The 12th Annual Shared Assessments Third Party Risk Summit featured the latest thought leadership and best practices in cybersecurity, risk management, vendor management, privacy and assessments, with provocative topics and engaging keynotes and panelists. Attendees visited with exhibitors and sponsors while engaging in some serious networking with other security professionals, from coffee to cocktails.
Catherine Allen opened the conference by introducing the Founder of Security Risk Solutions Steve Katz, known as “the original CISO,” and recipient of the company’s Lifetime Achievement Award. Katz is a pioneer in Information Security practices.
“We’re all part of the same community,” Katz said in his keynote. “If we don’t help each other out, we’re all going to sink.”
The Game of Risk
The first keynote and panel centered around the role of CISOs and what challenges they’re facing today and into the future. From security breaches to perceived—and often overlooked—risks, the CISO is both executive and technology expert, wielding real power in the boardroom even though their role within the corporation remains fluid and is widely regarded as the hot seat. In fact, according to panelist Devon Bryan, Executive Vice President and CISO for the National IT System at the Federal Reserve, there’s a new name for the information security officer: “Chief Information Sacrificial Officer.”
The CISO is charged with managing a far-ranging and complex portfolio of risk while somehow maintaining a sense of calm. Here’s how Circle K Global CISO Suzanne Hall put it on Wednesday. Imagine a bumpy flight where passengers are gripping the armrests. In the midst of turbulence, the CISO is like a flight attendant “who’s still serving coffee.” So basically, remain calm and, well, serve the coffee.
There is a definite need to demonstrate how certain policies will reduce risk. “We have gold in the vault at the Fed but I don’t have an unlimited budget,” Bryan said.
CISOs should be diplomats, not politicians.
OT vs. IT
Today’s CISOs are also tasked with managing new areas of risk, primarily the convergence of OT (Operational Technology) and IT (Information Technology) and any complications that may, and frequently do, arise.
“Both IT and OT teams have to learn to interact together,” said panelist Gary Bruner, Director of IT at El Paso Electric. “I’ve become a guidance counselor, a priest, a rabbi… I’m a bridge builder.”
Once More Unto the Breach
In other words, breaches happen. But how? According to a study by IBM and the Ponemon Institute, “Cost of a Data Breach,” the three top factors responsible for data breaches are human error, system glitches, and malicious or criminal attacks. Almost half of all breaches are the result of such attacks, which intentionally target certain businesses with malicious intent. The average cost of a data breach for organizations worldwide is a startling $3.8 million, and it continues to grow. Even more startling? An estimated 73 percent of businesses are not prepared to adequately respond to a cyberattack.
Assume that a security breach has occurred at your company. There’s nothing more important than knowing how to rebuild your reputation after a crisis. “Take responsibility,” said panelist Davia Temin, CEO, Temin and Co. “Give a real apology, not a non-apology apology.” Jesse Bryan, CEO and Creative Director at Belief Agency, had a similar rationale. “Companies go down in hubris borne from success and people think they are clever,” Bryan said. “But flat-out lies and half-truths both damage credibility.”
“You have an opportunity after an incident to turn that around and enhance your reputation,” said Teri Robinson, Executive Editor of SC Magazine. “Show that you’re a good steward of data.”
From cybersecurity and data protection, to financial services and machine learning, the first day of the conference explored a wide range of issues—ones that will essentially revolutionize the world of third party risk as we know it.
Only 1.5 percent of security breaches are known.
Which takes us to Day Two.
The Animal Kingdom
James Lam, keynote speaker and President of James Lam and Associates, took attendees on a wild ride as outlined in his February cover story for the National Association of Corporate Directors, “An Animal Kingdom of Disruptive Risks.” There are black swans, or the “unknown unknowns,” gray rhinos, or the “known unknowns,” and white elephants, the “known knowns.” Although each risk has unique characteristics, the impact on a company’s profitability, competitive position and reputation is the same.
As Lam states in his article, corporate directors must “expand their traditional risk oversight beyond well-defined strategic, operational, and financial risks. They must consider atypical risks that are hard to predict, easy to ignore, and difficult to address.”
These challenges make the CISO relationship to the corporate board even more important.
In Boards We Trust?
“Boards feel that it’s the ‘unknown’ that will get us,” said panelist Tammy Rambaldi, Director of Enterprise Risk at Johnson & Johnson. “It’s not always the unknown that gets you. The ‘known’ is most often what’s leading to breaches.”
According to panelist Chuck Yamarone, Chief Corporate Governance Officer at Houlihan Lokey, there’s nothing more critical than the tone that the CISO sets at the top. The overall priorities related to risk and security ultimately dictate the decision-making process of how potential obstacles and breaches will be handled.
“The risk group is not a group of auditors, at least I hope not,” said Annie Searle, a lecturer at the University of Washington. “Be nervous when everybody in the room agrees with you.”
In the final keynote of the summit, Shamla Naidoo, Managing Partner at IBM Global Security Services, discussed global challenges in risk management.
“Cyber risk, technology risk and business risk have all merged and function together in the world of Risk with a capital R,” said Naidoo. She also stressed the importance of diversity in the world of cybersecurity and the lack of qualified candidates. By 2021 there will be an estimated 3.5 million unfilled cybersecurity positions, according to Cybersecurity Ventures.
“Talent is short in the cybersecurity area,” Naidoo said. “It’s a real crisis. There aren’t enough people to fill the jobs and what we’ve done in the past is not working.”
In the Long Run
The summit concluded with a review of the much-anticipated 2019 Vendor Risk Management Benchmark Study, “Running Hard to Stay in Place,” conducted by Shared Assessments and Protiviti. The survey polled 554 risk management practitioners and C-suite executives based on the detailed criteria in the Shared Assessments Vendor Risk Management Maturity Model (VRMMM).
Key insights included:
- A strong correlation between high levels of board engagement with VRM issues and capabilities
- Vendor risk management programs barely able to keep up with the fast pace of change
- A lag in Continuous Monitoring across all sectors
- Resource constraints as one of the largest VRM challenges
More than half of security breaches originate from a third party, making the role of CISO and its overall management of the risk portfolio paramount to a company’s success—or its demise. Putting a plan in place now to both recognize and respond to known and unknown threats (remember the gray rhinos!) is a good first step in what will surely be an integral component of a corporation’s lifecycle.