Description
Teams often struggle to make sense of the sheer volume of data generated by running a third-party risk program. There has to be a more efficient way to communicate the most impactful supply chain risks to the business than wading through mountains of static assessment spreadsheets and processing a constant stream of real-time threat data.
Join Brian Littlefair, CEO of Cambridge Cyber Advisors and former Global CISO of Vodafone Group and Aviva Group, to learn how to implement an efficient risk analysis approach based on "meaningful metrics", using world-class products to support the goals of your third-party risk management program.
In this webinar you will learn:
- The 3 fundamental mistakes organizations commonly make when building and running a third-party risk management program.
- Which metrics are the most actionable and meaningful for your company?
- How to implement a holistic risk management reporting approach that meets the needs of multiple organizational stakeholders
Watch this webinar to help your team turn risk data into valuable intelligence.
Speaker
Brian Littlefair
CEO of Cambridge Cyber Advisors, former Global CISO of Vodafone Group and Aviva Group
Transcript
Amanda: I can see the numbers climbing. Hello everyone, and welcome. It’s right on the hour now, and I can see people joining. Hi everyone, I’m your voice host; we’re all just voices today. While everyone is waiting, I’m going to launch a poll, as we like to call it. Hey, while we’re waiting. Feel free to answer this question as you come in. Welcome, everyone. I’m Amanda from Prevalent, I work in business development, and I’m your host today. Like all of you, we’re not on camera today. Okay. Thanks to everyone who has voted. I’ll keep the poll open for a little while. Once again, I’m Amanda from Prevalent, and thank you for joining. I can see more people coming in. Today we’re going to discuss how to implement an efficient third-party risk analysis approach based on meaningful metrics. You can’t see it, but I’m doing air quotes right now. I hope everyone is doing well. I’m sure you all know the drill, but a few housekeeping notes: all attendees are currently muted. Please do take part in the polls and ask questions through the Q&A area below. We very much welcome your questions for the presenter and our co-panelist at the end of the session, and we’ll answer them if time allows. So, today we have Brian Littlefair with us. We’re very excited to have him. He’s the founder and CEO of Cambridge Cyber Advisors, former Global CISO of Vodafone, and a long-time security advisor to the UK government. It’s fair to say that in my view, and in the eyes of every third-party risk analyst, he’s a big name. We also have Brenda Ferraro joining us online; she’ll be sharing interesting data and insights throughout the session, and you’ll hear from her shortly. We’re honoured to have you both. Brian, over to you. The recording of today’s session will be sent out to everyone tomorrow. Thanks for joining, Brian, please go ahead.
Brian: Great. Thank you, and thanks for the introduction. So, hello everyone. It’s great to be able to speak to you all. First of all, as we said, we’re going to be discussing how to implement an efficient third party risk analysis approach based on meaningful metrics. And everyone’s probably asking, well, what is "meaningful metrics", quote unquote, and we’ll get on to that shortly to explain what those are. Right. So, we kind of covered me. So, a little bit of scene setting in terms of where we are, just to explain what some of the terms are and where my perspectives come from on this. First of all, let me just say, you know, I’ve been working as a CISO for 20, 25 years, and now I spend my time leading Cambridge Cyber Advisors, and we spend a lot of time mainly in the boardroom, helping chairmen, chairwomen, NEDs and executive teams really get a handle on the security posture of their organization, what’s working right, what’s working wrong. So that’s been really useful to me from an experience perspective, to see it from the other side of the table, so to say.
I was always the CISO going in and communicating, and now I kind of sit on the other side to help, you know, give my expertise to the board and make sure that the CISO is answering the right questions and the right things are going on, not just in third party assurance, but obviously it plays a big role. And I think, from my perspective, third party assurance is really hard to do well. Part of the challenge is obviously it’s global, if that’s the way your organization is structured, so you’re having to manage suppliers in numerous different countries. It’s not uncommon for large organizations to have three, four, 5,000 different suppliers, ranging from people that handle your sensitive data on your behalf all the way down to people that provide the kitchen supplies and refill the bathrooms, etc. So there’s a full dichotomy of suppliers that you’ve got to manage for your organization, and each of those different suppliers has a different contract in place with you and a different relationship inside your organization, and as your company or organization grows, its reliance on third parties is only going to increase as well. So that’s why you want a really strong foundational component in place, so that as you have to scale, the process scales with you and it doesn’t become so much of a challenge or a battle. But I think we all know it doesn’t always go to plan. I think if we all sat back and thought of large household-name brands that have had security challenges, data loss, breaches, etc. that have actually emanated from their supply chain, it wouldn’t take us too long for some of those names to pop into our minds. And I’m not going to put brands up on the screen, but we can all probably think of those.
And I think that is kind of evident: those organizations would have had a good approach, they would have had a well-resourced team. Well, sometimes, not always; the size and scale of the company doesn’t always equate to that, but they would have had people focusing on this. So I’m going to try and unpick some of the challenges that I’ve seen, and it’s great to get Brenda’s views as well, and help get into what some of the opportunities are for improving your maturity and some of the opportunities to improve, and then hopefully look at some meaningful metrics. But just an observation from my side: as I said, I spend a lot of time in the boardroom, and I present at conferences and focus groups and discussion forums, and the topic of those discussion forums is how do we tackle this chasm between the CISO and the board. And when you get CISOs talking, not all of them have the relationship that they would really like with the executive team and the board. Some of them don’t feel like they have the right support. Some of them don’t feel like they’re getting the right amount of resource from the executive team to be able to effectively manage the risk. But actually, sitting on the other side of the table, you hear the same things. If you speak to the NEDs and the board, they think that they’re not getting the right information from the CISO. They’re not understanding what the current risk position is. They can’t see the wood for the trees. They don’t understand what the problem areas are. And they want a bit of clarity in terms of: this is where we are, these are the problems that we’re facing, and what do we want to do about it? Whether we invest or not, that’s a risk-based decision, but the opportunity to contribute to that risk statement is absolutely key.
So I always advise putting yourself in the shoes of the board and the executive team. Very rarely have they got a security background, but very often they are presented with fairly technical data and metrics emanating from security tools, and they’re kind of expected to understand whether those metrics should be going up, down, left, right, whether they’re KPIs, KRIs, etc. And I think that as security professionals on this call, or risk professionals, or procurement, wherever you are, we kind of have a responsibility to do some of that legwork and do some of that thinking and present a clear message upwards in terms of what’s our current status and what are we doing about it going forward. So this is a little bit about what we can do to make things better, what’s within our own power to improve things going forward. Okay. So, third party risk management, the known risk, and why is that? I think that third party risk management definitely presents a clear and credible risk to all organizations, big and small. I was doing this same presentation to a UK-based audience earlier on today, and there were a lot of questions around does the organization’s size and scale make a difference, and actually I don’t think it does, because you’re actually trying to achieve the same outcome irrespective of the size of the company. All organizations, big and small, use suppliers; you need to understand the threats and risks that those suppliers present to your business, and you want to achieve an outcome in terms of educating the business about what they might be and then also giving some options for compensatory controls or mitigating those risks. So I think that there’s definitely a risk presented to all organizations from their supply chain. But I think every company definitely has their own approach.
If I was to spend time with bank A or bank B, or healthcare company A or healthcare company B, they would have different approaches to third party risk management. They wouldn’t always be drastically different, but there would be nuances in how one company approaches it compared to the other. And I’ve seen it done very well, with excellent stakeholder management: everyone in the company understands the process, nobody attempts to bypass it because people see value from it. And then unfortunately I’ve seen it done very badly as well, where it’s viewed as a bottleneck: lots of information goes into it, very little actionable information comes out of it, the team are very stressed, they’re under-resourced, etc. So there’s definitely a right way to do it and a wrong way to do it, and we’ll hopefully get into what some of those are today and how we can improve it going forward. For those of you who have heard me talk on this topic before, the lower end of the maturity curve, I tend to say, is organizations still completing Excel spreadsheets: very, very long questionnaires for their suppliers to fill in, and a manual analysis of those questionnaires. It’s purely based on the experience of analyst A or analyst B. And obviously that can add delays. It can add different answers: if you were to put the same questionnaire in front of two analysts, they might interpret it in different ways. So it’s around how can we go up that maturity curve and adopt some of the innovation that’s been going on in this space for a long time. And we’ll cover off that whole maturity landscape and what that looks like.
But I certainly think that you can’t rely on touching an organization once per annum and asking them to fill in a questionnaire and then putting those results in an Excel spreadsheet, because organizations change at multiple points throughout the year. Sometimes they might be profitable, sometimes they might not be profitable, sometimes they’re growing, sometimes they’re in a recession. And some of those behaviors drive different business actions: when budgets are tight, resourcing is constrained, costs are cut back, etc. So it’s important to understand when these dynamics are happening in the market and how that can impact your supply chain. And we’ll get on to some of the tactics and techniques to hook into some of that near real-time intelligence rather than relying on a single assessment day in the calendar year. So, I’ve put up three common challenges that I see, and I’m going to break these down on the next couple of slides, but I just want to point to what I call the "art" quadrant in the middle. This isn’t a good place. This is not where you want to be. If these three different dynamics are operating on your function or your team, where you haven’t got a clear approach, maybe you’re suffering from resource constraints, whether that’s an appropriate budget to maybe do some on-site auditing, or you haven’t got the resource in your team to manage your tooling choice, whatever that is, and you haven’t got the right tools to scale to the amount of risk that you’ve got under management. So maybe you’ve got a couple of thousand suppliers and you’re having to run them on a spreadsheet. All of those have a possibility to impact the performance of the team, and the net effect of that is the business isn’t getting the outcome or the result that it needs. So the "art" quadrant is definitely not where you want to be.
But let me break these couple of areas down and we’ll have a bit of a conversation around it. So I think the approach is absolutely key. Different organizations position this team in different places in their structure, and I have a personal preference where I believe it should be, but it doesn’t align with everyone else’s, so I think as long as it’s positioned in the right place for that individual company and it’s got the right investment and the right support, then that’s fine, it will work. But it needs a very clear strategy, and I mean a strategy for the third party risk management function, not just the CISO strategy, not the IT strategy, not the business strategy. There needs to be a strategic direction of how you are going to manage, assess, quantify and communicate the risk that’s presented by those suppliers, whether it’s 5, 10, 15 or 5,000 suppliers in your portfolio. And it should obviously be strategic in nature: why does this team of people exist? What outcomes are we going to deliver, and who are we going to deliver them to? What action is taken on our metrics and reporting? We produce them; does anyone actually read them? Is any action taken upon them? And if not, why not? And in some organizations I’ve been in, the third party risk management team can feel a little bit of a backwater: does the business realize we even exist, and what is the value that we add? These are some of the questions I get asked a lot when I go in and things aren’t working very well. But it obviously needs to be set up for success. The stakeholder management is absolutely key, and know that the stakeholder isn’t only the security function. It’s the very broadest parts of the business.
Each area of the business, whether it’s from logistics into technology or research and development, will work with a different list of suppliers, and they will present different risks and different opportunities to the business. And obviously a supplier in one country in a large global organization might be minimal, but in another country it might be huge. So it’s really important that you understand that whole global supplier approach, and then obviously the clarity of reporting: giving clear insights to the business about what’s going on and what the actual risk is, and then trying to actively and positively reduce false positives as well. If you’re constantly pushing messages into the business which prove to be inaccurate or not entirely true, then obviously that damages the reputation of the team. So there needs to be a big focus on making sure that when you do report, it’s accurate and something genuine follows on, as an ongoing requirement going forward. So the focus of the team needs to be strategic. There are absolutely times when it will be reactive, where the business comes to you and says, "Hey, we really need to do this new initiative and we’re taking on this new supplier, and we need you to take some shortcuts and actually get this supplier assessed as quickly as possible." That will always happen.
But fundamentally, if your team is always being driven in that tactical approach, you’ll never get round to your strategic direction, and obviously your goal and focus should be to strategically manage the risk going forward. And then there’s the whole resource for the area as well. I’ve seen third party risk management teams of one or two people, and that might be okay, right? If you’ve got a really intuitive tool and you’ve got all of the knowledge flying into a small team and it’s manageable, then so be it, that works fine. But equally I’ve seen teams of one or two people having to manage a couple of thousand suppliers using an Excel spreadsheet and being completely swamped, significantly behind on the assessment timeline, not producing the reporting and metrics, etc. So there’s definitely a place on that scale where you’d prefer to be, and I think that this team manages a significant portion of the strategic risk for the company. We’ve seen what a breach in the supply chain can do to your organization’s reputation and brand. So it definitely has a very clear purpose and outcome, and that strategy and purpose of the function should be translated into a target operating model where it’s clearly presented back to the business, saying: look, this is the amount of risk that we’ve got under management. This is the number of suppliers that we’ve got under management. This is the current tooling that we’ve got. This is our current process. But have we got the right resource? Have we got the right target operating model that we need to be able to drive that initiative strategically, rather than tactically and firefighting?
And obviously what we see sometimes is a team is put in place and the organization goes through rapid growth, massive numbers of suppliers coming on board, but the team size has to remain static because that’s all it’s got the budget for. And I think that’s where having that very clear strategy, having the very clear business stakeholders bought into the value that you deliver, means that if the team is becoming stretched by the increased workload on it, then you need to be able to grow to effectively keep that risk under management going forward. So there definitely is a different approach, and we’ll get on to that in a minute. So, embracing the innovation in this space. As I said, I’ve been a CISO for over 20 years. I still work very closely in the space and I’ve definitely seen the evolution in this space for the teams that have been under my management. So have I used Excel spreadsheets before to manage third party risk? Yes, absolutely. It was all that was available to me. And then obviously we went through different levels of maturity as different software was coming out, things like putting in place GRC tools, governance, risk and compliance, to kind of harmonize our governance activities and our risk and our compliance regimes. They were very difficult to integrate, very complex to manage, etc. And then obviously there’s a new breed of tooling coming out that’s purpose-built to manage this space, of which Prevalent is one.
And I think that starting to see organizations fully embrace this, well, they have been for some years, really is a bit of a game changer, not only for the teams that have to operate the community of suppliers, but it actually changes the whole approach, because rather than having to go to every one of your suppliers, normally a large percentage of those have already got profiles on these platforms and tools. So it significantly reduces the number of questions that you have to ask. So the plea is definitely, if you are still using Excel to manage this, then start to move away from that and embrace some of the innovation that’s been made available to us in this area. So I just want to baseline this, and I realize I’ll be teaching some of you to suck eggs, but actually in the boardroom it’s not, and you have to recognize that it’s really important to explain yourself and make sure that everyone’s on the same page and understands what you’re going to be talking about. In my personal view, certainly in this space, a key performance indicator, if I’m looking at a KPI in this space, I’m looking at it to measure the performance and effectiveness of my function. I’m looking at the processes, the throughput, how many failures and successes we have going through the testing cycles that we’re running. But it’s, as it says, how are we performing? Are we delivering as the business would expect? Are we delivering to the outcomes that we want to deliver, and, more importantly, are we delivering a quality service? We could certainly push reviews and cycles through the system, but if it’s not quality, then there’s no point doing it. So quality is absolutely up there as well.
And then we have the key risk indicators that start to delve into and look into how much risk are we currently exposed to and what risk treatments do we have to apply across our supplier base, and obviously typically that would be segmented as well. So probably all of you already knew that, but from a KPI and KRI perspective, that’s how I manage and measure them. So what do I mean by meaningful metrics? This was from one of my accounts that I worked on many years ago, and this was an actual dashboard presented to the board on third party risk, and this was one page of, I think, about five or six. Obviously the suppliers are grayed out. It would have been a list of suppliers in very, very small font, where you’d have to have a lot better eyes than I have, printed on a piece of A4 paper, and then across the top there are the controls that are distilled from the security policy, and then a line per supplier going across all of the controls. And you can see that that’s fairly complex, and this was a view that was presented to a senior audience. And what it is, in my view, is complex. It’s busy. It’s definitely not dynamic. It’s completely static, and obviously because it’s printed on paper, it’s non-clickable, but you can see what a security analyst has to actually go through. These are, I suppose, the responses to the key controls, because it certainly wouldn’t be all the controls within a particular supplier. And you can see that some are green, dark green, light green, some are yellow, some are amber, some are red, some are pink, etc.
And obviously it’s the expertise of an analyst that has to look across one of those lines and think, well, with all of that taken into account, where actually is this supplier from a risk perspective? And I suppose the missing dynamic here is of course threat. This snapshot on the left is a single point-in-time view of how a supplier was operating during those couple of days that it probably took them to fill in the questionnaire. But as I said, there is another way. Having organizations pre-complete the majority of questions that we’d want to ask them, they much prefer it, because, honestly, speaking to suppliers like I do, if you put yourselves in the shoes of a really big supplier, I’m thinking like, I don’t know, an HP or IBM or Oracle or a big outsourcer, think of the amount of differing types of questionnaires that they must get from all of their suppliers, in different shapes, different formats, all loosely trying to achieve the same thing but structured completely differently. And they have to spin up a small industry just to try and respond to this plethora of requests coming from their client base. Obviously it’s really important work, but there’s obviously a simpler way to do that, and that’s where all of these new third party risk tools have really come into their own, because it’s really simple for the end user, which is all of you guys and girls on the call. It’s really easy to understand what it’s telling you, because you can codify all of the requirements that you have from your security policy.
So, what do you really care about? Where have you got a little bit of flex? What are our tolerance levels on individual risk statements? And when they’re all answered, and obviously I’m not trying to put risk analysts out of jobs, who do some really important work in this space as well, the tool will digest all of that and suggest the risk ratings, the passes and failures, on your behalf. But what it does do is it’s dynamic. It’s not a single day in a calendar year; it’s pulling information from its knowledge community. It’s pulling information from assessments that are done by other clients. It’s feeding in the threat angle, and it allows the customer to really drill down and explore what’s behind that red box. What was the question asked? What was the response? What have we tried to ascertain from that, and how can we improve things going forward? I don’t know. Brenda, do you want to say anything on that slide, or do you see that as well?
Brenda: Absolutely. When you put that slide up, I noticed the grid on the left looks like a game of Battleship. I can imagine a CISO or a board looking at it and thinking, where do we attack first? That’s quite interesting. But I do agree that building meaningful metrics, and keeping the information concise and easy to understand, is exactly what we need to focus on. It helps us filter out the noise and makes sure the things that really matter stay in front of the board and the CISO.
Brian: Yes, completely agree. Okay. So, what are the best-practice metrics worth measuring? Or rather, how do we categorize them? From my perspective there are four main categories. I’ll give you the name of each category first, and then list the KPIs and KRIs that I think need the most attention, which are also what the board wants to know. And when I say the board, I also mean the executive team. Whether you report to the CEO and their direct team, or to a board that includes the CEO, CFO and COO, risk management should be a core topic. What they expect is a balanced scorecard: it needs to be based on sound logic to form a basis for decisions, it must be quantifiable, and most importantly the process must be repeatable. I’ve seen too many cases where the risk process wasn’t repeatable. Give the same information to two different analysts and the results are often completely different. That’s where the value of a tool lies: it creates a repeatable process. When the same data flows in, the results stay consistent; the only variable is that layering the threat angle on top may change the overall picture. I think threat is the core variable, and it’s what creates real value for online platform tools. If you rely only on questionnaires being filled in and returned, that’s a single perspective: it represents only that organization’s view, not the view of the whole community. It ignores all the publicly available open-source intelligence. For example, a company might claim "our patch management is absolutely in place", while the threat analysis tool shows six unpatched high-severity vulnerabilities on its public website. The two don’t necessarily correlate. Bringing that kind of intelligence into risk decisions allows genuine quantitative assessment: going beyond policy and practice to show the actual state of compliance. Obviously, as an organization’s risk posture changes daily and the threat landscape changes constantly, bringing that dynamic information into the assessment of the environment is essential. From a compliance perspective, compliance requirements aren’t going away; they’re only getting stricter. As someone who has been Global CISO for large multinationals, I know how complex the compliance and regulatory landscape is, and suppliers play a key role in it, whether they manage data on your behalf or participate in any part of a compliance program. The key point is that as the parent company, you have to take responsibility for managing compliance in your supply chain. This is not a transfer of responsibility: even if a supplier handles a particular piece, the problem is still yours. You have to exercise effective control remotely. That’s why all the metrics used to build a complete picture of supplier compliance are so important. Coverage is equally key: you have to achieve full monitoring of your supplier footprint. As we discussed, a small supplier in the UK could be a huge supplier for the US business unit. The company has to understand that connection to make sure it asks suppliers the right questions, so that it isn’t caught off guard when a supplier has a security incident. The company needs to get that insight first. I think of it as the company’s eyes and ears in the supply chain: when a supplier suffers a security incident, the company has to be ahead of it. You need to inform your business stakeholders promptly; you can’t be waiting until CNN or Fox News suddenly reports it and only then realize how serious it is. So having those insights, that experience and that coverage is critical. Brenda, anything to add?
Brenda: I found the mute button. Yes. Listening to you just now, I was thinking about the different situations I’ve been through over the past year or so, where the importance of a global view alongside a local perspective has become more and more evident. If you don’t understand the three elements you just mentioned, context-driven compliance, supplier threat intelligence, and quantified, balanced risk, you can’t bring all three together and present them clearly in a global view when building resilience. So I very much appreciate the way you laid that out.
Brian: Great. Thank you. So, I’m going to put up some KPIs and KRIs. I’m not going to run through them all, don’t worry. I’ll probably just say a couple of KPIs and a couple of KRIs on each of these four areas. These are not unique to me, and none of them will be a "wow, we haven’t thought of that before". But what it is is understanding, from both the CISO side and the board side, what are some of the things that they want to hook into. And by all means, this isn’t an exhaustive list, right? Depending on the sector that you’re in, depending on the type of organization that you operate in, whether they’re really into the detail or they like the high-level view, it will change and it will be dynamic. But at a very high level, these are some of the key things that I would certainly like to pick out. So from a risk perspective, we’ve already touched on coverage. There shouldn’t be any supplier receiving revenue from your organization, from your finance function, that hasn’t in some way, shape or form been assessed by the third party risk management organization. It might have been a notification and a quick assessment done, and it was decided that it’s not important for whatever reason, but it should have gone through the process, and the reason is that if no assessment’s been done there’s no understanding of the risk, and I do see that a lot.
I see organizations not having a good handle on their coverage, there being suppliers in place that have an issue downstream, and it comes back into the third party risk team saying, well, what do you know about these guys? And it’s like, nothing, they’ve never been assessed, we didn’t know you were using them. This is a really important gap to close, and the key thing here is that the business sees this as a valuable process, because we all know, especially with cloud-based services now, it’s fairly easy for a business unit to spin up a relationship with an external supplier using a credit card, and that would be fairly difficult for this process to detect. So the business has to want to engage with it. This is more of the carrot rather than the stick. It’s around: come and engage with us because we absolutely offer value to you. And if they recognize that, then they won’t try to bypass the process. And the second one is the number of suppliers that have completed, sorry, the number of suppliers that have passed or failed the onboarding process. And I’m more concerned here with the failed onboarding process, because often I see that as quite low, and you have to ask the question why, because especially in a large global organization, but the same is true for a smaller one, you will definitely have organizations that fail, and you want to understand why that is and why that number is where it is on the scale. If it’s too high, what’s going on? If it’s too low, what’s going on? There’s definitely a sweet spot to try and achieve based on the nature of your business and the scrutiny that you put your suppliers under. But it shouldn’t be the case that no suppliers are failing your process.
If you have got failures, it proves that you’re asking the right questions, and that doesn’t necessarily mean that you can’t work with that supplier. You have to understand why they failed and what risk is presented from that. It’s our job to advise the business based on risk, and they might choose to accept some of that risk, but at least that risk is known, is quantified and can be tracked by us going forward. And then I think on the KRI side, some of the lagging indicators are really important as well. So, the number of priority one security incidents generated from the supply chain in the last quarter. Your supply chain will cause you security incidents, and if they’re not, then have you got the right insights? Are you picking those up and understanding what’s actually happening in your supply chain? There’ll be things like employees leaving and the password for the service not being reset, and a whole plethora of things that can generate security incidents for your organization, and it’s important that you know about them. It’s important that you understand and take the knowledge and the learning from those and apply that new knowledge and new learning to your broader supply chain so that you don’t have a recurrence of the same incident. So what’s actually happened in the past should be learned from and applied to what happens in the future, so you actually have a better process going forward, and that’s really where I suppose the leading indicators come in. So, the organizations that have been through your process. The number of vendors within the supply chain that are carrying a high risk score, and it isn’t abnormal to have vendors that are carrying a high risk score. It might be the geopolitical risk that they present. It might be a parent company or a relationship, etc.
And a high risk score just means that they require extra diligence on an ongoing basis. So not just due diligence up front, but diligence going forward, and equally understanding how that risk can be mitigated. So it may be having a secondary supplier, so if that vendor experiences difficulties, then there’s another one to fall back on. But if you don’t know about those high risks or they’re not effectively managed, then that can obviously disrupt your business. And then I suppose a real critical one at the moment is, if you’re a manufacturer and your traffic goes through the Suez Canal and a big container ship blocks it, what are you going to do? You’ve got loads of ships stacking up. So, if you knew that your supply chain was coming through that canal, could you have mitigated that via having a more local supplier that might be a higher cost on a day-to-day basis, but you could actually mitigate that risk going forward? It’s really about just getting into the details and understanding those aspects as well. And then, of course, it’s the net risk from each domain category within your supply chain. It’s fairly normal to categorize your supply chain, not just in tier 1, 2, 3, 4, but actually by category as well, so things like, I don’t know, I’m a security professional, so identity management service providers or physical gates, etc., and actually start to slice and dice your information flow so you can actually understand for each of those domains: have we got a single supplier dependency? Do we know that we’re going to have to terminate a supplier in that space and have to start to look for a backup? Are we getting threat intel coming through in terms of geopolitical risk in that region that we have to mitigate?
So really understanding and guarding the business based on your intelligence and insights and actually advising on that net risk is really key as well.
Brenda: Brian, two quick points on those. First, an ecosystem issue, and I think you'll get to it in the coverage section: the risk of unresponsive suppliers. If they don't respond to assessment requests or refuse to take risk mitigation measures, that has become more dangerous. As for the KRIs you mentioned, concentration risk really can cause the domino effect you describe; as the canal incident showed, concentration in one link of the supply chain has a cascading impact. Both points are critical to the current ecosystem.
Brian: Yeah, absolutely. Completely agree. Okay. Then there's the threat feed, and I really would advocate, if you haven't got threat intelligence flowing into your supply chain information repositories at the moment, to look at how you can augment this capability on top, because it delivers the real day-to-day insights in terms of what's going on. I see certain sectors are mandated, certainly in the UK, and not so much in the US regulatory requirements. For example, if you work in financial services in the UK, you are required by regulation to have threat intelligence coming into your organization. What you're not required to do is use it, right? So as long as it's coming in, that satisfies the requirement. But I see threat intel flowing into organizations at various different touch points, and I see companies do an amazing job of distilling and disseminating that and getting it to the right people with context to action, but equally I just see it hitting a brick wall: it flies into an email queue that people will periodically look at, and it's not really being given the credence that it deserves. So I think a couple of things to look at are around the mean time to action. When that intelligence comes in, it's been certified as valid, it's been certified as relevant, it's had some context delivered, and that's disseminated into the organization. How quickly does the account team that's responsible for managing that particular client or account pick that up? How quickly do they action it? Because that's one of the beauties of a third party risk team: all the onus shouldn't be on them. It should be distilled into the organization to manage that. There are certainly account managers that are responsible for individual clients, etc.
And there's been a lot of effort to build up that relationship. So distill the information down to them, add the context, but certainly measure how quickly that action is taken on those as well. And then from a KRI perspective, how many suppliers across the tiers, whether it's 1, 2, 3, 4, have active high threat intel indicators coming in for them? And this could be for anything, right? You can have an entire country's suppliers allocated as high threat indicators because of government instability or something that's going on in the region. But it's really important that you understand and just have that insight. And if you didn't have this threat flow coming into your information base, then you wouldn't understand it. You wouldn't be aware of it unless something actually hits the news. So it's around understanding: have you got the right information flowing in? Is it being disseminated into the organization in the right ways? Is it being acted upon in the right ways, both within your team and the broader business? And then obviously, are you driving resolution on that? A threat is given for a reason. It needs an action, and it needs something to either mitigate it or resolve it. And if it can't be resolved, then it needs tracking as an ongoing risk. But having all of that information to be able to make that call is really powerful. And then there's compliance, my favorite topic. It's certainly not going to go away; it's only going to continue to rise. But recognize that your supply chain plays such a pivotal role in your compliance programs. And really for this, it's just understanding who they are. What is the role that they play? Have you got the right governance over them? Are you tracking it appropriately?
And have you got the ability to report on your broader regulatory requirements and compliance requirements, not just within your own organizational boundaries, but also within your supply chain as well? And here is where quality becomes absolutely key. Certainly from a compliance perspective, as Brenda was saying, if you've got unresponsive suppliers that play a role in your compliance regime, then you've got a definite real challenge and you need to address that. But quality is absolutely key here. The old saying is, if you get garbage in, you get garbage out. So you need to really focus on the quality of the submissions, especially for those that are in play from a compliance perspective. And then there's the whole coverage aspect. We've talked around a few of these already, but certainly no supplier should be receiving any payment that hasn't been triaged or assessed. You absolutely need to get that. It's important that the process isn't seen as a bottleneck. So you need to measure your throughput, measure your time to onboard. And time to onboard, from my perspective, isn't the questionnaire being completed or the analysis being done in your platform. It's the end-to-end process where we engage with the supplier until either we're comfortable or we're not comfortable, and they're going into ongoing diligence going forward, and tracking that and making sure that it's optimal. It's not that it's quick, it's that it's done right, and that the right questions are being asked and the right level of time taken to do it. But it shouldn't become a bottleneck either. What you don't want to see is this process being billed as a blocker to doing business. It will obviously slow things down just in the nature of what you're trying to do: you're trying to understand a new relationship with a new supplier.
It can be sped up by using tools that already have a lot of that information in the armory as well, and certainly that's what should be looked at going forward. Right? So, different lenses for different audiences. Know who's going to look at the information that's coming out. I see this all the time: I see the CISO's dashboard being presented at board level, which isn't the right thing to do. The CISO, having been one, and maybe it's because I'm a detailed person, but I wanted the detail. I wanted detail, detail, detail, not to the nth degree, but I wanted to be able to have the information at my fingertips that gave me a good understanding of the security of the entire organization, including the supply chain, because ultimately that's my accountability and my responsibility. Other people might have it as their job, but it's still my accountability to make sure it's done right. So I need a lot of detail. The business doesn't. The business needs it to be quantifiable, relevant to their specific business unit. If there's a manufacturing division and they use a certain list of suppliers, they don't need to see the suppliers that aren't relevant to them, because they don't use them. So it has to be relevant to them. It has to be actionable, intelligent, and tailored to what they actually specifically need. And then the board needs something different. The board want the legwork done for them. They want a very clear view, consolidated, grouped, so that it jumps off the page what they're being asked to add input and guidance into. I don't advise going to the board and asking them to make a decision on your behalf, because obviously as security leaders you're required to make those decisions. The board might want to challenge that decision or ratify that decision, however they feel. But it's certainly not good to go in there and say, can you make this decision on my behalf?
It should be: look, we've got this intelligence, we've got this information, or we've got this risk, and this is how we've decided to manage it. Do you agree or disagree? That decision should definitely be made in advance. So really it's about putting some time and effort into recognizing that this is very valuable information, but it's going to different audiences, and how should we present that? Again, this is where the online tools can really help in terms of different lenses and different views that are actually designed and intended for those different audiences going forward. Okay. So, my last slide before I hand over to Brenda to talk a little bit about Prevalent. Why am I advocating meaningful metrics? Because this is such a critical business process. It's not a security process. It's not a technology process. It's a business process, and it means that the business can understand its risk and run as smoothly as possible. So it's really important that this process end to end is fit for purpose. It has the accountability. It has the right strategy set up; it's set up for success. It has the right resource. It has the right tools. But in my view, the reporting aspect of it is as important as the capturing. Otherwise, you're just capturing for no action. Reporting out in those correct lenses, getting the stakeholders engaged, getting them involved, getting them to contribute on what this process should look like, what are their requirements, what do they need from this process so they actually see value from it. And really, as with other areas of security, we've seen automation drive across our patching and our vulnerability management, our identity lifecycle management, JML, etc. And this is no different: automated workflows to get access to intelligence and threat and drive behavior within the organization. That's where moving away from Excel into these tools can really help you as well.
And I'd just add that the security team isn't accountable for this end to end; regardless of where this sits, it's a business challenge and a business risk. And that's why I really advocate that integration with the broader stakeholders and the business going forward. Good. Thank you, Brenda. Over to you.
Brenda: Okay, great. So on the next slide, the quadrant Brian mentioned earlier, and the metrics from capture to reporting that he just talked about: Prevalent provides a strategic approach to collecting and executing risk management while designing the program to meet the growing demand for assessments. We use not only contextual information from machine learning but also AI innovation to reflect risk information through the right lenses (CISO, business unit, board, etc.). The Prevalent platform delivers the repeatable process Brian described, using overlapping vendor threat intelligence and a network to achieve quantified, balanced risk management. That covers not only the assessment piece but also network, business and financial monitoring information. We bring all of it together, drive compliance awareness into reporting content, and use the platform and the team to build resilience with a global view. Today's demonstration focuses on the last piece, the "Report and Manage" stage, which is coming up. The slides are out of order, so I'm moving to the next one. For intelligent, data-driven, comprehensive, contextual metrics, we focus on data analytics. At the unified platform level, we deliver risk transparency, a one-stop solution: all program information can be embedded in the platform so everyone is working from the same information. It can meet decision-making needs at every level. As for the normalized approach, we make sure the process is streamlined and action-oriented, triggering the key actions precisely. The next slide shows us as your trusted partner. In this space we are not only a Leader in the Gartner Magic Quadrant but also the largest and fastest-growing provider of a network assessment library. We harmonize and normalize all the content you collect, whether assessment data or threat intelligence. Building on the innovation we have built, on practical cases from trusted partners and customers, and on Brian's guidance on where the platform is heading, we will help your program mature. I'll hand back to Amanda now. I'm sure you have questions; we have about 11 to 12 minutes for Q&A.
Amanda: Yes, we do. Thank you all for participating; we really appreciate it. I have six questions in total, so I'll start from the top. This one is for Brian: what do you think are the top five third-party risk vectors?
Brian: Hmm. Well, five come to mind right away. I mean, the top two are coverage, making sure all suppliers are assessed. I always advocate focusing on net risk, because obviously there is gross risk, and mitigations are in place, but you have to understand, after all of that, what risk are we still carrying? A real-time threat intelligence feed is absolutely in the top five. So I'll give you the three most important: make sure every supplier is in the system and assessed, and overlay threat intelligence on top. Yes.
Amanda: Perfect. Next is another ranking. What do you think are the top five third-party risks most appropriate for board-level reporting?
Brian: Top five what? Sorry. Top five third-party risk KRIs best suited for board-level reporting. So from a KRI perspective, I think it obviously comes back to these core elements. At board level, lagging and leading indicators are critical: looking at past incidents and their lessons, and at future trends. Boards are usually forgiving the first time something happens. Of course, the organization has to learn from it. If it recurs, the board's tolerance drops sharply. The key is how you take that information and apply it to future risk prevention. We've discussed net risk; threat intelligence is critical. I've seen a lot of mainstream reporting built around "what we know about our suppliers" and "what we learn from the industry community". The key is how to use the community to your advantage. In security, we also need to bring in all the open source intelligence. Boards value this kind of information because it provides context and a sound basis for decisions that break the status quo. That's what I'd cover.
Amanda: Great. So the last question in this set of three: do you have any advice on how best to create and automate a supplier offboarding process?
Brian: Yes. Offboarding is as important as onboarding. I've heard Brenda talk about this too; I know it's her view as well, because offboarding can happen for many reasons, but whatever the reason, you are terminating or reducing the services you take from that supplier, and historically there has been a relationship between the two parties. Accounts were created, networks may be interconnected, and there has certainly been data flowing between the organizations. You have to understand what those connections look like and build that into your program management process. That way you know what access the client or supplier was given, and obviously you need to take that back. You don't necessarily need to ask them to hand things over (it depends on the type of access), but you must make sure the relevant data is properly deleted and the relationship has been adjusted, whether terminated or reduced. So designing a sound termination process is as important as the onboarding process. Brenda, I don't know whether you want to add anything?
Brenda: Yes. No, I completely agree with that. And building on the earlier question about the top five KRIs, I'd suggest, beyond the levels Brian mentioned, looking more deeply at software and mobile development risk. Identity and access management risk is equally important. You also need to watch for unresponsive suppliers and any potential risk in regulatory compliance. Finally, I think the key to turning KPIs into KRIs is whether the organization uses a third-party risk management program to keep the overall compliance program running efficiently. That's the risk area I'd argue belongs in the KRI scope. On the offboarding process, I completely agree. It's equally critical; you have to have effective checks and balances and work with other departments to make sure all access is shut off, data is destroyed where applicable, and so on.
Amanda: Thank you both. Also a reminder that we have a poll question I didn't get to in time, but while we're on the other questions, please do answer it: are you planning to build or improve a third-party risk management program this year? In other words, is there a project under way that we could help with? Okay, the poll stays open. Back to the questions. The next one is for Brian: what do you think is the best trigger for initiating a periodic risk reassessment?
Brian: Yes. I mean, whatever tier a supplier is in, you should have a forward assessment plan. I think you judge by risk profile whether to do an on-site audit yourself or have a trusted third-party provider do it for you. But the trigger for an assessment is usually a business change or a change in the relationship with that supplier. For example, when a supplier starts a new line of business or significantly changes the engagement model, such as relocating, outsourcing part of its business, going through a major business change, or when you receive some worrying threat intelligence. So I think the triggers could be endless. The key is to write those trigger events into the process: when A + B + C happen together, that supplier needs reassessing and you confirm it is still safe to work with them. Of course, that doesn't remove the need for periodic assessment reviews; these are the triggers for the non-periodic reviews.
Amanda: Great. This question builds on what you said earlier about self-certification; someone has asked you to expand on it.
Brian: Self-certification, yes. I mean, within your structure there really are certain tiers and suppliers that you may not be able to review straight away. I joke about the suppliers who handle kitchen supplies or clean the bathrooms, but actually that's not quite right, because the cleaners inside your company can also pose a risk, and they need proper background checks and so on. So they aren't always the lowest tier. The point is that you have certain initiatives or services in place that aren't critical to the business. These services don't connect to the enterprise infrastructure and can't reach core data. Then you can ask: do we need a site visit right now? Can we rely on their self-certification for the time being? You just check the compliance certifications, industry reputation and risk level. That's the core logic of tiering. You need to distinguish which companies deserve more of your time and which need less, but really all of them deserve attention, right?
Amanda: Last question. Should reporting be based on inherent risk or residual risk?
Brian: Yes, that's a good question. I think it depends somewhat on how risk is managed within the organization, but from my perspective, residual risk and inherent risk are both absolutely critical. If I were doing the reporting, I would present both, because that shows the risk management journey and clearly explains: this is the risk we faced at the outset, this is what we did, these are the mitigations in place, and this is the risk we end up carrying. That lets everyone understand the residual risk: what we did, what mitigations we implemented, what risk remains. It clearly presents a controlled residual risk position. Of course, further risk treatment can still be applied, but that's a business decision, such as whether to make additional investment or bring in a new supplier. So I think the core mission of the team running this process is to give the business the information it needs to make risk decisions. They may accept the current risk, which is entirely reasonable, or they may choose to manage it further. But the key is that, through systematic risk capture and escalation, the business has been given the chance to take part in the decision, and that is the critical step.
Amanda: Absolutely. So that's all for today. Thank you all for joining. Brian, you were great! Thank you for joining us from across the Atlantic. We're always glad to have you share your expertise; we really appreciate it. A reminder that you'll all receive the recording of this event tomorrow. Feel free to watch it and share it with anyone you like. Keep an eye out for our other upcoming webinars. We have a full month of events ahead and we're ready to go. Follow us on LinkedIn and make sure you're on our newsletter list. If you have any questions, I'm Amanda Fina from Prevalent business development, along with Brenda and Brian. Thank you all again for joining, and now back to your day.
Brian: Thank you.
Brenda: Thank you.
Amanda: Bye everyone. Take care.
©2026 Mitratech, Inc. All rights reserved.