4 Non-IT Third-Party Risks that Derail the Most Secure Companies (And What to Do About Them)
Description
Third-party cybersecurity risks are essential to identify and mitigate, but they’re not the only risks to which vendors and suppliers expose your organization. Non-IT-related supplier disruptions, compliance failures, lawsuits, bankruptcies, and financial problems can be as damaging to your company as vendor breaches or ransomware attacks. So, which non-IT risks do you need to prioritize?
In this webinar, Bryan Littlefair, past Global CISO of Vodafone Group and Aviva, guides you through the four most important vendor, supplier, and partner non-IT risks to monitor.
Using real examples of vendor and supplier failures, Bryan shows you how to:
- Associate third-party risk types to IT and non-IT categories
- Align internal teams with the third-party risks that matter most to them
- Map third-party risk types and teams to monitor at each stage of the vendor lifecycle
A more holistic view of third parties – including IT and non-IT risks – will give your team better vendor and supplier visibility to mitigate risks. Register now to learn from an expert!
Speakers

Bryan Littlefair
past Global CISO of Vodafone Group and Aviva
Transcript
Amanda: Okay. Oh, here we go. Hi, everybody. Welcome. Sorry for that two-minute delay here. Your classic PowerPoint user error, when sometimes it just simply doesn’t agree with you and you don’t know what to do but delay the session for two minutes or so. So, thanks for joining, everybody. We’re going to be talking today about four non-IT third-party risks that can derail even the most secure companies. And we’re very excited to have Bryan Littlefair join us once more. Hi, Bryan. How are you?
Bryan: I’m great. Good to be here.
Amanda: Great. Always a pleasure to have you. And we have our very own Scott Lang here, and we’re always happy to have him join. He’ll be bringing us home towards the end of the session. So look forward to that. And I’m Amanda. I’m your host here at mostly all the webinars. We also have Melissa that does this as well. So, a couple of housekeeping items. I’m sure you have been here before, especially all the fans of Bryan. I tend to see the similar names pop up. But just as a refresher, we’re all muted. Please utilize the Q&A, specifically the Q&A question box, because otherwise your questions get lost in the chat. So, use those. We’re going to do the questions towards the end of the session, how we typically do. We’ll leave time for that. You’ll get the recording as early as tomorrow, if not sooner. But we do really love when you guys ask great questions and utilize, you know, Scott and Bryan’s brains as much as you possibly can during this hour. So, that’s about it from me. I will leave you all to it. Bryan, I’m going to let you take it away.
Bryan: Right.
Amanda: Oh my god. Hold on. So sorry. I forgot about the poll question.
Amanda: See, this is what happens when you wait two minutes. Okay, keep talking. But everyone else, hey, answer this while you’re multitasking, while you’re eating your lunch, while you’re watching this. Oh my god, I hope everyone woke up now. I just screamed. All right, continue.
Bryan: Great. Thanks. Hi everyone. And yeah, the PowerPoint error was on my side, so Scott’s going to be driving my slides for me. So thanks for that, Scott. So, those of you that don’t know me, I run a company called Cambridge Cyber Advisers here in the UK. I’ve been a security professional pretty much all my working career and I’ve run security for lots of big multinationals, but equally smaller organizations as well, and I do work with the UK government and governments around the world. And this is a really interesting topic that we’re going to be discussing today. You know, mainly we talk about cyber and information security, but obviously being a CISO, your remit is wider than that. So, it’s great to give this topic some air time. So, Scott, next slide. So, a little bit of scene setting from me just in terms of what we’re going to be talking about. So, if you think about third-party risk management, certainly in the organizations I consult with it normally sits in the security function, and rightly so, being security professionals that sit within that function, our focus is quite often on the cyber risk or the information security risk or the physical security risk that are presented from a supplier to our parent organization. But if we think about the term, it’s third-party risk management. It doesn’t really mention cyber or information security in there. So we need to be looking holistically.
Bryan: We need to be making sure that we’re looking at the full risk position that any partner, supplier, broker, third party, fourth party, nth party can present to our organization. So, it’s really good, as I say, to give this some air time and start to look at what are some of those non-IT security risks that we need to be looking at. And I think one of the things that’s only going to continue, and we have to kind of embrace it, is that regulation is going to continue to drive this space forward, and obviously more and more industries and sectors are becoming regulated, and when they do, regulators obviously start to dictate how things happen because they want to standardize that approach. They want to make sure that things are happening in an appropriate manner. And certainly for those entities and organizations that are regulated at the moment, certainly financial services, telecommunications, utilities around the world, one of the biggest risks, if not the biggest risk, is from the distributed supply chain. So quite naturally regulators are saying you need to get a grip on this. You need to be running an effective and efficient process, and obviously an effective and efficient process doesn’t use Microsoft Excel. It uses some of the tools and technologies like Prevalent that have been built with this space in mind, purposely developed to be able to capture and present a clear risk position to you, the user. And it’s really interesting; I’m a big reader of the Verizon threat report and others that are published around the world, and we are starting to see the reason why the regulators are focusing on this area.
Bryan: 62% of system compromises came via the partner channel. And obviously I’m not at Black Hat this year, but I do normally go to Vegas and partake in that conference, and some of the conversations that are happening around there, from people that are very well connected to the darker side of security if you like, their motivation to come via the supply system is fundamentally that suppliers would typically have weaker security. You know, if you’re a big bank, if you’re a big telco, if you’re a pharmaceutical organization, or even if you’ve just taken security seriously in your organization and been proactive with it, you’ve pretty much got your stuff in order. You’ve got your systems, your processes, you’ve got a good and capable security team, but you have lots of suppliers that don’t, and they have a connection into your network, and that network connection is trusted. So why not use them to get to you? So it makes perfect and logical sense. So that’s why there’s such a focus on the supply chain going forward. And obviously today we’re going to be looking at the non-IT areas, and my objective today, if you like, is to make sure that they get equal weighting, that we’re not just focusing on cyber and information security. A strange thing to say for a security professional, but obviously I’ve seen in real life what can happen in terms of a business disruption from a non-IT risk, and I’ll talk about some of them throughout the session. Okay, Scott, next slide. So what I advocate, and what I advocate to all of the organizations I consult with, is that we have a holistic and business-aligned approach. So what do I mean by that? So your third-party risk management program has to be truly global.
Bryan: There’s no point having it if you’ve focused on one country and you have another 62 countries out there where you haven’t really done it properly. So we need to make sure that we’ve got that holistic coverage everywhere, and it needs to be business-aligned. We’re doing this for a reason. Sadly, I still do see organizations run a third-party risk management program because they’ve been told to do so and they’re ticking the box, right? So, they use Microsoft Excel. They send out a questionnaire to their suppliers once a year. They might look at the response a little bit, but they certainly don’t use that information to drive the business into some smart risk-based decisions. And I’m a real big fan of this approach: you can’t manage what you don’t measure. So, if you’re not measuring it, you’re not quantifying it, you’re not assessing it, and you can’t actively manage it. And we’ve already discussed the focus that is coming from the regulators into the board and the executive team in your organization. So that focus and attention and the desire for information is going to start to trickle down into your functions and organizations. And you need to have a true, credible and capable answer. And I’ve worked with organizations that have been blindsided by issues in their supply chain. They’ve gone out and they’ve done their questionnaires once a year and they’ve got the information back, but it hasn’t really truly informed them of the risk that a supplier was posing to them. Then something happens, and obviously the audit team and the regulators and the investigators come back to your process and say, “Well, did you assess this company?” and you pull out the questionnaire, etc. And it’s then when you realize that you’re not really doing it properly.
Bryan: And it can be complex. It can be challenging. I’ve done this several times, and obviously every time I’ve been a CISO, we’ve run this process in the organization. So, I’m certainly not saying it’s easy, but what you can do is break it down into its component parts and just make sure that you’re getting the right process in place within your organization. You can’t really just capture it within the security team. It doesn’t really add any value. It’s how do you actually capture that information, add context from the security team, and then distill those messages into the business so that the business can react based on what you’ve done. And I’ll help give that some context and information and color as we go through the rest of the presentation. Okay, Scott, next slide. So, one of the biggest challenges I see, and it’s something worthy of discussion just to set the scene before we actually go into the non-IT risks, is we call it third-party risk management, but now we really have to go deeper. Many of the people that we would give a third-party relationship to will further onwardly contract that service. They might use offshored service providers. They might use their own captives that they have in other countries or in other locations, or they might subcontract it as well, which is the most typical aspect of it. And if we’re only looking at the supplier that we give the contract to, and then they’re subcontracting our data to other organizations, then we’re not really following the full journey of the data. And equally so, we have to make sure that we start to do that now.
Bryan: And the more mature third-party risk management programs actually really follow that data on the end-to-end journey and truly understand, at the negotiation and contract stages, who is going to be involved in liaising, manipulating, working with my data, to make sure that you’ve actually got that covered off. And if you look at a lot of the compliance standards, which we definitely cover off later in the conversation, that is the requirement: you can outsource the responsibility for doing a task on your behalf and on your data sets, but you can’t outsource your accountability. The accountability and the ownership of that data and that regulation sits firmly with you, and you have to make sure you’ve followed that throughout the supply chain. So don’t just settle for third party. Have the conversation, get the details of who else is involved: fourth, fifth, sixth. You really have got to go down into that level of detail. Okay, Scott, next slide. Right, so let’s get into the meat of it. Hopefully we’ve set some of the context, and as always this is just my opinion, and feel free to disagree in the chat or ask questions in the Q&A. But when I think of something that doesn’t involve IT and how it can really disrupt a business even when they’ve focused on this area, the top four that I kind of come out with are operational, compliance, corporate social responsibility and financial. They have the ability to destabilize a supplier, and therefore that has a knock-on impact to you. So when we’re talking operational, maybe they lose the ability to service your business and service the operation. What I’m thinking there is the biggest problem, and yes, I’m going to use a security reason, but what if they have a crypto malware outbreak? What if they have an inability to service you?
Bryan: What if there’s an earthquake near their site, or there’s a flood, or there’s a strike, or there’s political instability? There’s 101 reasons, both IT and non-IT, that we can come up with, but that has a major opportunity to disrupt your business. And then compliance: completely unbeknownst to you, they do something that actually puts your data and your compliance at risk. And we’re going to get into each one of these as well, just to get into the facts and some of the challenges and issues that may arise. And then if we look at corporate social responsibility: obviously I’m sitting in the UK, and the majority of you guys on the call are sitting in the US. Not everyone operates to our standards of ethics and what we would view as corporate social responsibility, but we have a requirement to make sure that they do. And then finance, obviously. Big and small companies fail every day, and we talk a little bit about that later on in the presentation. So these are my top four, and I see these happening day in, day out. And obviously, if you look at these and you think where is regulation going, actually it’s kind of focused on these areas, right? And that’s pretty much around the globe. Okay, let me expand on why I think each one of these is kind of important and kind of critical. So, some pictures. If we think about what can cause an organization operational risk challenges, well, the first one has to be COVID, right? So no one saw it coming. Everyone went straight away pretty much to a work-from-home model, and policy and procedures within organizations were pretty much ripped up.
Bryan: So it caused a huge disruption, and some organizations, well actually most organizations, especially those that have things like ISO 27001 compliance, would have had a pandemic flu policy. But honestly, how many people thought that it would have come into action? And how many people thought that it would actually introduce a complete new way of working, with things like permanent flexible working and offices shutting down, etc., and companies getting rid of real estate and allowing their employees to work from home? And if nothing else, that’s drastically changed the data model: the data, how it flows around the organization. People used to be sitting in the headquarters or a district office. They’d be on a corporate laptop, etc. Now that’s changed. You’ve got bring your own device, people sitting at home, but they still need access to those customer data sets. So, that introduces a different risk posture, and it could definitely cause disruption. And so, obviously, COVID has to be number one. And if we look at some of the political stability that we’re seeing. So if we look at Russia and Ukraine, for example, again it was kind of coming, and then it was happening, then it wasn’t happening, and then it did happen, right? And it’s had pretty much a major impact. But again, we may see that from a China–Taiwan situation as well. And I’ve got several organizations that I consult with actually modeling what would happen if, like what’s happened with Russia, sanctions are imposed and we can no longer actually do trade with China. We can no longer consume services or get products from China, and that would have a pretty devastating impact.
Bryan: And then you have things like the Suez Canal. A ship wasn’t navigated properly by the captain or whoever was driving it at the time, and it actually hit the bank, spun around and was lodged in the Suez Canal. And then we had this huge backup of ships behind it that obviously were using that as the shortcut. So physical products and physical services weren’t actually getting to their destination, and that was obviously causing huge challenges and, again, a huge operational risk. And then you have strange things like what was happening here in the UK, and I don’t know whether you’re all aware of this, but we had a huge problem in processed meat factories that we were buying in from Ireland and Italy and other countries as well, where when we did DNA analysis on those meats and burgers and lasagnas, etc., there was horsemeat contained in them, and this caused huge brand damage for supermarkets, etc. People walked with their feet and said, obviously, we’re not going to shop in your shop anymore. You’ve been feeding us horsemeat. So things like this can have a huge impact as well. Okay Scott, next slide. So I’m just going to expand on these global events a little bit. They may be on distant shores. They may be far, far away from your organization, and you may think it won’t have an impact, but it can and it does. Things like cosmetics giant Revlon in the US: they filed for bankruptcy recently, and one of the main reasons that they filed for bankruptcy was supply chain issues. They couldn’t get the raw materials to actually make their product. They couldn’t service their customer base. Therefore they couldn’t actually create a product to sell. And obviously they went bankrupt.
Bryan: So this can actually have a huge impact. If you can’t get hold of the raw materials that you need to make your product, then you’ve got a big issue. And that doesn’t necessarily mean an organization’s got crypto malware. It might mean that your supply chain was from Russia or it was from China, and regulations come in, and you haven’t truly thought through how do I put some geographic resilience into my supply chain in advance. So, we’ve got our supplies in fairly contentious countries, etc. So, we need to build that resilience in, so that if something should happen then obviously we’re not going to be in a significant problem; we can actually pull those supplies in from elsewhere. And I think very few organizations actually go through that thought process and think, these are a critical supplier to us. Actually they focus on that supplier, but they don’t think about, well, what happens if they went away? What happens if we couldn’t work with them? What happens if they went bankrupt? And actually have those backup relationships in place straight away. And I don’t think many people, certainly here in Europe (it’d be interesting to hear what happened in the US), but many people didn’t actually understand the true global impact of what was going to happen in Ukraine. I’ve put one example in there. They produce 54% of the world’s semiconductor-grade neon. And this has had a huge knock-on effect with companies like Intel, Nvidia and others, because they need that to manufacture their chips. So, something happening far, far away from your parent organization can still have a pretty devastating impact on you.
Bryan: And it really is the job of the security professionals and the procurement professionals, working collaboratively with the business, not just to put these contracts in place for maximum cost reduction, maximum benefit, etc. It’s really thinking things through and actually saying, well, what would happen if we weren’t able to transact with them? What’s our backup plan? And how easy is that backup plan to bring into force? Great. Next slide, Scott. And then let’s look at compliance risk. Compliance is only going to continue. I’ve been in security for coming up for 30 years now. I know I don’t look it. Thank you. But when I first started in security, yes, it was there, but now it’s everywhere. And it’s rare to see a country that hasn’t put some form of data legislation in to protect their citizens. And actually, there’s over 60 around the globe. So, if you’re running a global multinational organization, yes, this becomes a little bit of a challenge, because even though there is a lot of overlap between them, each kind of has their own little nuance that makes it slightly different. And this is only one area of compliance, around data. You can look at a million other areas of compliance. And again, each country kind of takes its own approach. And it’s up to us to figure out what are our requirements. What do we have to ask our suppliers to do? And ultimately, how can it trip us up, right?
Bryan: What are we looking for in terms of our key risk indicators to make sure that we don’t fall foul of the regulators in our countries on how we handle data? And things like backups here can be a real challenge: if you’re pulling citizen data out to another country, etc., that can cause you issues and concerns. Okay, Scott, next slide, where we kind of expand upon that. So, as I say, regulation has changed dramatically over recent times, and I’ve already mentioned today that you can’t outsource your accountabilities, but you can outsource the responsibility. But it has to be done correctly. You have to think, okay, they are our customer, we are accountable to them for effective security. They’re entrusting us with their data. You have an accountability to make sure that that trust isn’t misplaced, and you need to make sure that you put in place the right processes. Then you as a business are making a decision that you’re not going to do this service, whatever it is, in-house. It might be a call center. It might be managing a data center, or a service that is customer-facing, for example, but you’re making a business decision to give that to someone else. Now that might be for improved customer service, it might be for a reduced cost, but that’s a business decision that you are making. So then you have the accountability on behalf of your customer to make sure that that’s going to happen in the right way, and that’s really where you have to get into the contract. You have to actually understand exactly how is this service going to be built, who is going to be working on it, which countries are going to be contained in the full service wrapper. Are there any third, fourth, nth parties as part of this discussion?
Bryan: Because when you’re talking about compliance, that’s the length you have to go down to. You have to actually stipulate in the contract: this is the role that you’re going to perform and this is the role that I’m going to perform. And any nth-party agreements that are in place obviously have to be fully documented as well. And if there’s any change in that, then obviously that has to come back to the contract and be recorded in, because you need that chain of custody throughout that contractual relationship. So that if there are any issues, if there’s someone in that supply chain that has a data breach that actually impacts your customer base, it’s absolutely devastating, and obviously it’s a real concern for an organization, but from a compliance perspective, you’ve done everything that you can. You’ve done things properly, and that’s really where you need to focus on. And what I fully support, and certainly what I’ve done, is really focus on what are those key controls that actually give you that day-to-day assurance. And again, I’m going to beat up Microsoft Excel here. So, if anyone’s using Excel on this call to manage their third-party risk management, then I really implore you to look at tools like Prevalent. Obviously, I don’t work for Prevalent. I’m not a salesperson or anything like that, but I have used their tool in earnest to run supply chain security for me around the globe. And if you think about it, if you’re using Excel, you send out a questionnaire, normally once, maybe twice annually, that goes out to your customer base. They fill it in. They send it back to you. It lands on the table of analyst A, B, C or D.
Bryan: They use their personal opinion and experience to understand what are the risks within this submission, and then they codify it into Excel. It doesn’t introduce threat. It’s far away from real time. So, a once-a-year assessment, if you think about how quick and fast things change within your own organizations, that’s exactly the same for the people that are supplying you services as well. New management come in, cost pressures are introduced, new product lines, services. They spin up outsource capabilities in different countries which you might not want your data to flow to. So really having your finger on the pulse, near-real-time information, is absolutely key. And I’d argue it’s a core requirement for compliance, because most of the compliance around the world has a requirement that you disclose, or that you share information with the regulator, in a timely fashion. If you’re on Excel, that’s going to be a real problem for you to actually achieve. So again, another beat up for Microsoft Excel there. Okay, Scott, next one. So, corporate social responsibility. A big area, a very passionate area for me, and certainly when I’ve worked in the large multinational organizations, a big focus. It’s the right thing to do, and it has to be set and baked in, embedded within the culture of the organization.
Bryan: So what we’re talking around here typically are things like child slavery, backhanders or bribes, doing things ethically for the environment so that you’re not polluting and poisoning rivers or putting really black smoke into the environment, etc., and that you’re obviously focusing on modern slavery, anti-money laundering, and all of those aspects. So those are the areas that I think can really impact an organization from a CSR perspective. Okay, Scott, next slide. So, let’s talk about this. It’s a really interesting area, and as I said, I’ve run security for large multinational organizations, and to say that each country doesn’t embrace CSR principles and ethics is putting it lightly. We have to accept that things are done differently to how we would expect it to be done from a cultural norm. But we need to do global business; our organization is going to start to operate in that way. So, you have to think about how you set it up for success at the outset. So, again, when we’re onboarding an organization, it’s not just about looking at their security policies. It’s not just about looking at their patching policies and all of the things that we’re talking about today. You have to get under the hood of the company. Who owns it? Who are the key people? Who are the shareholders? Who can pull the strings behind the scenes on this organization? And equally, what’s their way of working? And that’s where you need the threat intelligence. Threat intelligence will give you all sorts of information about how does this company operate. What are their ethical standards?
Bryan: Because suppliers want to win business, and lo and behold, they won’t tell you the truth 100% of the time, because they want to get this business and contract from you. So the onus firmly lands on your shoulders to make sure that you’ve got no CSR risks or no CSR responsibilities. If you’re making clothing, for example, or if you’re buying coffee, or any of those types of examples, you want to make sure it’s fair trade. You certainly don’t want to be selling a product in the US or the UK, for example, and then actually find out that it’s being manufactured by child labor. Well, that could easily happen if we think about some of the examples that we’ve talked about. If you place a contract with an umbrella organization and you assess them from a risk perspective, but then they outsource it to some sweatshop in some different geographic organization, and that’s actually where your product is produced, unbeknownst to you, but you should have asked those questions, you should have got into those details. It’s still your accountability and your responsibility to make sure that’s covered off. And I think there’s a huge focus on this area, and rightly so, and the brand damage that can occur. We can all think about some of the headlines that have been in our different geographies: big companies, Nike, big supermarkets, for example, big coffee producers. They haven’t followed their supply chain effectively through. Investigative journalists have, and they found out that the ethical standards that they claim to abide by on their public-facing statements don’t hold water, and actually they have got child labor or they have got forced labor producing their product.
Brian: They’re underpaying that labor, and the markup is extensive when it actually comes to selling their product. So be fair throughout your supply chain and make sure, obviously, that a good percentage of the profits is actually being used ethically, to make sure your product isn’t exploiting anyone. So I think that’s a really important area for us all to focus on. Okay, Scott, next slide. So, financial risk, and I think nothing helps bring this to life more than COVID. Certainly in the UK, I was doing some research, and more companies failed during COVID than at any other time. And yes, they were smaller organizations that couldn’t weather the storm, so to say. But actually, it’s a huge issue. Organizations, certainly the ones that I normally consult with, are actually twisting their way of working and wanting to work with smaller organizations. They want the ability to innovate. They want the opportunity that working with a smaller company might give them to diversify away from the competition in the market. And I think it’s a really sad situation that so many smaller organizations actually closed within the COVID pandemic. But obviously there are other situations coming through as well. We’ve got monkeypox knocking on the door now. And I think these waves of pandemics, and I’m certainly not a virologist or anything like that, but if you look at this, the malware world and the medical world are often compared, and new strains, variants, etc. pop up all of the time. Either created by humans or morphed from the animal kingdom to be able to affect us. So we have to get comfortable with this.
Brian: So we need a model in place within your organizations to adequately assess financial risk, and it’s not typically the skill set of a security professional to be able to do that. So this is one of those areas where we have to recognize we have to work with the rest of the business. Every organization with 10-plus employees will have someone that does finance on their behalf, and they’ve gone down an entirely different skill set in terms of academic learning, capability and development, etc. to get to where they are, and as cyber professionals we need to be able to tap into their knowledge and actually say, this is the information that we’re getting on this supplier. But again, Prevalent can help with that in terms of presenting information up to the security professionals if it’s pretty obvious that they’re not in a good financial position and all of those aspects. So work collaboratively within your business, work collaboratively within your organizations, and I think regulation is heavily focused on this area as well. Money laundering: I set up a service in Vodafone; it was in the African continent across most of the countries, and actually banking outside of South Africa isn’t very prevalent, excuse the pun, and what we found is our mobile wallet, if you like, that we put on people’s phones became the main way that people bought and sold services. They had their salaries paid into it. So essentially we replaced banks. What we discovered, obviously, is not everyone is ethically motivated, and there were huge attempts to launder money through those platforms, etc.
Brian: So just because your product isn’t intended to be used in that way, you have to really think through what are the unintended consequences of a product and services and how it can be used and abused, because that can be changed and that can cause brand damage as well. And obviously, how much financial contingency do your suppliers have as well, and how much debt are they carrying? There was the global financial crisis; we all assumed that our banks were in a really healthy position, and then you had the subprime mortgage situation that started in the US and then spread across the world, and all of a sudden we realized that our super-stable banks aren’t as financially stable as we thought they were, and all the governments had to step in to bail them out. So don’t just assume because it’s a big brand and it’s a household name that their financial stability is there, because things change overnight from a financial perspective, and we have to be able to monitor and look into that. Okay, Scott, next slide. So this is my last slide, because Scott’s going to present and then obviously we want 15 minutes to answer all of your questions. So what do we do? What to do differently? So I’m a big advocate, for anyone that’s listened to some of my other webinars, that security shouldn’t be a silo. We can’t effectively just work within the security function. I used to walk into security teams when I was joining as a CISO or working as a consultant, and they’re all locked away behind speed gates or locked doors, etc. They’re not embedded into the business. That way of working doesn’t work anymore. So get out of the secure areas. You can secure the data, but you don’t need to secure the area.
Brian: As I always say, embed the security team into the broader business and really tap into that non-IT expertise. We’re talking about non-IT risks. So we need to work with the HR team on people aspects. We need to work with the legal team on compliance aspects. And we need to work with the finance team on, guess what, finance. They have that knowledge and experience that can really help us, and what I found really useful is actually sitting down with each of these areas and saying, how do we detect it? What are our KPIs and KRIs that we should be putting in place? What are the lead and lag indicators where we can start to see where something’s gone wrong, or how do we detect when something’s starting to go wrong? Putting those into your reporting platforms and being able to detect that early on is really important, and really ensure that you’re working holistically across your supplier footprint. So what do I mean by that? An example from my past is, again, if you’re in a large multinational organization you may have three, four, 5,000 suppliers, and suppliers are different in each country. So a small supplier in one country might be a major supplier in another, and if you don’t know about that, that can absolutely blindside you. So you need to know about your global business. And how do you do that? That’s where procurement becomes your number one best friend. So you need to make sure that you’re really tapped into that procurement process and make sure that you’ve got your security controls embedded in that, so that no one can launch a new service on a credit card. No one can spin up a relationship with a supplier without it going through procurement and yourselves, because that’s your governance. That’s your gate, essentially.
Brian: You can detect, you can make sure, you can get assessments, and one of the KPIs we’ve talked about on the webinar is that there should be no cash flowing to a supplier when they haven’t gone through the due diligence process, because actually that can leave you exposed on compliance. You might be giving money to a sanctioned organization or a sanctioned individual. You might actually be partaking in money laundering. So you need to make sure that you’re at the front end of the process and you’ve actually done that assessment and evaluation before any money starts to change hands. But then you can’t be the bottleneck. That’s where you need a tool like Prevalent to be able to rapidly get information on a supplier. Again, if you’re looking at the Excel world, the business starts a relationship with a new supplier. They approach the security team; you know absolutely nothing about them. You have to send them your questionnaire, then you have to wait for a response. In the Prevalent world, obviously, you go onto the tool and the platform, and they’ve worked with hundreds of thousands of other customers who will likely have had a relationship with that supplier. And you get all of that information up front. So you’re not starting from your blank Excel spreadsheet; you can start to build a picture really rapidly about what risk this supplier might potentially present to us, and actually really work through the scenarios. And it can be quite uncomfortable for a security team that’s focused on cyber and information security to actually sit them in a room and go, what would happen if the Suez Canal was blocked? What would happen if China invaded another country and we could no longer use them? What’s the impact of the sanctions on Russia?
Brian: And any business that we had with them, because they do have impacts. Ukraine still produced a massive amount of the world’s wheat. So if you’re in a food production business, that would have had impacts. We’ve seen what’s happened to the global price of energy and all of these things. So each of these global situations that are happening in each of our newspapers and news programs around the world, if you really think it through, each of them will have some form of impact on your organization. So why not model that through in advance? Obviously, you’re not going to be able to do everything. You haven’t got a crystal ball, but really working with the business and actually saying, “Where are we going? What products and services do we have? What markets are we selling in? Where are we exposed in terms of where we buy our services or our products from, depending on what your businesses are? And how do you build resiliency into that?” And resiliency is the key word. If something happens in one area, how can you be resilient against that? And that only works by actually being self-critical, by really analyzing all of that information and producing those playbooks so you’ve got that information at hand, and obviously just monitor and manage those changes in global regulations. It’s changing all the time. Every time I look at what’s going on from a regulatory perspective, what’s going on in terms of how organizations work and working practices, the news is filled with political instability at the moment, and this is only going to continue, and we have to get comfortable with that. We can’t stop the world spinning and we can’t stop what’s going on, or certainly most of us can’t.
Brian: So what we can do is manage the domain that we’re accountable for differently and actually build that resilience in so we can minimize that business disruption. Okay, Scott, over to you, and then we’ll get to the questions at the end.

Scott: Yeah, sounds good. Brian, everybody, I hope you really enjoyed Brian’s part of the presentation here. Very comprehensive view of all of those sneaky risks that can creep up on you and might not be the ones we’re looking at every day, because it’s always the breaches and the cyber attacks and whatnot that kind of garner all the attention. But as Brian demonstrated and provided some examples and illustrations of, all these other types of risks can impact our organizations in ways that maybe we don’t predict. And being a security professional myself, I’m not attuned to looking at the financials of a potential partner. I’m not attuned to looking at executive turnover and eco violations and things like that to determine whether or not there’s going to be some disruption in the service that they provide. But it’s essential that we do enlarge our concentric circle of risk out from cyber and data protection and privacy and things to include some of these hard-to-quantify types of risks to gain that holistic picture. It sounds like such a trite phrase to use, holistic picture. But cyber might be 60 to 70% of the risk surface you’re facing with a third-party supplier or vendor, but it’s that other 35 to 40% that can sneak up on you and get you if you don’t watch too quickly.
Scott: The issue from our perspective is that a lot of companies try to do this, and Brian talked about the Excel example, try and address their problem of managing third-party risk using spreadsheets, and we know the problems with it. We don’t have to rehash that. One of the biggest outcomes of using a spreadsheet, for example, or backed by a SharePoint or Teams-based process, whatever, is that the data is outdated the minute you gather it and lacking any sort of recency or real-time element. You’re always dealing with old data. You don’t have a good flow of information coming into the enterprise to help you recalculate risk exposure, likelihood, and impact of potential problems, whether that be a blocked canal somewhere or a huge data breach at a tier one supplier. Another thing complicating third-party risk management is that everybody’s starting to get involved in it. You’re probably feeling that pain. I bet, if you sit in a security organization, all of a sudden procurement folks might be knocking on the door going, “Hey, we’d like to learn a little bit more about this,” or “Who are these guys?” And the more manual and the less real-time the inputs are to the process, the greater the frustration that’s going to cast throughout the enterprise if those teams aren’t getting what they want from the assessment process. So you’re spending tons of time, very manual, not really a whole lot to show for it. So that’s kind of the landscape of the challenge in trying to do this the right way. We see third-party risk not just from an IT versus non-IT perspective, but also at every stage of your relationship and engagement with that third party.
Scott: And every one of these steps has some unique risk elements to it. When you’re sourcing and selecting a vendor, your procurement team is probably going to want to get a handle on their anti-bribery and corruption policies. They’re going to want to know, are they financially resilient? Have they been breached in the past? Once you’ve made a decision on a vendor, you move to the intake and onboarding side. Okay, great. What type of risks should we assess them for based on their interaction with our data, geographic location or regulatory influence, whatever? You score the inherent risk they bring to you, and that can be anything from how they touch and interact with your data, to the level of access into your IT systems, to whether or not they’re a tier one supplier, if their widget is the key piece to your final product. Then we conduct more comprehensive assessments and remediation of findings against any number of regulations or frameworks to measure against for best practices. And then, as Brian mentioned in the last point on his last slide, the monitoring and validation piece. Everything up to this point in the life cycle has been almost a point-in-time exercise. We take a look at somebody before we select them. We select them and we onboard. We do some inherent risk scoring to get a picture of what they look like. We develop our assessment strategy and maybe we remediate some findings. Well, all those are kind of unique, point-in-time activities.
Scott: Well, monitoring, by its very nature, is a continuous exercise, and that has to be performed on a regular basis to make sure that new risks are discovered in time and that they can be addressed before they have some sort of downstream impact on your individual enterprise. But, excuse me, you also have to interpret risk as more than just whether or not they’re introducing cyber or financial or whatever types of risk to the enterprise, but also how does their individual performance impact the service that you’re providing your customers, right? So that’s why it’s important to measure SLAs and performance, again moving toward that more continuous approach. And then finally, tons of risk is presented during the offboarding and termination phase, and we find that very few organizations have a disciplined and rigorous process, a checklist if you will, to go through all the activities that have to be performed when you’re offboarding a vendor or terminating a relationship, to make sure that your data is not continually exposed, it’s been destroyed, final payments have been executed, contractual agreements have been addressed, and more. So again, IT versus non-IT risk is a great way to look at it, but IT and non-IT risk at every stage of that life cycle just further complicates matters as well. What I’ve done is I’ve identified a couple of risk types that are addressed by the Prevalent platform. And I’m not going to go through these in exhausting detail, but I do think this speaks directly to the point that Brian addressed about there being security and non-security related risks. These different security domain areas are things that we track regularly, not just through the execution of third-party vendor and supplier assessments, but also through intelligence feeds that are continually being pumped into the platform to validate the assessment results, but also provide that real-time or continuous element or picture into updates on those vendors that can have some sort of material impact on you. So, the standard security stuff that you can see in the blue block there, but business and operational risks: does a merger and acquisition impact a supplier relationship, what’s their credit rating, their payment history, are they a bankruptcy risk, things like that. Speaking directly to the CSR risk that Brian mentioned a minute ago, what are their ESG ratings? Are they listed on the US EPA’s ECHO violations database? Do they have a modern slavery statement? Are they committed to diversity in hiring practices? These types of risks are non-quantifiable, but at the same time really talk about the kind of business you’re doing business with. You’re only as good as the people you do business with. You’re only as good as the people you hang out with, right? So you want to do business with good and ethical companies, and that sometimes doesn’t come through in a cyber security assessment. Reputational risk speaks directly to that. And then finally, compliance risk. So, just a sample of some of the risk types that the Prevalent platform helps to address through assessment and continuous monitoring, kind of a one-to-one correlation with what Brian talked about a minute ago. Again, my last slide: what I wanted to communicate here was that our approach to third-party risk management is, I think, comprehensive. It’s very data-driven.
Scott: The objective is to get you as much continuous, near-real-time intelligence about your suppliers, whether that be from a cyber or a non-cyber perspective, to help you make good risk-based decisions; to unify it together in a single platform so that not just you, but also your procurement team, your risk management team, your security team, your legal team, internal auditors, and more can have the visibility they need to make good decisions at every stage of the life cycle; and to do it in such a prescriptive way that it takes the variability out of the process. It gives you the information at the step that you need it, and the intelligence, so that you can make good, informed decisions, move on to the next phase, and ultimately reduce the risk across that life cycle with all the sources behind you to help you do that. We’ve written a white paper that really encapsulates a lot of what Brian talked about today: how to manage IT and non-IT third-party risks. You can see it at the link there, but we’ll include it in the recording email that we send out to everybody either today or tomorrow, as Amanda said a little while ago. And it’s a very detailed, prescriptive, checklist-based approach that really reviews the domains of IT and non-IT risk and then explains some of the strategies to align teams in your enterprise based on the risk they’re trying to manage at the stage in the life cycle they’re trying to manage it. So, a decent resource, something I encourage you to take a look at; it’s a good accompaniment to today’s webinar anyway.
Scott: All right, so that’s what I wanted to share with you. That’s kind of the Prevalent approach to how we manage both IT and non-IT third-party risk throughout the life cycle, and what we can do to transform what Brian talked about into some sort of reality. So with that, Amanda, I’m going to pitch it back to you.

Amanda: Thank you. Perfect. So I’m going to go ahead, and I have one more poll question for everybody. We’re curious as to whether or not you’re looking to augment or establish a third-party risk management program for the remainder of the year. Or if you’re prepping for 202 we’d love to know about it. Please answer accordingly, because we will follow up if you are interested in chatting with us regarding that. So I’ll leave that one up. I’m going to start from the top. So let’s just remember the top is when you first started chatting, Brian. So it’ll be your own quiz here of what you’ve already discussed. But the first question is, when you were mentioning CSR today, would you also group ESG in there as well, or does it depend on the country?

Brian: No, I mean it completely depends on the country. They mean the same thing, right? And that’s part of the challenge. So in Europe typically it’s CSR, corporate social responsibility. In the US it’s environmental, social and governance, etc. One of the things I would really love to happen is regulators starting to talk. I put that map up, obviously showing the 60-plus different data regulations that are around the world. And it equally comes down to compliance and ethics, etc. There’s so much overlap over these things, and the intent and the objective and the outcome are entirely the same.
Brian: It would be amazing if we could just, as a globe, align behind a standard and a compliance regime and all of those aspects. I think it would make our job entirely easier. So I think from a CSR and ESG thing they’re largely interchangeable. There may be a couple of nuanced aspects contained within them, but in terms of the principle of what we were talking around in the presentation, they’re just different geographies and different reporting mechanisms, right?

Amanda: That pretty much answered multiple questions, so I kind of went through. So the next one I think we can focus on, going back to ESG again. This person, Indra Klein, and I’m going to call people out that have names, because pay attention, your questions are being answered here: for orgs with a commitment to attaining and maintaining ESG goals and that have third-party relationships in which there may be GBS entities in the supply chain, for example India, Asia, Eastern Bloc countries, any thoughts on how orgs can better monitor practices that may impact ESG reporting? They’re saying thinking in terms of cultural practices, nuances, employment practices, etc.

Brian: Yeah, I mean it comes down to the culture of the organization and the controls. So obviously each organization has a headquarters. It has a CEO, it has a leadership team, and it has a cultural approach that it wants its organization to behave within. As I said, if you’re a global organization and, you know, some countries were called out, many others exist where those practices aren’t embraced. And even some countries exist where it’s common for a bribe to be offered as part of the cultural norm. And then you’re trying to operate a company in that country and you don’t want to behave in that way. So you obviously have to set out, this is how our company is going to operate.
Brian: You have to make sure that you recruit in the right way. You bring in people with the right belief system that actually aligns with your culture. You have to make sure that those people are onboarded effectively and have their training up front to say, it might be a cultural norm within your country, but this is the way we’re going to operate. And then obviously the control environment comes in from an organizational perspective, and that’s where third party is a key thing, obviously, to work with suppliers in that organization. You need the right financial and process controls in place to be able to get assurance over and above your employees to make sure that those processes are operating in line with your ethics. So yes, it does become more complex, but equally we often focus on some of these problem areas and problem countries, but it doesn’t mean to say it can’t happen in other areas. Bribery has occurred in both of the jurisdictions on this call today predominantly. So it can happen in our home organizations as well. So don’t solely focus on an area you think it may occur. You have to focus everywhere, because I’ve had situations in my career where employees, for example, have set up their own organization to sell into their parent company, etc. They’ve got the buying decision. They obviously buy from their own company, etc., at an inflated price, and obviously they reap the rewards. So that isn’t a cultural way we want to work. So you have to think, people may want to do that, people have done that, and people will do that in the future. So what controls can you put in place to detect that, so that it doesn’t happen, right?
Brian: So it’s basically again thinking it through in advance, thinking if this happens, how would we detect it, and then obviously setting that behavior into the culture of your organization.

Amanda: Well, if that ain’t an answer, I don’t know what is. I have two from Jorge Barroso. So Jorge, here we go. What is the best way to assure operational risk by developing operational risk scenarios that involve technologies?

Brian: Yeah. Well, I think it’s really producing what I call the playbook, what some companies will call the green book. It’s the role play of what if: if something happens, how will we behave, who will be involved? And obviously bring technology into the mix. I don’t know, Salesforce.com or something like that. You’re heavily relying on that for your business process. Obviously, Salesforce doesn’t just run your CRM or your sales channels; equally, they can run a banking portal now and lots of other services. So if you’re heavily reliant on Salesforce from an operational perspective, then obviously you have to make sure you know what would happen if they were to go away. And I’m certainly not saying that you would spin up a replica service and pay for that in advance. You’d make sure that Salesforce have the right resiliency baked into their product and service. You’d want to understand their business continuity, their disaster recovery capabilities, and I’m sure they’ll sell you more services to make sure that that’s 100% nailed down from your perspective. But again, it comes down to the criticality of the technology, the level of resilience that you would build into that service. But if it’s core to your platform, it can’t go away.
Brian: You need that 99.999 recurring percent availability, then you have to bake that into the solution design, right?

Amanda: I have a bit more of a complex question here that I wanted to get through before we run out of time. Rob Brickman mentioned: your discussion of operational risk is largely from an outside-in perspective, external threats to business continuity, etc. After 20-plus years in third-party risk management, the single greatest operational risk I deal with is more internal contract… oh wait, this is really just him talking. I’m sorry, Rob. You threw me off here. I thought this was a question, but he was just chatting. Okay. Um,

Brian: He is absolutely right.

Amanda: Finish. Okay. Okay. Go ahead.

Brian: He is absolutely right. My examples were all about what can happen outside the organization. But there is that threat from inside and just not doing things correctly. What he’s talking around there is when contractual relationships are put in place that aren’t truly thought through. We’re setting unclear expectations on suppliers that they can never deliver upon, and the relationship turns toxic. So we do have to look inside our organization as well, to make sure not just that the process Rob’s talking around is followed, to make sure the contract’s set up for success, but equally around that insider threat. You can have operational challenges that come from inside your organization that might not be non-IT as well. All right. So yeah, I’ll take that feedback, Rob. Yeah.

Amanda: Let’s look at the second question from Jorge.
Amanda: He says, “How can you summarize the compliance risk for third-party risk management to avoid complexity?” Brian: Yeah, I think that’s that’s a challenge. Brian: You know, by its very nature, compliance is is is complex. Brian: Uh, as I said, you know, it’d be great if the regulators uh worked together. Brian: The way I’ve done it in a in a large global organization before is you can’t can’t operate your global business to 60 odd different data standards. Brian: So you have to pull the requirements of those standards and operate your business to the highest level of requirement of each. Brian: So it doesn’t matter where you’re operating, you’re exceeding those requirements. Brian: So for example, if you’re a financial services organization, the MAS in Singapore, the financial regulator will require that you disclose to them a security incident within one hour. Brian: In others, you might have 24-hour time etc. Brian: So run your global business to one hour. Brian: It there’s no point trying to fragment it and understand all the complexities of the different you know requirement legislation. Brian: Find the most stringent and run your business to that requirement. Brian: That’s the only way you can run a global process. Brian: Right. Amanda: And I’m going to do one last question since we’re at 60 seconds before the end here. Amanda: Um this is Donna Eswick. Amanda: She says, “What is the recommended best approach to supplier segmentation?” Brian: So there’s two things that you might have been referring to. Brian: So supplier segmentation in terms of third-party risk management is typically to put them into three distinct tiers. Brian: You know, tier one, tier two, tier three. Brian: And that detects dictates the amount of time that you focus with it on on each supplier. Brian: You know, if they’re a tier one supplier, they get more attention and focus, physical audits and and all such like. 
Brian: You may have been um you know, talking around how I segment the actual you know risk risk perspective in those aspects and um you know that’s a completely different conversation and a completely different webinar. Brian: So I’m hoping you’re talking around how we we tier them. Brian: So it’s typically, you know, three tiers and that dictates how much time you spend with them. Brian: Right. Brian: So, Amanda: perfect. Amanda: Well, thank you so much, Brian. Amanda: That’s all really what we have time for today. Amanda: If we didn’t answer your question, always feel free to just email us at info prevalent.net. Amanda: I just put in the um Oh, is it just to I need to do it to everyone? Amanda: I’m putting into the chat a link about the Verizon data breach um that Brian had mentioned so in case you guys were interested in looking at that a little bit deeper. Amanda: And I just want to re reiterate one more time that we will send the recording, we will send the slides and we will send the white paper that Scott just also recommended as well within the communications email. Amanda: So if anyone that ever registered for this, maybe you’re not even here right now, you will be receiving this as early as tomorrow, if not sooner. Amanda: So please stay tuned for that. Amanda: Check your am if you don’t see anything. Amanda: And that is all from us. Amanda: We hope to see you next time and have a great rest of your day everyone. Amanda: Thanks so much Brian and Scott. Brian: Bye everyone. Scott: Everyone, bye.

©2025 Mitratech, Inc. All rights reserved.