CTPRP: Revenge of the TPRM Nerd

Three years ago Luc Levensohn reached a career inflection point where he decided to transition from IT management to pursue information security compliance full-time. He quickly earned three certifications, including the Certified Third Party Risk Professional (CTPRP) designation, created a one-person information security consulting business and, he explains, broadcast a straightforward sales pitch: “I’m a third party risk management nerd looking for an opportunity in a large organization where I can focus on third party risk 100 percent of the time.” It did not take Staples long to hire him as its senior consultant for security compliance. Levensohn discusses the challenges of execution and the importance of marketing third party risk management (TPRM) best practices throughout the company.

What is your TPRM role at Staples?
Luc Levensohn:  I interface with legal, procurement, security operations, IT operations,  privacy and customers. I serve Staples customers directly, which is not something that many security roles get to do. At Staples, the importance of serving our customers is continually reinforced, and that really resonates with me. Service to our customers is our highest priority. It’s an awesome responsibility!

How has your CTPRP training and exposure helped you fulfill your job responsibilities?
Luc Levensohn: Once you’ve taken the test and earned the certification, it’s really up to you to execute. Although you know what your program should look like, getting to that state can be challenging because you rarely have governance over all, or even most, aspects of the program. I’ve learned a lot by executing. I’ve learned how important it is for me to market third party risk management best practices throughout the organization. Education and communications are a huge part of what we do as third party risk management professionals.

What value do you derive from retaining your CTPRP certification?
Luc Levensohn: The book and the certification are really facets of the Shared Assessments overall body of knowledge, which I continually refer to. This year was my seventh time attending the annual summit, and I always learn from all that content [at the summits and accompanying workshops] and from gaining exposure to other CTPRP’s programs – including some who are our customers. That exposure has been invaluable. It has especially helped us respond to requests from our highly regulated customers – which is a major component of the value I bring to our organization. Through Shared Assessments, I’ve met a handful of people who I can go to with a question or a problem that I’m not 100 percent sure how to address. That issue could relate to documenting a policy for responding to customer assessments or adjusting the framework for contract reviews. I know people who are specialists in those areas from the relationships we’ve developed while working on Shared Assessments committees together. Being able to reach out to them is priceless.

How does the company benefit from your CTPRP certification and TPRM expertise?
Luc Levensohn: First, organizing all of our content – including content from our affiliate companies – based on the SIG framework gives us a powerful tool to manage our evidence and to tell a compelling story. Second, having that broad but well-mapped organizational framework for all of our evidence enables us to be far more nimble and effective when we respond to unique or tailored customer requests. We can be sensitive to those information requests without launching into an all-out fire drill, which is something you always try to avoid. Third – and this more of a Shared Assessments principle than a specific CTPRP component – using risk scoring and risk tiers has helped us manage or own vendors more effectively. We’re continually able to prioritize the areas of highest risk, which strengthens our due diligence in an efficient manner. That’s why I have the people on my team take CTPRP test as soon as they are ready.

Connect with Luc.