Shared Assessments gathered another impressive set of risk professionals and regulators at the Eighth Annual Shared Assessments Summit to address this year’s theme, Third Party Risk Assurance: Everything Old is New Again.
Third party risk management may not be a new concept, but with emerging regulations, technologies and standards, more organizations are faced with adopting both traditional and modern ways of managing that risk. Organizations must be willing to evolve to meet new risks and challenges, such as new payment methods, security risks, data breaches and more.
Though the risk management landscape is ever-changing, we were fortunate to find some of the most knowledgeable, forward-thinking experts in the industry to share their insights and solutions during this year’s Summit. Here’s what we learned during our discussions:
The increasing focus of hackers on third parties:
A fundamental point made over and over by Summit speakers was the extent to which the threat landscape is changing. Hackers routinely seek out the weakest entry point, and more and more often third parties are proving to be that bull’s-eye, as in the Target breach. The 2014 Sony hack was used as an example of how the consequences of a breach can reverberate through an organization, resulting in changes to corporate leadership, business plans and reputation.
Managing for risk rather than compliance:
Another point made by multiple speakers was that compliance does not automatically equate to effective security. Too much focus on compliance without a strong risk management culture can result in overconfidence, increased risk and successful attacks. Participants were urged to find ways to weave security into the fabric of their organizations and to move away from a “check the box” compliance mindset.
Governance issues:
Effective security requires the right governance process; that is, good Board/management cohesion, the right tone at the top and shared values across the enterprise. There was a robust discussion about the role of the Board of Directors, senior management, and – in particular – the role of the Chief Information Security Officer (CISO) and the relationship of that position to the Chief Information Officer (CIO) and the Chief Security Officer (CSO). A major focus was the role of the CISO in effective Board communication, and although most speakers and panel participants favored a strong Board role for the Chief Information Security Officer, that perspective was not universal.
National Institute of Standards and Technology (NIST) security guidance:
Another focus of discussion was the difference between regulatory regimes across vertical sectors and even within a single sector. There was a consensus that the NIST Cybersecurity Framework can help build a unified perspective across industry sectors, especially where sector-specific regulatory guidance is not robust.
Optimizing third party risk mitigation:
Collaborative Onsite Assessments Program participants reviewed pilot engagements and reported (1) that these assessments met 100 percent of their institutional needs and (2) that the results were as good as or better than those of their own proprietary approaches.
Leveraging resilience to ensure positive outcomes:
Business resilience has been the subject of recent regulatory guidance and was a focus of several speakers and panelists. Participants stressed the importance of organizational resilience to good event outcomes; without it, event outcomes are at risk.
Identifying your firm’s Crown Jewels:
A number of speakers asked the question, “Do you know what your firm’s Crown Jewels are and how they are secured?” Whether those Jewels are critical intellectual property (the formula for Coke or Pepsi), key business plans (a major pending acquisition), or something else, exposing those secrets can have serious business consequences. Protecting them is a mission-critical responsibility.
Exploring vendor risk management beyond IT:
A number of speakers and panelists raised the subject of third party operational risk management and how that subject fits within the Shared Assessments Program. Panelists spoke about the need for an international vendor management operational risk standard. Staff noted a number of areas where the program is expanding to incorporate operational-risk-related issues, with the expectation that the inclusion of operational risk will accelerate.
More from the Eighth Annual Shared Assessments Summit…
Special Thanks to our Knowledgeable Speakers
This year’s Summit brought together some of the most diverse and talented risk management and business professionals from across the nation. We are grateful to all of these wonderful speakers for their contributions to our workshops, panels and discussions:
We are Surrounded by Industry Champions – VIP Reception Award Winners
Over the last year, the Shared Assessments Program has grown to accommodate more than 140 members. More and more industry champions are joining together to minimize risk and make our world a safer place to do business, so we thought it only appropriate to use a portion of the 2015 Summit to celebrate several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. Congratulations to the following individuals on a job well done:
We ♥ Baltimore
On behalf of the Shared Assessments team, the 240 Summit attendees and 10 sponsors, the Santa Fe Group donated $5,000 to support and thank the Baltimore Development Corporation and the Baltimore City Fraternal Order of Police, aiding volunteers and public servants who dedicated themselves to supporting and protecting the city. We hope our humble gift will help support the peace and rebuilding efforts in the beautiful city that hosted our 2015 Summit.
Our Sponsors are the Best
Thank you to all of our sponsors and exhibitors who made this year’s Shared Assessments Summit the best yet!
2016 Summit Opportunities
Interested in being a sponsor or exhibitor at next year’s Summit? Contact Vicki Dean at vicki@santa-fe-group.com or 602-740-1040 to learn more.