With the support of BitSight, Shared Assessments kicked off pre-summit events with the “Putting the Shared Assessments Framework Into Action” workshop. From webcam to laptop, the online workshop was a successful exchange of knowledge mapping out navigable routes through the choppy waters of TPRM in the post-pandemic world. Key takeaways (and referenced tips, tools, guidelines) from the workshop follow below.
Addressing Evolving Risk Challenges
The workshop began with an exploration of the “new normal.” Charlie Miller (Senior Advisor, The Santa Fe Group) and Gary Roboff (Senior Advisor, The Santa Fe Group) discussed increased risk and complexity in TPRM. These factors have given jobs in risk more importance as organizations realize that an end-to-end understanding of business processes and risk mitigation practices leads to resilience.
Randy Sabbagh (Technology Director, Technology Risk Management, Charles Schwab and Company) and Tom Garrubba (VP and CISO, Shared Assessments) defined what it means to be a resilient organization. Resilience is the ability of an organization to prevent, adapt to, respond to, recover from and learn from disruptions. To understand a vendor’s capabilities in regard to business continuity, ask yourself: “in extenuating circumstances, can this vendor deliver the functions/products they originally delivered?”
Geo-Political / Environmental
John Bree (Chief Evangelist and Chief Risk Officer, Supply Wisdom) identified eight key risks and suggested these “levers” for mitigating risk:
- Data & Analytics
- Risk Transfer
- Real-time and Continuous Monitoring
By reviewing several instances of COVID-19 developments across the globe (China, India, Philippines), Bree pointed to the need for actionable data as he emphasized a lifecycle approach to risk.
Paul Kooney (Managing Director, Protiviti), Frank Roppelt (Senior Manager, Security Policy & Vendor Risk, TD Ameritrade) and Evan Tegethoff (Vice President of Consulting Engineering, BitSight) provided an overview of the TPRM impact of COVID-19. “Trust, but verify” has become complex: with an impacted workforce, key stakeholders have been furloughed or laid off, and there has been a lack of investment in technology as businesses transitioned to work from home. Continuous monitoring is the answer to unwinding this complexity. With real-time security viewpoints, an organization can determine whether or not a third party will make a good partner. Leveraging OODA is a means of realizing this understanding.
Niall Browne (SVP and CISO, Palo Alto Networks) and Gary Roboff (Senior Advisor, The Santa Fe Group) defined the service types found in the cloud. The cloud has introduced issues of scale and speed with shifts in the workplace. The need to “Shift Left” (moving security into the foundation of development) has never been greater. Creating foundational controls and automation for security is key.
Shawn H. Malone (Founder & CEO, Security Diligence, LLC) and Charlie Miller (Senior Advisor, The Santa Fe Group) presented emerging technologies such as IoT, 5G and AI, their associated risks and recommendations to mitigate those risks. Malone and Miller reviewed regulations around these technologies and definitions within each category of technology.
Mergers & Acquisitions
Phil Bennett (Manager, Information Security Metrics and Analytics, Navy Federal Credit Union), Bob Jones (Senior Advisor, The Santa Fe Group), Linnea Solem (President, Solem Risk Partners LLC) and Christopher Wancko (IT Strategy Senior Advisor, Cigna) discussed using TPRM best practices for due diligence in mergers and acquisitions. By applying TPRM tools and techniques to the M&A discovery processes, organizations can help to identify risks that might otherwise be overlooked. This segment of the workshop gave rise to a new hashtag: #DueDiligenceDistancing. Avoid financial and reputational losses resulting from inadequate and unfocused due diligence by using the tips and tools in the M&A briefing paper published last month.
Brad Keller (Senior Vice President & CSO, The Santa Fe Group) walked workshop attendees through assessment repositories: collections of individual vendor questionnaires. He presented the types of information they contain and their benefits, touching on the differences between assessment repositories and assurance portals.
All sections of the workshop pointed to the notion that any number of factors may quickly increase the need for efficiency in third-party risk management in an evolving environment. The primary challenge in TPRM is likely improving business resilience with fewer resources, a difficult task even in far less economically constrained environments. Workshop attendees were urged to take the basic steps to improve resiliency and to increase the quality and use of real-time data to monitor operational and financial risks associated with third parties.