Description
Measuring risk from third parties can be complex, requiring you to translate obscure metrics into potential business impacts. And, once you define ways to measure risk, you still need benchmarks and standards to compare your third-party risk management (TPRM) program’s effectiveness. It doesn’t have to be so complicated!
Bryan Littlefair, past Global CISO of Vodafone Group and Aviva, will show you how you can correlate performance and risk metrics for more informative TPRM program reporting.
In this webinar, you’ll gain practical tips for:
- Defining and implementing meaningful and actionable TPRM KPIs and KRIs
- Leveraging risk triggers to unearth your major pillars of risk
- Fostering a “collective risk management” ideology in your organization
- Evolving TPRM metrics from checklists to continuous risk management
This webinar is ideal for any risk leader seeking to measure and evolve their TPRM program. Watch on-demand now!
Speakers

Bryan Littlefair
past Global CISO of Vodafone Group and Aviva
Transcript
Melissa: Hello, welcome everybody. Let’s see. Ah, they’re coming in. Should be a good one. Happy Thursday. It’s great to see everybody start joining. While we wait for everybody to get connected and settle in, I’m going to launch our first poll out of two. If you’ve attended one of our webinars before, you know the drill. We’re always just curious to know what brings you to today’s webinar. Is it educational? Are you in the beginning stages of your third-party risk program? Current Prevalent customer? Let me know. I’ll leave that poll up there while I get some introductions started. We have a very special guest here, Bryan Littlefair, past Global CISO of Vodafone Group and Aviva. We also have Scott Lang, our very own VP of Product Marketing here at Prevalent, as well as Amanda and myself, and we are wave, right? We are in business development and we’re usually the ones who follow up with you after this webinar, and we’ve chatted with some of you before, I’m sure. So if not me or her, you will hear from Landon or null. So just be on the lookout for them. Today Bryan will dig into the topic entitled “The Right KPIs and KRIs for Measuring Third-Party Risk.” He’ll show you how you can correlate performance and risk metrics for more informative TPRM program reporting. As my dog is barking, a quick reminder: we do want to value your time, so just make sure you are using... sorry, Amanda, can you take over and talk about the chat?
Amanda: Yeah, of course. Dogs, you know, everyone works from home these days. Yep. So we’re going to be asking you guys to stay interactive as much as possible. So please use the Q&A section if you have a question. Specifically, if you have a question, use the Q&A; if you just have a comment, use the chat. We really want to organize it and separate it, because I’m sure you guys have a lot of stuff to cover and ask Bryan and Scott. So that’s about it. It’s going to be recorded. You’ll get it in your inbox either today or tomorrow. You guys can take it away, Bryan. We are good to go.
Bryan: Great. Cheers, Amanda. Thanks, Melissa. So, yeah, a really important topic today: how we get the right KPIs and KRIs. It’s something, strangely enough, I’m quite passionate about and something that I spend a lot of time advising boards and executive teams on, because not a lot of us get it right, myself included. It’s a hard area to mature, to get the right KPIs and messaging from your security program up to the board, but it is critical to get correct so that we get the right engagement. So today I’m going to give you my views, and I’m hopefully going to leave plenty of time after Scott’s done his section at the end where we can get into some of your questions and answers, and hopefully I can give you the benefit of some of my experience. So please, as Amanda said, use the Q&A so that we can get those questions flowing in. I think one really interesting dynamic that I observe, and that I’m asked to speak on a lot at the moment, is that if you look at all the security conferences around the world, whether it’s RSA or Infosec over in Europe, there are specific streams that are pulling some fairly big CISOs and leadership teams in security organizations into focus groups. The topic might have a different title, but it’s focusing on how the CISO communicates with the board, and the word “chasm” is often used, because there’s a gap. There’s a misunderstanding or a miscommunication, or the CISO isn’t getting through to the board with the right level of information. So the board are ultimately disengaging. I just find it really interesting that these discussion groups are happening. If they’re happening, it says there’s a problem, because obviously the industry’s kind of picked up on that: how do we resolve that and how do we take it forward?
And a lot of that comes down to the KPIs, how we present the effectiveness or ineffectiveness of our security programs up to our senior management for intervention, for support, for backing, all of those aspects. So it’s a really key aspect that we get right. And it’s not just large enterprises facing this problem. Not all of you on the call will have an expansive global board and leadership teams around the world, etc. But it still is important, because all of us are on a security journey. No one in security is ever finished. It’s the job for life. You never actually get to tick that box at the end and say, well, security is done, we can move on. There are constant challenges that arise. So it’s relevant for all of us: understanding how we capture where we are on that maturity journey and reach out for that help and support from upper management. The one thing I see, and I’ll try and highlight it later on, is that when security leaders are communicating upwards in the chain around third-party risk, but equally more holistically around the security program, they forget the language of the board, which is risk and finance. All too often we’re talking what a board member would call technical mumbo jumbo, right? They’re very clever people. They certainly shouldn’t be put down because they don’t understand the nuances of security technology. They wouldn’t be on the board if they couldn’t add value, but it’s up to us to translate our security technical lingo, if you like, into the language of the board, which is purely centered around risk and finance. So we can’t go in there with raw security events, firewall logs, and all of those aspects. They’re rapidly lost when you’re not talking to a technical audience.
So we need to recognize that, and I’ve coined the phrase “meaningful metrics,” because they have to be meaningful to the recipient. They have to understand what you’re trying to tell them. They almost have to jump off the page in terms of clarity and conciseness, and a lot I see aren’t there. Hopefully we can have a good conversation today about how we mature from where everyone is today and how we get to where we need to be at the end goal. Sorry. So, third-party risk management. I’ve run security for numerous organizations, some very big and some not so big. So I’ve got very good exposure to third-party risk. I’ve always managed it when I’ve been a CISO. And certainly if you listen to the government organizations around the world, whether it’s the NSA in the US or the NCSC in the UK and the various other bodies around the planet, everyone is sending out the advice and guidance that it’s not sufficient just to secure your organization. We all have a distributed risk in terms of managing the risk that presents itself from our supply chain. We will all have different levels of suppliers, from people that supply ingredients into the kitchens for our staff all the way through to people and organizations that manage our data centers when we outsource them. So there’s a different complexity in that risk model and in that picture. But we need to get better at understanding what that risk is and how that risk can materialize, because we need to mitigate it, and if we don’t know about it then it’s really hard for us to actually mitigate it going forward. Many organizations, and thankfully this is starting to change, but certainly when I started in security probably 20, 25 years ago, platforms like Prevalent weren’t around, so we had to do our third-party risk on Excel spreadsheets and similar database processes.
But now platforms like Prevalent are around, we really shouldn’t be using Microsoft Excel. And I apologize in advance if you are a Microsoft Excel user, because I’m going to give it a bit of a bashing today. Excel has its place within an organization, but it’s not in managing third-party risk, and I’ll get on to that in a few slides. We need to get our interaction with our customers and suppliers in as near real time as possible, and Excel won’t allow you to do that. We can’t be in a world where we’re gauging risk in an annual cycle where we’re sending out questionnaires, third-party suppliers are filling in those questionnaires, they come back into our analyst teams who are massively overstretched, and then obviously they have to diagnose those results and try and produce a risk position. But as soon as that’s done, it’s out of date. As soon as you get that questionnaire back, it’s practically useless, because if we all think about our own organizations, how much management changes, how much strategy changes, how we release new products and services, new policies and procedures that are released internally: that’s exactly the same in the supplier world. And if you’re just capturing that and analyzing that annually, then thousands of changes are going to happen and occur between those cycles and you’re just not going to know about it. So you might think that a supplier is pretty unrisky, but actually they’ve launched a new venture or a new product that really increases their risk profile. So it’s about focusing on getting that risk trigger, about getting that information from your suppliers in as near real time as possible. And I think moving away from the Excel way of the world into platforms like Prevalent is hopefully why you’re all on the call today: to understand how you can achieve that if you’re not already on that journey.
Bryan: Sorry, wrong way. So, three of the common challenges that I think organizations face, and hopefully some of you might resonate with this, and again feel free to put any questions in the chat and we’ll get into that later on. I’ve coined this the ART quadrant. What I see are challenges in third-party risk management around the approach, the tooling that’s being used and the resource that’s within the team. I’m going to run through these and they all have a slide each, but that ART quadrant: if you don’t have the right strategy in place, if you haven’t adopted the right tooling and you’re not optimizing your resource, and I use “optimizing” because why ask for more people when ultimately you haven’t optimized your tooling? If you have those three things, then it’s almost the perfect storm and you’re going to have a challenge around doing third-party risk management correctly or being able to advise the business in the right way. So if you’re in the ART quadrant, your priority today is how do I get out of that, and hopefully we can help give you some answers to that as well. If we look at the approach, third-party risk management needs to have a strategic approach, and what I mean by that is it has to be designed to assess, evaluate, capture and ultimately treat risk. It can’t be just to run an annual cycle that sends an auditor out to a tier one supplier and sends a questionnaire out to a tier three, and the results are assessed. Just because you’re running that cycle doesn’t mean to say you’re doing third-party risk management. The clue is in the M. You’re managing that risk. You’re effectively capturing it. You’re understanding the potential impact on your parent organization. You’re advising the business about that risk. You’re putting in treatment plans.
You’re having the dialogue with the supplier and you’re mitigating or accepting those risks, but you have that informed position. That is the risk management aspect of the third-party program. It absolutely needs alignment with the broader business, but it shouldn’t be driven by the business, and what I mean by that is you are the expertise in this space. You are the expertise in risk. You are the expertise in security. So it needs to be the accountable person, whether you’re in procurement or whether you’re in the security function. It doesn’t make much difference. But whoever’s owning and running this process needs to have that pure direction around “we’re here to tackle risk.” If the business is trying to dictate how it happens and which suppliers get which attention, they need to have that security background. They need to have that risk background to actually understand what the potential impacts of that will be. So you can’t just be purely driven by the business, because it won’t lower your risk profile. So let’s look at resources. When I look around organizations, I think that the third-party risk management teams are often heavily under-resourced. But then I start to ask the question: have you optimized the resource? If you’re trying to run three and a half, four and a half thousand suppliers around the globe in 60, 70 countries using an Excel-based process, that’s never going to work. It doesn’t matter how many people you throw at it. It doesn’t matter if you spin up a captive in India and put 100 people on it and things like that. It’s just not going to work. So rather than just thinking we haven’t got enough people, we need more people, you need to step back from the problem and say this process isn’t working. You’re in the ART quadrant.
So rather than just looking at resource, what can we do around the technology, what can we do around the process, and how do we actually optimize the resource that is needed to run an effective third-party risk management program? Obviously I’m on this presentation because I’ve used Prevalent extensively in my past, but I’ve personally run global multinational organizations with four and a half thousand suppliers with a team of six people. So it absolutely can be achieved if you’ve optimized the process, the technology and the data flows that are coming in and out of the team. But it is focusing down on how you support those people best. You need the right resource, they need the right skills, they need to be focused on tiering the companies that are within there effectively so they know who to spend the most time with, and equally they need to know the global ramifications of those suppliers, and I’ll get on to that a little bit later on. So optimization is the key thing about resource. Don’t just throw people at the problem. It’s not going to fix it. And then if we look at the... sorry, you keep going the wrong way. If you look at the tooling aspect, we talked earlier on around innovation in this space, and there’s a lot of innovation in this space because governments and organizations are recognizing that they can’t just secure the mothership. They have to effectively secure everything that is interconnected with that mothership. And we’ve talked around different suppliers, different criticalities to the organizations. Some might have physical connectivity into your networks. Some might have staff members on their sites that have virtual logical access into your networks. And we need to understand what that looks like. And that’s a very complex picture.
Building all of those nuances together and then actually understanding the global aspect of that. So, for example, if you are working for a large organization, you might have a supplier in one country that is fairly insignificant, but actually in another one of your countries they’re major. So you have to understand the global ramifications of your suppliers as well. So we need to mature, we need to move up that maturity scale, recognizing that if we look at what you do today and you would view it as a manual process, in terms of manually sending out questionnaires and relying on individual analysts to actually interpret those results, and they’re very skilled people and I’m not doing them a disservice, the challenge is that if you give a questionnaire to analyst A and give a questionnaire to analyst B, you’re going to get two answers coming back. So use the analysts to interpret the results that the modern tools are giving you. That’s where the best use of their skill is. It’s like if we look at a security operations center: we wouldn’t put our level one, two and three SOC analysts on looking at the raw data flowing into the SOC. We rely on the SIEM technology to do the analysis and present them with the issues that we think need investigation, and that’s the innovation that’s happened in this space. Let tools like Prevalent absorb all the information, analyze where the key risks are (you can set the parameters on that) and then give that information to the analyst. That’s where they can have maximum traction and use their skill set to best effect.
Bryan: So let’s get on to the KPIs and the KRIs, and I just want to baseline what I’m talking about when I talk around KPIs and KRIs. So we use KPIs to measure performance. The key is in the name, right? Key performance indicator. Is something working as it was designed? Is it design-effective? Is it designed in the right way? Is it operationally effective? So are we operating it in the right manner and getting the right data flows through? That’s what we’re looking for from a KPI perspective. The KRI is completely different: how much risk are we exposed to? And there’s gross risk, there’s net risk. We have a baseline of risk, we apply treatments to it, and then obviously we get the net risk coming out of that. So that’s the baseline. That’s what we’re going to be talking around going forward. So, meaningful metrics. This is actually a dashboard from a customer that used Excel. Granted, it was a few years ago, but I still see things like this floating around today. And as you can see, this was presented to a board member. There was no analysis of the data. There was no supporting documentation. It was just an Excel spreadsheet showing here’s our suppliers on the left, I think there’s about 40 rows on there, here’s our information security controls along the top, and then here’s how a supplier has performed against those security controls. So you can see there are two shades of yellow, there are two shades of green, there are two shades of red. And I challenge anyone to look at that matrix and understand where the key challenge areas are. If you look at the information security controls about 3/4 of the way along, there’s a fair few suppliers that are scoring red.
And from experience, I’d probably say that’s something around physical security, because not all small suppliers have CCTV and perimeter fences, etc., that you might have in your security controls. But regardless, it’s complex, it’s busy, it’s static, because these are assessed once a year.
Bryan: And then there’s dialogue with the supplier around “you failed this control, can you put this remediation in place,” but it largely stays the same for months and months on end. So when you’re putting a monthly report into the board, the board members are going, well, this hasn’t changed. What’s the value of you coming today to present something that’s not going to change in 12 months? We saw it last month. And you can’t drill down into the issues. It relies on the presenter to actually know the issue or challenge that’s behind every single one of those squares, because if a board member focuses in on a supplier and a control and says, what’s the situation with this one, you have to be able to wax lyrical on that rather than actually click on it and visualize it. But obviously it doesn’t have to be this way. Tools like Prevalent, which is the dashboard on the right, you can actually use that, which I used to do for the board communication. So you don’t go in with the PowerPoint, you go in with a live website, live data, actually show the dashboards and be able to drill down and say, “Look, here’s the current risks that we’re managing within the supply chain. Here’s where we think the areas are that we need focus and support on. Here’s where we think we have a challenge. Let’s have a quick discussion about what we’re going to do about it. Drill down into the data set. Everyone’s informed. Everyone’s happy. Move forward.” So you can see why I’m giving Microsoft Excel a bit of a bashing. And apologies if you use it today; I have had to use it in the past, as I’ve said, but when you put a platform like Prevalent into your organization, it really is a bit of a game changer. It really allows you to be more effective as a security leader, which is ultimately, I think, what you all want to be able to do.
So, what metrics are best practice in my opinion? Remember this is just my opinion and feel free to challenge it. I always like a good debate. But what should we be measuring? I largely put it into four buckets. Risk we’re covering fairly well.
Bryan: I think it’s pretty obvious that we need to assess our supply chain from a risk perspective. Another benefit from Prevalent is threat. You can’t put a threat lens through an Excel spreadsheet. Being able to visualize the potential threats that your suppliers face, getting that threat intelligence, open-source OSINT data as we call it, flowing through on your supplier footprint means that you start to understand a lot more about them, and it means you can also challenge them, right? So if you’re getting a supplier come back to you with some data that doesn’t correlate with their threat intelligence, for example they say they patch their perimeter every week, but you can see vulnerabilities on their perimeter for two months, it allows you to have an informed conversation about what is reality. And equally, threat doesn’t always have to be about cyber, and risk doesn’t always have to be about cyber. Security is more holistic than that. So we’re going to encompass business continuity. We’re going to encompass disaster recovery. We’re going to have all of those components flowing together into a single dashboard that allows you to understand what happens if this supplier wasn’t there anymore. Think about the organizations around the world that have just had to remove Russia from the entire equation. Think about the organizations around the world that are looking at China, and looking at what they’re potentially doing from a military aspect with Taiwan, and understanding what happens if China goes away and we can no longer have them as part of our vendor base, part of our supply chain, part of our development and part of our code creation. Modeling what would happen to your supply chain, all of those aspects become a lot easier to do when you’re using a tool like this. Compliance becomes a lot easier as well.
And I’m going to drill down on these as well. Don’t worry, I’m just skipping the headlines.
Bryan: So compliance becomes a lot easier because, rather than actually having to audit a supplier around their compliance to whatever it is, PCI, Sarbanes-Oxley, the California Act, you name it, you can codify those requirements by checking a box and saying this supplier is in scope for this compliance in relation to our organization, so assess them against that. That’s really valuable in terms of just getting those attestation statements coming back, which you can present to an auditor and say, hey, we’ve looked at them, here’s what the view is, and here’s what other companies think the view is in relation to their compliance as well, which is equally really useful. And then there’s coverage. I see this all the time where organizations are running a third-party risk program but they haven’t got full coverage. They don’t know all of their suppliers, and cloud computing doesn’t help here in the ability to spin up a service on a credit card. Shadow IT is also an issue, where the business kind of bypasses the normal CIO and CTO processes and stands up technical environments with new suppliers on their own. But it’s our job to get beyond that and actually capture that and make sure that we’ve got that good holistic view, so we are assessing all suppliers in that mix. It is a challenge. I’ve done it myself several times and it is the biggest issue if I’m honest. So let’s look at what some of the KPIs are that I would gauge from a risk perspective, and equally some of the KRIs. We’ve talked coverage, but I do think it is the most important one.
Bryan: No one wants to be blindsided by a supplier that you didn’t know about that’s had an issue and had an impact on the business, and they’ve appeared on CNN or the news depending on where you are in the world, and you didn’t know about them, you haven’t done an assessment and it’s impacting the business. So getting that coverage is absolutely key, and the way you have to do that is get hold of procurement and insist that nothing goes through the procurement process end to end without your due diligence process completed. And the third one down there, the percentage of suppliers that have completed the onboarding assessment: if there’s cash flowing from organization A, as in from you, to a supplier and that assessment isn’t complete, then you’ve got a problem, or you may have a problem. You don’t want to peddle the fear, uncertainty and doubt, but in terms of designing your process for success, that should be 100%. You should make sure that you’ve got your hooks into the process at the earliest stage possible so that you can do your assessment. But again, I’m going to wax lyrical on this. The benefit of using a tool like Prevalent is if the business comes to you and says, “Hey, Mr. and Mrs. CISO, we’re going to need you to onboard this new supplier. They’re critical to us. We’re doing a new product launch, etc. We need to understand them very quickly.” In the old world around Excel and questionnaires, that wouldn’t be achievable. That takes time, because you’re only going to find out what you know about them on Google, right? So you don’t know this supplier. You don’t know anything about them at all.
Bryan: When you go on Prevalent, it’s highly likely that some other person in the world has used this supplier and is on the Prevalent platform, and equally Prevalent go out to suppliers proactively and say, look, come onto our platform, fill in your questionnaires on here, and then obviously new customers get access to that information. So you’re benefiting from that collective risk management. You’re benefiting from what other organizations have asked that supplier, and you can get access to that information, so you’re not staring at a blank Excel sheet. You can start to see probably 90, 95% of the questions you’re going to ask them anyway are going to be on the platform, so you can really hit the ground running and drive that forward. But from a KPIs perspective, they’re the few that I’d pull out on there. The one thing you need to be measuring, and the key thing that really causes damage to the security reputation, is that you become a blocker. And you’ve probably heard that before: we don’t want to engage with security, they slow us down, or procurement say they don’t want to work with us on this process because it’s too slow. So really track the mean time for that process to go through your security organization, and again look at what can be optimized, and obviously I think we’re going through a lot of what that is as well. And then if we look at the KRIs, I always look at lag indicators and I always look at lead indicators. Lag is what’s happened in the past, and lead is looking into the future: what do we need to constantly keep an eye on and focus on as well? So we always want to be looking at incidents: who in our supply chain has caused us issues and challenges? And that doesn’t have to be cyber. The Suez Canal was blocked. You might have had shipments on one of those boats that couldn’t get through.
That is a supply chain issue. It’s not a cyber issue, but it is a supply chain issue. And you still have to understand, can that risk be mitigated? And, you know, can you think through that in advance before it actually occurs?
Bryan: And things like the number of suppliers that present a continued high risk following successful onboarding. So you might have gone through the process, and they still present a high risk, whether it’s geopolitical or the products that they’re creating. It could cause you reputational damage or it could impact your supply chain, but you still have to work with them. There’s no other choice, or that’s who the business has chosen. So you will keep a very close eye on them. You’ll put them in tier one and you want to keep that moving forward. So it’s really focusing down your risk lens. Your risk lens should be your magnifying glass, really drilling down into what that is, right? And then look at threat. Threat is key. If you’re not doing threat as part of your third-party risk management program at the moment, you absolutely need to understand how you can ingest that in. Obviously, it comes as part of this platform. But equally, if you’re just not doing it, you need to be doing it. And that’s really looking at the number of suppliers that you can get threat intel on. Most of the suppliers in the Prevalent platform will already be prepopulated with threat intelligence. But this really comes down to your compliance programs and what intel you can actually get on them, because over and above risk, which is something that may happen, threat is something that either has happened or is about to happen and you’re getting early indications of that occurring. So getting that threat intel flowing through into your organization is really useful. So really slicing and dicing that, looking at it from a compliance lens, but equally looking at it from a tier lens. If you’ve got a high degree of threat, as in something may occur in the short or near term in your tier one supply base, then that’s likely going to be an issue, and how are you going to mitigate that going forward?
So, you know, again, this is really useful: if risk is the magnifying glass, then, you know, threat is the microscope.
Brian: It allows you to actually understand what is actually happening in near real time and what, you know, could really impact your business fairly significantly, right? And then if we look at compliance, so compliance is only going to increase. And if we look at the regulators around the world, they are starting to align their compliance programs, because, you know, when you run a large global multinational it can be really complex with, you know, the difference in compliance programs around the planet. So they are starting to align. I think, you know, when we look at data, there’s around 63 different requirements around the planet that just relate to data. So in Europe we have GDPR, in the US you have the California act, Canada has their own, South Africa has their own, etc., and those that haven’t got them yet are developing them, but we are starting to see commonalities in that approach. But compliance isn’t going to go away, especially if you’re in a regulated industry. And the reason it is there is because obviously the regulators are looking at the people that are within their sector and they’re not seeing the behaviors that they want to observe. So they’re actually driving it through regulation. You will do this. This is how we want you to approach it. And they get very prescriptive with that going forward. Now compliance used to be a real challenge to achieve. You know, in a manual world, it was very difficult to, you know, get that lens across your supply chain. Not only are you trying to assess them against your own security policy, you’ve got all of these different compliance regimes that you now have to assess them against as well. But honestly, it can become a click of the button. I don’t want to oversimplify it because, you know, you have to architect it well in the platform and understand who’s in scope and who’s out of scope. But it is absolutely a game changer in terms of pace and ability to actually get those done as quickly as possible.
So, you know, compliance becomes a breeze. And then that no coverage as well. Absolutely. You know, really important. We need to make sure that we’ve got that covered off. I can’t stress this enough.
Brian: I’ve seen it happen as a real problem for specifically larger organizations when they segmented their third-party risk management program on a country-by-country basis. They’re just not understanding, you know, the materiality that a supplier can have on their organization. And equally, they’re being, you know, divided and conquered by the supplier. A supplier isn’t going to tell you, proactively anyway, that they’re, you know, supplying a large multinational in all of their different countries with different pricing and different contracts, etc. So, it really is the accountability of procurement to get their arms around that, underpinned by the third-party risk management program, to understand, you know, what potentially could be the impact of that going forward. And again, make sure that there’s no money flowing between company A and company B until that’s actually completed. And obviously track that time-to-onboard metric as well to make sure that you really understand: are you being a blocker? Because, you know, you potentially might be. Your process might be, you know, not optimized, you haven’t got the right tools, and it might be a real pain to get a supplier through this program. And if it is, you know, be proactive about recognizing where those challenges are and fixing them as well. And then obviously making sure you’ve got the KRIs around, you know, focusing down on tier ones, tier twos, etc., the ones you actually want to spend time with, and have you really understood, you know, their coverage within your organization? And then, you know, putting the different lenses on it for different audiences, right? So, and this is really important, and a tool like Prevalent again allows you to do this, recognizing that, you know, when I was the CISO of an organization, and I don’t think I was too much of a control freak, but I wanted a lot more information than I’d be showing the board. I wanted the lens that I could dive into that showed me the technical detail that,
you know, I could assign to my technical team to, you know, get a deeper understanding on. So there’s a different lens that I want to see as a security leader and that you will want to see as a security leader as well.
Brian: And then being able to, you know, model situations, what-ifs. What if we did this? What if we didn’t do that? What if someone else did this and we didn’t? Being able to scenario model and be able to get into that threat intelligence as well and understand, what if this occurred to this supplier? What’s our backup plan? Have we got a supplier B in this space? And, you know, a big example in that space at the moment is the silicon chips. There’s a huge global shortage around silicon chips, and organizations that, you know, were specifically focused on supplier A and didn’t have a backup in place already when they experienced issues, to immediately start to procure from supplier B, just missed the boat, because those that did already got the chips from supplier B. So they were out as well. So it really is thinking through, you know, not just from a cyber lens. That’s what I keep saying: cyber is absolutely critical, and obviously it’s my experience and background, but we’re talking supply chain risk here and, you know, it’s broader than cyber and information security. So the CISO needs a lens. The business needs a lens as well. And, you know, we can have this debate, but my view personally is the CISO shouldn’t own any risks in regards to remediation. We have business owners, or you should have business owners, that are responsible for managing those partners within your business. So the partner, the external third parties, aren’t getting into a business relationship with the CISO. They’re getting into a business relationship with a business unit or a division within your organization, and it should be their accountability to, you know, manage that organization and that supplier going forward. What your job is, is to give them the information to do that. So allow them to prioritize, get down into that detail around, hey, we’ve got an issue with this supplier, or you want to bring this supplier on and we’ve got a challenge with that as well.
We’d much prefer you to use that one. But you can present the information and you can present the facts and give them and empower them to be able to obviously drive that resolution plan going forward.
Brian: And again, rather than that very complex Excel spreadsheet that I showed you, something like Prevalent will just allow you to assign that to different users. So you don’t own the risk, they own the risk, but you’re tracking that remediation going forward. You can get flags if there’s any issues and challenges as well. So again, really powerful from that perspective. And then you have the board. And I use the board and the executive team kind of interchangeably here, but what they’re looking for is a very high level view, a very high level picture. What is the consolidated risk picture? Give me the elevator pitch, the 30,000 ft view. But I want to be able to drill down. If you’re telling me there’s a problem, I want to be able to get into that data because, you know, they are personally and individually accountable in a lot of sectors around managing effective risk. And if you’re going into that board and there’s an issue or a potential challenge, you need to give them the information, but they can’t trawl through, you know, pages and pages of data; they need it presented on a plate. The analysis needs to be done on their behalf. And what you just actually need to be able to do is say, you know, I think we have an issue. I think we have a problem. I need your support. And if you obviously use those universal languages of the boardroom around risk and finance, then you’ll obviously get those hooks into those board members and get them supporting on your behalf. That’s really critical as well. So why am I advocating, you know, meaningful metrics and KPIs in this space? So, you know, just to summarize before I hand over to Scott, because I can see there’s a lot of questions coming in: this process exists for a reason and we need to remember that. You know, I see so many people going through the cycle, but the risk reduction isn’t occurring. So the process is running but the risk isn’t going down.
So we absolutely need to be focused that it’s there to reduce risk and effectively manage it going forward. Um, and equally, accepting risk is perfectly fine. You know, I see organizations accept risks all the time.
Brian: You know, um, I could give numerous examples. Around, you know, I worked for a large organization that, you know, invested heavily in printers. These printers were the size of a warehouse, but in order to replace the management console that was based on Windows XP Service Pack 2, which we all know has vulnerabilities in it, there was no answer but to spend 10 million on a new printer, but the printer was working perfectly fine. The third-party risk management program might say, “We need to replace the printer.” The business would say, “I’m not going to spend 10 million on a new printer. Find another way around it.” So, we’re not going to accept the risk in its entirety. We’re going to put a treatment plan around it. We’re going to reduce the risk by putting security wrappers around it. But we’ve exposed the issue. We’ve had an informed conversation. We now understand the risk and we’re getting to a point where it’s more manageable and we can understand it. That’s the process that we need to be driving going forward. How you report that risk into the business is absolutely key as well. I see a lot of business stakeholders that are distant from this process because they don’t see the value that it’s delivering. And, you know, staying close to those business stakeholders, the leaders of the respective areas within your own businesses, and actually understanding: is this adding value? Are you getting what you need from this process? Because this is my objective in terms of reducing risk and I need to work with you to effectively be able to do that. So, are we hitting the mark? Are you getting what you need? What else do you need? You have to be adaptive to those requirements as well and really take them on board. So, don’t be in your ivory security silo. Break those walls down and engage with the business and make sure that you’re delivering a quality service, because if you’re not, they’ll just look elsewhere for that information.
And as a security leader, you don’t want that.
Brian: If you think back, you know, if you’re looking at my Excel spreadsheet example, and you thought, hey, that’s kind of what I do at the moment, you know, I’m not giving clarity to the business, they have to do the analysis on my behalf when I present it, then we need to understand how that can change, we need to understand how to adopt it. So you’re probably, you know, burning out your finite resources from a human resource perspective within the security team as well. So understand what you can do, mature your third-party risk management program away from spreadsheets and databases, and look at the innovative platforms. You know, we’ve done a lot of innovation in this space because we recognize it’s an issue. We recognize there’s challenges there. We can’t put threat through an Excel spreadsheet. It can’t be real time by its very nature. We need to involve a community-driven risk approach so that we’re tapping into the questionnaires and, you know, the threat intelligence and the approaches of, you know, thousands of other customers of that supplier. We can see all of that information. We’re not just relying on our data set. So there’s a lot of, you know, power in that collective intelligence that you can get from platforms like this. And, you know, really remember that, you know, one thing I always said to my security teams is you’re not accountable for this process end to end; you need to work with the broader business. I’ve done lots of, you know, webinars for Prevalent, and, you know, one of the other ones I suggest you look at is how we get the relationship really working with the procurement teams, because our objectives are absolutely aligned, but we need that clarity of communication into the business, we need those meaningful metrics so we can inform the stakeholders what’s going on. It’s a real challenge to get all of that data in and put the context behind it, but, you know, using tools like Prevalent will really help.
So, I’m going to hand over to Scott who’s going to talk a little bit around Prevalent and then we can get into your Q&A. So, Scott, over to you.
Scott: Thanks very much, Brian. I appreciate that. Um, you know, everything that Brian talked about today was all about, at the end of the day, maturing your existing approach to how you understand, organize and communicate the most important metrics, you know, up the ladder, if you will, or up the chain in the organization. That is at the heart of why we have designed our solution the way we’ve designed it: to get you from a point A to a point whatever, be that point zed, point B, you know, whatever down the line. And we deliver our solution approach in one of three different ways. The first is helping you get a quick handle on the most important risk metrics that matter to you by checking out a completed risk assessment, an already completed risk assessment from our library, our global intelligence network. Now, those assessments are based on industry standard assessment types and can help you download and digest that information, load it up in your local instance, so you already have a completed risk register and the ability to then map the risks for that vendor to the industry framework or security framework that’s important to you. So, you can help prioritize and then calculate risks. Now, that includes inherent risks, right? So, the risks that the vendor brings to an organization without the treatment of any controls, your controls, right? The controls you require specific to your organization. And then we can help you quantify those risks into what we call a heat map based on likelihood and probability of occurrence. The second mechanism we employ to help you kind of get control of risk is have us do it for you.
You know, we’ve got, you know, three different risk operations centers, risk operations professionals that are located in the States, in Canada and the UK, that help you to, um, you know, design the right assessment that’s important for you to collect from your vendors, collect that information, analyze it and present it in such a way that you can easily report in the organization who your riskiest vendors are, what areas controls need to be applied to more so, for everything from onboarding all the way to offboarding in that life cycle. Or if you want to use the solution yourself, you can do that. So the third-party risk management platform is our core solution that enables you to onboard vendors, identify risks, create the right content to collect those risks after inherent risk assessment is done, and then organize, analyze, and then remediate risks with built-in recommendations in the platform. And all of those capabilities are delivered with a consistent thread through them, and that is continuous vendor cyber, business and financial risks, because collecting risks one time a year isn’t going to do anybody any good, because as soon as that risk assessment is done, well, something happens, right? So that’s why we include a real-time continuous element to risk management along with the collection and analysis of risk insight. Next slide, Brian.
Scott: Um, and again, like I mentioned, our objective is to help you get from point A to point whatever, and we have a very prescriptive approach to help you get there. Everything from, um, you know, let’s say you’re starting out in a place where you don’t even have your vendors all together in one place, much less know which metrics to report on. Um, you know, we can help you programmatically onboard and score those vendors to help you prioritize what kind of risk management needs to be done, um, you know, to those vendors. You know, next is, you know, again, calling back to what Brian said a few minutes ago, you know, not knocking too hard on Microsoft Excel here. I know we all use it in some capacity, but if you’re ready to break out of spreadsheet jail, we can help you automate that process, you know, in our platform to create the right content, send out that content to your vendors, and then analyze it automatically in the platform and not have to worry about switching spreadsheets back and forth. Um, we mentioned validating assessment results with continuous cyber monitoring intel is the next step in the process. Help you make smarter decisions by keeping that data fresh, current, relevant, so that, you know, when you’re presenting information on key risks, you know, or even KPIs, that data is current. And that gives you the ability to fix those problems with built-in remediation guidance and best practices in the platform, and then eventually kind of proactively and continuously assessing, you know, those risks on a continuous basis. As that program of yours matures it becomes inherently less reactive and more proactive. Your visibility increases, your efficiency increases if you take that right approach to kind of getting there. Next slide, please, Brian.
Scott: Um, you know, what differentiates us is, um, you know, how we collect information and all the different sources we collect it from. You know, this starburst, if you will, is just a sampling of the different data sources we use to bring information into the system to help you understand where your biggest risks are and how to quantify and communicate those. Everything from the vendor community to crowdsourcing to private sources that we license information from, regulatory monitoring that we keep updated in the system, industry partnerships, integrations to systems you’re probably already using, completed assessments in our library, and finally public sources like OSINT information that we collect as well. So all of this information we gather for you to add context, flavor, and clarity into your, um, you know, assessment that you’re sending out, so that when you do your reporting, when you’re defining your KRIs and KPIs, they have not just the information but the context behind the information. That’s our approach anyway. Back to you.
Brian: Thanks, Scott. So, um, we’re now at the Q&A aspect. So I’m going to, I think, hand over to Melissa and Amanda, just to, you know, send us... you’ve all been putting in your questions, but I think there’s a poll coming up first, right, guys?
Melissa: Yeah, we just launched our second and final poll. Um, we’re just curious, you know, if you’re looking to establish or augment a third-party risk program within a year. Please be honest, um, because we do follow up. Like I said earlier, it’ll be me, Amanda, Null, um, Landon. So, I mean, it’s one of us. We’ll definitely be doing our due diligence. Um, but let’s go ahead and attack a little bit of this Q&A. It’s very busy. Um, this one might be for Scott, but I’ll let you guys decide. First question is, does the Prevalent platform have intel on large companies such as Microsoft?
Scott: Uh, absolutely we do. Um, we have two, um, complementary sources of intel on large companies like Microsoft. Number one is a completed, um, assessment that’s been done on them. Let’s say a standard information gathering assessment. Maybe it’s a SOC 2 report. And then we augment that with continuous monitoring of cyber security, business, financial, reputational and data breach related information to kind of fill out the vendor profile and add additional information to the completed assessment. So, yes, we do.
Melissa: Got it. All right. Next question. Um, from your experience, how would you best calculate and communicate overall annual risk exposure from a third-party risk management perspective?
Brian: Wow. You know, that’s one of the hardest things to do, um, you know, collectively. Um, the way I’ve personally always approached it is in the tiers. So, you know, looking at, you know, tier one, tier two, tier three suppliers, and maybe you go down to tier four. Because if you mix tier four and tier one together, for example, then, you know, it just confuses the picture. So, it’s really focusing, you know, on those suppliers that are absolutely critical to you or your customers or your business success. Maybe they produce things on your behalf. And in terms of looking at the effectiveness of the program, it’s around, you know, where did you start? What did you set out to achieve in terms of risk reduction in those suppliers? And then what have you achieved at the end of the year? But, you know, that’s an iterative process. So, you know, I wouldn’t communicate that once a year. I’d be talking around that every month, because in my experience the executive team want to support, you know, security and procurement with these challenges, and it’s around, you know, we’re working with this supplier, they’re maybe not conforming to this or that, etc. And about moving that dial constantly. So yeah, if you want to do it annually, make sure you’re doing it with a tiered approach, but at least, you know, break it down into 12-month cycles as well so that people aren’t, you know, surprised and shocked at the end of the year. They recognize what you’re saying because they’ve been part of the conversation throughout the year as well. Right.
Melissa: Perfect. Thank you. All right. Next question. Is vendor threat intelligence automated, like an automatic feed, or does Prevalent just offer fields for an organization to perform their own OSINT, I guess, on their vendors? So it might be for Scott.
Scott: Yeah. Um, so we offer our own native continuous monitoring feeds, right? So we incorporate cyber feeds. We’ve built our own cyber feeds as well to collect information to get it into the platform. And then we’ve got business, reputational information that we also consume from outside sources, as well as financial information as well. So it’s a combination of feeds we built, information, uh, you know, we built and information we collect as well, but we also have an open API and a connector marketplace to enable you to build a connection from the Prevalent platform to any other system you’re currently using for that.
Melissa: Great. Thanks, Scott.
Melissa: All right, here we go. The supplier onboarding process is often a mystery in many organizations in terms of inputs and outcomes, depending on process owners. What are best practices for supplier onboarding to ensure robustness in the process?
Brian: Yes. So, I think, again, it’s a tiered approach. So, I always use an example: you know, if you’ve got someone supplying ingredients for the kitchen or, you know, someone managing a data center, the onboarding process for that would be slightly different. I think all of the, you know, questions that you’d ask the kitchen supplier would be included in the data center supplier, but they’d get a lot more. Um, where I see a complex process in place is where the same onboarding process is used for both. And that’s where, you know, you’re asking, you know, someone that supplies kitchen ingredients whether they have privacy, CCTV, you know, 24-hour manned guarding, um, speed gates to go in and out, etc. There’s a relevance that you need to be able to, you know, ask your supplier. So, again, take that tiered approach. I think for the onboarding, it’s really the high level getting to know the supplier: you know, which policies and procedures do they have in place, who’s the management of the organization, what’s the financials of the organization? It’s, you know, you might not know anything about them. You need a rapid data capture. And that’s where I said, you know, if you’re using Excel, you’re starting from a blank sheet of paper. That’s hard to do. If you’re using something like Prevalent, you can normally find out a large chunk of information on that supplier. So, best practice is, you know, don’t ask them everything as part of the onboarding process. Ask them what is critical to proceed and then obviously you can find out the rest as part of the relationship going forward. But then actually tap into a process where you can get that information as quickly as possible so you don’t become a blocker.
Melissa: All right, perfect. Let’s see. I do have another one. For a firm that has to manage budgets tightly, how can they best balance the need to choose smaller suppliers that speak to a business need and meet their budget with reducing the risk, which is more likely to be the case with larger and more expensive suppliers?
Brian: Yeah. And this absolutely needs to happen, right? And I’ve seen small suppliers that could potentially be bankrupted by going through a large multinational’s third-party risk management process, because, you know, the investment in time on their behalf to answer all the questions and, you know, put all the data in, etc., you know, it can be a real challenge, and you can actually stifle innovation or stifle smaller organizations approaching you by having a too onerous process. So I think we all need to recognize that, you know, even large multinationals want to work with small innovative companies; it can be a big differentiator for them, right? So we need to be flexible in our approach and in our process, and again it’s around tiering not only on, you know, criticality to the organization but size and scale of that organization as well. If you’re working with a small four-person startup, you know, you just have to be sensible around the questions that you’re going to ask them, and you should have some fluidity in your program around the size and scale of the organization, because a lot of the things you’d expect to be present in a large organization won’t be present in a small startup or scale up, but that doesn’t mean you don’t want to work with them. Um, and again, you’re absolutely right. You know, you can burn a lot of internal resource trying to capture what is the risk presented from a large organization, but that’s where things like SOC 2, SOC 3, SOC 1 reports really come into their own. So, what you’re looking for is assurance at the end of the day to be able to manage your risk. Whether that needs to be done personally and individually by your team, or whether you can leverage, you know, intelligence in Prevalent, or you can leverage the data that’s in SOC 2 reports and things like that, that becomes really useful as well. So.
Melissa: Thank you. All right, keep on going here. We’re really chipping away at all these questions. Um, to what degree are cultural nuances integrated in calculating risk assessment, to include an organization’s impact on established mores or practices within a community where it operates?
Brian: And what, “established morals”? Do you think that means, or?
Melissa: I think so. Yeah. Well, you can assume that one.
Brian: Yeah. So, I think, you know, culture is a very interesting lens that we always have to factor in. Things like anti-bribery exist because of the culture that exists in some, you know, countries where, you know, some of us may operate. It was fairly normal for an envelope to be passed over the table when a business deal went ahead. So we have to understand our organization’s culture and how we expect our supply chain to behave. And, you know, that even might be organizations that operate in countries where, you know, best practice isn’t observed, and, you know, it might be a cultural acceptance for them, but, you know, we’re under regulation to ensure that that doesn’t occur within our supply chain. So we have to be fairly strong, and, you know, we have to have governance over those aspects in terms of, you know, anti-money laundering, anti-bribery, all of those aspects, just to make sure that they are covered off. So we have to understand that cultural differences occur and be sensitive to them. But equally we have to understand what is our company’s core culture. How do we expect ourselves to behave? How do we hold ourselves to account? And that’s ultimately the, you know, the requirements that you push out to your supply chain, and then you put the right controls in place to be able to measure that as well. You know, that’s why I was saying, you know, it’s not just about cyber risk, it’s about risk, and, you know, culture itself can present a risk. So just being conscious of that.
Melissa: Perfect. All right, here we go. How do you put a monetary value to the overall score or rating of a particular third-party vendor?
Melissa: Sorry, guys. Is there some more?
Melissa: Uh, this one might be for you or Scott. I’m not sure who can answer this one a little bit better. Go ahead.
Brian: How do you put a monetary value on the overall score of a particular third-party vendor? It’s always tough. It’s like, you know, how do you assess the monetary impact of a security incident that’s just occurred, in all of those aspects? So, you know, Scott, you can answer after me, but I’d say, you know, it could be largely subjective. Around, you know, you have to understand your business. For example, I do a lot of work in manufacturing. They understand how many units they produce per day, per hour, per minute, etc., that flow through their factory. If they have a cyber incident, you know, from a supplier, and their factory shuts down, they can very easily quantify, in terms of lost product that they’d have made, what the financial impact on that organization is going to be. There’s still a different dynamic around what’s the cost to restore business, because do you need new laptops, new servers? Do you need to pay people while they’re off work? There’s lots of different factors that you have to think through. And I’m not saying you can do that for every single supplier within your footprint. But again, it’s, you know, which of our critical suppliers are we going to have to map that for? And my lens is always: who can give us a problem, who can stop us servicing our customers, either physically or logically, and what can we do to mitigate that going forward? And, you know, there’s always going to be a range. So, try and make that range as small as possible. But, you know, don’t go in with one number. It’s always going to be a range.
Brian: Scott, have you anything to add on that one or?
Scott: Scott’s getting a coffee? No.
Brian: All right, that’s fine.
Scott: Sorry, it’s me talking into my muted telephone. Still on vacation brain. I got back from vacation yesterday afternoon. Um, honestly, it’s just so individualized for every company. I mean, there’s a general framework for, you know, what the prioritization is, you know, based on likelihood and impact, whatever, and the scoring methodology by company. There’s such little standardization based on how it impacts you. Really, I wouldn’t add really anything different than what Brian said.
Melissa: Awesome. Okay, I have time for one more question. Based on your experience, to what degree has collected data in a more digestible format helped an organization negotiate its insurance costs to include cyber security coverage?
Brian: Yeah, it helps a lot, um, because it can show that you’ve understood that risk and you’ve got it under effective management. You know, cyber insurance is becoming harder to get. Its value is becoming mitigated as well. You know, I understand, you know, it’s absolutely fashionable to have, and, you know, it’s best practice to have it in place, but there’s always get-out-of-jail-free clauses on these, right? So if you haven’t done the right things, you might have cyber insurance, but when it comes to cash out, if they come in and say, “Well, you didn’t effectively quantify and manage the risk in your supply chain, then you’re not getting any money, right? Or you haven’t applied your vulnerability management or your patches effectively.” It’s like your house gets burgled, but you left the front door or the back door open. They’re not going to be very happy with you. So having that collected view up front and actually showing them, you know, if you’re using a broker or if you’re going direct to a large insurer, it will actually be a requirement that you’ve understood this risk before they give you the insurance. But showing that you’ve been proactive, that you are effectively managing that process, will lead to a cheaper premium. You know, the more capability you have and are able to demonstrate that you take security seriously in your organization, it will lead to reduced premiums for your organization going forward. So, you know, it has knock-on impacts on that side as well.
Melissa: Great. Well, that is about all the time we have for today. So, I really hope you guys enjoyed this webinar provided by Brian. Um, I’m sure we gave you a lot to think about, and we will be seeing you shortly in your inboxes. Take care. Bye.
Brian: Thanks everyone.

©2025 Mitratech, Inc. All rights reserved.