Description
Identifying and mitigating cybersecurity and compliance risks is essential, but they’re not the only risks that vendors and suppliers expose your organization to throughout the vendor relationship lifecycle. Geopolitical disruptions, bankruptcies, reputational problems, and safety recalls can be as damaging to your company as ransomware attacks or compliance violations. So, what is your third-party risk management (TPRM) program overlooking?
In this on-demand webinar, Bryan Littlefair, past Global CISO of Vodafone Group and Aviva, guides you through four essential risk categories your TPRM program is missing – and how to monitor and mitigate them.
Join Bryan as he:
- Examines the types of operational risks to consider, from geographic to operational resilience
- Defines and explains the importance of ESG and reputational risks in the supply chain
- Explores the financial and legal risks associated with third parties
- Outlines third-party safety and reliability as a risk category
- Shares strategies to incorporate these risk categories as part of your TPRM program
The third-party risk environment is increasingly complex – but a holistic view of the types of risks will give your team better vendor and supplier visibility to mitigate risks. Watch the webinar now to learn from an expert!
Speakers

Bryan Littlefair
Past Global CISO of Vodafone Group and Aviva
VP of Third-Party Risk
Transcript
Matt: Let’s go ahead and kick things off with some introductions. My name is Matt. I work here at Prevalent in business development, and today we have a returning guest, Bryan Littlefair. He’s the CEO of Cambridge Cyber Advisors, and he also has experience as a former CISO of the Vodafone Group and Aviva. Welcome back, Bryan.
Bryan: Thanks, Matt. Hey, good to see everyone.
Matt: And, last but not least, we also have Scott Lang joining us today. Scott’s our VP of product marketing, and he will dive into how we are able to mature your TPRM program at the end of the session. Thanks, Scott.
Scott: Hey Matt, how are you doing?
Matt: Good to see you. Good to see you. All right, so just as a little bit of housekeeping, this webinar is being recorded, so you’ll get this and the slideshow shortly after the webinar. Lastly, you’re all muted, so please use the Q&A box function for any questions you may have during the webinar. And without further ado, I’ll go ahead and hand things over to Bryan as he shares the top risks that your TPRM program might be missing. Go ahead, Bryan.
Bryan: Thanks, Matt. Really appreciate the introduction. So, hi everyone. As Matt said, I’m Bryan. I’m looking forward to presenting this topic to you today. A little bit of my own housekeeping: I’ve got a bit of a cold, so I will be drinking water. I’ve got a bit of a sore throat, but we will happily get through this topic. So, what we’re going to be discussing today, as Matt said, is the top risks that your TPRM program might be missing, or may be missing. And we’re actually going to be focusing on the non-IT related risks, right? So I think, as security professionals, which the predominant people on the call probably are, we tend to focus down on the information, the data, the cyber risk, etc. But I’m going to be looking at some of the other risks and angles that I personally think you have to include in order to have a fully rounded TPRM program, and that maybe we all haven’t got baked in just yet. Right? So, a little bit about me. There’s my picture. You can see that. So, a little bit of scene setting for a couple of slides before we get in.

So we know from statistics (Prevalent does their own reviews and questionnaires, etc., but equally more broadly in the third-party risk management space) that quite often, or in the majority of cases, the responsibility for conducting TPRM traditionally sits within the security function, whatever that function is called, and therefore, as I said, our priority is to focus down on the cyber and information security risks. But we’re not the only recipient of this data, and we’re not the only people that should be contributing to the data set that’s collected and analyzed on behalf of our customer base. So I still think that trend is going to continue. The security team under the CISO is still going to be the prime users. But in order to get that full holistic risk picture (I’ve done a webinar before on how important it is to liaise and work with the procurement function), equally we’ve got legal, we’ve got risk, we’ve got compliance where it exists, and they all have interests in the data that should be within your TPRM program.

And quite frankly, they’ve all got different expertise that complements the security skill set and can really help to build that enriched picture of how risky this supplier is to our business going forward. We all know about regulation. Love it or hate it, it’s here to stay. And I think the level of regulation that we’re all going to experience, obviously depending on the sector that you’re in, is only going to go up. I’ve got a slide on regulation later on, but certainly since I started in IT/security many moons ago, the amount of regulation that we’re subject to at the moment is 10- or 20-fold what it was back then. So I think that trend is only going to continue. It says there, the latest Verizon threat report: 62% of system compromises came via the partner and supplier channel. I think we all know through our threat intelligence sources that the activist groups, etc., are definitely focusing on the supply chain as their most lucrative attack vector, phishing being the most used vehicle. But in terms of targeting organizations, why target one specific organization and put all your effort into that when you can target a major supplier and get hold of thousands, tens of thousands, of their customers that are connected into their platforms and systems? So this is a very real threat. It’s not scareware or fear, uncertainty, and doubt, as it’s sometimes called. It’s something that’s very real, and we have to be tuned into that and understand how we can potentially mitigate it going forward. So today, we know all of this, right? We understand this. We understand what we need to be focusing on, but as I say, what we’re going to be focusing on today are those areas that we’re probably not focusing on on a day-to-day basis, which is the non-IT areas and how important they can be in ensuring our holistic cyber risk. So what does that holistic, business-aligned approach actually look like?
So I’m a great advocate of being business aligned. I think if you are a CISO or a head of security, whatever the title is, if you’re not fully aligned behind your business strategy, then you’re operating in a silo, and silos don’t really help anyone. So it’s getting not just your TPRM strategy but your whole information/cyber security strategy fully aligned behind the business that you’re trying to protect. So really and truly understand that business: what products does it offer, what geographies does it operate in, what’s its approach to delivering to customers? Is it direct to the consumer, or is it a B2B organization? Because all of this ultimately changes your risk profile. So you have to decide: if I’m going to run an effective TPRM function, what are the outputs that I need to deliver into the business so they can make sensible, principled choices around the strategy going forward? And that’s ultimately what this program is there to do, right? It understands what external suppliers are required for the business to operate, what risks they present to continuity of service and potentially the reputation of the organization, and how we make sure that continues going forward. And I’ve been in security long enough to remember when great tools like Prevalent weren’t available. I definitely started when Microsoft Excel was the only tool available to us, and we had huge, long, complex spreadsheets where we were trying to track remediation in thousands of different suppliers. I know some of you might still be in that world today, and it’s definitely a challenge to do an effective TPRM program on Microsoft Excel. Some of the cool tricks, like real-time updates on the performance of suppliers or the threat intelligence aspects, you just can’t do on Microsoft Excel. It obviously wasn’t designed to run a third-party function, and that’s why tools like Prevalent have been developed. So yes, we absolutely need to make sure we’ve got the right tool. We need to make sure we’ve got the right resource in terms of people.

I’ve never gone into an organization and seen their TPRM function and thought, wow, there are far too many people in that. I often go into organizations and see two or three people, under-resourced, with manual processes, trying to actually get a handle on what is a key strategic risk for the organization and, quite frankly, struggling to do it, because either they’re not skilled enough or, what is the main problem, they haven’t got the right tools at their fingertips to drive it forward. So we need to recognize that we’re collecting a very rich data source here. We need to make sure that we amass all of that together and get an aligned view of risk across the organization. I talk about it in my other webinars for Prevalent as well: the silo thing again; it’s not just organizational. There’s no point collecting all of this data and just keeping it within the security function, and equally there’s no point having two different views on the risk that a supplier presents to your organization. So if security have a view and then perhaps procurement have a view on a different system that they’re using, then obviously we’ve got two lenses within the same business, and that doesn’t make any sense. So really, a consolidation down and a collaboration across all the different business units on a really professional tool will pay dividends in being able to manage the risk within your organization. So let’s talk about scope and segmentation, because these really are critical to being able to actually assess your risk within your supplier footprint. We can’t put the same level of focus and attention on every single supplier that supplies products or services into our organization. So all too often I think TPRM programs sometimes aren’t truly global.
So I go into large multinational organizations and I see a really effective process in their home country or home region. And then when you say, well, how is this process run in Asia? How is this program run in Europe or America, etc.? It’s not always to the same level of governance, not always to the same level of standards, and things like that. So it’s really making sure that you have, where possible, a global process and, where possible, a global tool. And there’s a big reason for that, right? If you reverse this question and look at it from a supplier lens, they’re obviously incentivized to sell as much of their product and service as they can, and they will divide and conquer an organization. I’ve seen it many times, even in organizations that I’ve run. If you haven’t got the right governance over that supplier and control over their interaction within your organization, you’ll not only have different service levels and different risks, you’ll also have different prices and different SLAs, etc., all over the globe. So it really makes sense to understand everywhere that supplier operates and interacts with your organization. And in order to do that, obviously, you have to be truly global. Regulation definitely exists in this space. It would be great if the regulators would start to standardize their approach. I’ve spent a lot of personal time with regulators explaining that there’s such a heavy overlap across some of the regulations around the globe, but each individual country or nation, etc., wants to have their own individual set of regulatory standards that apply to different sectors within their remit. So even though they’re fairly common, there are nuances and differences between them. So it’s important that we fully understand them and understand what they are, and I get on to that a little bit later on. But equally, again, a plug for Prevalent: I should just say that in the jobs I’ve worked, for large multinational organizations, I speak on behalf of Prevalent because I’ve used the tool in earnest. I understand the value that it can definitely deliver into an organization.

So it’s really imperative that our program covers the full life cycle of a supplier as well. All too often we frontload that effort and resource. So we’ve got a new supplier coming into the organization, so we throw everything at it: understand the ownership model, understand where they operate, etc. But we don’t always keep that effort up. If they are a tier one or critical supplier to our organization, and obviously some tier 2s as well, we need to make sure that we’ve got constant monitoring on that organization. And again, for those of you using Microsoft Excel, or even a manual process of sending out questionnaires, you’ve only really got, if you think about it, an update coming in every 12 months. You haven’t got a real-time lens on what’s happening to that company: what’s happening to its financial state, has it had a breach, etc. And sometimes you could be blindsided that one of your suppliers has had a big incident. Your senior stakeholders in the organization know about it, but perhaps you don’t. So you want to find out about it first, and you want to be the one advising the business, not the other way around. So in order to be able to do this effectively, which is hopefully what we all want to do, we need to make sure we have that holistic coverage of everything that we’re accountable for. And that segmentation down into the tiers is really, really critical as well. And we get on to the nth as well. So many people don’t look at the nth, and I think that’s really, really important. So by nth I mean the vendors of your vendors. So you might give out a contract to one of your suppliers. They might subcontract that to other suppliers that potentially you’re not aware of. But certainly in regulated sectors, when we’re talking about PII, personally identifiable information, it’s really critical that you know that end-to-end path of that data, and we talk about that a little bit later on as well.
So let’s look at the buckets of activity that we’re going to focus on, for what I think are the non-IT risks that I personally think are critical that we monitor going forward.

So one is operational: making sure that our partners and suppliers have the ability to continue to service the product or service that we’ve procured from them. We need to make sure that their business continuity, their disaster recovery, and a whole host of other measures are up to scratch, because otherwise, if something happens to them, equally, by default, something happens to us, and how can we potentially hedge that risk as well? Then obviously we’ve got the world of compliance. We’re very familiar with this in the world of cyber security, but obviously it’s broader than information and cyber security. There are lots of other compliance regulations that we need to be aware of as well. And then, depending on where you are in the world, the CSR/ESG requirements: we all want to be good global citizens. We all want to make sure that our products and services are amazing. Absolutely. But we don’t want to be exploiting anyone to get to that point. So how can we make sure, when we’ve outsourced or offshored to far-shored countries, that we’ve got that same level of governance and control over what we’re looking to achieve? And then financial: making sure that the liquidity of that organization is strong, making sure that they’re not going to go bankrupt tomorrow, which would again leave us unable to service our customers when a key supplier goes bankrupt. So I’m going to go into each of these areas with a little bit of depth. I’m going to give some examples, but as Matt said at the beginning, feel free to put any questions in the chat and I’ll get round to those as well.

So let’s look at operational risk. A couple of examples, and I’m going to go into these as well. So we’ve got COVID: a global pandemic causing issues. We’ve got political instability. We’ve got the Russia-Ukraine crisis. We’ve got the potential of China invading Taiwan. And then we’ve got logistical challenges as well. So not immediately cyber related, but they can absolutely have an impact on our organization’s ability to run its business. So global events can, and as we’ve seen will, impact your organization. And I don’t think operational risk is often given the credence or the seriousness it deserves, based on the impact it can have on your organization. Obviously we’ve seen what can happen with global conflicts in nations. They significantly disrupted global trade, both physically and virtually. So this just isn’t a logistics issue. Many people had organizations that were working within both Russia and Ukraine. Ties with Russia had to be severed. Lots of the workforce within Ukraine had to pick up arms, etc. So workforces and employees disappeared overnight. So it doesn’t just have to be a physical asset that you’re procuring. If the resource disappears, if you’re using coders or developers, etc., and they’re no longer available, then that digital asset is also disrupted as well. And operational challenges can easily lead to household names going bankrupt as well. I’ve put the example up of Revlon, and it’s really interesting: in their bankruptcy claim in the US, they actually cited the inability to manufacture sufficient product and wholesaler-imposed fines as their reason for filing the bankruptcy. So their supply chain was disrupted. Access to raw materials was disrupted. They’d made commitments to their suppliers that they were going to deliver a certain amount of units every single month. They couldn’t make those commitments. The penalties were significant back on the parent organization, and that just snowballed, and eventually a household name like Revlon had to file for bankruptcy, citing supply chain as its major issue.
But there are also many industries relying on products and services from both Ukraine and Russia, as we just mentioned. Sorry. So if we look at Ukraine’s grain production, it’s been very well publicized that there are huge stocks of grain in Ukraine that are just stacking up, and they can only get a very small percentage of the ships that would typically transport that grain outside of the organization. But actually 80% of that grain was bought up by the UN World Food Programme, so it has a huge impact on developing nations and those in need of aid. So that just disrupts a huge onward supply chain. Then if we look at Russia, certainly in Europe we had a massive reliance on natural gas, big pipelines coming into several countries from Russia, which kind of stopped overnight. That had a massive impact on gas and oil prices here in the UK, which were already high but went up to exponential levels. But not just for petrol; pretty much every oil derivative was affected, and it caused huge onward challenges from the supply chain. And we really just have to think: if that was Russia-Ukraine, if China were to invade Taiwan, and we think about if the same sanctions that we imposed on Russia were to be imposed on China, think about our reliance on products, goods, services, and outsourcing on Chinese-owned businesses and Chinese services, etc. Even things like logistics and shipping, which they’re pretty much the magnates in, would have a massive impact on pretty much all of our organizations, either directly or indirectly. So we need to model based on past events. So what do we know about what happened in the past, and how do we predict what would potentially happen in the future? Looking at our suppliers, are they overexposed perhaps in a specific location that potentially has the ability to have some political disruption? If you’re Intel or AMD or an organization like that, and you look at Ukraine, that produced 54% of your world semiconductor-grade neon, then you would hope that they had a plan for plan A, plan B, plan C, and D to kind of replace that nearly 55% of the neon that they would have been buying in from Ukraine, because that was and is significantly disrupted, and certainly when we saw the invasion and the war commence, their semiconductor industry certainly was affected by that.

So then let’s look at compliance risks. So I mentioned each individual location, and this is really only compliance around data security, kind of going with their own thing. So there are lots of individual regulations and focuses, and this is growing exponentially. That African continent is going to be pretty much filled up, I’d say, by the next year or so. So lots of individual approaches to how data needs to be managed. And if you’re a national organization sitting within a single country, then obviously you only have to really be concerned about the citizens within that country. But if you’re a global multinational operating in 60, 70 different countries, etc., then this becomes highly complex for you to manage. Sorry, just advancing that slide. So people often think they can outsource their problems. I speak to many organizations where they say, well, that’s not really an issue for us because we use this outsourcer. That’s not the case, actually. So you can’t outsource your problems when it comes to compliance. They certainly haven’t gone away. You still remain the data owner. If your supplier has an issue in relation to your data, it’s still your problem. The compliance landscape, as I mentioned, for multinationals is complex today. It’s only going to get more and more complex as we move things forward.
A tool like Prevalent can really help you understand your individual compliance requirements in individual locations and help with things like your internal or your external audits by producing reports on how things work in various different geographies and things like that. I think the common theme, as I just touched on, is that you take those 60 different requirements and the one thing that is common throughout them all is that you remain accountable. You can outsource responsibility, but you can’t outsource the accountability. You can have someone run a process or process your data on your behalf, or run a call center and have access to your customer records, but ultimately, in the eyes of the regulator and in the eyes of the legal systems in most countries, you remain accountable for that data. And that’s where it becomes really, really critical to understand your nth exposure: if you’ve put a contract in place with an individual organization, have they outsourced that to someone else? And it’s really critical when it comes to PII. So what can we do in this critical landscape? Obviously, use a tool like Prevalent; that’s going to be really useful for you. If you have a data breach, the regulatory requirements in different locations have very different time frames. I’ve spent most of my life working in financial services and telecommunications, so I know the regulatory landscape in those two sectors very well. And I know that if I have a breach in Singapore versus a breach in India, my response times have to be notably different. The way in which I catalog the incident has to be very different. Who I tell and who gets engaged are very different as well. So you have to fully understand that and be able to have that front and center in your memory going forward. Well, there are two things that are dead certain. “Complexity and uncertainty” is a phrase of mine. They are the enemy of security. If something is highly complex, it’s very difficult to secure. And if you have an uncertain environment with lots of changing factors in it, it’s really difficult to enforce security in there as well. And that really comes down to your TPRM process as well as your broader security strategy.

So in a world like that, contracts and ways of working have to be absolutely crystal clear. Who is the data owner? A little bit of a clue: that’s always yourself, as I said earlier; you can’t outsource that. So recognizing that, it doesn’t matter what contract you’re putting in place. It doesn’t matter who’s doing the day-to-day activity. You remain that data owner. Who’s going to actually interact with and process the data? And when you get into really sensitive information, payment records, etc., you have to get down to individual names. You have to be able to be distance-managing who’s got access to your information on a day-to-day basis. What’s their joiners, movers, and leavers process? If someone’s left the organization, is their access revoked instantly? And any new joiners coming in, if they’re accessing sensitive information, have we done the right level of vetting around them as well? What compliance requirements apply to those individual citizens’ data in individual countries? Because it does differ. For some nations, for example, even if you’re outsourcing, it has to be someone of that nation’s origin actually accessing that data. And that’s either too difficult to do, so it doesn’t happen, but you still have to factor in that that’s a requirement. And a good way to move forward here is to identify what perfect looks like. I found, when going into a new space or doing something like this, make sure that you find what perfect looks like. Reach out to your peer organizations. I rarely find that people are competitive with each other when it comes to cyber or information security. I think people are willing to be really open and transparent around what they do and their processes, to people that they trust, or circles of trust. So get involved with discussion groups and forums, and just make sure that you’re capturing how other people do it, and then make sure that you put similar processes in place. You don’t have to start with a blank sheet of paper here.

So let’s look at the ESG and CSR risk.
So depending on where you are, whatever you want to call it, as I say, we want to be good citizens. We want to make sure that we’re doing the right things from an organizational perspective. We all want to have great products and services, but we need to recognize that the world is a very big place, and it’s not always the same as how we would recognize it in our home countries as well. So, just to expand the acronyms: corporate social responsibility, we want to make sure we’re doing the right things; or ESG, we want to make sure we’re protecting the environment, we’re doing the right social aspects, and we want to make sure we’ve got the right governance, etc. So one of the trends that we’ll all recognize is offshoring and outsourcing. And one of the key drivers to do that is to reduce cost. So one of the key things that happens is we go to lower-cost regions of the world. Still high skill, but a lower price band, so that we can reduce the operational overhead on that service, which has a knock-on impact on the profitability of our organization. But we need to recognize, as I said, that not all places are the same. Not all countries have the same level of corporate ethics as we may enjoy, and in some locations it’s clear that employees are still exploited, but that’s a fact we just have to face up to. In some other countries, and certainly in my past I’ve had to deal with this, the payment of bribes to, say, grease the wheels or to somehow make highly complex bureaucracies disappear overnight has been commonplace for generations. It’s a very normal way of working for some people in some of these locations, but I’d say for most of us on this call, obviously I don’t know all the geographies we’re dialing in from, but I’d say for most of us, we have some legal and other compliance regulations that would stipulate that it is illegal for our company to operate in that manner.

So we then have this challenge where we have to operate our way of working, our ethics, our belief systems, culture, and we have to, I will say impose, because that’s a strong word, but that’s what I mean, we have to impose that way of working on a distant geography. And it doesn’t matter about the way that they’ve traditionally worked: if they want to work with our organization and have our business, these are the standards that we will impose. And then we have the challenge of making sure that it’s done in the first place, but equally making sure that we’ve got the right governance over it to make sure that it continues after the contract’s awarded. And we’ve all seen in the news and newspapers, etc., issues like this coming up. We’ve seen oil spills, for example, damaging the environment. We’ve seen trainer or sneaker manufacturers using child labor. We’ve seen coffee manufacturers paying not a livable wage to their workforce. And we all know how much a cup of coffee costs these days, right? So the margins must be immense. So paying the people that actually grow the product and roast the product and do the picking of the coffee beans, etc., making sure that they have a fair wage for a fair product, is really important to most organizations. And that’s only a few examples. Even people working for call centers, etc. So it’s really thinking: what does my organization do? Where are we outsourced? What are our commitments, what are our ethical stances, what are our compliance and legal regulatory requirements in this environment, and how do we make sure we’ve got that effective governance process going over it? It’s really making sure, and I say this as security professionals, but this is all broader than security, but it all feeds into your TPRM program. We have to make sure we fully understand that full chain of custody within the supply chain.
And then there's financial risk, right? So, um, you know, we saw in the global COVID pandemic, and you know that was a big surprise for all of us.
You know, most information security professionals, if you sign up to NIST or ISO or something like that, you've always had a global pandemic flu policy within your arsenal, but you know most people would have thought it was quite unrealistic and, you know, never thought it would see the light of day, but actually it did. And we've all seen that, you know, the organizations that suffered from that were the ones that didn't have the, you know, appropriate IT infrastructure for their employees to immediately work from home. Didn't have the ability to pivot quickly in terms of how they operated or delivered products and services to their customers and rapidly take things online from physical premises and things like that. So that really impacted the bottom line and the balance sheet of several organizations. And then we throw into that mix, we're coming out of that world now, but you look across the planet at the moment, right? We've got a mixture of rising inflation, we've got rising interest rates, we've got increased borrowing by governments across the globe. And then to compound that for organizations, we've got the highest rate of crypto malware that we've ever seen. You know, attacking organizations, literally encrypting their data and holding them to ransom. So, you know, if they haven't got the right insurance in place, you know, that can, you know, we saw with, you know, several organizations around the world, uh, you know, that actually had a crypto malware incident. Their finances couldn't hold up to it. They weren't insured, or their policy at the time didn't actually include the payment. They didn't have the ability to restore that organization quickly and actually went under. And that can happen to, you know, pretty much any organization if they haven't got the right plans in place. So we need to be proactive and think all of this through.
We need to ask the questions that are probing, not just around cyber and information security, but, you know, how liquid is this organization? How capable are its finances to withstand some of the things that we've just discussed?
And how stable is it? You know, could it potentially falter overnight for some of the examples? So, what can we do? You know, what is the trend with each supplier? Most large organizations release their financial statements to the public, so we can start to consume that information and understand, you know, what is the trend? Are they getting more free cash flow within that organization? Are they paying down debt? Or are they getting less cash flow and accumulating more debt? Does it start to look more risky year on year? Or does that risk start to go down? Have they, you know, insured against, you know, potential impacts to their organization? Not just from a cyber risk perspective, but from a business impact perspective. So, you know, are they insured against the losses that they might, um, you know, incur from not being able to service their suppliers? So, looking at that Revlon example, you know, have they hedged that potential risk from occurring and they've got that covered off from the insurance market, or not? And actually, you know, where are they based? Uh, you know, where are their locations around the globe? Where are they headquartered? Have they got the ability to, you know, be manipulated or be challenged by, you know, corrupt governments? Are they potentially exposed to political instability? So, you know, all of these things absolutely factor in, and getting that accurate information is really key, but as I said at the beginning, that is really equally important, just to make sure that we've got all of that information at our fingertips and that we can disseminate that within our organizations to the people that need to, you know, consume that and be able to make risk-based decisions going forward.
So in terms of, just before I hand over to Scott, you know, what can we do differently, you know, what would really make a difference? So I think we have to work collaboratively. Um, we're often, and I'm guilty of this as well, you know, we're cyber and information security professionals, and there may be many other disciplines on the call as well, but as I said, you know, the more active users of this, you know, this tool and this technology and this process.
As information security professionals, we have to recognize that we don't have all the answers. We've got a certain mindset and a certain view of how we approach problems. We need to collaborate widely within our organization. So, uh, as I said, please look at my webinar I did about collaboration with the procurement function, and you'll find that the CISO and the director of procurement or the chief procurement officer have really overlapping accountabilities when it comes to risk, uh, and lots of the, you know, shared performance indicators. So making sure that, you know, you tap into those different functions with the different expertise. So working with HR, legal, finance to make sure that we've set up the right KPIs so that we can start to see when things go wrong. What we don't want to do is, you know, find out when the wheels have completely fallen off. There are, you know, lead and lag indicators where we can start to see challenges starting to creep in, and when we see those we can start to understand, well, what would our response be? You know, most mature organizations wouldn't put all their eggs in one basket with a single critical supplier. So you would already have that resilience baked in, you know, whether it's, you know, you get raw materials from, you know, two or three different suppliers that are geographically dispersed. So if there is an impact, then it doesn't obviously, you know, have a huge issue for you. And then obviously ensure you're operating holistically across your supplier footprint. Um, as I said, most organizations that use a tool like Prevalent have the ability to do this. Uh, you have the ability to, you know, program in where your suppliers are, you know, providing products and services to you around the globe. But if you're running a manual process, this might be a bit of a challenge in terms of hooking into, especially if you're multinational, where your suppliers are interacting with your organization.
So where possible, create that global process, make sure that you're operating, you know, that single process globally, and then, you know, making sure that you've got those nth relationships really thought out throughout your organization, and then really, you know, model scenarios. Certainly before COVID hit, a good CISO that I know did, you know, an exercise with their boardroom about a global pandemic flu, and everyone thought it was really good. I think the CEO pulled him aside afterwards and said, you know, can we choose a scenario that's a little bit more likely next time. Uh, but then obviously, you know, a couple of months later, you know, something like COVID hit. You know, it's a really sensible investment to sit down with your distributed, you know, stakeholders and actually model, you know, what would happen if the Suez Canal got blocked again and we couldn't get our, you know, manufacturing goods to our customers or we couldn't get our raw materials in. What would happen, you know, uh, what's the impact on our organization with the Houthis at the moment in the Red Sea, you know, diverting 200 billion of trade and adding weeks to the transit time to some countries and locations? All of these things have impacts, and there's a lot of value in modeling a few of these scenarios. So yes, do the traditional cyber ones, but equally think wider and actually understand, well, what actually could impact our organization, because it's not always a cyber attack. And I think if we are responsible for this risk process, we have to be able to guide the business effectively, and that's obviously thinking broader and wider than cyber. And then you have to have your finger on the pulse. Obviously, you have to, you know, have those real-time threat intelligence feeds. Uh, again, something you can't have with a manual process. You know, you can put in who your critical suppliers are.
You can have, you know, pretty much real-time monitoring on what's going on. You can see what other people have found out about them. And that's really critical, that you can, you know, be near real time when it comes to managing and monitoring your supplier footprint.
When there was, uh, you know, the challenge with neon that I said earlier in the chip manufacturing, there was actually an employee at IBM who was pretty much on the ball and, you know, recognized that this would be a big issue and bulk bought, in millions of tons, uh, for that organization to make sure that they didn't have service disruptions. Uh, you know, not all organizations would have had that real-time intel, not all organizations would have been able to react, because this guy knew he had air cover in advance to be able to do something like that. So really work it through and make sure it's built into your global process, because as it says at the bottom there, you know, if you are running a really effective supplier risk program, you will have, you know, arguably thought through pretty much everything that can happen in your supply chain that can disrupt, uh, you know, you running your products and services. And then it comes down to, you know, a cost perspective. You know, how much are you willing to invest to hedge that risk? Is it going to an insurance provider? Is it putting, you know, a couple of other suppliers on your books that can offer the same product and service, uh, just to make sure that you've hedged that risk going forward? Good. Hope you find that useful, and there's lots of questions for me. I'm just going to hand over to Scott to do a few slides and then we'll get into the Q&A. So Scott, over to you.
Matt: Awesome. Thanks so much, Brian. And you can continue on to the next slide if you like.
Scott: Um, you know, one of the things that I really took away from Brian's discussion is, you know, this very diverse field of risk types that we have to be aware of, and we have all fallen into that trap where you're kind of worried primarily about the cyber security risks that a vendor or supplier introduces to the organization in one of two ways. One way being a software supply chain risk. You know, you're doing business with a, or you bought a piece of software, you employed it in the organization. It turns into a MOVEit or SolarWinds type situation. The code gets compromised. All of a sudden that code is in your environment. Well, that code could also be in your third parties' environments as well. And if they're managing your data or have connections into your systems, again, that's a route to your organization. Second cyber risk is the risk of a breach, right? Uh, a PJ&A type situation where, um, uh, you know, a medical billing provider, for example, that's managing your customer database to issue medical billing gets attacked. You know, your customer information gets compromised and all of a sudden it ends up, uh, for sale out there on the dark web somewhere, and that's liability for you. It's those things that get all the press. But as Brian said earlier in the presentation, it's some of these, you know, sneakier, less tangible, more qualitative types of risks that can lurk in the background that, you know, we really need to keep our eye on to avoid them turning into some sort of a disruption for us in the future. You know, supply chain impact, supply chain disruption, somebody gets acquired or there's an M&A in a vendor, uh, all of a sudden that creates a strategic implication for your ecosystem.
Anyway, so kind of what we see organizations struggling with from a third-party risk management perspective are really three things, uh, as they're kind of trying to get their arms around the program, uh, you know, build up that program, whatever, and that's number one, manual processes.
You know, we do a survey every year to, uh, the industry, and one of the questions we ask in that survey is, you know, are you using, uh, spreadsheets, or, you know, what tools do you use to manage a third-party risk management program? Almost half, 48% of respondents said, uh, they rely solely on spreadsheets to manage their third-party risk program. You know, I know many of you are on the phone today. It's okay. Uh, there's always a great place to start, uh, to kind of ditch your spreadsheets, and, you know, this might be, you know, the day to make that choice. Very manual process. You understand the risks involved in a manual process. It's hard to keep it up to date. Uh, it's hard to, um, get real-time information. It's hard to, you know, map controls in a spreadsheet very effectively to remediate, uh, and in effect close the loop on the problem of third-party risk. Second is, uh, you know, that study showed that roughly 20% of companies are tracking risks across, uh, at least one stage of the third-party vendor supplier risk life cycle. 20%, two out of 10, uh, are tracking risks across that life cycle. That's problematic. You know, I think the natural inclination for us is to do a pretty deep, uh, due diligence assessment when you're onboarding a vendor or when you're evaluating a vendor to see if you want to do business with them. Get a look at their cyber posture, their competitive posture, their financial posture, their ESG scores, you know, reputational issues, you know, whatever. And then once it's done, we kind of move on. We're comfortable. They match the risk appetite of the business. We move forward with them. And then we do some periodic reassessment. But then after that, you know, time happens and then, you know, as is human nature, we tend to focus on the next big problem, and maybe we have some vendors that, you know, we've had in the life cycle for a while.
We're doing business with that are still continuing to present us some risks. Uh, and the data would show that, you know, few companies are really looking at risks from, you know, cradle to grave.
Third is, uh, this, you know, crazy situation where everybody's got their hand on the plow in third-party risk management in many organizations. Um, 71% of companies report that the infosec team owns third-party risk, but 63% say the procurement team owns the relationship. So I'll pose that question to you. Is that your environment? Right? So you, maybe being on the security or the compliance or the third-party risk team, are the one that's probably tasked with managing the assessment process or understanding, you know, what type of information you have to manage, you know, with regard to the third party. But it's really the procurement team that has the day-to-day contact with them, maybe, or, uh, is at least paying the bills. So they need to be kept in the loop. That dichotomy, that ownership, you know, if it's not managed appropriately, if you're not delivering the right type of insights for all stakeholders involved, you know, could lead to some conflict or, at worst, a hot potato where nobody really manages the relationship. Next slide, please, Brian. Um, ultimately, you know, what we kind of understand from doing this for 20 years is that organizations, you know, want to achieve these three things from their third-party risk management programs. First is to get the data they need to make better decisions. We talked about how manual that process is. We talked about how disparate data sources lead to maybe not a real-time, uh, you know, kind of approach there, or not looking at risk throughout the life cycle. Second, increasing team efficiency and knocking down silos. You know, if your IT security team, you know, needs to execute an assessment to understand the security posture of a potential vendor or supplier. Procurement team wants to know what's their, you know, their financial health. Can they pay their bills? Do they have a good credit rating? Maybe the compliance or risk management team wants to know, you know, do they have any reputational issues?
Have they been in the news? Are there any product quality problems to worry about? Things like that. What ends up happening is you get three different audiences who want to know a little bit of information about this third party.
And very rarely do we find in enterprises of any size the ability to bring all that stuff together so that you have like one view into that third party, you know, regardless of the type of risk you want to manage. Uh, and then third is evolve and scale your program over time. I mean, look, I get it. It's a challenge, right? You've got to be prepared for new third parties, for decommissioning, you know, uh, vendors you no longer do business with. Um, and you need some elasticity in your processes and your solutions to, you know, allow you to do that, and, you know, spreadsheets, manual processes, whatever, just aren't going to do the trick there. Next slide please, Brian. You know, what we seek to do is to look at risk holistically, uh, across a third-party vendor or supplier relationship. You know, our recognition is that, you know, we see risk at every stage of that relationship, from the point where you decide to source a new vendor and choose them and onboard them, to the point where that contract expires and, you know, you're not interested in renewing and you want to offboard, uh, the vendor and terminate the contract and the relationship. Each of those stages presents unique risks, and they present those unique risks to multiple different teams, you know, throughout the organization, whether it's not really having good risk-based insights, uh, into a potential vendor that you want to select. You know, it's one thing to determine that a vendor or supplier's offering is fit for purpose, but are they fit to your company's risk profile, right? Traditional RFx processes typically, you know, don't resolve that issue. Second, when it comes to onboarding, um, the contractual process we find tends to not, you know, be integrated very well with, um, the risk analysis or the risk mitigation process.
Wouldn't it be great if there was a way to unify the management of KPIs, KRIs, SLAs, performance measures in a contract, and treat them as risks of non-performance or missed expectations or, you know, cyber risks or something, to manage this kind of stuff altogether. Uh, a third big challenge we see is all the manual processes required to measure, uh, inherent risk.
You know, you don't really know, you don't have a good handle on what the next step should be if you don't have a starting point to say, okay, these, you know, this particular group of vendors has, you know, a high risk profile in this area. We need to kind of go deep here to determine, you know, what their policies are in data privacy, for example. Third, assessment and remediation. You know, we talked about ditching spreadsheets and manual processes and things like that, but, you know, I think a critical success factor here for you in an assessment process is having a library of questionnaires or questions that address the risks that different departments throughout your enterprise are going to be wanting to know more about. As I said, you know, the financial team wants to know this, or the procurement team wants to know this, the IT team wants to know that. So that, you know, doing kind of like a manual spreadsheet-based process, or maybe looking at like one questionnaire, uh, you know, just, uh, typically isn't going to make anybody happy. Monitoring and validation is kind of the fifth step in the process, and kind of what we see here is where these kind of silos of information start to emerge from one another. You know, you get a cyber score, you get an ESG score, you get, uh, a financial, you know, credit rating, something like that. Well, what do you do with all that?
You know, like if you're the one kind of managing the relationship, or, you know, who do you share that information with, how do you share it, in what format, how does that impact decision-making? Uh, third, SLAs and performance, we kind of talked about the integration there between, uh, contracting and risk management. Then finally offboarding. You get to the point where, you know, it's time to end that relationship. What we see is a lot of organizations don't have a very prescriptive onboarding process that is centralized with, you know, task assignment, prioritization, you know, more that kind of allows you to, uh, very safely and securely say, "Okay, we're done here and all these items have been checked off. We can move on." Uh, next slide, please, Brian. You know, what we do to address this problem is a combination of three things.
Number one is, um, you know, we've got, you know, a third-party risk management platform that's leveraged by our internal managed services team if you choose to go that route. Uh, but we will execute all of the third-party risk, uh, effort, uh, on your behalf. That includes onboarding vendors, performing inherent risk scoring, issuing assessments, analyzing, making remediation recommendations, helping out with contracts, you know, whatever. We cover the entire third-party risk life cycle, soup to nuts. If you want to do it yourself, that's okay, too, because we've got the platform to do that. The second piece of the equation is data. I mean, I would stack up our platform against any other, you know, platform in the industry in terms of the amount of intelligence and the quality of intelligence that we've imported into the platform and then present to you in very intelligent-looking scorecards and also into central risk registers to help to validate the presence of certain controls, and that data is important for good decision-making. And then third, I mentioned the platform, right, uh, the ability to house all of the workflow, uh, the questionnaires, the risks, the reporting, the compliance frameworks and more in a single platform to help you, you know, reduce the amount of time and all that soul correcting effort to, uh, execute on your risk assessments. Next slide, please, Brian. Um, you know, kind of the heart of today's presentation is, you know, we do this for a heck of a lot of different types of risks, and I've just plunked six categories of them here on the slide right now. And all the little bullet points are the pieces of intelligence or the questionnaires that we have in the platform to help you kind of gather this information. Of course, cyber, business operational, financial, ESG, you know, reputational, and compliance.
And again, we centralize this information in the platform to help you make good risk-based decisions on whether or not you want to do business with a particular vendor, or keep doing business with a vendor, or kind of recommend remediations to get to a place where you're happy with a residual risk score that aligns with the rest of the company.
Next slide, please, Brian. And I think that's all I wanted to share with you today, which is kind of how we can help address the problem of multiple different risk types in the environment and how we can bring that together in a single solution, help you do some analytics, some reporting, some remediations, to ultimately mitigate that risk on a long-term basis. That's all I want to share with you today. I think, Matt, we'll kick it back over to you and, uh, we'll open it up for questions.
Matt: Alrighty, thank you very much, Scott. Okay, see here. So, uh, now would actually be a great time for you guys all to drop in any more questions you have into that Q&A box. I'm launching the last poll right now, um, on the screen while you do that, um, so that we can follow up with you regarding any TPRM projects on your radar. Um, essentially, just basically, would you like a follow-up from Prevalent to discuss enhancing your TPRM program, and just, you know, please be honest, because we really do follow up with you. So let me launch that poll for you real quick. Yeah. Right. Poll's going, and, uh, we do have, looks like, a little bit more, uh, questions than time, Brian. So, I'm going to give you the first look if you, uh, have any questions you see that jump out at you. Otherwise, I'm happy to pick one and we can go through some. Nope. You're on mute, it looks like.
Brian: Yeah, I'll just whiz through some, Matt, for you if that's okay. So, we got questions around, you know, what documentation do we need to monitor subcontractors? So, that nth, uh, you know, thing that we were talking about earlier, you actually need to ask them the same questions you'd ask your primary supplier, right? So, if they're getting access to, you know, the data, you need to know everything about them as well. Location and ownership models, you know, products, services, locations, etc. So, it's an extension. So, it's not additional. It's a replication of what you would ask your existing supplier, and, uh, you know, carry that over to those guys as well. A couple of questions on ESG, you know, uh, not clear about the relationship between ESG and the challenges it poses to your TPRM function. So, you know, just imagine one of your key suppliers was, you know, found to, you know, be involved in child slavery or significant health and safety breaches, etc. Uh, and obviously newspapers get wind of it and say company X uses child labor, etc. So that's not something that you really want your brand associated with. So those are the linkages, right? And recognizing that there's regulatory and legal drivers to make sure that that doesn't happen. I think, you know, most companies have an accountability to push those into your supply chain just to make sure they don't occur. Um, Scott, I think this one was for you, from Patrick: the current SIG being ported to the Prevalent tool.
Scott: Yeah. Yeah. Question is, uh, can the current SIG be imported into the Prevalent tool to identify the inherent and residual risk ratings, then compare it with the business risk appetite? The answer to that is yes. We have already imported SIG 2024 into the Prevalent platform. Then you can migrate any previous answers from 2023 and before into the new version before you start, uh, assessing your suppliers using 2024, uh, this year. And that includes the inherent and residual risk analysis and then the mappings to business risk, and then the framework mappings for compliance as well.
Brian: Great. And then we've got a question, you know, what are the top three items one should focus on when trying to mature a TPRM organization? Now, any cyber security question, right? People, process, technology. And I saw Scott had people, data, platform on his slide 19. So it's, you know, fairly similar, right? So we need to make sure you've got the right people, you know, skilled people that can recognize the output that the tool's giving you and, you know, drive appropriate action within your organization. You need, like, global processes and good data sets to make sure that you're getting a good holistic picture, and then, as Scott said and I've said several times on this webinar, you know, if you are running a manual process today, I think, you know, it's a good place to start, but the world has definitely moved on. I think, you know, look at what a tool like Prevalent can do for you and kind of, you know, recognize the, you know, the transformation in, you know, your ability to serve risk for your organization. Uh, there's another one around, is there a reason why the business unit contacting or contracting the service doesn't own the relationship with the customer? I think that comes down to individual organizations. I've certainly worked for organizations where they haven't had centralized procurement and they do own, you know, the relationship with the, you know, the end user. I think that, you know, it's setting it up so it's collaborative. I think as long as you've got that single view, that's really critical. You don't want procurement having a view of the client base and you having another, because obviously then you're both guiding the business in different ways. So I think that's really critical. Uh, Scott, do you want to take that one? Uh, with Prevalent, can we opt into one specific risk intelligence category, for example only financial?
Scott: Yeah, absolutely. Um, I mean, the short answer to the question is yes. If you only want to monitor financial risk for vendors, you can absolutely do that with the Prevalent platform. But the biggest value you get from the platform is looking at risk holistically across multiple different types from multiple different internal enterprise teams. So yeah, there are tools out there that might be able, you know, D&B, Creditsafe, you know, whether they give you a financial report for vendors, but it's what you do with the data that matters, and that's the value that we provide, is that we take the data, we map it to potential risks and flags and alerts, and let you take action on it.
Brian: Good. And the last one, Scott, is for you as well.
Scott: Yeah. Yeah. Question is, if I use the tool to send the SIG as a questionnaire, but my vendor returns the SIG to me via email, can I upload their answers into the questionnaire I sent? The answer is yes, you can do that. And then you can call up that vendor and just holler at them on the phone for doing that.
Brian: Good, Matt. We did it.
Matt: All right. Okay. Awesome. Well, thank you very much, Brian, and of course, Scott as well. And thanks everyone, um, for all the questions. So, if you do want to stay in the TPRM loop, feel free to ask us on LinkedIn. And then lastly, you know, I hope to see a handful of you in your inboxes and maybe even at one of our future webinars. Um, so thanks very much again, everybody, and take care.
Brian: Thank you everyone. Cheers.
Scott: Take care everybody. Bye now. Cheers.

©2025 Mitratech, Inc. All rights reserved.