Catherine A. Allen, Founder, Chairman and former CEO of Shared Assessments, kicked off the 2022 Third Party Risk Summit with a warm welcome while noting “It’s really a strange time. It’s been a strange time ever since Covid started, and since our last in-person conference, which was in 2019.” She asked for a moment of silence to honor the losses of friends and family on both personal and professional levels, as well as to acknowledge the suffering and loss of life taking place in Ukraine.
“Over the next few days, the panels, the keynote sessions will center around how we are resetting, refocusing and reconnecting after two long years of constant change and challenges to the environment,” Allen continued before briefly describing what’s ahead for those attending in-person at the Ritz Carlton in Tyson’s Corner, Virginia, as well as the hundreds of virtual attendees.
Allen introduced Andrew Moyad, Shared Assessments’ recently appointed CEO, who laid out his priorities for the next few years, which are designed to expand Shared Assessments’ global footprint, measure the adoption of its tools, and create greater value for members and customers by:
In explaining the importance of these goals, Moyad drew on his own journey that led him to Shared Assessments, and his observations on how TPRM has evolved from one of many responsibilities that needed to be checked off a list to a mission-critical, essential part of an organization’s success. Based on his own experiences and observing the growth of Shared Assessments, he wants to partner with Shared Assessments members to further the professionalism of the practice of TPRM and expand the opportunities for careers within the field.
Concluding his remarks, Mr. Moyad surprised Ms. Allen by presenting her with the organization’s first Founder’s Award, which was accompanied by warm testimonials from Ms. Allen’s partners, co-workers, customers, mentees, and associates, highlighting her generosity as a mentor and the tremendous impact of her own work. The previous evening at a smaller gathering, Nasser Fattah, Shared Assessments Senior Advisor, was presented with the 2021 Chain Award, and Phil Bennett, Manager, Information Security Governance, Horizontal Services, Navy Federal Credit Union, received the 2022 MVP Award.
Frances Haugen, the data scientist and engineer who made headlines in 2021 after leaking a trove of internal documents from Facebook showing how the company was well aware of the problems it was creating, delivered a riveting keynote address in which she talked about how the company weaponized its platform and in doing so contributed to international destabilization, and continues to do so. Ms. Haugen also discussed the systemic risks the company (now called Meta) poses to children in its quest for profits and advocated for a “culture of accountability.” We’ll be discussing Haugen’s address in greater detail in a post to be published after the Summit.
Ms. Haugen then joined Jesse Bryan, CEO, Belief Agency, and Lisa O’Connor, Managing Director, Accenture Labs, in a panel discussion moderated by Adam Stone, VP Service Delivery, Chief Privacy Officer, TrustMAPP, about what’s at stake as the Metaverse begins to take form. This fascinating discussion will also be covered in greater detail in a post-Summit blog post, but highlights included Mr. Bryan’s discussion of how DAOs (Decentralized Autonomous Organizations) are simultaneously destabilizing the online world as we know it while leading the way forward to creating new centers of power within it, including outrageous profits in cryptocurrencies. Ms. O’Connor said the Metaverse, “in practical terms, is a way of interacting with technologies to have a sense of place and a sense of presence… The Metaverse isn’t really a thing, it’s a set of technologies that enable experiences.”
Discussing the way people physically interact with the Metaverse, Ms. Haugen described slide treadmills and “for augmented reality, we’re seeing more and more displays that are in things like our glasses… I wouldn’t be surprised if a much larger fraction of our population wore glasses in 20 years and today because of the utility of having an extra screen.”
Mr. Bryan added that the team at Apple developing glasses is twice the size of the team working on the company’s iPhone, “just something to consider if you’re not paying attention,” he said, before adding “the next ten years will have more change than the last 100.”
Dawn Cappelli, Retired VP and CISO, Rockwell Automation Security, discussed what threats concern CISOs the most, what keeps them up at night, and how they approach these issues, with Niall Browne, SVP and CISO, Palo Alto Networks, and Kevin Gowen, CISO, Synovus. Mr. Browne emphasized the importance of focusing on resilience and developing speedy responses.
Mr. Gowen stressed the need to understand how to get the information one needs, knowing its validity, and then knowing what to do with it. In addition, CISOs need to truly understand that information, which he acknowledged presents a real challenge. In his own work he leans on the five pillars of the NIST Cybersecurity Framework: identify, protect, detect, respond, recover.
Building on Ms. Cappelli’s conversation with Browne and Gowen, OneTrust Product Manager Jason Sabourin discussed how to stay resilient. Acknowledging there are “knowns and unknowns,” Mr. Sabourin stressed the importance of knowing your third parties and what they do for you, that threats are coming from governments, and that threat actors are a step ahead of us. How does one stay ahead of those threats and others, including those resulting from IoT and its legions of associated third parties as well as natural disasters, all of which create negative downstream impacts? He stated that business continuity needs to be ingrained in a company’s culture, not just an exercise, as do third party tiering, due diligence, tabletop exercises, and well-developed response plans.
Joe Prochaska, Shared Assessments Board Member, led a discussion with Jeanne Bickford, Managing Director and Senior Partner, Boston Consulting Group, and Shamla Naidoo, CISO, Head of Cloud Strategy & Innovation, Netskope, on what TPRM practitioners need to know about risk and what can be done to mitigate risk. Ms. Naidoo talked about the value of bringing people with you by dividing large challenges into smaller and smaller problems and showing how they connect. Examine how to break big problems into smaller problems, and finally down to the level where they become actionable items. In other words, as Mr. Prochaska noted, “Keep it simple, which allows people to make common-sense judgements and pay closer attention.” Communicating clearly and quickly is essential, especially as the economy and geopolitics grow increasingly complex.
Ms. Bickford added that speed and resiliency are, again, keys to preparing and being ready, as is keeping people informed. Post-pandemic, Ms. Bickford noted, resiliency isn’t just being able to anticipate risk and recover at the moment, but also figuring out how to thrive under new circumstances. Ms. Naidoo stressed the importance of building more trust in relationships. No one can keep up with the volume of managing every risk. Verify, then trust – and don’t pay vendors until you receive what you want or need from them.
Kabir Barday, CEO, OneTrust, delivered an enthusiastic, well-received address to the packed ballroom audience, covering a variety of subjects related to TPRM, including trends that illustrate how the profession is changing, creating new opportunities that are attracting people interested in making positive changes. These people believe trust is the ultimate competitive advantage, and ask “Can I trust you with my data? Does my purchase with you harm the planet? Are your actions risk informed?”
Mr. Barday noted prospective employees want to work for companies that support the world and its people, not exploiters. The same goes for investors who have serious ESG concerns. Companies paying lip service to trust are falling behind, and trust is increasingly correlated to financial performance. There is a positive way to collect data from people if you use it in positive ways. The bottom line is people care and the world is starting to pay attention to existential problems.
Barday observed TPRM teams are likely feeling the pressure of high expectations. He advocates spending less time chasing answers on SIGs and more time providing value to the organization. Finally, Barday shared that TPRM needs a seat at the ESG table.
Linnea Solem, Founder and CEO, Solem Risk Partners, talked with Jo Ann Barefoot, CEO, Barefoot Innovation Group, LLC (and former regulator), about her insights on data governance processes for third party risk. Ms. Barefoot observed that in today’s environment, everyone is struggling to keep up with the rate of change – you’re not alone. There are all kinds of risk professionals, and there is a special need for Data Risk Professionals. We are moving toward principle-driven rather than rule-driven environments. Everyone who is working with data governance is heading into unknown territory, and the rules will lag behind. She advises TPRM professionals to broaden their horizons, smash the silos, and bring young people into what you’re doing because they have different views and perspectives when it comes to technology. Be open to learning from Wired magazine, podcasts, and conferences. Ms. Barefoot believes smart devices will start to help their users control their data instead of making them subject of it.
Day 1 ended with four breakout sessions:
It’s not just your suppliers, but your suppliers’ suppliers that matter: a discussion focused on ways to manage the threat posed by Fourth/Nth parties with Gary Roboff, Senior Advisor, Shared Assessments, Bob Jones, Senior Advisor, Shared Assessments, and Jake Olcott, Vice President Business Development, BitSight.
This session included board directors and chief risk officers discussing what they see as emerging risks of interest to Third Party Risk Management (TPRM) professionals, as well as how boards are handling those risks and board directors are keeping abreast of them, with Catherine A. Allen, Founder and Chairperson of the Board, Shared Assessments, Jane Carlin, Director, iShares, and Susan Keating, CEO, Women Corporate Directors.
A discussion between Andrew Moyad, CEO, Shared Assessments and John Bree, Chief Risk Officer & Chief Evangelist, Supply Wisdom.
This session was about leveraging the experience of your peers in exploring the future, benefits, and challenges of integrating and utilizing continuous monitoring solutions across your Third Party Risk Program, with Charlie Miller, Senior Advisor, Shared Assessments, Colleen Milazzo, Vice President Tool Development, Shared Assessments, Mike Jordan, Founder and Principal, 23Advisory, Eric Evans, Managing Director of Business Development, Rapid Ratings, and Bob Maley, Chief Security Officer, Black Kite.