Distilling Useful Metrics from the Third-Party Risk Data Stack
Description
Teams often struggle to make sense of the massive volume of data produced by running a third-party risk management program. There has to be a more efficient way than sifting through a mountain of static assessment spreadsheets and the relentless stream of real-time threat data in order to tell the business about its most significant supply chain risks.
Join Bryan Littlefair, CEO of Cambridge Cyber Advisers and former Global Chief Information Security Officer at Vodafone Group and Aviva, to learn how to implement an efficient risk analysis approach based on "meaningful metrics", using world-class products to support the goals of your third-party risk management program.
In this webinar, you will learn:
- The 3 fundamental mistakes companies make when setting up and running their third-party risk management programs.
- Which metrics are the most actionable and meaningful for your business.
- How to implement a holistic approach to risk management reporting that meets the needs of multiple stakeholders across the organization.
Watch this webinar to help your team turn risk data into useful insights.
Speakers
Bryan Littlefair
CEO of Cambridge Cyber Advisers and former Global CISO of Vodafone Group and Aviva
Transcript
Amanda: I can see the numbers climbing. Hello everyone. Welcome, welcome. Oh, we're now right on the hour. I can see people trickling in. Hello everyone, hello. I'm just the voice. Today we're all voices. And I'm going to ask you a question while you wait. That's what we like to call it: while you wait. So, as you arrive, feel free to answer this question. Welcome. I'm Amanda, from Prevalent. I work in business development. I'm your voice host. Today we're all off camera, just like you. Alright. Thank you all for taking part in the poll. Yes, I'll leave it up for a little while. But as I said already, I'm Amanda from Prevalent. Thank you for joining us. I can see more people arriving, but today we're going to talk about implementing an efficient third-party risk analysis approach based on meaningful metrics. You can't see me, but I'm making air quotes with my fingers. I hope everyone is doing well. I'm sure you've been here before, but I'll run through a few housekeeping points. You are on mute. But we'd like you to answer the poll questions if possible and also to ask questions in the Q&A section below. We'd like to have a few questions at the end for our hosts and our co-panelists, and we hope to be able to answer them if time allows. But yes, today we are talking with Bryan Littlefair. We are very happy to welcome him. He is the founder and CEO of Cambridge Cyber Advisers, former Global CISO of Vodafone and security adviser to the UK government. So you could say he's quite a big deal in my eyes and in the eyes of all third-party risk analysts.
And as a bonus, we also have Brenda Ferraro on the line, who will probably chime in here and there with a few anecdotes and fun figures. You'll hear from her later in the hour. We're really delighted to have you here, and I'll hand over to Bryan. You'll receive this recording tomorrow. Thank you for joining us. Bryan, over to you.
Bryan: Great. Thank you, and thanks for the introduction. So, hello everyone. It's great to be able to speak to you all. First of all, as we said, we're going to be discussing how to implement an efficient third-party risk analysis approach based on meaningful metrics. And everyone's probably asking, well, what is "meaningful metrics", quote unquote, and we'll get on to that shortly to explain what those are. Right. So, we've kind of covered me. So, a little bit of scene setting in terms of where we are, just to explain what some of the terms are and where my perspectives on this come from. First of all, let me just say I've been working as a CISO for 20 to 25 years, and now I spend my time leading Cambridge Cyber Advisers, and we spend a lot of time mainly in the boardroom, helping chairmen, chairwomen, NEDs and executive teams really get a handle on the security posture of their organization, what's working right, what's working wrong. So that's been really useful to me from an experience perspective, to see it from the other side of the table, so to say.
I was always the CISO going in and communicating, and now I sit on the other side to help, to give my expertise to the board and make sure that the CISO is answering the right questions and the right things are going on, not just in third-party assurance, but obviously that plays a big role. And I think, from my perspective, third-party assurance is really hard to do well. It's hard to do well. Part of the challenge is obviously that it's global, if that's the way your organization is structured, so you're having to manage suppliers in numerous different countries. It's not uncommon for large organizations to have three, four, five thousand different suppliers, ranging from people that handle your sensitive data on your behalf all the way down to people that provide the kitchen supplies and refill the bathrooms, etc. So there's a full dichotomy of suppliers that you've got to manage for your organization, and each of those different suppliers has a different contract in place with you and a different relationship inside your organization. And as your company or organization grows, its reliance on third parties is only going to increase as well. So that's why getting a really strong foundational component in place, so that as you have to scale, the process scales with you, means it doesn't become so much of a challenge or a battle. But I think we all know it doesn't always go to plan. I think if we all sat back and thought of large household-name brands that have had security challenges, data loss, breaches, etc. that have actually emanated from their supply chain, it wouldn't take us too long for some of those names to pop into our minds. And I'm not going to put brands up on the screen, but we can all probably think of those.
And I think it's evident that those organizations would have had a good approach, they would have had a well-resourced team. Well, sometimes, not always; the size and scale of the company doesn't always equate to that, but they would have had people focusing on this. So I'm going to try and unpick some of the challenges that I've seen, and it's great to get Brenda's views as well, and help get into what some of the opportunities are for improving your maturity, and then hopefully look at some meaningful metrics. But just an observation from my side: as I said, spending a lot of time in the boardroom, and presenting at conferences, focus groups and discussion forums, the topic of those discussion forums is how do we tackle this chasm between the CISO and the board. And when you get CISOs talking, not all of them have the relationship that they would really like with the executive team and the board. Some of them don't feel like they have the right support. Some of them don't feel like they're getting the right amount of resource from the executive team to be able to effectively manage the risk. But actually, sitting on the other side of the table, you hear the same things. If you speak to the NEDs and the board, they think that they're not getting the right information from the CISO. They're not understanding what the current risk position is. They can't see the wood for the trees. They don't understand what the problem areas are. And they want a bit of clarity in terms of: this is where we are, these are the problems that we're facing, and what do we want to do about it. Whether we invest or not, that's a risk-based decision, but the opportunity to contribute to that risk statement is absolutely key.
So I always advise putting yourself in the shoes of the board and the executive team. Very rarely have they got a security background, but very often they are presented with fairly technical data and metrics emanating from security tools, and they're expected to understand whether those metrics should be going up, down, left, right, whether they're KPIs, KRIs, etc. And I think that, as security professionals on this call, or risk professionals, or procurement, wherever you are, we have a responsibility to do some of that legwork and some of that thinking, and present a clear message upwards in terms of what our current status is and what we are doing about it going forward. So this is a little bit about what we can do to make things better, what's within our own power to improve things going forward. Okay. So, third-party risk management, the known risk, and why is that? I think that third-party risk management definitely presents a clear and credible risk to all organizations, big and small. I was doing this same presentation to a UK-based audience earlier on today, and there were a lot of questions around whether the organization's size and scale make a difference, and actually I don't think it does, because you're trying to achieve the same outcome irrespective of the size of the company. All organizations, big and small, use suppliers; you need to understand the threats and risks that those suppliers present to your business, and you want to achieve an outcome in terms of educating the business about what they might be and then also giving some options for compensatory controls or mitigating those risks. So I think there's definitely a risk presented to all organizations from their supply chain. But I think every company definitely has its own approach.
If I was to spend time with bank A or bank B, or healthcare company A or healthcare company B, they would have different approaches to third-party risk management. They wouldn't always be drastically different, but there would be nuances in how one company approaches it compared to the other. I've seen it done very well, with excellent stakeholder management, where everyone in the company understands the process and nobody attempts to bypass it because people see value from it. And then, unfortunately, I've seen it done very badly as well, where it's viewed as a bottleneck: lots of information goes into it, very little actionable information comes out of it, the team are very stressed, they're under-resourced, etc. So there's definitely a right way to do it and a wrong way to do it, and we'll hopefully get into what some of those are today and how we can improve it going forward. For those of you who have heard me talk on this topic before, the organizations at the lower end of maturity, I tend to say, are still completing Excel spreadsheets: very, very long questionnaires for their suppliers to fill in, and a manual analysis of those questionnaires. It's purely based on the experience of analyst A or analyst B, and obviously that can add delays and it can produce different answers. If you were to put the same questionnaire in front of two analysts, they might interpret it in different ways. So it's about how we can go up that maturity curve and adopt some of the innovation that's been going on in this space for a long time. And we'll cover off that whole maturity landscape and what that looks like.
But I certainly think that you can't rely on touching an organization once per annum, asking them to fill in a questionnaire and then putting those results in an Excel spreadsheet, because organizations change at multiple points throughout the year. Sometimes they might be profitable, sometimes not; sometimes they're growing, sometimes they're in a recession. And some of those behaviors drive different business actions: when budgets are tight, resourcing is constrained, costs are cut back, etc. So it's important to understand when these dynamics are happening in the market and how that can impact your supply chain. And we'll get on to some of the tactics and techniques to hook into some of that near-real-time intelligence rather than relying on a single assessment day in the calendar year. So, I've put up three common challenges that I see, and I'm going to break these down on the next couple of slides, but I just want to point to what I call the ART quadrant in the middle. This isn't a good place. This is not where you want to be. If these three different dynamics are operating on your function or your team: you haven't got a clear approach; maybe you're suffering from resource constraints, whether that's an appropriate budget to do some on-site auditing or the resource in your team to manage your tooling choice, whatever that is; and you haven't got the right tools to scale to the amount of risk that you've got under management, so maybe you've got a couple of thousand suppliers and you're having to run them on a spreadsheet. All of those have the possibility to impact the performance of the team, and the net effect of that is that the business isn't getting the outcome or the result that it needs. So the ART quadrant is definitely not where you want to be.
But let me break these couple of areas down and we'll have a bit of a conversation around it. So I think the approach is absolutely key. Different organizations position this team in different places in their structure, and I have a personal preference for where I believe it should be, but it doesn't align with everyone else's, so as long as it's positioned in the right place for that individual company and it's got the right investment and the right support, then that's fine, it will work. But it needs a very clear strategy, and I mean a strategy for the third-party risk management function: not just the CISO strategy, not the IT strategy, not the business strategy. There needs to be a strategic direction for how you are going to manage, assess, quantify and communicate the risk that's presented by those suppliers, whether it's 5, 10, 15 or 5,000 suppliers in your portfolio. And it should obviously be strategic in nature: why does this team of people exist? What outcomes are we going to deliver, and who are we going to deliver them to? What action is taken on our metrics and reporting? We produce them, but does anyone actually read them? Is any action taken upon them? And if not, why not? In some organizations I've been in, the third-party risk management team can feel a little bit of a backwater: does the business realize we even exist, and what is the value that we add? These are some of the questions I get asked a lot of times when I go in and things aren't working very well. But it obviously needs to be set up for success. Stakeholder management is absolutely key. Know that the stakeholder isn't only the security function; it's the very broadest parts of the business.
Each area of the business, whether it's logistics, technology, or research and development, will work with a different list of suppliers, and those will present different risks and different opportunities to the business. And obviously a supplier in one country in a large global organization might be minimal, but in another country it might be huge. So it's really important that you understand that whole global supplier approach, and then obviously the clarity of reporting: giving clear insights to the business about what's going on and what the actual risk is, and then trying to actively and positively reduce false positives as well. If you're constantly pushing messages into the business which prove to be inaccurate or not entirely true, then obviously that damages the reputation of the team. So there needs to be a big focus on making sure that when you do report, it's accurate, and that something genuine follows on, as an ongoing requirement going forward. So the focus of the team needs to be strategic. There are absolutely times when it will be reactive, where the business comes to you and says, "Hey, we really need to do this new initiative, we're taking on this new supplier and we need you to take some shortcuts and get this supplier assessed as quickly as possible." That will always happen.
But fundamentally, if your team is always being driven in that tactical approach, you'll never get round to your strategic direction, and obviously your goal and focus should be to strategically manage the risk going forward. And then there's the whole resource for the area as well. I've seen third-party risk management teams of one or two people, and that might be okay: if you've got a really intuitive tool and you've got all of the knowledge flying into a small team and it's manageable, then so be it, that works fine. But equally I've seen teams of one or two people having to manage a couple of thousand suppliers using an Excel spreadsheet and being completely swamped, significantly behind on the assessment timeline, not producing the reporting and metrics, etc. So there's definitely a place on that scale where you'd prefer to be, and I think that this team manages a significant portion of the strategic risk for the company. We've seen what a breach in the supply chain can do to your organization's reputation and brand. So it definitely has a very clear purpose and outcome, and that strategy and purpose of the function should be translated into a target operating model where it's clearly presented back to the business, saying: look, this is the amount of risk that we've got under management, this is the number of suppliers that we've got under management, this is the current tooling that we've got, this is our current process. But have we got the right resource? Have we got the right target operating model that we need to be able to drive that initiative strategically rather than tactically and firefighting? And obviously what we see sometimes is that a team is put in place and the organization goes through rapid growth, with massive numbers of suppliers coming on board, but the team size has to remain static because that's all it's got the budget for. And I think that's where having that very clear strategy, and having the business stakeholders bought into the value that you deliver, means that if the team is becoming stretched by the increased workload on it, you need to be able to grow to effectively keep that risk under management going forward. So there definitely is a different approach, and we'll get on to that in a minute. So, embracing the innovation in this space. As I said, I've been a CISO for over 20 years. I still work very closely in the space, and I've definitely seen the evolution in this space for the teams that have been under my management. So have I used Excel spreadsheets before to manage third-party risk? Yes, absolutely. It was all that was available to me. And then obviously we went through different levels of maturity as different software was coming out, things like putting in place GRC tools, governance, risk and compliance, to harmonize our governance activities and our risk and compliance regimes. They were very difficult to integrate, very complex to manage, etc. And then obviously there's a new breed of tooling coming out that's purpose-built to manage this space, of which Prevalent is one.
And I think that starting to see organizations fully embrace this (well, there have been for some years) really is a bit of a game-changer, not only for the teams that have to operate the community of suppliers, but it actually changes the whole approach, because rather than having to go to every one of your suppliers, normally a large percentage of those have already got profiles on these platforms and tools. So it significantly reduces the number of questions that you have to ask. So the plea is definitely: if you are still using Excel to manage this, then start to move away from that and embrace some of the innovation that's been made available to us in this area. So I just want to baseline this, and I realize I'll be teaching some of you to suck eggs, but actually in the boardroom it's not, and you have to recognize that it's really important to explain yourself and make sure that everyone's on the same page and understands what you're going to be talking about. In my personal view, certainly in this space, if I'm looking at a key performance indicator, a KPI, in this space, I'm looking at it to measure the performance and effectiveness of my function. I'm looking at the processes, the throughput, how many failures and successes we have going through the testing cycles that we're running. But it's as it says: how are we performing? Are we delivering as the business would expect? Are we delivering to the outcomes that we want to deliver, and, more importantly, are we delivering a quality service? We could certainly push reviews and cycles through the system, but if it's not quality, then there's no point doing it. So quality is absolutely up there as well.
And then we have the key risk indicators, which start to delve into and look at how much risk we are currently exposed to and what risk treatments we have to apply across our supplier base, and obviously typically that would be segmented as well. So you probably already knew that, all of you, but from a KPI and KRI perspective, that's how I manage and measure them. So what do I mean by meaningful metrics? This was from one of my accounts that I worked on many years ago, and this was an actual dashboard presented to the board on third-party risk. This was one page of, I think, about five or six. Obviously the suppliers are grayed out. It would have been a list of suppliers in very, very small font, where you'd have to have a lot better eyes than I have, printed on a piece of A4 paper, and then across the top there are the controls that are distilled from the security policy, and then a line per supplier going across all of the controls. And you can see that that's fairly complex, and this was a view that was presented to a senior audience. What it is, in my view, is complex. It's busy. It's definitely not dynamic. It's completely static, and obviously because it's printed on paper it's non-clickable, but you can see what a security analyst has to actually go through. These are, I suppose, the responses to the key controls, because it certainly wouldn't be all the controls within a particular supplier. And you can see that some are green, dark green, light green, some are yellow, some are amber, some are red, some are pink, etc.
And obviously it's the expertise of an analyst that has to look across one of those lines and think, well, with all of that taken into account, where actually is this supplier from a risk perspective? And I suppose the missing dynamic here is, of course, threat. This snapshot on the left is a single point-in-time view of how a supplier was operating during those couple of days that it probably took them to fill in the questionnaire. But as I said, there is another way. Having organizations pre-complete the majority of questions that we'd want to ask them, they much prefer it, because honestly, speaking to suppliers like I do, if you put yourselves in the shoes of a really big supplier, I'm thinking of an HP or IBM or Oracle, or a big outsourcer, think of the number of differing types of questionnaire that they must get from all of their suppliers, in different shapes, different formats, all loosely trying to achieve the same thing but structured completely differently. And they have to spin up a small industry just to try and respond to this plethora of requests coming from their client base. Obviously it's really important work, but there's obviously a simpler way to do that, and that's where all of these new third-party risk tools have really come into their own, because it's really simple for the end user, which is all of you guys and girls on the call. It's really easy to understand what it's telling you, because you can codify all of the requirements that you have from your security policy.
So, what do you really care about? Where have you got a little bit of flex? What are our tolerance levels on individual risk statements? And when they're all answered (obviously I'm not trying to put risk analysts out of jobs; they can do some really important work in this space as well), the tool will digest all of that and suggest the risk ratings, the passes and failures, on your behalf. But what it does do is it's dynamic. It's not a single day in a calendar year. It's pulling information from its knowledge community. It's pulling information from assessments that are done by other clients. It's feeding in the threat angle, and it allows the customer to really drill down and explore what's behind that red box. What was the question asked? What was the response? What have we tried to ascertain from that, and how can we improve things going forward? I don't know, Brenda, do you want to say anything on that slide, or do you see that as well?
Brenda: Yes, and when you showed that slide, I thought the grid on the left looked like a game of Battleship. So I can imagine a CISO or a board looking at that and wondering, "OK, where are we going to have to attack?" It was really interesting. But I agree that it's important to have meaningful metrics and to present things in a simple, easy-to-understand way. That seems to be the best way to sort through it and make sure that what's important and relevant is in front of our board and our CISOs.
Bryan: Yes, totally agree. OK. So, what are the best practices in terms of metrics, or rather, what are the groups concerned? From my perspective there are four categories, and I'm going to present them to you by name, and then I'll give you a few KPIs and KRIs that I think are important to consider and that will certainly interest the board. And when I talk about the board, I also include the executive team. Whether you're presenting to the CEO and his close colleagues or to the board, where the CEO, the CFO and the COO are usually present, I think that from a risk perspective these will be the focus of attention, and what will be expected of you is obviously a complete dashboard. They will want it to be informed and based on sensible logic. It obviously needs to be quantifiable and, above all, repeatable. I see too often that the risk management process is not repeatable. If you feed the same amount of information through the process with two different analysts, you get two different answers. That's where the tool comes into its own, because it gives you a repeatable process. If the same data flow is entered, you'll get the same result, the only variable being the overlaid threat, which could obviously alter the picture somewhat. And I think threat is the moving vector. That's what adds real value to using an online platform. Because if you just fill in questionnaires that are sent back to you, you only have one point of view. It's the point of view of that organization. It's not the point of view of the community. It doesn't take into account all the publicly available information.
For example, you might have a company that says, "We are perfectly up to date with our patching," but this threat analysis tool indicates that there are six open, unpatched threats on their public website. So the two are not necessarily correlated. It's therefore very useful to feed this information into your risk decisions, in order to quantify, beyond the policies put in place and the practices adopted, what compliance actually looks like in the real world. And of course, as organizations' risk posture changes daily, their position with respect to threats changes daily too, so it's really useful to bring this information into your environment. And I think that from a compliance perspective, compliance is not about to disappear. In my opinion, it will only increase. And having been a Global CISO for large multinational organizations, the compliance and regulatory regime can be very complex, and obviously your suppliers play a key role in that: those who handle data on your behalf or who are involved in some way in one of your compliance programs. And I think what needs to be said here is that the responsibility lies entirely with you, as the parent organization, to manage compliance, or adherence to compliance, within your supply chain. It is not a delegated responsibility; it's not because you have a supplier working on this that the problem belongs to them. It remains entirely your responsibility, and you have to manage them effectively at a distance. That's why all these metrics and areas that you want to use to build a coherent picture of that supplier's adherence to those standards are really very powerful. And then there's coverage as well.
So it's essential to have absolute coverage of your supplier footprint. We've already touched on the fact that a small supplier in the UK may be an important supplier for a business unit in the United States. And you need to understand that, so that that supplier is asked the right questions, so that you are not caught off guard by a security incident involving a supplier. You want to be able to get that information first. And I think that's the eyes and ears of the supply chain for the business. And if one of your suppliers suffers a security incident, you want to be on the front line. You want to be able to communicate that to the stakeholders in the business. You don't want to be caught off guard by a piece of information that appears on CNN or Fox News or something like that and that you're not aware of. So it's absolutely essential to have that information and those insights, and to have that coverage. Brenda, do you want to add anything?
Brenda: I'm finding my mute button. Yes. So, listening to you speak, I think that as we've gone through the various scenarios of the last year and the last couple of months, the global view and the local perspective have become more and more important. And without knowing the contextual compliance, the supplier threat intelligence and the quantified, balanced risk you've just talked about, those three elements need to be taken into account comprehensively but be easy to understand, with that global view to ensure resilience. So I really like the way you presented that.
Bryan: Great. Thank you. So, I'm going to put up some KPIs and KRIs. You know, I'm not going to run through them all, don't worry. I'll probably just say a couple of KPIs and a couple of KRIs on each of these four areas. And, you know, these aren't unique to me, and obviously none of them will be a "wow, we haven't thought of that before." But what it is, you know, is understanding from both the CISO side and the board side what are some of the things that they want to hook into. And by all means, this isn't an exhaustive list, right? So depending on the sector that you're in, depending on the type of organization that you operate in, whether they're really into the detail or they like the high-level view, it will change and it will be dynamic. But at a very high level, you know, these are some of the key things that I would certainly like to pick out. So from a risk perspective, we've already touched on coverage. You know, there shouldn't be any supplier receiving revenue from your organization, from your finance function, that hasn't been in some way, shape or form assessed by the third-party risk management organization. It might have been a notification and a quick assessment done, and decided, you know, that it's not important for whatever reason, but it should have gone through the process, and the reason is because obviously if no assessment's been done there's no understanding of the risk, and I do see that a lot.
I see, you know, organizations not having a good handle on their coverage, there being suppliers in place that have an issue downstream, and it comes back into the third-party risk team saying, "Well, what do you know about these guys?" and it's like, "Nothing, they've never been assessed, we didn't know you were using them." And this is a really important gap to close, and the key thing here is that the business sees this as a valuable process, because we all know, especially with cloud-based services now, it's fairly easy for a business unit to spin up a relationship with an external supplier using a credit card, and that would be fairly difficult for this process to detect. So the business has to want to engage with it. So this is more of the carrot rather than the stick. It's around "come and engage with us because we absolutely offer value to you." And if they recognize that, then they'll obviously not try to bypass the process. And the second one is, you know, the number of suppliers that have completed the, sorry, the number of suppliers that have passed or failed the onboarding process. And I'm more concerned here with the failed onboarding process, because often I see that as quite low, and you have to ask the question why, because, especially in a large global organization, but the same is true for a smaller one, you will definitely have organizations that fail, and you want to understand why that is and why that number is where it is on the scale. If it's too high, what's going on? If it's too low, what's going on? And there's definitely a sweet spot to be trying to achieve based on the nature of your business and the scrutiny that you put your suppliers under. But it shouldn't be the case that no suppliers are failing your process.
It proves that if you have got failures then you're asking the right questions, and that doesn't necessarily mean that you can't work with that supplier. You have to understand why they failed and what risk is presented from that, and it's our job to advise the business based on risk, and they might choose to accept some of that risk, but at least that risk is known, is quantified, and can be tracked by us going forward. And then I think on the KRI side, you know, some of the lagging indicators as well are really important. So, the number of priority one security incidents generated from the supply chain in the last quarter. So your supply chain will cause you security incidents, and if they're not, then have you got the right insights? Are you picking those up and understanding what's actually happening in your supply chain? You know, there'll be things like employees leaving and the password for the service not being reset, and it's a whole plethora of things that can generate security incidents for your organization, and it's important that you know about them. It's important that you understand and take the knowledge and the learning from those and apply that new knowledge and new learning to your broader supply chain so that you don't have a reoccurrence of the same incident. So what's actually happened in the past should be learned from and applied to what happens in the future, so you actually have a better process going forward, and that's really where I suppose the leading indicators come in. So, the organizations that have been through your process: the number of vendors within the supply chain that are carrying a high risk score. And it isn't abnormal to have vendors that are carrying a high risk score. It might be the geopolitical risk that they present. It might be a parent company or a relationship, etc.
And a high risk score just means that obviously they require extra diligence on an ongoing basis. So not just due diligence up front but diligence going forward, and equally understanding how that risk can be mitigated. So it may be having a secondary supplier, so if that vendor experiences difficulties, then obviously there's another one to fall back on. But if you don't know about those high risks or they're not effectively managed, then that can obviously disrupt your business. And then I suppose a real critical one at the moment is, you know, if you're a manufacturer and your traffic goes through the Suez Canal and a big container ship blocks it, what are you going to do? You've got loads of ships stacking up. So, if you knew that your supply chain was coming through that canal, could you have mitigated that by having a more local supplier that might be a higher cost on a day-to-day basis, but you could actually mitigate that risk going forward? And it's really about just getting into the details and understanding those aspects as well. And then, of course, it's the net risk from each domain category within your supply chain. So, it's fairly normal to categorize your supply chain, not just in tiers, so tier 1, 2, 3, 4, but actually by category as well, so things like, I don't know, I'm a security professional, so identity management service providers or physical gates, etc., and actually start to slice and dice your information flow so you can actually understand, for each of those domains: have we got a single supplier dependency? Do we know that we're going to have to terminate a supplier in that space and we have to start to look for a backup? Are we getting threat intel coming through in terms of geopolitical risk in that region that we have to mitigate?
So really understanding and guarding the business based on your intelligence and insights, and actually advising on that net risk, is really, really key as well.
Brenda: Bryan, I think that's quickly explained by our ecosystem. I think you're going to cover, in the section on coverage, the topic of unresponsive suppliers, because that has become riskier if they don't respond to assessment and/or risk mitigation requests. The other point you raised for the KRIs is concentration risk, because, as you said, it could cause a domino effect or impact the supply chain, as you mentioned with the canal. But those two elements are very important and essential for our current ecosystem.
Bryan: Yeah, absolutely. Completely agree. Okay. Then there's the threat feed, and I really would advocate, if you haven't got threat intelligence flowing into your supply chain information repositories at the moment, to look at how you can augment this capability on top, because it delivers the real day-to-day insights in terms of what's going on. But I see certain sectors are mandated, certainly in the UK, and not so much in the US, by regulatory requirements. For example, if you work in financial services in the UK, you are required by regulation to have threat intelligence coming into your organization. What you're not required to do is use it, right? So as long as it's coming in, that satisfies the requirement. But I see threat intel flowing into organizations at various different touch points, and I see companies do an amazing job of distilling and disseminating that and getting it to the right people with context to action, but equally I just see it hitting a brick wall, and it flies into an email queue that people will periodically look at, and it's not really being given the credence that it deserves. So I think a couple of things to look at are around the mean time to action. So when that intelligence comes in, it's been certified as valid, it's been certified as relevant, it's had some context delivered, and that's disseminated into the organization. How quickly does the account team that's responsible for managing that particular client or account pick that up? How quickly do they action it? Because that's one of the beauties of a third-party risk team: all the onus shouldn't be on them. It should be distilled into the organization to manage that. There are certainly account managers that are responsible for individual clients, etc.
And there's been a lot of effort to build up that relationship. So distill the information down to them, add the context, but certainly measure how quickly that action is taken on those as well. And then from a KRI perspective, how many suppliers across the tiers, whether it's 1, 2, 3, 4, have active high threat intel indicators coming in for them. And this could be for anything, right? You can have an entire country's suppliers allocated as high threat indicators because of government instability or something that's going on in the region. But it's really important that you obviously understand and just have that insight. And if you didn't have this threat flow coming into your information base, then you wouldn't understand it. You wouldn't be aware of it unless something actually hits the news. So it's around understanding: have you got the right information flowing in? Is it being disseminated into the organization in the right ways? Is it being acted upon in the right ways, both within your team and the broader business? And then obviously, are you driving resolution on that? A threat is given for a reason. It needs an action, and it needs something to either mitigate it or resolve it. And if it can't be resolved, then it needs tracking as an ongoing risk. But having all of that information to be able to make that call is really powerful. And then there's compliance, my favorite topic. It's certainly not going to go away; it's only going to continue to rise, but recognizing that your supply chain plays such a pivotal role in your compliance programs. And really for this, it's just understanding who they are. What is the role that they play? Have you got the right governance over them? Are you tracking it appropriately?
And have you got the ability to report on your broader regulatory requirements and compliance requirements, not just within what happens within your own organizational boundaries, but also within your supply chain as well? And here is where quality becomes absolutely key. And certainly from a compliance perspective, as Brenda was saying, if you've got unresponsive suppliers that play a role in your compliance regime, then you've got a definite real challenge and you need to address that. But quality is absolutely key here. The old saying is if you get garbage in, you get garbage out. So you need to really focus on the quality of the submissions, especially for those that are in play from a compliance perspective. And then there's the whole coverage aspect. So we've talked around a few of these already, but certainly no supplier should be receiving any payment that hasn't been triaged or assessed. You absolutely need to get that. It's important that the process isn't seen as a bottleneck. So you need to measure your throughput, measure your time to onboard. And time to onboard, from my perspective, isn't the questionnaire being completed or the analysis being done in your platform. It's the end-to-end process where we engage with the supplier to the point where either we're comfortable or we're not comfortable, and they're going into ongoing diligence going forward, and tracking that and making sure that it's optimal. It's not that it's quick, it's that it's done right and that the right questions are being asked and the right level of time taken to do it. But it shouldn't become a bottleneck either. What you don't want to see is this process being billed as a blocker to doing business. It will obviously slow things down just in the nature of what you're trying to do. You're trying to understand a new relationship with a new supplier.
It can be sped up by using tools that already have a lot of that information in the armory as well. And certainly that's what should be looked at going forward. Right? So, different lenses for different audiences. So know who's going to look at the information that's coming out. And I see this all the time. I see the CISO's dashboard being presented at a board level, which isn't the right thing to do. The CISO, having been one, and maybe it's because I'm a detailed person, but I wanted the detail. I wanted detail, detail, detail, not to the nth degree, but I wanted to be able to have the information at my fingertips that gave me a good understanding of the security of the entire organization, including the supply chain, because ultimately that's my accountability and my responsibility. Other people might have it as their job, but it's still my accountability to make sure it's done right. So I need a lot of detail. The business doesn't; the business needs it to be quantifiable, relevant to their specific business unit. You know, if there's a manufacturing division and they use a certain list of suppliers, they don't need to see the suppliers that aren't relevant to them, because they don't use them. So, it has to be relevant to them. It has to be actionable, intelligent, and tailored to what they actually specifically need. And then the board needs something different. The board want the legwork doing for them. They want a very clear view, consolidated, grouped, so that it jumps off the page what they're being asked to add input and guidance into. I don't advise going to the board and asking them to make a decision on your behalf, because obviously as security leaders you're required to make those decisions. The board might want to challenge that decision or ratify that decision, however they feel. But it's certainly not good to go in there and say, "Can you make this decision on my behalf?"
It should be: look, we've got this intelligence, we've got this information, or we've got this risk, and this is how we've decided to manage it. Do you agree or disagree? But that decision should definitely be made in advance. So really it's about putting some time and effort into recognizing that this is very valuable information, but it's going to different audiences, and how should we present that? And again, this is where the online tools can really help in terms of different lenses and different views that are actually designed and intended for those different audiences going forward. Okay. So, my last slide before I hand over to Brenda to talk a little bit about Prevalent. So why am I advocating meaningful metrics? Because this is such a critical business process. It's not a security process. It's not a technology process. It's a business process, and it means that the business can understand its risk and run as smoothly as possible. So it's really important that this process, end to end, is fit for purpose. It has the account. It has the right strategy set up. It's set up for success. It has the right resource. It has the right tools. But in my view, the reporting aspect of it is as important as the capturing. Otherwise, you're just capturing for no action. Reporting out in those correct lenses, getting the stakeholders engaged, getting them involved, getting them to contribute on what this process should look like, what are their requirements, what do they need from this process so they actually see value from it. And really, as with other areas of security, we've seen automation drive across our patching and our vulnerability management, our identity lifecycle management, JML, etc. And this is no different. Automated workflows to get access to intelligence and threats and drive behavior within the organization. That's where moving away from Excel into these tools can really help you as well.
So, and I'd just add that the security team isn't accountable for this end to end; regardless of where this sits, it's a business challenge and a business risk. And that's why I really advocate that integration with the broader stakeholders and the business going forward. Good. Thank you, Brenda. Over to you.
Brenda: All right, great. On the next slide, Bryan talked earlier about the Magic Quadrant and, as he just mentioned regarding metrics, from capture to reporting, Prevalent provides a strategic approach to collecting and acting on risk management, as well as designing the program to meet the need for increased assessments and to take advantage of innovation by leveraging not only contextual insights from machine learning, but also AI, so that we can reflect risk information using the right lenses, such as the CISO, the business, the board and others. So the Prevalent platform gives you that repeatable process Bryan talked about to address quantified, balanced risk using threat intelligence and overlapping supplier networks. It includes not only assessments, but also cyber and financial monitoring information. So we bring all of that content together, which gives a better understanding of the compliance you need to build into those reports, as well as the overall view of resilience, all of it using the platform and the people. On the next slide, we focused mainly on the last point, which concerns reporting and management. It looks like my slides are mixed up, so I'll move on to the next one. To be intelligent, the system must be comprehensive, contextual, data-driven and metrics-centered. Then, to be unified, we provide risk transparency, offering a one-stop shop where all your programs can feed information into the platform and everyone has the same voice. That gives you what you need to know at every level.
Then, for the prescriptive approach, we make sure it is streamlined, action-oriented and that it triggers what matters to drive that action. And on the next slide, we are your trusted partner. For this one, we are the leader in the Gartner Magic Quadrant, and we are the fastest-growing network provider with the largest assessment library. And we use harmonization and normalization of all the content information you can gather, whether assessments or threat intelligence. We are here to help you scale your program through the innovation we've put in place, supported by our trusted partners and customers who always give us examples of what's happening in the field, working with Bryan, on exactly where our platform should go. I'll now hand over to Amanda. I believe there are questions, and we have about 11 or 12 minutes to answer them.
Amanda: Yes, absolutely. And thank you all for joining. We really appreciate it. I have six questions in total so far. So I'll start with the first one. This one is for Bryan. What do you think are the top five third-party risk vectors?
Bryan: Yes. Well, you know, five come to mind. I mean, certainly my top two priorities in terms of coverage, you know, making sure all your suppliers are assessed. I always advocate net risk, because obviously there's gross risk and treatment plans get applied, and you need to understand clearly, once all of that's done, what risk we're still facing. I would also put the threat intelligence feed among the top five. So I'll give you three that come to mind. Those are the most important ones I'd advocate. You know, making sure everyone's brought into the system, making sure they're assessed, and then making sure you overlay that with threat intelligence. Exactly.
Amanda: Perfect. And the next question is about another ranking. What do you think are the top five third-party risks that should be included in reporting to the board?
Bryan: The top five what? Sorry. The top five third-party risks that are ideal for board reporting. So, from a key risk indicator perspective, I'd obviously go back to those aspects if we can go back to them. So I think at board level, the lagging and leading indicators are really essential for the board. What happened in the past, and have you learned lessons from it? Uh, a board will be very forgiving if something happens for the first time. And of course, the organization needs to learn from it. It will be less forgiving if it happens again. So it's about how you get that insight and apply it to what's going to happen in the future. Uh, we've already talked about net risk, uh, threat intelligence is absolutely essential, because, uh, I've certainly seen some of the common reports as well. It's about what we know about this supplier and what we've gleaned from the community. So it's about leveraging the power of that community to your advantage. So, as we call it in security, all the open-source information is taken into account as well. The board loves to see that kind of thing, because it adds context. It adds justification to your request for change from the current status quo. So those are the points I'd like to cover. Okay. So.
Amanda: Perfect. And then, the last question in this little series of three, uh, three questions, is: do you have any suggestions on the best way to create and automate a supplier offboarding process?
Bryan: Yes. So offboarding is just as important as onboarding. And I've heard Brenda talk about it too. I know it's her view as well, because offboarding can have several causes, but whatever the reason, you're terminating or reducing the services you provide to that individual supplier, whereas before a relationship existed. Accounts were created. Networks may have been connected to each other. There have certainly been data flows between the different organizations. And you need to understand what that looks like and track it as part of your program. That way you know what that client or supplier had access to or was given, because obviously you need to ask to get all of that back. You know, you don't need to ask for it to be handed back, or maybe you do depending on what it is, but you need to know it's removed in the right way, that the relationship is changed, whether terminated or reduced, and so on. So it's just as important to think carefully about what your termination process looks like as about your onboarding process. Brenda, I don't know if you'd like to add anything on that.
Brenda: Yes, I completely agree with that. And I'd also add, related to the previous question about the top five KRIs, the ones I'd recommend at a deeper level than what Bryan mentioned: I'd focus on software and mobile application development risk. I'd also focus on identity and access management risk. The other risk concerns unresponsive suppliers, and then compliance with any regulatory component, if there's risk there. Finally, the one that changes and moves from a KPI to a KRI is overall program compliance within your business, whether or not it's using the third-party risk management program. So that would be a risk I'd turn into a KRI. Um, but yes, regarding offboarding, I completely agree. It's just as important, and you need to put in place checks and balances that work consistently with your other departments to make sure everything is deactivated, destroyed if necessary, and so on.
Amanda: Thank you, everyone. Uh, and for your information, we have another poll question that I didn't manage to get up quickly enough, but while we discuss other questions, please answer it. Are you planning to strengthen or set up a third-party risk management program this year? In other words, do you have a project in progress that we could help you with? All right, we'll leave that question up. We'll continue with the questions. The next one is: what would you consider a good reason to launch periodic reassessments? Probably for Bryan.
Bryan: Yes. So, I mean, you should have, you know, depending on the tier the supplier belongs to, a schedule of assessments going forward. And I think you need to determine, based on the risk profile, whether you're going to audit them yourself, perhaps physically, or whether you're going to audit them using a trusted provider who will carry out the audit on your behalf. But I think the triggers are change events or a change in the relationship with that supplier. So, if you're going to do something new, if you're going to do something significantly different with them, maybe they've changed location, they've decided to offshore some of their activities or they've undergone business changes, or there's threat intelligence coming to you that you don't like. So I think that list is potentially endless. It's simply about understanding that you've codified those trigger events into your process, so that if A plus B plus C happens, then we want to re-examine that supplier and check that we're comfortable, but obviously that doesn't override the periodic assessments and reviews you should already have in place; these are, in a way, the triggers for an out-of-cycle review, right?
Amanda: Perfect. Uh, this one concerns when you were talking about self-certification, and someone asked you to elaborate on that.
Bryan: On self-certification, yes. So, I mean, there will be tiers and suppliers within your structure that you can't get to as quickly as possible, and you know, I joked that people obviously take care of kitchen supplies or toilets, but that's not always the case, because cleaning staff within your organization can still present a risk and need to be vetted appropriately, and so on. So it's not always the case that they're the lowest tier. It's more about certain initiatives or services you've put in place that you don't consider essential to your business. You know, they aren't connected to your infrastructure. They don't have access to data, and so on. You might ask yourself whether you need to go to that company immediately or whether, for now, you can rely on their answers to your questions and some form of self-certification, and perhaps just check compliance, accreditations, reputation, threats, and so on. So that's what tiering is. You know, the companies you need to spend time on, those you need to spend less time on, but in reality, you need to focus on all of them, right?
Amanda: And last question. Should reporting be based on inherent risk or residual risk?
Bryan: Yes, that's a good question, and I think it's going to depend somewhat on the organization and how it manages risk internally, but from my point of view, residual and inherent risk are both absolutely important, and if it were me, I'd report on both, because that shows the risk journey and actually shows what we started with, what we did, what we applied, the mitigations we put in place and the risk that remains. That gives an overall view of the residual risk being managed, and you know it's always possible to apply further risk treatments, but that then becomes a business decision that may require more investment, another supplier's involvement, and so on. So I think the goal of the teams managing this process is, ultimately, to give the business the information it needs to make those risk-based decisions. They can accept them, which is entirely plausible, or choose to mitigate them, but at least they've had the opportunity to contribute, because you captured them and escalated them up the chain. I think that's the important element.
Amanda: Absolutely. Well, that's all we have for today. Thank you all so much for joining. Bryan, you're wonderful. Thank you for doing this from across the pond, as they say. We always appreciate you teaching us things, so we're very grateful. For your information, everyone still here will receive this recording in their inbox tomorrow. Feel free to watch it and share it with whoever you like. And keep checking our site to discover our upcoming webinars. The coming month will be very busy, and we're looking forward to it. Find us on LinkedIn or make sure you're part of our communication network. If you have any questions, I'm Amanda Fina, business development manager at Prevalent, and Brenda and Bryan. Thank you again so much for joining. We give you back your minutes.
Bryan: Thank you.
Brenda: Thank you.
Amanda: Goodbye, everyone. Take care.
©2026 Mitratech, Inc. All rights reserved.