Blog

As I type the words of my very first blog, the weight of writing a blog worthy of your reading is heavy on my mind. You may have seen my name or watched one of my presentations where I hoped to influence companies to move away from compliance checklists to adopting shareable third-party assessment techniques.

Yet this blog isn’t about me. It’s about how third-party risk continues to crawl towards an economic approach across all industries.
My passion in life and career is to help companies resolve the snail's pace of evolution from the vast frameworks and methodologies used across the globe to a standardized third-party risk governance using a flexible model for all companies, large and small. We all know that third-party governance is supposed to minimize risk in a fast-paced, changing cyber landscape. It is beyond my comprehension why companies fail to understand that identifying and managing risk is necessary to minimize risk, especially when we allow third parties to handle our most sensitive data.


We are continuing to learn more about the breach at Larson Studios which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware event, it fails to provide insight into how this could have been prevented.

Until most recently, only banks really focused on third-party risk issues, due to regulatory requirements. They were then joined by healthcare providers as their regulators began to require robust third-party practices as well. Most recently, insurance companies have joined the ranks of the third-party risk conscious, along with other firms whose boards and senior management recognize the risks that third-party service providers create through unauthorized access to customer data and company networks. However, the Larson Studios incident reinforces the fact that assessing data protection and IT security controls at vendors isn't just for industries whose regulators require such programs.


On June 7th, the OCC issued a welcome update to the 2013 Guidance on how to manage third-party relationships (OCC Bulletin 2017-21). While much of the guidance provides insight into how to address issues related to fintech companies, there are several key areas that have received little, if any, previous formal comment by the OCC. This first in a series of blogs will address an area of the Guidance that will substantially improve the TPRM process.


Security professionals are a smart, resilient group. Whether dealing with the constant barrage of threats from hackers, software vulnerabilities, privacy concerns, or compliance activities, security professionals are generally in a constant state of learning from on-the-job experience, technical books, journals, and conferences. However, I have often wondered how many security professionals have an opportunity to reach the C-suite. Certainly, the CISO position has increased in importance and relevance over the last several years, but I am not sure it is a path to the CEO role. There is also no generally accepted reporting structure for the CISO – is this a technical position reporting to the CIO, a financial position reporting to the CFO, or a strategic position with a line to the Board?


An Ode to Narcotics

I admit, the title of this blog was written to grab your attention. But it was also legitimately inspired by recent personal events. About a month ago, my daughter underwent shoulder surgery, and given her multiple shoulder injuries over the years, it was an extensive procedure that involved bone grafts and several medical terms I don't understand and can't pronounce (or spell). We brought her home with a collection of Schedule II narcotics that would make the members of Aerosmith (circa 1978) salivate.
