I know, I know. This title sounds more like the start of a bad dating app than the title of a blog, but these two seemingly different functions have much more in common than they think they do. Or they should. It is crucial to your organization’s security that these unlikely coworkers work closely together and understand each other’s roles. I’ve read many research and thought leadership articles discussing the “digital partnership” of the CMO and CIO relationship, especially with the rise of marketing technology and tools. In fact, Gartner even predicted that CMOs will soon spend more on technology than CIOs will. While this partnership is important, I can argue that the CMO and CISO relationship is just as, if not more, important.
Law firms know that they are a perfect target for a cyberattack due to the volume of sensitive information that they store and have access to. A recent Robert Half Legal survey found that 41 percent of U.S. lawyers said that their law firm or company plans to increase spending on cybersecurity-related tools and services in the next 12 months. Law firms are also under increasing pressure from their clients to assess and manage the risk of outsourced services. Whether it’s an eDiscovery vendor, title company, or other outsourced service, they have an obligation to protect their clients’ information should they choose to share it with a vendor. However, managing vendor risk is a costly, time-consuming, and non-billable proposition. Fortunately, Prevalent has teamed up with top law firms to address this issue.
Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well, folks, I’m here to do just that.
Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide to or share with your vendors, whether that data is covered by GDPR, and, if so, what requirements are associated with that type of data. Vendor contracts must be modified to include new language defining the vendor’s role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced with, but that would just add to your problems rather than help you solve them.
As I type the words of my very first blog, the weight of writing a blog worthy of your reading is heavy on my mind. You may have seen my name or watched one of my presentations where I hoped to influence companies to move away from compliance checklists to adopting shareable third-party assessment techniques.
Yet this blog isn’t about me. It’s about how third-party risk continues to crawl towards an economic approach across all industries.
My passion in life and career is to help companies resolve the snail’s pace of evolution from the vast frameworks and methodologies used across the globe to a standardized third-party risk governance that uses a flexible model for all companies, large and small. We all know that third-party governance is supposed to minimize risk in a fast-paced, changing cyber landscape. It is beyond my comprehension why companies fail to understand that identifying and managing risk is necessary to minimize risk, especially when we allow third parties to handle our most sensitive data.
We are continuing to learn more about the breach at Larson Studios which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware event, it fails to provide insight into how this could have been prevented.
Until recently, only banks really focused on third-party risk issues, due to regulatory requirements. They were then joined by healthcare providers as their regulators began to require robust third-party practices as well. Most recently, insurance companies have joined the ranks of the third-party risk conscious, along with other firms whose boards and senior management recognize the risks that third-party service providers create through unauthorized access to customer data and company networks. However, the Larson Studios incident reinforces the fact that assessing data protection and IT security controls at vendors isn’t just for industries whose regulators require such programs.