Third-Party Risk: Critical Requirements for Benchmarking Your Business & Supply Chain
Description
COVID-19 has re-defined “normal” for businesses. Considering such a rapidly changing environment, daily government guidelines, and work-from-home adjustments, it’s critical to focus on examining Business Continuity, Disaster Recovery and Resiliency Plans. This webinar will help you:
- Understand how to adjust continuity plans to account for degraded product/service levels due to regional quarantines
- Know your third-party ecosystem and identify weak links posing risks to your operations
- Identify where to strategically cut costs to minimize damage to the supply chain
- Address questionnaire fatigue among your vendors
- Proactively prepare for the regulatory fallout after the dust settles
You’ll also learn how to identify gaps in your third-party assessments and evaluate your readiness for this evolving situation.
Don’t miss this session led by experts Brenda Ferraro and Jeremiah Sahlberg. Brenda is the former third-party program lead for organizations including Aetna, PayPal/eBay, & Charles Schwab, and current chairwoman of the Content Governance Committee at Shared Assessments. Jeremiah has more than 20 years of experience in the security and risk space, helping organizations design, establish, and mature their privacy and security programs and capitalize on efficiency. He previously served as senior director of protect operations at NBCUniversal and frequently guest lectures at security conferences.
Speakers

Brenda Ferraro
Former third-party program lead for organizations including Aetna, PayPal/eBay, & Charles Schwab, and current chairwoman of the Content Governance Committee at Shared Assessments

Jeremiah Sahlberg
Former Senior Director of protect operations at NBCUniversal
Transcript
Peter Schumacher: Welcome and thank you for joining our webinar today, Critical Requirements for Benchmarking Your Business and Supply Chain. Today as our hosts, we’re featuring two third-party risk experts, Prevalent’s very own Vice President of Third Party Risk Brenda Ferraro, and Jeremiah Sahlberg, Managing Director, Federal Third Party Risk at Tevora. My name is Peter Schumacher, I’m your webinar host for the day. I’ve got a couple of housekeeping items to go over before we get started. So first of all, this is a reminder that all the attendee lines are muted. However, in an effort to keep this session interactive, we do ask that you submit your questions using the Zoom console. Time permitting, we’ll get to the Q&A at the end of the session.
Peter Schumacher: So this should be about a half an hour of content and then some Q&A at the end. We are recording today’s webinar, so we will be sending that out in the next day or so with a follow-up link to that recording. I know you guys did not join to hear my voice, so at this point I’d like to turn things over to Brenda and Jeremiah.
Brenda Ferraro: Thanks so much Peter. Jeremiah, it’s really exciting to be here with you today. Just a little bit of background about me so that those who are listening, if they have never met me or don’t know me, know that I live, breathe, eat, and sleep third party. I have a background in incident response and I’m a certified process master, I’ve been in the financial and healthcare space, and I’m really happy to talk to you today about business resilience and how we can help the communities in efforts to look at third-party risk in a different approach since our landscape has changed.
Jeremiah Sahlberg: Thanks so much Brenda. This is Jeremiah Sahlberg for those that haven’t had the chance to meet, and thank you Peter for the introduction there. Like Brenda, I’ve been in the cybersecurity space for over 20 years. Started in the federal space but moved my way into the financial markets, spent a lot of time in the healthcare space and the PCI space. I’ve actually worn the CISO badge, so I know what it’s like on the inside responding to the third-party risk requests from organizations much like many of you on the phone.
Jeremiah Sahlberg: Likewise, I’ve run programs at big $30 billion entertainment organizations for managing the supplier risk program, so hopefully I can bring a little bit of that to bear today. And one of the things I was asked to share is a fun fact about me. So, if I wasn’t in the field of cybersecurity, what would I be doing? Honestly, I love food, I love breakfast, so in an ideal world, I’d be at a little breakfast diner running that with shelves of books that customers could come in, you know, pick up a book or read a book while they had a good breakfast, a good cup of coffee, and if they like it, they buy it. But that’s not the world we live in, so I am a cybersecurity professional. How about you, Brenda, what would you be doing if you were not in the cybersecurity space?
Brenda Ferraro: I love that you would have breakfast. I’d be at your place at dinner because I like breakfast for dinner. Let me see, for me, if I wasn’t doing cybersecurity world work, um, if I look at it from a perspective of when I was younger, you always kind of figure out what you want to be when you’re little. I wanted to be a triple threat where I would act and I would dance and I would sing, so kind of a performer. But um, I also lived in the world of CISO when I was at a healthcare company, and I think that I would like to stay in the security space. So maybe I would do a CISO work again if I could stay in cybersecurity and then I guess teach. There’s so many opportunities for things to do, so um, I’d land on maybe the things that I did when I was younger or wanted to be when I was younger if I couldn’t be in cybersecurity, but if I had to change the goal of what I’m doing now and stay in cybersecurity, it would be a CISO again.
Jeremiah Sahlberg: Oh, fantastic. What’s your favorite breakfast item though, real quick, before we get into this?
Brenda Ferraro: A good omelet with some sourdough bread and a cup of coffee with a little cream in it. That’s my go-to.
Jeremiah Sahlberg: Yum, I’m hungry. Well, we’re not here to talk about food, although I think it might make a fun little webinar some other time. We’re here to talk about business resilience, and so we’ve got a couple of different topics that we’re going to touch on as we go through the session today. We’re going to talk a little bit about business continuity planning and what you need to look at in your own programs, what are some of the key things to think about. We’re definitely in a new time, new space.
Jeremiah Sahlberg: We’re seeing clients, even ourselves, having to work through some of our business continuity plans, so we’ll talk a little bit about that. Part of understanding your business continuity is certainly going to be understanding how your third parties fill in, provide services for, and ultimately are your success in how you pivot and change in today’s landscape. So we’ll dive into that a little bit. Being in the third-party supply chain review process, you get interesting visibility as to the providers that provide key and critical services for the organization, so one of the things that we’ll talk about is, you know, do you see overlap there, is there an ability to optimize certain things? Certainly I, as a former CISO, and I’m sure you, Brenda, as a CISO as well, have been on the receiving end of questionnaires. There are lots of questionnaires that get thrown at you. Sometimes they’re the same, sometimes they’re different, but certainly there’s a questionnaire fatigue that happens.
Jeremiah Sahlberg: And as someone who’s reviewing those questionnaires, is there, you know, now a better way to do that? So that problem of questionnaire fatigue certainly haunts us all from a couple of different angles. So we’ll touch on that. And then lastly, as we’re going through this change right now with all the business continuity, there’s going to be a greater emphasis on making sure that our supply chains are shored up, that we’ve got the right kind of controls in place. And while these are all foundational things in certain compliance frameworks today, we’ll certainly expect that those are evaluated in a little bit more detail going forward, so we’ll touch on some key concepts on that as well. Those are going to be your key talking points, but we’ll flow in and out of some other fun elements. I think we’ve got a couple of polls that we’ve got teed up for today, so Brenda, you want to kick us off?
Brenda Ferraro: Yeah, in fact, this is our first poll. So if you’re walking and listening to us or if you are sitting at your desk, please participate in something fun. The first one is, when the world noticed the supply chain issue with TP, did your brain immediately think, wait a minute, TP stands for not only toilet paper but also third party? So let’s give you a couple of moments. It was funny when everyone was saying there’s like a TP issue, and the first thing that came to my mind was, of course, we have third-party things that we’re working on and yes, there’s going to be supply chain items that we need to address, but it kind of caught me as a little chuckle when I thought of TP as third party instead of toilet paper, and I think that kind of hit home with everyone. I know there were certainly low supplies everywhere around where I live, but things are starting to improve, that’s started to normalize from what I see. But absolutely, you know, that hits home for everyone. Let’s see what we’ve got as our results. I’m wondering, Peter, if you’re able to share that.
Brenda Ferraro: Oh, yay, they’re thinking it’s funny. Hey, we need some more humor these days, so absolutely. I like that response there.
Brenda Ferraro: All right, very good. So, are you able to see the response, Jeremiah, or is it just us? I don’t know.
Jeremiah Sahlberg: I’m able to see it as well, so it looks like almost 80% of folks thought that was funny, whereas 20% made the correlation that TP has more than one meaning and may stand for toilet paper there.
Brenda Ferraro: How fun. All right, well, great. Well, let’s get into some more content. Absolutely. So, you want to take this and explain exactly what this means?
Jeremiah Sahlberg: Sure, absolutely. So business resilience, you know, that’s one of the key things that makes or breaks an organization. And so when there are these events like we’re experiencing right now, organizations have to be able to adapt quickly. We’ve seen this in many different industries. Certainly in the food service industry, we’ve got this, you know, now not dining in but the ability to do curbside pickup, a lot of delivery activities. But one of the very first things organizations look at is to make sure that they’ve got human safety. That’s got to be the prime directive in your business resilience because you have to take care of those that support the organization. The second thing is to really look at and understand, you know, who are those essential providers of services within your organization. Certainly, if you’re in the airline industry, you’ve got to have pilots, they still have to fly planes. Doctors need to be available. So you have to look at, you know, who are those critical providers of services. Certainly those that are working in the grocery stores, hats off to all of them for making sure that we’re able to get our food delivered and available for us. So you have to look at who are those critical folks and then, you know, figuring out how to provide those core business services. What are you trying to provide and make sure that you can service your customers in an ever-changing environment? So how do you really prepare for this? You know, you’ve looked at your business continuity processes and your disaster recovery processes, and ultimately you have to make sure you have a good, well-established communication plan, not only internally but to your customers to make sure you’re giving them the path to provide the services that you do as a business.
So I know you’ve got a slide here that I think is going to dive into it from a little deeper perspective, but it’s, you know, how do you continue to do what you need to do?
Brenda Ferraro: And I think what’s interesting about that is we all worked at offices and we didn’t think that we would be working from home full-time in some cases in some areas. And so it was really interesting to me that we’ve got these business continuity plans, we have disaster recovery plans, we’ve put things in place, but the emphasis wasn’t really on how do we transition our work situation and what kind of controls would need to be wrapped around those. So out of the eight things we have listed here, we’re starting to look for our third parties to provide information not even just out externally but internally within our own companies because this is a vital role engaging our resilience as a whole. So if you look at the eight things here, one of the ones that I’d like to talk about is cyber incident response. One very important and critical area of a policy for incident response isn’t just knowing that you have a plan in place, but that you actually conduct periodic scenario-based tests, and out of those, you normally will find corrective action plans in order to know that there are disconnects and gaps in your plan so that you’re more prepared for when an incident occurs. What have you seen in the field for Tevora on companies that you’ve worked with from an incident response perspective, Jeremiah?
Jeremiah Sahlberg: A great question there. And so I just wanted to frame it up a little bit. We are a PCI forensics investigator as an organization, and so we do a lot of incident response, crisis planning, and so we’ve had a number of our customers that we’ve taken through that process as part of an annual exercise where we’ve brought in the executives and walked them through various scenarios. And it’s interesting as we’ve gone to this remote work model, one of the things that we played out in a lot of those scenarios was what happens for physical environmental scenarios where the office isn’t there and you’re forced into that remote work from home model. With that, we went through a number of scenarios and it’s interesting, if you practice your, you know, incident response plans, you do those tabletop exercises, you start to get some muscle memory on how to evolve and to pivot into an alternate workforce. And so we’ve got some really good feedback from the customers, who say we just went through this scenario three months ago on how to get there. We knew we had a couple of gaps on getting some people onto the remote work model, but we were able to have that on our radar. We knew what steps we needed to take. So, you know, practicing that incident response process, even if you’re not having incidents but, you know, really just doing those tabletop exercises and walking through those what-if scenarios really does pay dividends. So part of, you know, business resilience is certainly doing those key activities, learning from them, and making sure that your executives are aware of them so that they can make the right kind of decisions when it does happen.
Brenda Ferraro: Yeah, I totally agree. It was funny when I, maybe not so funny, but when I practiced a scenario-based test at the company at which I worked, two weeks later, maybe within two to four weeks later, we actually experienced that what-if scenario, and we were completely prepared for it. So it does show that it helps in efforts to practice. Well, what about critical infrastructure protection? So our critical infrastructure protection was more pertaining to going into an office or traveling to a vendor site or making sure that we had our laptops and devices secured from a perspective of being able to go into an office. And now we’ve changed to work from home, but we’re also seeing internet situations where companies are having to throttle or they’re realizing latency and having to get more servers put into their disaster recovery plans and those types of things. So what are you seeing in the field related to critical infrastructure protection?
Jeremiah Sahlberg: You know, it’s interesting. It really depends on how the infrastructure was set up. There’s been a huge uptake, and I’ve seen a couple of different reports lately around how much adoption of cloud services has happened, not only in the communications, the Zoom meetings, the teleconferencing, but actually a shifting of those core services because you’re trying to limit those that are actually within the building. So for those companies that kind of made that investment and did that lift and shift model a couple of years ago, and over the last couple of years have done that and optimized, we’re seeing that they’re able to take advantage of that and they’re prepared for it. But there are certain organizations, certainly within manufacturing and other areas where they have physical plants, that are kind of stuck, you know, they have to figure out what and how they’re going to operate. So I’m seeing it varying by industry, but those that have kind of invested in some of those optimizations, adoption of cloud technologies, are starting to really see the benefits of them. Endpoint security is one that really also comes into play if all of a sudden you’ve got, you know, data that was on workstations and you’re putting it on laptops, making sure those laptops were properly configured, managed and prepared for the type of information work activities that they now may need to do in a remote fashion. So certainly that prior planning has helped.
Brenda Ferraro: Yeah, I’ve definitely been asking some of our top 50 type companies, are you seeing a shift in your critical third-party listing of who’s critical versus not? And they’re saying, no, we’re not really seeing a shift in the companies and how they are tiered in their approach of tier one and critical. However, we are seeing a shift in our key controls because some of our key controls were not in place and they are becoming more of a key. So they’re starting to put those controls around that, so that’s really good. Now the last one that I want to talk about on this page, because they’re all important but we would be here for hours and hours, is the continuity of operations. So we’re seeing different surges of utilization on supply chain management and we’re seeing service level targets that may or may not be met from our contractual obligations. What are some examples that you have or some advice that you might give with regards to continuity of operations?
Jeremiah Sahlberg: Absolutely. So, you know, looking at your supply chain and how you’re taking goods and services in, that is evolving and changing. Pricing is changing on certain equipment as supply chains get a little thinner; certainly having multiple avenues to procure things from, and planning for that, is certainly part of having a good business resilience model. I’ll take a very personal note. My wife kind of brought it home for me: you know, she was looking at something for an Easter basket for my daughter, and she went to go get it on Amazon, and it wasn’t available to be shipped until the 20th of April, and she’s like, huh, well that’s surprising. And Amazon’s model shifted. So we had to go to Walmart. So we had to have a different supply chain there. Likewise, from an organizational perspective, we’re seeing that they have to have different paths to get and acquire some of the goods or services that they need to maintain operations. We’re kind of on the cusp of seeing that with the current state of affairs, but at the end of the day, you need to make sure that you have plans and backup plans for how you get and provide your services through your third-party ecosystem and realize that you may need to have a backup there. It’s not always going to be maybe that one vendor you have in place. So a good continuity of operations within business resilience really requires you to have a diverse supply chain.
Brenda Ferraro: And with everyone working from home, there are probably some children standing around, so we’re helping the Easter Bunny by getting those baskets to fill them up, so that’s good.
Jeremiah Sahlberg: Absolutely. All right, so let’s go into poll question number two, Peter, if you can pop that one up. Awesome. So here’s the question for everyone. When you got dressed this morning, did you stop and think, am I going to be on a video call today and how dressed up do I really need to be? Yes, because I have to look good like those weathermen on TV, they’re all working from home. No, because I just don’t care, or no, because my co-workers won’t care, or no, because I won’t show what my house looks like because there’s just too much laundry around. I’ve certainly seen a couple of people with the different videos showing their home and maybe too much insight at times. But what this is really saying is your requirements have changed. The requirements that you’ve had as someone who goes into an office every day, those requirements change, and it changes how you’re approaching your routines and what you need to do. Likewise, within business, your requirements are going to change and shift, and so we’re going to have to kind of look at the shifting requirements, does that change what is really required anymore? Maybe I don’t have to do that particular action and we can change and pivot into a different direction and focus on what.
Brenda Ferraro: Oh, by the way, I did dress up, but we’re not on video today, so. But there are times that I’ve learned the new attire for work from home is fleece jackets. So I wonder what we’re going to become when we start getting into the summer months. I know. Hopefully it’s not too much information. I don’t know if we had polling results there, Peter, if you’re able to flip that up on the screen or not for us, but.
Peter Schumacher: Yep, you should be seeing it.
Brenda Ferraro: We are not. So maybe you can share the information for us.
Peter Schumacher: Looks like a mixed bag, so the leader here was, yes, I have to look good. We got 33% with that answer, followed by no, I know my co-workers won’t care. That’s 31%, and then no, I don’t care comes in at 20%, and then the laundry answer, 15%. So it is a mixed bag. Thank you for that.
Brenda Ferraro: All right, we have up here next, that was fun. Now we’re going to talk about key risk indicators. So we’re identifying a lot of switches and changes, just like we were talking about with regards to what you’re wearing based on working from home. We’re shifting a lot of the focus onto the nth parties and the span of risk of how we are working with all of these other companies and what might be happening in the threat landscape that we’re facing today. We’re also at the same time tracking any risks that we’ve identified in the past: are they being mitigated or do they need to be adjusted, are they not as important as they were before? And then threat score monitoring along with questionnaires, having a full holistic picture of what’s being scanned and how we’re looking at the business monitoring side of the house, not only the cyber monitoring side of the house, and then seeing those in a very holistic view by the different connection points: is there data that’s being handled, are there business units that rely on that information being passed around, are they providing a service, are they providing a software application that needs to be up for the business to continue running? So many times we’re looking at parts and pieces of these holistic views and we have to correlate those by different types of products. And what you need to get to is a product and a solution like Prevalent that can give you all of this information in one view. So for example, if Acme Inc is in the center, there are so many interconnections and associations with third parties or tiering entities or subprocessors or data that’s flowing from one point to the next. And I’ve seen that this is very critical and important now where we’re living today in our landscape and how we’re changing how we’re doing business.
This is one of the things that we can help the business understand on why these third parties or nth parties are critical to business and if we can shift any of the moving parts and pieces based on what we find out from them on if they’re impacted or not impacted.
Jeremiah Sahlberg: Great points there. Absolutely, having that visibility and, you know, that spider diagram is really good in the middle that kind of, you know, paints the picture of where they are and which of your third parties you need to understand, and those fourth parties. Great insights. So questionnaire fatigue. You talked about that a little bit. Let’s get more into it.
Jeremiah Sahlberg: Sure, absolutely. And this really plays on a couple of different sides. But from the third-party perspective, anyone who’s been a CISO or been responsible for responding to or managing the third-party responses certainly understands. Just today I was filling out another questionnaire for our own organization, for a medical organization we’re working with. It’s one of these things where they constantly come in, and by and large, it’s surprising that there’s still a number of folks that are caught back in the, you know, the 1990s model of using spreadsheets. And while the questionnaire model certainly exists, the mechanism by which you manage that process is certainly one that has been improved upon in recent years, and solutions out there like Prevalent can help, you know, automate that and simplify that process. One of the things, as you’re reviewing the content that comes back from these questionnaires, it’s important to be able to normalize that information across the different businesses that are using particular vendors or the types of vendors at certain thresholds, whether or not they’re, you know, small to medium, whether maybe they’re cloud service vendors, and look at them and be able to increase the efficiency of that third-party review process. The nice thing about these platforms is you can start to build some automatic rules in there. One of the classic problems I see with an organization is you’ll send out a questionnaire, and this is with the legacy ones where you had, you know, an actual spreadsheet saying, do you do this certain activity, if yes, please attach the policy. And they say yes, but they don’t attach the policy. And so then that creates a back and forth transaction.
We’ve got a system in place that can automate and make some smart intelligence and requirements where it says if yes, it forces the user to attach a piece of evidence or something else. It certainly brings efficiency into that process. It minimizes the back and forth time, which at the end of the day means you’re reducing the time to complete that assessment, which is a key indicator in the success of these programs. How can I reduce the time it takes, how can I make sure that it’s done accurately, and how can I have some time stamps of knowing who filled out what and when? Also, once you start to have all this information in your repository, you can go back and say, hey, in this scenario, what vendors have this kind of profile? All of a sudden, maybe you’re dealing with a new vulnerability that came out there and hey, I want to know how many of mine are cloud service providers out there that might be affected by that, because maybe I want to reach out to my vendor ecosystem to go ahead and get insights so I can better manage the risk for my organization. At the end of the day, and this is something that, you know, we constantly hit home, the goal of these third-party assessment programs is really to understand the risks with outsourcing. And so, by having the insights, by correlating that data, pulling it all together, you can reuse that data, plus you’ve got real-time analytics of what is the state of the program, what is the state of my vendors, how many of them have I reviewed, how many of them are working through that remediation and approval process? So definitely there are some solutions out there to help eliminate the questionnaire fatigue.
Brenda Ferraro: Yeah, and I think that what’s interesting is, going back to the basics, you have to know exactly who your vendor portfolio or profile is. And we’re starting to notice a trend where individuals are starting to want to know what is my inherent risk by just asking the essentials. And so understanding what is this business, what do they do for me, how am I interacting with them, will help to bucketize or tier or filter all of the components of the big huge laundry list of thousands and thousands of vendors and third parties and then taking that information for relevance and asking what you need to know versus everything under the sun. So I’m starting to see things like that, which is helping not only the companies who have to do the proper diligence but the vendors and the third parties who have to respond to these items. So it’s going in a good direction.
Jeremiah Sahlberg: It absolutely is. And may I back up for one second for just one final point. I know we’re getting a little long on time, but, you know, for those that are responsible for the third-party programs, one of the very first questions you ask when you’re talking to a vendor is to read and understand what services they’re providing for an organization, and it’s another point to kind of see is there an overlap of service providers that provide similar types of service. And that really plays back into the business resilience, if you can start to know and flag and understand that these are two suppliers that can do the exact same thing. Oftentimes we’ll do reviews of suppliers; one may be leveraging a third-party provider from the advertising space, maybe another one’s from finance, or maybe another one’s in a content or operations capacity, but maybe they do the same thing but they’re just two different companies because they happen to have contacts, relationships. When you get to a medium-sized organization, you start to see a lot of overlapping functions in your supplier ecosystem, which can be, if you properly track that information, a way to provide additional resilience into your processes.
Brenda Ferraro: So exactly, totally agree.
Jeremiah Sahlberg: So regulators, everyone’s being very flexible right now allowing for organizations to do remote assessments, remote audits, but at the core of all these frameworks, one of the core components is that you have to have insights into your third-party programs and sometimes the fourth parties or nth parties that are supplying critical services. So some of the things that you’re going to want to make sure you know: these requirements require you to have an inventory, we’ve talked about that, a good complete inventory of all of your service providers, but not only that, it has to be integrated into your onboarding process as part of bringing on a new vendor. You have to have a vetting process to make sure that they have the right kind of security controls in place. Ultimately, you want to make sure that those that are providing services marry and match up to your own information security policies and expectations and that they have at least the minimum bar that you set for your organization.
Jeremiah Sahlberg: Um, also these frameworks will require that you regularly review your third parties. So these platforms and tools, Prevalent, can certainly help accomplish that for you. Um, when I talk and help manage these programs with our clients, uh, some of the KPIs they look at are, you know, how long does it take to go through that review process? So by having a system where you can measure the time from a questionnaire sent, the time that it took them to complete that questionnaire, to do the analysis, to figure out which assigned person is doing the evaluation of that, to giving them the green light or maybe the red light that hey, we can’t move forward, um, measuring how long it takes to go through that process is certainly a key indicator. Another one is, you know, understanding how many of your vendors have you reviewed and are you matched up to what that review process is? A really critical one is understanding how much am I spending on my review program per vendor? So going back there and saying, okay, my program costs X, I’ve got Y vendors, what is my cost per review, and making sure that that makes sense for the risk tolerance of the organization. Um, and probably the most important one is just to be able to measure and maintain a disposition of your vendors, you know, how many of them are approved, how many are in remediation but you’re still working with but they have a remediation plan in place, um, and maybe how many of those have been rejected. So those are some key things that you look at when you’re measuring a program, um, with ultimately understanding that, as I mentioned before, the goal of the third-party assessment program is really to understand, um, and have insights into those risks with outsourcing. So I know we’re getting close to time here, but, uh, any thoughts on any of those, uh, points there, Brenda, from your perspective?
Brenda Ferraro: Yeah, real quickly with regards to compliance, it’s important to make sure that even if you’re using an Excel spreadsheet, which you hopefully will not see in the future after listening to this, that you have the ability to look at that content in different views and lenses, such as if someone wanted to see how did the content come back from a third party and how does it relate to compliance to PCI or GDPR or HIPAA, so that you can get that content to whomever needs to look at it from that lens and scrub out the noise that doesn’t matter to them but it does matter to the business as a whole. And of course, um, know your numbers and act on your numbers. I’m huge on metrics, so making sure that you have that information. I totally agree with what you said there. So as we look at how we’re here to help, um, Prevalent is giving a free business resilience offer to anyone, and this is to help in the times that we’re living in and making sure that we are correlating that content and efforts to know what we need to in the future for when the regulators do settle and they start telling us you need to know about X, Y, and Z, we’ve proactively thought about the things that, from a very limited perspective, here is what you need to find out because it’s relevant. So here are the links for today, but also Peter is going to be providing this, uh, deck as a PDF so that you can thankfully just click on them or get them in an email. There’s demos, sample reports, and a PDF of what the questions look like and, um, what are you doing at Tevora to help in what we’re living in today?
Jeremiah Sahlberg: Absolutely. So, uh, one of the key things that, uh, we help our customers in the space, uh, we’ve got two primary service offerings here. One, we help our customers build, or rebuild or retool, their, uh, third-party programs, and we help operate them. Um, certainly you have to have the right kind of tools and platforms in place like Prevalent, um, but there’s a lot of consulting that needs to go on on that front side to make sure that A, you have the right inputs to your vendor inventory systems, are you pulling those in from contractual systems, are you pulling them in from somewhere else? Um, and then you want to make sure you have proper alignment, alignment not only from your own information security policies to the security contracts that you put in place with your third parties. So as you’re going through that contracting process, if you have a security exhibit or something else that you’re saying that these are the obligations that you expect them to uphold, that those two are in harmony as well as with the review process when you’re asking questions, hey, do you do this? Does that align with what you already put in the contract with them from the security requirements perspective and align with your own information security policy? So getting proper harmonization there is a key piece in making sure that you’ve got an effective and efficient third-party system. So we help with that.
Jeremiah Sahlberg: We help organizations, um, socialize that process within their own businesses to make sure that those business entities, as they’re going through the procurement process, are properly getting the, um, third-party review program initiated early because it does take some time. And then lastly, helping organizations define the rules for escalations when, you know, maybe you want to escape the process or if there are exceptions in place that an executive has mandated that we’re using a certain third party even though it may have some security risks. And then does that entity have the right, um, risk, uh, acceptance process in place to document that? So, um, there can be some exceptions to the rule, but, uh, we are certainly here on the cybersecurity consulting side of the third-party programs.
Brenda Ferraro: Yeah, I think when we were talking about this, my favorite thing that you mentioned was that your company helps to build out the questionnaire process by harmonizing the questions, the workflow, the contracts, et cetera. So that was really, really good. All right, so polling question number three, and then we’ll get to anyone who has questions, who has stayed on the line with us. Peter, do you want to populate that? So, would you be interested in engaging with Prevalent for a free business resilience assessment to benchmark your program? We’ve been seeing some huge success with this where people are able to identify some of the, um, critical vendors and third parties and we can help you with that. So we’ll give you a chance to do that. And as we are, um, we’ll go into questions.
Peter Schumacher: Yeah, um, so we need at this time, we need you guys to start typing in your questions in the Q&A console you’ll see on your Zoom screen, um, and please do take this opportunity. We do have two, uh, third-party risk experts on the line here, ready to answer any questions. So, uh, either enter them in the Q&A section in Zoom, or you can even enter them in the chat. We’ll give everybody just a second to put their questions in.
Peter Schumacher: And then it looks like, uh, most folks have stayed on through the, uh, last 36 minutes, so that’s good news.
Brenda Ferraro: Thank you for hanging with us. Yeah.
Jeremiah Sahlberg: We certainly appreciate you taking time out of your, uh, busy schedules today to spend a few moments with us to go over some of our thoughts, uh, in this space. So, um, and even if these questions are something you think about, uh, after today’s session, uh, please reach out. Uh, there’s certainly going to be some follow-up communications. Uh, know that, uh, Brenda and I are both here to answer those questions, maybe not right now, uh, but as they pop up. Uh, this is certainly something that, uh, we’re happy to help support you on.
Peter Schumacher: Yeah, thank you, Jeremiah. I think it looks like, um, we’ve got a couple folks raising their hand. I think there’s a button to raise your hand. If you don’t mind, just type your question into the Q&A. I don’t want to open the audio lines, um, if we don’t have to.
Brenda Ferraro: But fear not, if they ended up ever having to open their audio line, I could definitely participate with bringing a dog in and having a dog bark in the background if need be.
Jeremiah Sahlberg: Yeah, luckily I’ve been working from home for a number of years now, so I’ve got my situation, uh, hopefully under control where the kids are up at the house and no pet nearby. But, um, we’ve all recently experienced, uh, co-workers that don’t typically work from home and have got, uh, some distractions that we all get to share in. Um, I see in the chat some positive feedback, uh, and then here’s the question. So let’s see, how would you evaluate, uh, resiliency through a questionnaire-based assessment and then how would you verify, Jeremiah?
Brenda Ferraro: You want me to take that or would you like, why don’t you start? I can add on to that one if you don’t mind.
Jeremiah Sahlberg: Okay, great.
Brenda Ferraro: So questionnaires in and of themselves are to not only start the conversation but to become aware of the different controls that are in place. And when it has to do with business resilience, make sure that you’re asking questions and you have actions based on the responses. So for example, if you have, let’s pretend, 10 questions that you’re asking, you’re going to want to make sure that those questions are either going to be escalated to a certain department, it’s going to be tracking information that you need to know, or it’s going to cause action for you to take and efforts for you to gain that knowledge. And the most important one is to know if they’re impacted, or the second most important one is to know if they are going to have to close business, because you’ll have to make a risk-based decision to shift. But that gathering of content is critical because if you didn’t know it before with your current questionnaires that you have now, this puts a very, um, a shining bright light on building relationships with those vendors that are stronger and helping them to navigate with you exactly what needs to be done as changes need to occur. What do you think, Jeremiah?
Jeremiah Sahlberg: Absolutely. And to echo your point there, um, you know, the questionnaires really start the discussion and start the dialogue so that you can start asking those secondary questions and have follow-up questions. Each vendor that provides you services is going to have a little bit different, uh, uniqueness to what’s important to you. Um, you know, they may do software development, maybe they provide you goods or some services, uh, in some sort of way. So knowing where they are located, knowing, uh, what kind of, you know, how big the organization is. So there are some profiling questions that are always included in this to kind of give you a sense and set the stage. But as you ask those questions, knowing what services they’re providing will help you make a determination, you know, do they need, are they relying on, you know, are they using a data center, what kind of data center are they using, are they using AWS, are they using maybe an off-market data center? Um, and so, okay, what is that off-market data center, do they have the kind of resiliencies, the, you know, four nines, five nines, whatever the number of nines they have to help provide the kind of services that are needed behind it? So it really, like, uh, Brenda you mentioned there, you know, it starts the discussion, but it really depends on what that service is being provided to you to understand and ask the what-if scenario questions and saying, okay, does that have enough resilience for what you need as an organization? Hopefully a good answer. Um, if it didn’t, please follow up with us. We’re happy to go into a much deeper, uh, discussion afterwards.
Peter Schumacher: Thank you, Jeremiah. Yeah, and we do have, uh, on this slide, um, a couple email addresses. But, um, you’ll also receive these slides and a recording of this session. I’ll send it out by tomorrow morning. So feel free to reply to that and I’ll direct your question, uh, to Brenda and Jeremiah. Um, but I don’t see anything else in the queue. Uh, you guys have done a wonderful job providing tips and tricks and good conversation. I think, uh, you satisfied everyone’s curiosity here, so no further questions. I think we’re going to, um, go ahead and wrap this up. So thank you very much, Brenda. Thank you, Jeremiah, and everyone stay safe, uh, I would say out there, but I mean at your homes. Stay safe at your homes, uh, and good luck to everybody. Take care everyone.
Brenda Ferraro: Thank you. Stay well.

©2025 Mitratech, Inc. All rights reserved.