Our 11th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.
The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.
The Importance of Cassandras in Risk
Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.
When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen to them, even when the risk seems outlandish or laughable.
While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions, and reallocating resources in order to do things differently and mitigate the effects of catastrophic events.
Following Clarke’s eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and the Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to step up and involve the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.
Frameworks to Make the Dream Work
After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One, and focused on how third party risk management fits into different organizations. The panel agreed that we are in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter the size of our organization. While risk classifications have changed over time, tiering is still important, and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:
- What risks do we have?
- What risks are we willing to take?
- What risks are we not willing to take?
- How does that impact the strategic goals of our business?
Believe in Your Mission
Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal. Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the chen and chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.
Making a Vendor Naughty List
After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Routh’s presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.
Will China Overtake Us?
Perhaps even more frightening than Routh’s “Tina and Tony” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief Executive Officer, J.H. Whitney Investment Management, LLC, highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.
People are the Problem… And the Solution
After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.
Maintaining Personal Resilience
Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:
1) Be flexible and adapt to change
2) Embrace ambiguity
3) Get tough, but stay charming
4) Learn from mistakes and failures
5) Focus on helping others
Get Your Regulatory Geek On
Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.
Celebrating Day One
We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11th Annual Shared Assessments Summit.
Stay tuned for our summary of day two!