Security professionals are a smart, resilient group. Whether it is dealing with the constant barrage of threats from hackers, software vulnerabilities, privacy concerns, or compliance activities, security professionals are generally in a constant state of learning from on-the-job experience, technical books, journals, and conferences. However, I have often wondered how many security professionals have an opportunity to reach the C-suite. Certainly, the CISO position has increased in importance and relevance over the last several years, but I am not sure it is a path to the CEO role. There is also no generally accepted reporting structure for the CISO – is this a technical position reporting to the CIO, a financial position reporting to the CFO, or a strategic position with a line to the Board?
In a recent ILTA survey, over 420 law firms of all sizes were asked what their top three technology issues were within their firm (Source: ILTA Technology Survey, 2015). The number one answer was security/risk management. In fact, security and risk management concerns have increased significantly over the last four years, from 24% in 2012 to 42% in 2015.
I had the great pleasure to participate in an international roundtable in Singapore last week with Shared Assessments. The event was hosted by Deutsche Bank and was well attended with banking, service providers, and local regulatory members in attendance. Prevalent and Protiviti, both members of the Shared Assessments Steering Committee, made the trip to support the Santa Fe team. Local Shared Assessments members included JPMC and Deutsche Bank. The conversation was extremely robust with a few key discussion areas that I would like to highlight.
I am excited to announce an initiative we have been working on with many of the leading global law firms for some time. About 25 law firms approached Prevalent in an effort to determine the viability of creating a purpose-built network that could help standardize the process of third-party assessment, reduce risk, reduce cost, enhance client relationships, and improve industry cybersecurity maturity. After months of working closely with this team, Prevalent developed a model to support the initiative specifically for the legal community, with the legal community. The model leverages Prevalent’s leading technologies and provides a standardized process for evidence collection, review, risk management, and continuous monitoring.
Today, the Shared Assessments Program released a briefing paper titled “Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program”. The paper was developed out of great necessity, as it became clear that Program members needed additional guidance when managing incidents at the service provider level.
I am very excited to announce the launch of our Prevalent User Group (PUG). PUG will provide our users with a forum to learn about the best practices, tips & tricks, and updated capabilities of Prevalent software solutions as well as provide the ability for our customers to learn from the field experiences and successes of other Prevalent users.
PUG was designed for anyone who is:
I struggle with the need for public references. Clearly our prospective clients want to know that their peers are using our products and services; however, by publicly providing proof that customers are using our solutions, we also knowingly bring more scrutiny by the very criminals that our solutions are supposed to protect our clients from. Additionally, while clients often would like to see public references, they often refuse to be one (with good reason). As a security professional, I would also generally not recommend that my clients provide public references, but our marketing and PR teams are always asking because ALL of our competitors do this. I think we need a better way (and a referendum) that does not harm Prevalent for not trying to compete publicly with firms that would potentially do harm to their clients through the use of public acknowledgement. Maybe a private reference and credentialing model to be shared with other potential clients would help here?
This week, Prevalent published an infographic developed by analyst firm EMA focused on vendor threat management.
The infographic starts with a simple question: ‘Do We Need Vendor Threat Management?’ It depicts a senior executive asking a team member whether his organization is prepared to take on third-party risk. The team member answers that they are not, but neither are 92% of other organizations. The fact that EMA’s research identifies most companies as unprepared for third-party risk management is indicative of overall cyber risk preparedness, given the trends in outsourcing, the use of the cloud, and managed services.
Shared Assessments held its inaugural international roundtable in London this week, and I was very fortunate to be able to participate. The event was attended by leading financial services firms and service providers. It was put together by the Shared Assessments International Subcommittee, headed by Shared Assessments member Lin Lu, Americas CISO for Deutsche Bank, and was hosted at Deutsche Bank’s London offices. The inaugural event highlighted the need for educational and standards leadership by Shared Assessments in the UK region.
While many Shared Assessments members are global firms, the program itself has been focused primarily on the United States. The conversation was excellent and extremely timely given new regulations and changing privacy requirements for both US and European firms. In fact, on the very day of the event, Safe Harbor was effectively struck down, allowing more oversight by European regulators over data being sent to the US.
Why Discovery Automation (with NEW CloudID) Is Important to Your Third-Party Risk Program
One of the areas our clients often complain about is not knowing who their third-party service providers, cloud vendors, and software providers are. This creates a significant gap in their third-party risk efforts, because providers with access to sensitive data may not be appropriately assessed and monitored from a cybersecurity perspective.