Moving from Sharing is Scary to Sharing is Caring: Leveraging Reusable Content to Expedite Third-Party Risk Reduction Efforts

Storing your information security content and associated artifacts in a shareable network will stop the pandemonium, opening opportunities to reduce risk, and face resiliency head on.
Brenda Ferraro
Vice President of Third-Party Risk
April 04, 2019
Blog Laptop

“Sharing is caring!” We all heard this phrase growing up and in today’s information security world it still proves to be fundamentally true. I’ve spent the past six years working with companies to influence their third-party risk management program, and encourage the adoption of an economic approach. As a practitioner, I test techniques to help companies mature their program to meet regulatory compliance requirements. As an advisor, I assess company programs to help organizations step away from processes that prevent them from re-using relevant standard content and design custom evolutionary approaches – all in the spirit of expediting risk awareness for resiliency. Yet still, the concept of information sharing keeps me up at night…

How third-party risk information sharing is evolving

Collectively, industries across the globe are working towards what I call ‘stop the questionnaire pandemonium’ by way of implementing profile-type content gathering. There has been a shift from gathering information about all of a vendor’s operations, to the collection of meaningful content, relevant to the service being provided. At the most mature state we have observed a trend towards simply collecting content specific to key or must have controls. We mustn’t forget that the three most critical aspects to support all risk frameworks and meet regulatory requirements such as NIST, ISO, FAIR, and others is to;

1) Know your companies’ key controls,

2) Share standardized content and artifacts,

3) Identify and track risk closure to better understand risk tolerance.

Seems simple, right? Not always but it can be.

How the Shared Assessments content library can help

The Shared Assessments content library toolset (notice I didn’t refer to a questionnaire) has significantly become the most flexible and reusable content library of information on the planet. The content library literally can be right-sized by profiling to ensure that information collected is relevant for risk management. Furthermore, the sharing of content yields machine learning opportunities to address the top vulnerable security controls. Implementing a standardized content library approach removes delay and waste from the collection of content and artifacts, making room for risk management. Storing your information security content and associated artifacts in a shareable network will stop the pandemonium, opening opportunities to reduce risk, and face resiliency head on.

To learn more about the best practices to finding greater assurance in your third-party business relationships, join me next week at the 12th Annual Shared Assessment Summit in Arlington, Virginia. I’ll be leading a panel discussion on Risk Framework and Risk Appetite and co-teaching a four-hour workshop session on Cybersecurity and Continuous Monitoring featuring an audience participation third-party risk scenario table-top exercise, among other experts.

If you happen to be at the Summit, please stop by and see me at the Prevalent booth; I’d be happy to share my experiences with you!

For any questions regarding Prevalent, contact us today.

Leadership brenda ferraro 2
Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo