December 01, 2023

00:44:13

Episode 230 Deep Dive: Alen Zenicanin | Perspectives on Vendor and Third-Party Risk Management


Show Notes

Hailing from Eastern Europe, Alen arrived in Australia in 1996 and has been a daily contributor to Australia's cybersecurity scene for over 15 years. Having helped hundreds of organisations improve their threat landscape and avoid costly breaches, Alen is a leader in cyber security, information security, risk management and governance/compliance. A regular guest speaker at webinars, summits and industry events, Alen is considered a valuable asset in helping non-technical people understand the value of technology risk management. Experienced across industries including aerospace, renewable energy, legal and government, Alen is highly sought after as an industry subject-matter expert.


Episode Transcript

[00:00:00] Speaker A: When you're selecting a vendor, you have to make sure that they've got all the basics in place. And if you're not doing that and a lot of people don't, because unfortunately, cybersecurity is still an afterthought, it's your fault you didn't have your ducks in a row before you decided to transact. [00:00:20] Speaker B: This is KBKast as a primary target for ransomware, hand security and testing and performance risk and compliance. We can actually automate that, take that data and use it. Joining me today is Alen Zenicanin, founder and lead consultant from Securia. And today we're discussing third party suppliers and breaches. So, Alen, thanks for joining and welcome. [00:00:44] Speaker A: Thank you, Karissa, for the intro, and I'm glad to be here. Thank you for the invite. [00:00:48] Speaker B: So, when we spoke a few months ago, you and I had a chat about the podcast, what we're going to cover, etc. You came up with a big statement, which I like. I like people to have an opinion. I like people to sort of rattle the cage a bit. But one of the things that I really liked that you sort of came out with was, stop blaming your vendors for your breaches. Be all, end all of the statement. So tell me more about this. [00:01:12] Speaker A: Absolutely. It rustles my feathers when I hear about a data breach, and the statement is, oh, it was a data breach related to our third party vendor or one of our partners. You cannot pass the buck. It is your responsibility to do your due diligence on each of your vendors. If you're simply giving your customer data over to a partner because you find the price point is good, or they meet your requirements in terms of serviceability, that's not good enough. You need to do due diligence. Do they have ISO compliance? Do they store the data locally? Or is it in a data warehouse somewhere in Pakistan or India or Manila? Are they conducting cybersecurity awareness training for all their staff?
All the things that you need to know before you hand over your customer data and, yeah, I just don't accept that as a cause for a breach. It's simply saying, it's not my fault, it was our partner. No, you've got to do the due diligence. [00:02:12] Speaker B: Do you think it deflects blame a little bit, then? So it's like, oh, well, so and so got breached, but actually it wasn't really us, it was our partner. Do you think, like, from an end user customer point of view, would you say a consumer is thinking, well, it probably wasn't X company, maybe it was the third party, for example. Do you think people do think like that or do you think that customers are still like, well, you're the company that got breached, so the buck starts and stops with you. [00:02:35] Speaker A: You're right. The end consumer or the actual owner of the information that was breached will often read the news and kind of agree with the notion I think most people in the world do. They sort of read the news and go, okay, well, yeah, it must not have been that company. But again, that's to protect their brand, right? And I get it, when you're doing an incident response, you want to try and do some damage control, but we in the industry know a little bit better, right? We know that there are third party risk management processes and it just tells me that that's not being done or it's being done in a bad way. So I think it does work to keep the trust, but again, when you're looking at it from a security perspective, it's a no go. [00:03:16] Speaker B: Okay, so you said it does work to keep the trust, but does it though? Or do you think it's a bit of a coward move to be like, we didn't do it, he did it. I think what keeps the trust is actually owning it. Like, hey, we made a mistake. No company's perfect, no one's perfect. People make mistakes. Even companies, billion dollar companies do it. I don't know. 
Do you think it's better that people own it fully rather than say, oh, it was these other people we don't even know that potentially caused the issue? [00:03:42] Speaker A: It's a double edged sword because your regular client doesn't really know security too well. They couldn't really know one from the other. Cybersecurity is still an immature, I guess thing out there in the industry, so your regular consumer, depending on what the service is, doesn't really know any better. So again, they'll read the news and say, okay, well, okay, it wasn't really them, it was somebody down the line. But again, you and I know better. So do I think that it's better to be honest and transparent? Absolutely I do. But if I personally had billions of dollars at stake and it was a little bit easier to say it was a third party, I may consider saying that, but again, it's better to be 100% trustful and transparent because, hey, you got done, but you should say, this is what we've done to rectify it. This is what's going to happen to make sure it never happens again. And here's a couple of free services, such as identity protection, to, I guess, help with the damage control. So it's a double edged sword and a lot of people tend to use the easier route, which is not admit that it's them and kind of, again, point the finger that way a little bit. [00:04:55] Speaker B: So do you think it softens the blow a little bit to be like, oh, well, he she, they did it. [00:05:01] Speaker A: It definitely does soften the blow for the end consumer. But I lose trust personally again, because I'm in the cybersecurity industry and I know what should be done with my data. I've been affected personally by a lot of these data breaches. I'm not going to name any names, but when you think about health insurance, I'm sure a name pops up into your head. I was affected by that and I was absolutely furious that they were using that excuse. 
But it does soften a blow across your customer base and it keeps that money coming in because they're more likely to keep transacting with you. I'm not saying that's the right thing to do, but when it comes to business, business is business. You need to make money and that's what they'll more often than not do. [00:05:44] Speaker B: So let's put the lens on the third party. So how does that third party feel that they've just been blamed then? Whether their name's out there or their name's not out there, they're still going to know, oh, they're definitely referring to us. How does that look from a partnership point of view? Hey, we're delivering services into you and you fully just blamed us in the media for this data breach. How does that look? [00:06:03] Speaker A: Absolutely. And it's a very dangerous game, which is why the statements that are being made are really carefully constructed. So they won't name the third party vendor or the downstream partner. They'll simply say vendor or third party partner, along those terms. So they won't exactly throw them into the fire in that sense. So they're very smart in terms of how they go about that, moving the blame away from them, but not necessarily naming names. [00:06:30] Speaker B: Yes, you're right, they're not going to name names in the media. But if they're doing some type of forensics investigation and they figured out it was X vendor that caused the issue, that vendor themselves is going to know that they are the third party. They're in all of the media statements. So how's that going to look moving forward from a partnership point of view? How are they going to feel? [00:06:52] Speaker A: It is, and unfortunately I've been involved in such incidents and they don't feel very nice about it, but they pull the whole contract game. So they say, well, we've fulfilled our deliverables, we've done this and we've done that and we're 99.99% available.
But our contract never stated that we were going to have annual penetration testing, that we're going to do cybersecurity awareness training, that we're going to enable MFA on all our user accounts. That was never the agreement. We were just providing you with the service that you scoped out to require from us. So it's a little bit of a cat and mouse game in that sense. Now most of those partners that are involved or that are at fault, if I'm going to use those terms, they've got their tail between their legs, but they're also contractually obliged and they usually fulfil those contracts. Which is why, again, I circle back to you can't blame the vendor, because you've got to make sure that stuff's in the contract. You've got to make sure your vendor obliges and has those basic cybersecurity practices, which in my mind are basic. You should be doing pen testing, you should have ISO compliance. [00:07:57] Speaker B: So if you're a third party and they hit back to the company that had a breach, hypothetically. And they're like, well, like you just listed off before, here's all the things of the contract. You as the client don't really have a leg to stand on because we fulfilled our obligation according to the contract, because you didn't stipulate all these other things potentially. So shouldn't it be on the client who is engaging? If they want all of these things hypothetically, they've got to be prescriptive with it. If you're a regulated industry and we're going out to some vendor or some supplier to do some type of work or whatever it is, it's up to the client, wouldn't you say, to stipulate all the things that they need in order to reduce the risk of a breach, hypothetically? So then how is it fair that a client turns around and says, well, we got popped because of you guys, but then it's like, well, you didn't stipulate what you wanted. How is that fair? [00:08:46] Speaker A: 100%. And it's not a fair game, really. This is exactly why we're talking today.
It's about that third party vendor management process. When you're selecting a vendor, you have to make sure that they've got all the basics in place. And if you're not doing that and a lot of people don't, because unfortunately, cybersecurity is still an afterthought. And if it is not an afterthought, it's not mature enough to look at the vendors. They're still looking at their own backyard, so to speak. So you're absolutely right. How is that fair? It's not fair. And a lot of the times it goes back to that primary company that had the breach. And I'm sorry, but it's your fault. You didn't have your ducks all lined up in a row before you decided to transact your sensitive information, which is now being stolen and identity theft is occurring, and hundreds of thousands of dollars, if not millions, are being lost to taxpayers such as you and me. [00:09:43] Speaker B: So you said, getting the basics in place when engaging with a third party. What are the basics from your point of view? [00:09:49] Speaker A: In my point of view, it's usually the top five things. So do you do cybersecurity awareness training? Do you hold my data in a sovereign place like Australia, or at the very least the UK if it's a GDPR scenario? Do you have MFA in place? Are you doing penetration testing, at least once a year? So those are kind of the top five. Now, I won't necessarily not transact with somebody that doesn't have ISO compliance if they adhere to the ISO principles, which are some of the things I've mentioned. But also, for example, have certain policies, like a fair use policy, a clean desk policy, a work from home policy, that stipulate certain security measures. Some of the companies I've worked for literally ask you for a photo of your work from home environment just to make sure it's not in a compromising place. Now, it's lovely to have somebody that has ISO 27001 compliance, because the checklist to achieve that certification is quite comprehensive.
But again, it's not a deal breaker for me as long as they adhere to or they follow the principles which I just listed. [00:10:55] Speaker B: But wouldn't it depend on what type of, one, what company you're operating in? Again, if it's regulated versus non-regulated, versus the engagement, the style. Like if you're outsourcing to a system integrator, for example, obviously that's a little bit more critical than, I don't know, some random transport company, hypothetically. So would that then depend? Or else some of this stuff that you're saying is pretty heavy duty for someone that's providing transport services to transport the CEO from the airport to the office, wouldn't you say? [00:11:23] Speaker A: I'd agree with that. It just depends on what type of data is being handled, you know. Going to the bigger end of town, like a bank, for example, they're transacting not just personally identifiable information like PII, but they're also doing PCI, so payment card information, or things that can be used to purchase financial products, which is at the large end of the fraud scale. The example you gave of a transportation company just taking someone from here to there, they're also taking a card payment. So where is that going? Is that going through a third party that's an overseas carrier? Is that being stored somewhere that we don't know where it is and it's not really regulated? So it depends on the data and what type of business. You're absolutely right. Is it a financial services organisation? Is it PCI or only PII? Is it going to fall under Sarbanes-Oxley, which is the American sort of compliance standard since 9/11, to make sure that terrorism isn't being funded? So things are being scrutinised a lot more, and then you're talking about things like AML, anti-money laundering.
So again, it does depend on the business, but that's up to you as the company owner or as the CIO or CISO to make sure you're picking your vendors right based on what type of data they're transacting for you or holding for you. And that's why a data classification policy is so important. You need to know what type of data you're storing, where is it stored, who's touching it, for how long, and all those things. [00:12:51] Speaker B: Do you think people employ data classification models in your experience, or not enough? [00:12:58] Speaker A: Absolutely not enough. I can name a handful of organisations that actually do that properly. A lot of people just classify data as data. It's stored on a shared drive. They might split it up into departments, finance information and such. Yeah, apart from that, they don't really do it in a granular sort of way, because I think cybersecurity as a whole, not just globally, but in this country especially, is not mature enough. It's something that's still only very recently coming of age. The basics about ten years ago was having a penetration test. Now slowly we're diving into compliance like ISO and SOC 1, SOC 2. Now what I'm seeing is a high uptake of security operations centre services, so 24/7 monitoring and such. And of course there's a massive cost behind it. You can't just download a policy off the internet, slap your logo on it and consider it done. There's a massive amount of work that has to go in through workshop discovery processes and then of course changes to the IT infrastructure. Who's got access to what data, where is it stored, for how long do we need to retain it, and who's controlling that data being deleted after the fact. All these things take an immense amount of money and I don't think the cybersecurity budget is quite there yet. We're given a sliver of money off the total budget and we've got to work with that.
So people kind of look at the low hanging fruit first, maybe MFA or moving from antivirus to EDR, and maybe having some of the few basic policies that will give us a level of compliance. But data classification has a lot of heavy lifting involved and there's just not much budget being allocated. And of course the outcome of that is a breach occurs and you have a much bigger bill than you would have if you had actually given a little bit more budget to prevent that. [00:14:52] Speaker B: So then going back to some of our commentary before around the accountability, would you say generally there's still a lack of accountability when a breach occurs, irrespective of whether it's in regards to a third party or not? [00:15:06] Speaker A: I would say that yes, I've only seen a handful of companies kind of admit and say, yes, we didn't do a good job. Now I recently got an email from a very popular pizza service, and I like pizza, so I often order from them. And I got, unfortunately, an email saying we've been breached, your data has been affected, but rest assured we're going to do the following things. We've upgraded our security systems. We've hired Mandiant, now owned by Google, to do some incident response and forensics, and we'll keep you up to date as information comes to hand. So that sort of stuff I really, really commend, because they're taking accountability, not passing the buck, and kind of helping me and telling me what they're going to do, and even spending a lot of money to prevent, or soften the blow rather, which is completely opposite to some of the other pass the buck scenarios that I've seen. [00:16:02] Speaker B: Well, here's another example, through Equifax. At the time of this interview that we're recording, I interviewed Jamil Farshchi, who's the global CISO of Equifax, and in the interview he said post breach, we at Equifax poured $1.5 billion into security. So that's like they're obviously taking it seriously.
That's an example of trying to do the right thing, irrespective of, yes, there was a breach, et cetera. But what about for people who are not really doing that, then? I'm under now the assumption that consumers are expecting more from companies and not just, oh, well, our data got breached. That's the BLM a little bit. Like, look at what happened last year. There's breach after breach after breach. I'm looking at these companies' Instagrams and the comments that are in there and what people are saying. It was pretty intense, because obviously people expect more nowadays. So it's not going to be enough to be like, oh, well, here's an email about what we are going to be doing. How do we know as a consumer they'll follow through? How do we know that they're going to actually do that? Because anyone can come out there and say, we're going to be doing these things, and then as a result, don't. What does that look like exactly? [00:17:11] Speaker A: And you're absolutely spot on. I think as time goes on, the consumer is slowly expecting more. And the real game changer, in my eyes, was the introduction of the mandatory data breach notifications. Up until then, people didn't really care if they got breached, like, sorry, and they didn't even let you know. You didn't even get a courtesy email saying, hey, we've had a breach and your data might be affected. You just found out by having your identity stolen, your SIM card ported, or having some money missing from your account, or even some new loans being taken out in your name. People just didn't really care. They didn't want to spend the money on security, and they weren't being held accountable. But now they are. And I really love that. News outlets are starting to really jump on that a lot. They're kind of like hungry wolves. As soon as they hear about a data breach, they'll get on there and you'll hear about it. And the end consumer now is starting to slowly think twice about transacting with a certain company.
A lot of people now are going to go to the website and click that privacy policy button and look at their privacy statement. If it's not there, they're kind of going to think twice and might go to the competitor. And that's also creating competition now amongst service providers. If you don't want to spend money on cyber or security, great, but your competitor will, and that's most likely going to end up in you losing revenue and your competitor blowing you out of the water. [00:18:38] Speaker B: So I want to talk, okay, those are great points. I was talking to someone recently in the industry. This wasn't on the podcast, it was just a chat. I asked the question, do you think consumers will become desensitised to breaches because there's been so many of them? Do you think it will just get to the point where people just don't care anymore because they've been in every breach, every major breach in Australia, for example, because, like, oh, well, it doesn't matter anyway because I've been breached here, here, and here? Do you think it will get to that point that consumers will just give up? Who cares about the privacy policy? Because stuff's out there anyway, and it's very hard to get back. It's not like it's out there and you get it back. It's out there for good. [00:19:18] Speaker A: No, I don't think they'll get what I like to call data breach fatigue. It will actually do the opposite. People really care about their information because their identities are being stolen. It's inconveniencing them at the low end of the scale, but they're losing money at the high end of the scale. So I think, especially because there's a lot of figures being talked about in news outlets when it comes to a data breach, I'm hearing things of upwards of five and a half million dollars just to pay back clients, pay back the consumer for their losses from identity theft and financial services impersonation.
And I think slowly, because those news outlets are drilling all that through and people love the news. We all like to listen, and we believe that what we read is true. I think it'll be on the other side of the scale. People will care more and more and more, and they won't just give up and say, oh, well, it's another data breach. Whenever there's a data breach, I can hear murmurs around the office and people are just complaining, it's another data breach. And I know, right, I'm affected. And you have all those water cooler conversations where people actually really do care, and there's that great service, Have I Been Pwned? You can go and check if you've been affected by a breach, and it's a very popular service that will usually highlight these things, and that's a very, very public service. Even non-technical people that I know are using it just to make sure that their information isn't out there. We're trusting more and more information online as we're transacting. We're moving from the bricks-and-mortar society to an online system for everything. We want to eat, we order something online and it's there within 30 minutes. We want to buy clothes, we do the same thing. So as we trust more and more information, I think even the non tech savvy people are kind of recognising that, and they're taking a little bit more care as to who they give their data to. [00:21:12] Speaker B: So going back to your point before, Alen, around, if you're trying to procure a service from a particular company and you look at their privacy policy, they don't have one, they don't care, well, whatever their agenda is with regards to security, and they're like, well, I'm going to go to your competitor. So let's just use a bank, for example, four major banks in Australia that typically are at the top end. How do they start to demonstrate, we care about cybersecurity? Because they do. Especially as a bank, you can't be super loose with, we don't care about it.
I'm not saying that they are, I'm just saying that it's a great point. Now end customers, to demonstrate we care about security. Because the part that I'm wanting to really understand now is, if you're an end customer like a bank, where are their security people talking about how much they care about security? I don't see them that often. I've had a few of them on my show. But where's their demonstration about how much they care about cybersecurity? Because again, they could just go to another bank, for example, if they're not demonstrating that. That's the other thing that I'm starting to ask questions around. What are your thoughts on that? [00:22:20] Speaker A: Look, I'm starting to see the marketing department, and I love that you mentioned the four big banks, because there are a couple of standouts where they're really having a marketing campaign around staying secure. So they've gone from having their websites being a standard website, some standard login, to having those secure logos and having like a big green lock saying protected, or we're PCI compliant. I'm seeing a lot of PCI compliance logos exhibited on their websites. And I'm also even sometimes seeing a TV ad where they're saying keeping you secure as even part of their brand, as part of their branding. So I'm seeing a massive uplift or uptake in that sense. And some of those banks that you mentioned, or sort of the top four biggest banks in Australia, they're not really doing that yet. They're just kind of trusting that the consumer will assume, because we're a bank, we're kept secure. Now the others know a little bit better, so they're kind of combating against it. And even emailing as part of soliciting a new client. I'm sure you've gotten that email saying, hey, a low rate Visa Mastercard, if you get one from us by this month, it'll be this particular rate. And by the way, this is what we do to keep your data secure. So it's becoming part of the pitch for their service.
It's becoming a success criterion for them when they're offering their service. Not just, yes, we have a great rate, yes, we have great serviceability and great customer service, but we're keeping you secure as well. And that's the trend that I'm noticing lately. [00:23:57] Speaker B: Well, I sort of see it as a marketing enabler. If you're saying, well, we really care about security, here's why, here's our CISO that's coming out and talking about this, I think more of these CISOs are going to come out in the media, have these conversations on my show to demonstrate that they really care about it. Because again, that's what's going to win customers, because to your point earlier, consumers are now being a little bit pickier with who they go with. Yeah, being around for 100 years, 150 years isn't good enough anymore. We want to see the other things as consumers. Why? Because people are getting breached left, right and centre. These are the things now that I think is a good marketing strategy as well as taking security seriously. Is this something that you think will start to emerge more, and then as a result of that start to displace these potential bigger organisations around for 100 plus years, that the smaller ones could actually start to overturn them? [00:24:51] Speaker A: Absolutely. And I think it's the reason that you do podcasts as well, is because these CIOs and CISOs, they're recognising that opportunity and they're getting out to shows like yours and they're speaking about their security posture because it's a marketing campaign as well. They might be doing it because they're passionate about cybersecurity like myself. But also there is an agenda behind that. They want to promote the fact that the business that they work for, the bank that they work for, does all these things. So it certainly is a marketing strategy, but there is a disconnect in my opinion. The end user isn't usually invited to those podcasts or webcasts.
It's usually cybersecurity professionals or people who are interested. Your Dorises and Margarets who have been transacting with the bank for 50 years, they're not going to be invited to a podcast and join it and listen to a CISO talk about all the security controls. So there's still a little bit of a disconnect in the way that we deliver this content, because it's highly technical. So the end consumer doesn't really get a hold of it in an easy to digest manner. So really they're relying on that traditional marketing team and traditional marketing campaigns to drill that fact through and say, we are secure by nature, keeping you secure, keeping your data safe. [00:26:11] Speaker B: Well, you're right. I don't know if there's too many Margarets or Dorises probably listening to this show, because it is very industry focused. However, in saying that, there are companies that cross pollinate with one another. So they're going to probably want to know, well, this CISO, they're very vocal in the market, they talk about what they're doing. Okay, well, I was actually talking to someone yesterday about, they work with another CISO from an insurance point of view, and that's why they talk a lot. So I think that there's that trust element of it. So I'm just always curious to see. I believe we do need more CISOs out here talking about why they care about security, what they're doing about it, from an industry perspective as well. Okay, but then also you've got your everyday marketing and all that to your consumers and people like Margaret and Doris, for example. [00:26:59] Speaker A: Yep, you're spot on. So we almost need to transform this panel and webinar and summit type scenario back to the end user, because again, right now it's more the technical people that are joining and listening to that stuff. And in my opinion, it needs to be your more traditional email solicitation. It needs to be baked into the offering. I want to see a lot of locks and a lot of green ticks.
The word secure, all these things that are currently missing. And again, that's really the disconnect between what's currently happening and what needs to happen for the end consumer. Like you said, the Margarets and Dorises. [00:27:41] Speaker B: Okay, so let's switch gears now and let's keep going with the third party stuff. I want to now talk about TPRM, or third party risk management. So your view is that if companies were governing and managing their suppliers better, there would be a decrease in breaches, which we've spoken about at length already. So walk me through your thinking, because what you're saying makes sense, but it's easier said than done, right? There's a lot of things that come into a TPRM, for example. [00:28:10] Speaker A: Yeah, so my process is heavily tool based. There are actually a number of tools right now, or SaaS tools, that help you make that process a lot easier. Now, I'm not here to plug any of those or promote them, but if you Google TPRM tools, there'll be a plethora out there, and they're actually quite affordable, and they're very automated. What I'll do is, my approach is two pronged. I will send a questionnaire to the vendor asking for all the things: do you have ISO compliance? Do you do penetration testing? Do you have MFA? Do you do cybersecurity awareness training? Do you have the following policies in place? And one of them might involve modern slavery, to make sure that they're not making use of adolescents or children down the supply chain. So there's sort of a little bit of ethics in play as well. But apart from that, I'll also look at their online infrastructure. So I'll do a vulnerability assessment on some of their websites, any login portals, and I look for things like lack of SSL where there is a login portal. So that tells me they have poor encryption, and that all gives me a rating. And a lot of these tools will do the same thing. They'll give them an A to F rating.
And that's not to say that a vendor that might rate well at the start will not eventually fall behind. They might have ISO at the start, and then five years down the track, they've just lost it because they haven't been keeping up. They haven't been doing their annual penetration testing, so they haven't got the evidence to show the ISO auditor. So they haven't really retained that certification and that security posture. So it needs to be an ongoing process. So you vet the vendor before you transact with them or before you sign up to them, but then, continuously, every three months as per ISO compliance requirements, you've got to re-ask the same questions and see if they're still, I guess, living or walking the talk rather. So the two-pronged approach there is looking at the internet connected or public facing infrastructure to make sure that they're sound in terms of security, things like certain ports being open, like MySQL available to the internet without being filtered. I mentioned SSL already, but also the questionnaire side of things: do you have this policy, do you do this, et cetera. [00:30:27] Speaker B: Okay, so you mentioned before, like, do you do pen testing? I want to get into this a little bit more. So hypothetically, part of your question is, do you do pen testing? Just say you say yes, yes we do do pen testing, but we get pen tested by the exact same firm every time, which doesn't really give a 360. As someone who worked in an internal pen testing team, historically we wouldn't just use the same firm every time. Like, there are certain elements to it we would, but to do something additional. People have different theories, different strategies, people miss stuff, right? So how does that then work? They're like, yes we do pen testing, but it's by the same firm that we've used the last 15 years. They might be missing stuff. So pen testing schmesting, in my view.
Because wouldn't you then have to demonstrate, well, we rotate the firms to make sure we're getting a very 360 view on our environment? [00:31:15] Speaker A: I would disagree with that. I'm happily going to transact with someone that uses the same pen test vendor, because the pen test process is not a 100% foolproof process. Just because you're doing pen testing does not mean you're hack proof. If somebody is really motivated enough, they're going to get through eventually. Like a state sponsored attacker for a government agency wanting to go snoop around at another government, eventually they will do so. For me, what I'm looking for is the basic hygiene, because the pen test process will identify the basic vulnerabilities, and more often than not, when you increase the time cost of an attack, an attacker will more than likely give up and move on to an easier target. So the pen test process tells me that the vendor is doing the basic hygiene, and they're going to find things like lack of SSL, they're going to find things like an open port that shouldn't really be exposed to the internet. They're going to find an SQL injection. All of these things every pen tester does, me being one myself, we kind of go through a process. Pen testing is a process. You go and look for authentication based vulnerabilities. You try to bypass authentication or do some sort of session fixation, or injection type vulnerabilities like cross-site scripting and SQL. But again, it just tells me that they're doing that as a basic, because most breaches actually exploit the basic vulnerabilities that are there. And if somebody had just looked at those and done some basic testing, it would have prevented the breaches. [00:32:45] Speaker B: And look, I agree with your point around, though, it's not like bulletproof if you're like, yes, tick the box, we've done the thing. But it's just more so getting variation of different companies that may do things differently, that's all.
Maybe if you're still using the same company every time, you're filling out all the forms and you're using the tooling to do that, shouldn't you have some variation, though? Because you can't just say, oh, for the last ten years we've been using the exact same firm, because things do get missed. Would it be wise to say there should be variation from, okay, once a year we get a new firm in to see if we've missed anything? Would you say that's a fair sort of ask from a third party, or would that be too much to ask? [00:33:30] Speaker A: No, it's not too much to ask, and it's a nice-to-have. For example, when I'm looking for a company to do pen testing, I will usually do what you suggested. I'll shop around, and it's always good to have a different set of eyes being thrown at the environment, because all pen testers come from different walks of life and they've got different skill sets. So I'm not disagreeing with you on that part. But what I'm saying is it's a nice-to-have, it's not necessarily a must. So I won't just say no to a vendor because they use the same pen test company. To me, they've checked the box, and often I'll ask for a copy of the report. Now, that's sometimes a sensitive subject. Sometimes they don't want to share it, in which case I ask for perhaps a redacted copy, or they can walk me through it on a screen share session. But I'm not saying it's a must for me. I'm not going to just not transact with a vendor that ticks all the boxes but has been using the same pen test vendor for the past ten years. It just tells me that they're doing what I require. And hey, if they do have a different pen test company every year or two, that's even better for me in terms of grading them. But it's not a showstopper for me. [00:34:38] Speaker B: Yeah, and that's absolutely fair as well. So going back to your point around people not wanting to share the report. Any reason for that? [00:34:47] Speaker A: Yeah, because usually it's kind of like lifting the skirt, right?
They don't want to be embarrassed. Sometimes the pen test report will contain some pretty critical and nasty vulnerabilities, and they kind of don't really want to win the contract with the customer. So they are reluctant to show you exactly how silly the vulnerability that they had actually was before they got it remediated. So more often than not, I am faced with a yes, we do do pen testing. We'll give you a screenshot of the first page, for example, which shows the company, the date and time that it was done. So that tells me, yes, that there has been a pen test, but then they won't go further than that, and that in itself tells me more than I need to know. It's kind of like, well, you're not sharing because there's some pretty bad stuff in there, isn't there? If it was clean, or not too many vulnerabilities, or not too many priority vulnerabilities, then you would share it with me, wouldn't you? So that's kind of the game. [00:35:45] Speaker B: So have you ever read a pen testing report, didn't like what was in there, and then did not transact with the vendor because of the report? [00:35:53] Speaker A: Yes, absolutely. I mean, this is all part of the vendor management process, or the TPRM process. You want to make sure that the vendor you select is not going to compromise on security. And it was a simple response of, we decided to go with another provider instead because they were more suited to our needs. You keep it very generic, but yeah, I've seen some pretty nasty stuff that could have just simply been fixed. It just tells me that they don't have code hygiene, that the coding is being done in a very quick manner, and let's just deploy, deploy, deploy, and we won't really do any QA, or we'll do security a little bit later. Now, most penetration tests are done annually, and that's kind of my base requirement.
So that tells me that you've deployed it and it's been out there in the wild with this really bad vulnerability for up to twelve months potentially, until you conducted that penetration test, and that's not good. [00:36:52] Speaker B: Wow. Yeah. Look, I totally hear your point, right? Do you think, though, as well, and I understand the tooling side of it does reduce it, but there's still manual oversight. Depends on the criticality of the particular vendor, like I said. But how does that then all look for ongoing governance and management of that? Because if you just look at one vendor, and depending on the size of the company, you could have thousands. How are you managing others? The tool is not, it's a tool, right? It's to assist, it's not to completely replace, but there still needs to be manual people involved. So what are your thoughts then on that? If you've got thousands of suppliers and you've got to run through all of these things, and then you're looking at the reports manually? Talk me through that. [00:37:36] Speaker A: Yeah. Look, it used to be a nightmare, to be honest with you. Some odd ten years ago, it was all a bunch of spreadsheets. You'd have a spreadsheet that you send out to your vendor, and it would be upwards of 300 questions. So it was a nightmare, not just for the vendor who has to go and answer them, but then also for you to go and review all those questions and then give it a weighting. Now it's a whole lot easier with some of those tools that are out there. Now, the tool only supports the process, right? The tool is not the silver bullet, but it does make things so much easier, because rather than operating spreadsheets, you simply load up your vendor in one of these TPRM tools. You send it off to the contact, they receive an email, they log into the portal, and it just prompts you. Says question one, do you do this? Yes or no? And if you say yes, it says great, add an attachment to upload some evidence, then you go next.
Do you do this or you're not? Yes or no? And then the same thing. And then by the end, it's a fully automated system. Then you, as the customer, get an email saying the assessment has been completed, and it gives you an automated weighting. Some things that you might need to go and have a look at, maybe prompt you to ask some additional questions. Maybe the evidence, the screenshot, isn't sufficient enough. Maybe it lacks a date, for example, for when the last backup was taken, which is a popular question. Are you doing regular backups? And of course, having a tool also helps with ongoing management of the vendor. So it's not just about the vendor selection process I mentioned before. Maybe at the time of starting to transact with them they do have a pretty good security posture, but then they've laxed on it and it's kind of trending down. I think now having a tool is essential, especially if you're managing, like you said, 1000 different vendors, because it's also going to prompt when it's time for reassessment. It may be on a quarterly basis or six month basis or an annual basis, depending on the vendor and what type of service they're giving you. But again, it will largely automate that fact for you. The vendor does all the heavy lifting in terms of answering, and then you use the tool's marking or weighting system to help feed your risk management process. And then you go to the board and say, this particular vendor we're transacting with, they've gone from an A rating slowly to a B, and now they're at a D. And it's up to the Risk Management Committee to decide whether they want to transact with them further or go to market and find somebody else and migrate that data across. And trust me, when you give that option to the Risk Manager or the Chief Risk Officer, and they have two choices, either sign off on the risk and accept it, as in put their name on it, or go and sign off on a quote for an alternative vendor that has a better cybersecurity posture.
More often than not, they're going to avoid putting their name and putting themselves in front of the scope, because nobody wants to be responsible for a data breach. [00:40:39] Speaker B: So Alen, are there any final thoughts or closings you'd like to leave our audience with today? [00:40:44] Speaker A: Absolutely. I think I love technology, and there's a lot of things around the corner that are about to happen. I'm sure you utilize AI things like ChatGPT in your business. I know that I do quite a great deal, but it's important for companies to understand, or businesses to understand, if you are going to use ChatGPT to streamline some of your processes, please be wary of what you're giving it access to. A lot of these, there has been a breach with OpenAI, and I dare say some of the users of OpenAI may have had some of their data compromised as a result of that. So if you are using ChatGPT, don't give it access to all your systems, all the sensitive data. Sure, use it as a chatbot for your customer service team or your sales team, but don't give it access to some of the sensitive information, because, again, that's a third party, right? That's a vendor. So you've got to see where the data is going. And unfortunately, it's not going in a sovereign place, it's going somewhere else. And in terms of cybersecurity, I think AI is going to be very exciting. Right now, when you look at the average security officer or cybersecurity engineer, they are spending upwards of $100,000 or more over a period of years to get skilled up, which is why they can usually come with a very hefty bill, right? They cost a lot of money, and I think over time, ChatGPT or sort of generative AI is going to help supplement the whole cybersecurity engineering process, almost so that we'll be able to reel that action back into the traditional IT team. So imagine your network engineer or systems engineer being faced with a cybersecurity issue. Maybe they get an alert.
Now the AI will be able to, in clear, plain English, maybe in a couple of paragraphs, say, this is what the problem is, here's when it was detected, and here's what you need to do to remediate it. So it's almost like, I dare say, going to make the cybersecurity engineer redundant in a way, if not make it very easy, or kind of condense the time taken to get somebody skilled up in cybersecurity, because they're going to have a little bit of an assistant to help them out, rather than having to take the brunt of it on themselves, because it is quite a process heavy role. Being a cybersecurity engineer, you have to look at data from various different endpoints, various different machines, and then make sense of that and correlate that using your experience as well. AI will supplement that a great deal and hopefully save a lot of money, so we can claw back some of that cybersecurity budget into some other areas, such as AI. [00:43:33] Speaker B: This is KBKast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.