On June 7th, the OCC issued a welcome update to its 2013 Guidance on managing third-party relationships (OCC Bulletin 2017-21). While much of the Guidance provides insight into how to address issues related to fintech companies, several key areas have received little, if any, previous formal comment from the OCC. This first post in a series addresses an area of the Guidance that will substantially improve the TPRM process.
Security professionals are a smart, resilient group. Between the constant barrage of threats from hackers, software vulnerabilities, privacy concerns, and compliance activities, security professionals are generally in a constant state of learning from on-the-job experience, technical books, journals, and conferences. However, I have often wondered how many security professionals have an opportunity to reach the C-suite. Certainly, the CISO position has increased in importance and relevance over the last several years, but I am not sure it is a path to the CEO role. There is also no generally accepted reporting structure for the CISO – is this a technical position reporting to the CIO, a financial position reporting to the CFO, or a strategic position with a line to the Board?
An Ode to Narcotics
I admit, the title of this blog was written to grab your attention. But it was also legitimately inspired by recent personal events. About a month ago, my daughter underwent shoulder surgery, and given her multiple shoulder injuries over the years, it was an extensive procedure that involved bone grafts and several medical terms I don’t understand and can’t pronounce (or spell). We brought her home with a collection of Schedule II narcotics that would make the members of Aerosmith (circa 1978) salivate.
When most of us think of our vendors handling sensitive information, we tend to gravitate toward the obvious: the payroll processing company, our contracts law firm, our accounting firm with our financial data, or the patent law firm with all our intellectual property. Frankly, the company that builds and maintains the company website isn’t typically top of mind.
Ask the Australian Red Cross if they agree.
In a way, the Sony breach was really good for the cybersecurity community. A watershed moment in the industry’s history, it began a transformation from infosec as a compliance requirement – a nuisance – to a legitimate enterprise need, right up there with sales and product development (well, not exactly, but you get the idea). It prompted increased investment in infosec technologies (e.g. SIEM) and accelerated the development of new ones (e.g. UBA).
But, I’m afraid, it was not so good for the third-party risk community.
“But Jeff. That’s silly. After Sony – and on the heels of Target especially – regulatory organizations and companies alike began to appreciate the importance of their vendors’ information security.”
My point exactly.