Looking Back on Spring Time in Washington, DC

Gartner, NIST, and the Washington Capitals

by Jared Feinberg

June 26th, 2018

It’s been a whirlwind tour the last several weeks of spring here in the DMV (DC, MD, and VA for my non-local friends and colleagues), with the Gartner Risk and Security Management Summit, the US Government’s Supply Chain Integrity Month, the addition of supply chain risk management in the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1, and one awesome Championship parade celebrating the Washington Capitals winning the Stanley Cup!

So, what did I learn about cybersecurity that is relevant for businesses and vendors …

  1. Always think about the business—its objectives, its strategies and plans to accomplish those objectives, and how it really operates. This should be the starting point for everything else—knowing the goal and the context matters most! On context, Gartner talked about the full-blown trend of Digital Business—optimizing existing revenue-generating models and creating new technology-enabled business models—and the digital business risk that comes along with it. You probably hear about this a lot—or maybe you don't—but it was valuable to think through how this trend has expanded the cyber threat surface compared to just a few years ago.
  2. Go deeper to prioritize the business—what are its crown jewels or critical digital assets—and use understandable risk frameworks to tie the business, security, and risk together. As you dig deeper, think about what's most important—your crown jewels: IP, business plans, core IT systems. Be able to discuss these, along with your risk appetite and risk tolerance, in plain, human language (not vendor language, not ever more technical risk language, and not just IT-specific language). Doing so will bring business, security, and risk together, talking apples to apples. I urge you to get your hands on a presentation entitled "Digital Business KPIs and Risk: Identifying and then Measuring Value" by Paul E. Proctor, which examined a shift in the risk paradigm from impact v. likelihood to a business view of value v. risk appetite.
  3. Take a wider view and include business ecosystems and supply chains in risk management and cyber security. Consider how business occurs today: complex ecosystems of third parties, upstream vendors and downstream partners, working through physical and digital supply chains. These are dynamic and wholly interconnected relationships. Think about how many data breaches involving critical IP or PII have originated with third parties. The revised NIST Cybersecurity Framework 1.1 enshrines supply chain risk management, recognizing the importance of taking this wider view when building cyber security programs. In fact, the US Government designated April as Supply Chain Integrity Month to emphasize the ecosystem's importance.
  4. Finally, consider the enabling role of technology and the vision of Integrated Risk Management. If you partner with Prevalent or with any number of other technology vendors, how do you leverage technology to enable better risk management and cyber security? Both Gartner and NIST talk about Integrated Risk Management (IRM), which I interpreted as the technology stack of the future. It cuts across the stovepipes of different risk disciplines and enables the business units and the ecosystem to play a direct and dynamic role. IRM is evolving, with a strong vision for the future.

I came away from all these great events thinking that Prevalent's unique value proposition and market-leading approach to third-party cyber risk closely match Gartner's analysis and the emphasis the US Government and NIST are placing on supply chain risk. Our holistic view of third parties shapes how we define and approach risk, using multiple methods and tools from assessment to monitoring. Likewise, we don't just look through the soda straw of technical cyber threat intelligence; we equally look at the strategic context by integrating business intelligence into our cyber risk solutions.

Finally, I want to close with a look at ecosystems and communities by talking about the Washington Capitals, the Stanley Cup, and Alex Ovechkin. The Stanley Cup and the Championship Parade brought together hundreds of thousands of people in the DMV who make up an "ecosystem" or community. It showed how powerfully ecosystems can operate together, and how one great event cascaded across an entire region, across states, and even across countries, with players representing their communities from around the world, led by Ovechkin and Russia, with others from Canada, Austria, the Czech Republic, Wales (UK), Sweden, and Denmark. Such a powerful community coming together, as was visible throughout the parade, is a rare thing to see in one's life, as well as in business. For both the DMV and for our companies, let's hope that with awareness of the overall objective, of what's most important, of the ecosystem and community involvement, and of the right tools or technologies with IRM, we can continue to leverage the power of communities for continued success.

To learn how Prevalent’s unified platform helps make business relationships more secure, download a copy of our Comprehensive Approach to Third Party Risk Management.

Jared Feinberg is Senior Director for Threat Intelligence and a leader in Prevalent’s product management organization. He focuses on enabling companies to operate securely with their business partners and vendors around the world by designing industry leading technology solutions. He leverages 15+ years of professional experience at the intersection of the national security and international business communities, advising senior executives on business strategy and risk management.