that so the right questions are asked of that supplier, so as not to be caught out by a supplier security incident. It’s important to be able to get that information first. And I think that’s what the eyes and ears of the supply chain are for the business. If one of your suppliers has a security incident, it’s important to know about it. You want to be able to communicate it to the business stakeholders. You don’t want to be caught by surprise when it shows up on CNN or Fox News or something like that and not know about it. So having that information and that knowledge and having that coverage is absolutely fundamental. Brenda, do you want to say anything, or...?
Brenda: I found the mute button. Yes. As I was listening to you talk, I was thinking that, having gone through different situations over the last year and a half, the global view and the local perspective have become more and more important. And without knowing the context-based compliance, the vendor threat intelligence and the quantified, balanced risk you just talked about, you need to reflect those three aspects comprehensively, but in a way that is easy to understand, with a global perspective in order to achieve resilience. I really like how you explained it.
Brian: Great. Thank you. So, I'm going to put up some KPIs and KRIs. Just, you know, I'm not going to run through them all. Don't worry. You know, I'll just probably say a couple of KPIs and a couple of KRIs on each of these four areas. And, you know, they're not unique to me and obviously none of them will be a "wow, we haven't thought of that before." But what it is, you know, is understanding from both the CISO side and the board side what are some of the things that they want to hook into. And by all means, this isn't an exhaustive list, right? So depending on the sector that you're in, depending on the type of organization that you operate in, whether they're really into the detail or they like the high-level view, it will change and it will be dynamic. But at a very high-level aspect, you know, these are some of the key things that I would certainly like to pick out. So from a risk perspective, we've already touched on coverage. You know, there shouldn't be any supplier receiving revenue from your organization, from your finance function, that hasn't been in some way, shape or form assessed by the third-party risk management organization. It might have been a notification and a quick assessment done and decided, you know, that it's not important for whatever reason, but it should have gone through the process, and the reason is because obviously if no assessment's been done, there's no understanding of the risk, and I do see that a lot.
I see, you know, organizations not having a good handle on, you know, their coverage, there being suppliers in place that have an issue downstream and, you know, it comes back into the third-party research team saying, "Well, what do you know about these guys?" and it's like, "Nothing, they've never been assessed, we didn't know you were using them," and this is a really important gap to close. And, you know, the key thing here is that the business sees this as a valuable process, because we all know, especially with cloud-based services now, it's fairly easy for a business unit to spin up a relationship with an external supplier using a credit card and, you know, that would be fairly difficult for, you know, this process to detect. So the business has to want to engage with it. So this is more of the carrot rather than the stick. It's around "come and engage with us because we absolutely offer value to you." And if they recognize that, then they'll obviously not try to bypass the process. And the second one is, you know, the number of suppliers that have completed the, sorry, the number of suppliers that have passed or failed the onboarding process. And I'm more concerned here on the failed the onboarding process because often I see that as quite low and, you know, you have to ask the question why, because, you know, especially in a large global organization, but the same is true for a smaller one, you will definitely have organizations that fail and you want to understand why that is and why that number is where it is on the scale. If it's too high, what's going on? If it's too low, what's going on? And there's definitely a sweet spot to be trying to achieve based on, you know, the nature of your business and the scrutiny that you put your suppliers under. But it shouldn't be the case that no suppliers are failing your process.
It proves that, you know, if you have got failures, then you're asking the right questions, and that doesn't necessarily mean that you can't work with that supplier. It's, you know, you have to understand why they failed and, you know, what risk is presented from that, and, you know, it's our job to advise the business based on risk, and they might choose to accept some of that risk, but at least that risk is known, is quantified and can be tracked by us going forward. And then I think on, you know, the KRI side, you know, some of the lagging indicators as well are really important. So the number of priority one security incidents generated from the supply chain in the last quarter. So your supply chain will cause you security incidents, and if they're not, then, you know, have you got the right insights? Are you picking those up and understanding what's actually happening in your supply chain? You know, there'll be things like employees leaving and the password for the service not being reset, and it's a whole plethora of things that can generate security incidents for your organization, and it's important that you know about them. It's important that you understand and take the knowledge and the learning from those and apply that new knowledge and those new learnings to your broader supply chain so that you don't have a reoccurrence of the same incident. So what's actually happened in the past should be learned from and applied to what happens in the future. So you actually have a better process going forward, and that's really where I suppose the leading indicators come in. So the organizations that have been through your process. The number of vendors within the supply chain that are carrying a high risk score, and, you know, this isn't abnormal to have vendors that are carrying a high risk score. It might be the geopolitical risk that they present. It might be a parent company or a relationship, etc.
And, you know, a high risk score just means that obviously they require extra diligence on an ongoing basis. So not just due diligence up front but diligence going forward, and equally understanding how that risk can be mitigated. So it may be having a secondary supplier. So if that vendor experiences difficulties, then obviously there's another one to fall back on. But if you don't know about those high risks or they're not effectively managed, then that can obviously disrupt your business. And then I suppose a real critical one at the moment is, you know, if you're a manufacturer and your traffic goes through the Suez Canal and, you know, a big container ship blocks it, what are you going to do? So, you know, you've got loads of ships stacking up. So, if you knew that your supply chain was coming through that canal, could you have mitigated that via having a more local supplier that might be a higher cost on a day-to-day basis, but you could actually mitigate that risk going forward? And it's really about just getting into the details and understanding those aspects as well. And then, of course, it's the net risk from each domain category within your supply chain. So, it's fairly normal to categorize your supply chain, not just in, you know, tier 1, 2, 3, 4, but actually category as well, so things like, I don't know, I'm a security professional, so identity management service providers or physical gates, etc., and actually start to, you know, slice and dice your information flow so you can actually understand for each of those domains: have we got a single supplier dependency? Do we know that we're going to have to terminate a supplier in that space and we have to start to look up a backup? Are we getting threat intel coming through in terms of geopolitical risk in that region that we have to mitigate?
So really understanding and guarding the business based on your intelligence and insights and actually advising on that net risk is really, really key as well.
Brenda: Brian, I think, in a nutshell, it comes down to our ecosystem. I think in the coverage section you're going to mention something about unresponsive vendors, since it has become riskier for them not to respond to requests to complete assessments or mitigate risks. And then the other thing you mentioned for the KRIs is concentration risk because, as you said, it could cause a domino effect or a supply-chain-based impact, just as you mentioned with the canal. But those two things are very important and critical to our ecosystem today.
Brian: Yeah, absolutely. Completely agree. Okay. Then there's the threat feed, and I really would advocate, you know, if you haven't got threat intelligence flowing into your supply chain information repositories at the moment, to look at how you can augment this capability on top, because it delivers, you know, the real day-to-day insights in terms of what's going on. But I see, you know, certain sectors are mandated, certainly in the UK and other and not subate in the US regulatory requirements, but for example, if you work in financial services in the UK, you are required by regulation to have threat intelligence coming into your organization. What you're not required to do is use it, right? So as long as it's coming in, that satisfies the requirement. But I see, you know, threat intel flowing into organizations at various different touch points and I see companies do an amazing job of distilling and disseminating that and getting it to the right people with context to action, but equally I just see it hitting a brick wall and, you know, it flies into an email queue that people will periodically look at and, you know, it's not really being given the credence that it deserves. So I think, you know, a couple of things to look at is around, you know, the mean time to action. So when that intelligence comes in, you know, it's been certified as valid, it's been certified as relevant, it's had some context delivered, you know, and that's disseminated into the organization. How quickly does that account team that's responsible for managing that particular client or account, how quickly do they pick that up? How quickly do they action it? Because that's one of the beauties of, you know, a third-party risk team, is that all the onus shouldn't be on them. It should be distilled into the organization to manage that. There's certainly account managers that are responsible for individual clients, etc.
And, you know, there's been a lot of effort to build up that relationship. So distill the information down to them, add the context, but certainly measure how quickly that action is taken on those as well. And then, you know, from a KRI perspective, you know, how many suppliers across the tiers, whether it's 1, 2, 3, 4, have active high threat intel indicators coming in for them. And this could be for anything, right? You can have an entire country's suppliers allocated as high threat indicators because of, you know, government instability or something that's going on in the region. But it's really important that you obviously understand and just have that insight. And if you didn't have this threat flow coming into your base, coming into your information base, then it might just, you wouldn't understand it. You wouldn't be aware of it unless something actually hits the news. So it's around understanding: have you got the right information flowing in? Is it being disseminated into the organization in the right ways? Is it being acted upon in the right ways, both within your team and the broader business? And then obviously, are you driving resolution on that? You know, a threat is given for a reason. It needs an action and it needs something to either mitigate it or resolve it. And if it can't be resolved, then it needs tracking as an ongoing risk. But, you know, having all of that information to be able to make that call is really powerful. And then there's compliance, my favorite topic. It's certainly not going to go away, but, you know, it's only going to continue to rise, but recognizing that your supply chain plays such a pivotal role in your compliance programs. And really for this, it's just understanding who they are. What is the role that they play? Have you got the right governance over them? Are you tracking it appropriately?
And have you got the ability to report on your broader regulatory requirements and compliance requirements, not just within what happens within your own organizational boundaries, but also within your supply chain as well. And here is where quality becomes absolutely key. And certainly in a compliance perspective, as Brenda was saying, you know, if you've got unresponsive suppliers that, you know, play a role in your compliance regime, then you've got a definite real challenge and you need to address that. But quality is absolutely key here. You know, the old saying is if you get garbage in, you get garbage out. So you need to really focus on the quality of the submissions, especially for those that are in play from a compliance perspective. And then there's the whole coverage aspect. So we've talked around a few of these already, but certainly no supplier should be receiving any payment that hasn't been triaged or assessed. You absolutely need to get that. It's important that the process isn't seen as a bottleneck. So you need to measure your throughput, measure your time to onboard. And time to onboard, from my perspective, isn't the questionnaire being completed or the analysis being done in your platform. It's, you know, the end-to-end process where we engage with the supplier to either we're comfortable or we're not comfortable and they're going into ongoing diligence going forward, and tracking that and making sure that it's optimal. It's not that it's quick, it's that it's done right and that the right questions are being asked and the right level of time taken to do it. But it shouldn't become a bottleneck either. What you don't want to see is this process being billed as a blocker to doing business. It will obviously slow things down just in the nature of what you're trying to do. You're trying to understand a new relationship with a new supplier.
It can be sped up by using tools that already have a lot of that information in the armory as well. And certainly that's what should be looked at going forward. Right? So different lenses for different audiences. So know who's going to look at the information that's coming out. And I see this all the time. I see the CISO's dashboard being presented at a board level, which isn't the right thing to do. The CISO, having been one, and maybe it's because I'm a detailed person, but I wanted the detail. I wanted detail, detail, detail, not to the nth degree, but I wanted to be able to have the information at my fingertips that gave me a good understanding of the security of the entire organization, including the supply chain, because ultimately that's my accountability and my responsibility. Other people might have it as their job, but it's still my accountability to make sure it's done right. So I need a lot of detail. The business doesn't. The business needs it to be quantifiable, relevant to their specific business unit. You know, if there's a manufacturing division and they use a certain list of suppliers, they don't need to see the suppliers are relevant to them because they don't use them. So, it has to be relevant to them. It has to be actionable, intelligent, and tailored to what they actually specifically need. And then the board needs something different. The board want the legwork doing for them. You know, they want a very clear view, consolidated, you know, grouped so that it jumps off the page what they're being asked to add input and guidance into. I don't advise going to the board and asking them to make a decision on your behalf, because obviously as security leaders you're required to make those decisions. The board might want to challenge that decision or ratify that decision, however they feel. But it's certainly not good to go in there and say, "Can you make this decision on my behalf?"
It should be, "Look, we've got this intelligence, we've got this information or we've got this risk, and this is how we've decided to manage it. Do you agree or disagree?" But that decision should definitely be made in advance. So really it's about putting some time and effort into recognizing that this is very valuable information but it's going to different audiences, and how should we present that, and again this is where the online tools can really help in terms of different lenses and different views that are actually designed and intended for those different audiences going forward. Okay. So my last slide before I hand over to Brenda to talk a little bit about Prevalent. So why am I advocating meaningful metrics? Because this is such a critical business process. It's not a security process. It's not a technology process. It's a business process and it means that the business can understand its risk and run as smoothly as possible. So it's really important that this process end to end is fit for purpose. It has the account. It has the right strategy set up. You know, it's set up for success. It has the right resource. It has the right tools. But in my view, you know, the reporting aspect of it is as important as the capturing. Otherwise, you're just capturing for no action. You know, reporting out in those correct lenses, getting the stakeholders engaged, getting them involved, getting them to contribute on what this process should look like, what are their requirements, what do they need from this process so they actually see value from it. And really, as with other areas of security, you know, we've seen automation drive across our patching and our vulnerability management, our identity lifecycle management, JML, etc. And this is no different. You know, automated workflows to get access to intelligence and threat and drive behavior within the organization. You know, that's where moving away from Excel into these tools can really help you as well.
So, and I'd just add that, you know, the security team isn't accountable for this end to end, or regardless of where this sits, it's a business challenge and a business risk. And that's why I really advocate that integration with the broader stakeholders and the business going forward. Good. Thank you, Brenda. Over to you.
Brenda: All right, great. On the next slide, Brian talked earlier about the art quadrant and, when it comes to metrics, from capture through to reporting, as he just mentioned, Prevalent provides the strategic approach to collect and execute against risk management, as well as to design the program that meets the needs of increased assessments and to leverage innovation, drawing not only on contextual information from machine learning but also on AI, so that we can reflect risk information using the right lens, such as the CISO, the business, the board and others. So the Prevalent platform gives you this repeatable process that Brian discussed to deliver on quantified, balanced risk using vendor threat intelligence and overlaid networks, and it includes not only the assessments but also business and financial cyber monitoring information. So we gather all of that content and that drives the understanding of compliance that you need to include in those reports, as well as the global view of resilience, all using the platform and the people. On the next slide today we're focusing mainly on the last point, which is report and manage, and it looks like my slides are mixed up, so I'll move on to the next one. So, to be intelligent, the data-driven, comprehensive and contextual approach focuses on the metrics. However, to be unified, we will provide risk transparency, offering a one-stop shop where all of your programs can have information integrated into the platform and everyone has the same voice. It gives you what you need to know at every level.
And then, for the prescriptive approach, we make sure it is agile, action-based, and triggers what matters in order to carry out that action. And on the next slide, we are your trusted partner. In this case, we are a leader in the Gartner Magic Quadrant and we are the fastest-growing network provider with the largest library of assessments. And we use harmonization and normalization of all the content information you can collect, whether that is assessments or threat intelligence. We are here to help you mature your program with the innovation we have implemented and with the backing of our trusted partners and customers, who always give us examples of what is happening in the field, along with Brian, about exactly where our platform needs to go. So I'll hand over to Amanda. I think there are questions and we have about 11 or 12 minutes to answer them.
Amanda: Yes, we do. And thank you all for participating. We really appreciate it. So far I have about six questions. I'll start with the first one. This one is for Brian. What would you say are the top five third-party risk vectors?
Brian: Yeah. Well, you know, five that I can think of right now. I mean, certainly my top two priorities in terms of, you know, making sure all your suppliers are assessed. I always advocate net risk because, obviously, there's a gross risk and treatment plans get applied, and you need a good understanding, once all of that is done, of what risk are we still facing? I would put the threat intelligence coming in to us as one of the top five things. So I'll give you three that I can think of right now. They're the most important ones I would advocate. Making sure everyone is in the system, making sure they're assessed, and then making sure you overlay that with the threat intelligence. Right.
Amanda: Perfect. And the next one is another ranking. What are the top five third-party risks ideal for reporting to the board of directors?
Brian: The top five what? Sorry. The top five third-party risks ideal for board-level reporting. So, from a KRI point of view, I'd obviously go back to these aspects, if I can. I think, at board level, the lagging and leading indicators are really key for the board. What has happened in the past and what have you learned from it? A board will be very forgiving if something happens for the first time. And, obviously, the organization has to learn from it. It will be less forgiving if it happens again. So it's about how you get that information and apply it to what's going to happen in the future. We've already talked about net risk. Threat intelligence is absolutely key because, certainly, I've also seen some of the more common reports. It's about what we know about this supplier and what we've gathered from the community. So it's about getting the power of that community working in your favor. That's why, in security, we also use all the open-source intelligence. The board loves to see that kind of thing because it adds context. It adds a justification for why you're asking to change what is currently the status quo. So those are the things I would cover. Good. So.
Amanda: Perfect. And the last question in this little trio is: do you have any suggestions on the best way to create and automate a process for vendor offboarding?
Brian: Yeah. So, offboarding an employee is just as important as onboarding them. And I've heard Brenda talk about this as well. I know she sees it that way too, because offboarding can happen for multiple reasons, but, regardless of that, you're breaking or reducing the service that is provided to that particular supplier, even though there has been a historical relationship. Accounts have been created. There may be networks connected to each other. There has certainly been data flowing between the different organizations. And you need to understand what that looks like and track it as part of the program. That way you know what access has been given or what has been granted to that client or supplier, because obviously you have to ask for it back. You know, you don't actually have to ask for it to be handed over, or maybe you do, depending on what it is, but you need to know that it's being removed in the right way, that the relationship is being modified, whether because it has been terminated or reduced, etc. So thinking carefully about what your termination process actually looks like is just as important as your onboarding process. Brenda, I don't know if you want to add anything on that.
Brenda: Yes. No, I completely agree with that. And also, from the perspective of the earlier question about what the top five KRIs would be, the ones I would recommend at a deeper level than what Brian was mentioning, I would focus on software and mobile device development risk. I would also focus on the risks related to identity and access management. The other one is unresponsive vendors and, after that, compliance with any regulatory component, only if there is some risk in that regard. And, finally, the one that changes and shifts from a KPI to a KRI is the overall program compliance within your business, regardless of whether or not they use the third-party risk management program. That would be a risk I would turn into a KRI. But yes, when it comes to offboarding and onboarding, I completely agree. It's just as important, and you have to have the checks and balances established and working cohesively with the other departments to make sure everything is deactivated, destroyed if necessary, etc.
Amanda: Thanks, guys. And, just so you all know, we have another poll question that I wasn't able to post in time, but while we keep talking through other questions, please answer it. Are you planning to expand or establish a third-party risk management program this year? In other words, do you have a project under way that we can help you with? All right, we'll leave that there. We'll continue with the questions. The next one is: what would you recommend as a good trigger to kick off periodic reassessments, probably for Brian?
Brian: Yeah. So, depending on the tier the supplier sits in, you should have a schedule of assessments going forward. And I think, based on the risk profile, you have to decide whether you're going to audit the supplier yourself, perhaps physically, or whether you're going to audit through a trusted provider that carries out the audit on the company's behalf. But I think the triggers are changes in circumstances or in the relationship with that supplier. So, if you're going to do something new, if you're going to do something significantly different with them, maybe they've changed location, they've decided to offshore some of their operations or they've gone through some business change, or there's some threat intelligence that perhaps you don't like. So I think that list is potentially endless. It's simply about understanding that you have those trigger events codified in your process, so that if A plus B plus C happens, then we want to re-examine that supplier and check that we're comfortable, but that obviously doesn't invalidate the periodic assessments and reviews you should already have established, which are a kind of trigger for an out-of-cycle review, right?
Amanda: Perfect. Uh, this question builds on what you were saying about self-certification; someone asked you to clarify it a bit more.
Brian: For self-certification. Yeah. I mean, there will be tiers and suppliers within your structure that you know you're not going to be able to get to as quickly as you'd like and, as you know, I joked that obviously there are people who look after the kitchen supplies or the bathrooms, but that isn't always the case, because the cleaning staff in your organization can also pose a risk and need proper vetting, etc. So they aren't always the lowest tier. It's about some initiatives or services you have in place that you don't consider critical to your business. You know, they aren't connected to your infrastructure. They don't have access to data, etc., so you can think: "Do we have to visit this company immediately, or can we rely for the time being on them answering our questions and providing some kind of self-certification? Maybe we just check regulatory compliance, accreditations, reputation and threat, etc." That's what the tiering is about. You know, the companies you need to spend more time with and the ones that need less, but you actually have to focus on all of them, right?
Amanda: And the last question. Should the report be based on inherent risk or residual risk?
Brian: Yeah, that's a good question, and I think that's going to depend, to some extent, on the organization and how it manages risk internally, but from my point of view, it's residual and inherent risk. It's absolutely important and, certainly, if it were me, I would report on both, because it shows the trajectory of the risk and, in fact, it shows that this is what we started with, this is what we've done, this is what we've applied, these are the mitigation measures we've put in place and this is the risk we're left with, and that gives you a view of the residual risk that is being managed, and you know more risk treatments can always be applied, but then it becomes a business decision and maybe it requires more investment, maybe it requires bringing on another supplier, etc. So I think the goal of the teams that run this process is, ultimately, to give the business the information it needs to make those risk-based decisions, and they may accept them, which is perfectly plausible, or they may decide to mitigate them, but at least they've had the opportunity to contribute, because you've captured it and passed it up the chain to them, and I think that's the important thing, right?
Amanda: Absolutely. Well, that's all for today. Thank you all very much for participating. Brian, you're amazing. Thank you for doing this from across the pond, as they say. We always love it when you teach us about this topic, so we really appreciate it. For everyone still here, you'll receive this recording in your email inbox tomorrow. Feel free to watch it and share it with whoever you like. And stay tuned for our upcoming webinars. We have a very busy month ahead and we're really excited. So find us on LinkedIn or make sure you're part of our communications and, if you have any questions, I'm Amanda Fina, from business development here at Prevalent, and Brenda and Brian. Thank you very much again for participating. We're giving you back a minute of your time.
Brian: Thank you.
Brenda: Thank you.
Amanda: Goodbye, everyone. Take care.
©2026 Mitratech, Inc. All rights reserved.