Leading by Examples
As a director of information security for First National Bank of Omaha, Dan Browder leads a team that manages the company’s third-party risk from an information security perspective. His current responsibilities, which include collaborating with the bank’s corporate risk group, are a bit surprising given that he says he “didn’t want anything to do with vendors” just a few years ago. His experience earning his Certified Third-Party Risk Professional (CTPRP) designation changed his mind – and his career. “I came back from the workshop and realized that there was a whole new realm for me to dive into,” Browder recounts. “I’ve basically become the third-party security risk guy in our company.” He was also promoted thanks to his newfound expertise, and he now presents on the topic at information security conferences around the country. In addition to describing his conversion to a third-party risk management (TPRM) evangelist, Browder discusses the program improvements he’s helped guide and why real-life examples are so effective in selling other stakeholders on the need for a mature TPRM capability.
What changes did you help your organization make after you earned your CTPRP?
Dan Browder: The workshop reassured me that we were doing a lot of things really well. It also opened my eyes to a number of improvements that we needed to make. I took those insights back to our information security group and we overhauled our assessment approach and significantly increased the number of vendors that are in scope. As we’ve done so, we’ve identified more problem areas and ways to correct them. We now work directly with our vendors to address these risks where we used to work through intermediaries. We’ve also expanded our team’s collaboration with the enterprise TPRM program and worked to include more types of third parties in scope. Many of those changes were made as a result of the training I received in the CTPRP coursework.
What TPRM improvements have you worked on more recently?
Dan Browder: Time is one of the biggest challenges you face when you increase the number of vendor reviews you conduct, so we’re very focused on efficiency. We’ve purchased third-party risk tools that let our vendors respond to our assessments by answering questions online. We’ve also been working with our enterprise risk partners to streamline their GRC platform, simplify our third-party assessments, and better integrate with our tools. When I came back from the CTPRP course, I designed a new program that I wanted to implement all at once. But it doesn’t work that way. The CTPRP training focuses on creating review schedules based on risk, and you have to implement program changes according to a similar approach – in phases based on the magnitude of the risk that an ineffective process or practice poses.
How has the CTPRP certification helped your career?
Dan Browder: I was promoted from a senior analyst to a director, and I believe the majority of that decision was based on how I’ve applied the CTPRP training here at the bank. I went from not wanting anything to do with third-party risk management to wanting to be in the middle of it. It’s really changed the direction of my career. Inside the company, I’m a primary advocate for analyzing third parties. Outside the company, I’ve been speaking about third-party risk at information security conferences. I love having conversations at those conferences, especially when I hear new examples of security breaches caused by third-party issues. Those examples can vividly illustrate what went wrong with an assessment and let you make the case for how the assessment should have been conducted.