December 15, 2023

00:40:34

Episode 234 Deep Dive: Tulin Sevgin | Tackling Third-Party Risk Management: Crucial Insights for Effective Due Diligence

KBKAST

Show Notes

In this episode, we are joined by Tulin Sevgin (Director - National Cyber Security Practice, MinterEllison) as we unravel the complexities and potential oversights in working with vendors. Tulin sheds light on the critical need for due diligence in the procurement process to mitigate future risks, emphasising the impact of vendor changes on data access and infrastructure. Tulin navigates the labyrinth of vendor risk governance and emphasises the significance of ongoing monitoring. Join us as we delve into the intricacies of vendor assessments, the challenges involved, and the supply chain landscape.

Episode Transcript

[00:00:00] Speaker A: If you don't have a framework in place at all or you're just assessing vendors upon the due diligence process when it comes to procurement, I highly suggest that you take that step back and you look at the data, because essentially that is going to drive to a certain extent how you rate your certain vendors, right? You want to make sure that you know who in your environment, in your organization has access to it. But then also which of your third or fourth parties or your supply chain also has access to that. As a result, this is KBKast as a primary target for ransomware campaigns, security.

[00:00:41] Speaker B: And testing and performance risk and compliance.

[00:00:44] Speaker A: We can actually automate that, take that data and use it.

[00:00:49] Speaker B: Joining me in person is Tulin Sevgin, director, national security for MinterEllison. And today we're discussing third party risk management. So Tulin, welcome back to the show. You were a really early interview that I conducted. Now we're in the 200 mark. So welcome back.

[00:01:04] Speaker A: Thank you. It's so great to be here and so great to be able to chat with you again. I'm looking forward to this chat.

[00:01:11] Speaker B: So third party risk management, now, there's a lot of people talking about this online, of course, with supply chains, things that have been going on the last few years, a lot of stuff going on. Let's just start with that. Let's start with third party risk management. What does this mean to you? And then give me your view on it.

[00:01:26] Speaker A: Yeah, of course. So I'm sure everyone has heard of the terms of third party risk management, supply chain, cyber risk management, for example, being thrown around all over the place. We've seen a lot of software as a service companies even popping up all over the place around the management of third parties and ongoing monitoring and all of that. So what it is, it's basically your suppliers.
So companies, people, contractors, subcontractors that you may be using to deliver your products or services to your clients. For example, we use the Microsoft suite, so we use OneDrive, so that is essentially a third party provider. And so as so many companies now operate, and a lot of organizations utilize third parties to one extent or another, right? If you think about even retail, like they use Australia Post, they might use DHL and all that kind of stuff, those are considered as third parties because you're essentially extending a service and you're paying them to provide a service to you to deliver your product or service. So essentially that's what it is. And in my opinion, I think if you are a business and an organization who is functioning in today's world, especially in the last decade, you are definitely using third parties. Every business is online. If you are online, you're using a third party, whether you think you are or not. And you have to get far in your business and to actually succeed. Right. Because nowadays everyone, the economy and how it's going, they're using more and more third parties, which might be cheaper for them to run certain parts of their business. And so to get far, I think especially now, and to do the work smarter, you need to use third parties.

[00:03:04] Speaker B: Well, I think you'd be really strapped to find a company that isn't leveraging third parties. There's no real way around it other than governing it and doing the DD on these companies, which is a problem. So before we jump on the interview, you talked about fourth and fifth parties.

[00:03:19] Speaker A: Yeah. So it's not a new concept. I think it's something that's always existed, but no one's really talked about it or taken notice of it. And I think that probably comes from the process of, well, we trust our third party because we signed a contract and so we trust what they're doing with whoever else they're doing business with.
Essentially, your fourth and fifth parties and so forth are the rest of your supply chain. Right. So when you think about using an organization, so for example, you provide services, KB, to your clients, right. And then you might be using Google Cloud, for example, to store documents, to store proposals, signed agreements and all that kind of stuff. Now that is essentially a fourth party for your client to consider. So they're utilizing you and you're utilizing another service provider to deliver that work.

[00:04:07] Speaker B: So a third party for me, but a fourth party to my client, correct?

[00:04:10] Speaker A: Yes. So essentially that's where a fourth and then a fifth party might come into the play.

[00:04:15] Speaker B: So what's a fifth party? So many parties.

[00:04:17] Speaker A: I know there are so many parties. So there's like whoever your fourth party provider is using to deliver that service. So we get this right, let's get some examples going.

[00:04:27] Speaker B: KBI Media is the client. Someone delivers into me as a. I don't know, I can't even think of an example. Think of a third party. It doesn't have to. Just make it up. I don't know. A catering business. John's Catering. John's Catering then uses Google Cloud.

[00:04:41] Speaker A: Yeah. To send your invoices. So the fifth party can be something that the system that he's using to deliver the service. So it doesn't exist for everybody.

[00:04:52] Speaker B: Why doesn't it exist for everybody?

[00:04:53] Speaker A: Well, it depends. Some companies will, for example, if you're using that request system, but then they're probably not providing any other service to you other than that. Right, to deliver the end product or the end service to your client. Places like Australia Post probably use. It'll be a fifth party for you.

[00:05:12] Speaker B: Because they outsource it to someone else.

[00:05:13] Speaker A: Correct.
In a small mum and dad shop, a catering business, for example, might stop at that request and that's it. So it really depends on the complexity of the supply chain environment. And that's why we just call it nowadays, we just say supply chain environment, rather than going down the route of the third and the fourth and the fifth and the sixth, et cetera. It's very convoluted.

[00:05:33] Speaker B: Okay, so there's a lot of stuff going on here, so let's just focus it back now on a security company. You got to focus about the people that are their own employees. Then you've got the people on your supply list. Large corporations got thousands. Then those thousands have got thousands, then those thousands have got thousands. So, like you could have upwards of 100,000 different companies, all interconnected. How do you handle all that?

[00:05:55] Speaker A: That's a very good question, and it's a very common question we get from a lot of clients and just even a lot of friends that I speak to in the industry now, seeing that people freaking out from all the breaches that have been happening and security incidents and people taking security more seriously with all the regulations and laws, et cetera, I think one thing to keep in mind is what I tell my clients is you need to build a supply chain risk management framework or a cyber risk management framework that is suitable to your environment and suitable to your complexity of the business. Now, there are certain things that will sit outside of your risk appetite and there are certain things that will sit within. And obviously, every company has a different risk appetite when it comes to cybersecurity and specifically around their supply chain. And so you're not going to go out, and realistically, it's impossible to go out there and assess that. You can't do that. That's impossible. Right. Even if you had an army of 10,000 people just doing it, it's not feasible from a financial perspective, you're not going to get it done.
So that's why you have your risk appetite, right, which gives you those tolerances of what you're willing to accept and not accept when it comes to your business. And that really will help you define how you build your framework. And when I say that is, you might do your procurement process of onboarding these vendors, some of them might be low risk to the company. So then you don't need to reassess, you don't need to do a deep dive assessment or an audit on them every year, and it might be a once every two, three year occurrence. Right. And then you might have your high or critical vendors, which you might need to reassess every year or once every two years, and then only if there's a strategic change in the services they're providing or a strategic change in their company that might shift the risk appetite for you is when you'll do another deep dive assessment on them. I think organizations really need to use that to their advantage and that will help them define what that looks like. Obviously, you're not going to have 100% coverage all the time, and there are just certain things, certain cyber related risks that companies have to be willing to accept when it comes to their supply chain. Yeah.

[00:08:03] Speaker B: Okay. So my mind is going 1000 miles an hour because I have a lot of questions. So, okay, you're a company. You are looking at third party risk management. What about when you get to the fourth parties? So how do you as a company enforce any security, governance, whatever? If your third party is then using their third party, which is technically your fourth party, can you enforce that? Because then there's one removed. It's like, well, the fourth party is probably saying, well, I'm delivering to this company. You guys have got nothing to deal with. So how does that work?

[00:08:35] Speaker A: Yeah, so basically how that will work is a lot of it will be defined within the procurement process.
And so what you'll find is organizations will now embed like a cyber related questionnaire and just security related questions when it comes to the DD part of procurement. So the due diligence is what I meant when I referred to DD. And essentially that's where they'll identify things like, okay, which fourth party are you relying on? Any suppliers to deliver key components of this product or service that you're going to be providing to us? And so that's where they'll hash out the details. And in that instance, they might ask for certain certifications, they might ask for SOC reports or any other audit reports, or if they're going to be mining data for you. That is critical information for your organization. Right. So I think it's only for mostly their critical suppliers that will be either managing data or have access to their network or the infrastructure or anything like that is where they'll really deep dive into that fourth party. Otherwise it's usually kept quite high level. An organization will just want to know if you're using other suppliers to deliver it. And then they might want to know the basics, like, have you done your due diligence on them to make sure in the event of an outage or an incident, like will they inform you in this time frame and blah, blah, all of that. So it can get very complex, especially.

[00:09:57] Speaker B: When we talk about fourth parties, because then you're technically governing two sets of people for the one.

[00:10:02] Speaker A: Well, usually what you'll see is your third party provider will have already done their assessment on them. And so when they're going through that due diligence process and you're writing out your contract and your terms and conditions and all those clauses, especially around the right to audit and the incident reporting and the incident notification, they've already done their research and their homework on the fourth party supplier. So they already know the answer.
And they wouldn't align their SLAs for these things without knowing that their fourth party supplier can also comply to it. So essentially, you are relying on your third party to do a lot of the work for you when it comes to a fourth party. But in some instances, depending on the criticality of that fourth party vendor, you might want to see what they've done. So you might just want some reiteration of like, okay, can they provide us with an incident notification if it was to occur within 48 hours? Type of thing? So depending on what your rules are. So, I mean, yeah, you won't see them going in a deep dive unless it's like a real requirement, which is quite rare to see anyway.

[00:11:09] Speaker B: And I guess, like you said, you would obviously school them. Like, not all of your 10,000 suppliers are going to be going through this rigmarole.

[00:11:15] Speaker A: Exactly. And if you think about, you got APRA regulated entities who are mostly the financial services industry, and APRA kind of, they round endedly kind of say, it's up to you how you want to interpret and implement what they're saying in their regulation and their prudential standards. And essentially it has to match your risk appetite and your risk management framework. Right? So they're not saying go and assess 10,000 vendors. They're saying if you're saying in your framework that you're going to do your high and critical vendors once a year or once every two years, they expect to see that happening. And they expect that if you're saying something in your policy procedure, that you're actually doing it. So I think people, some organizations will rush to the thought of like, oh my gosh, we need to assess everyone all at once in twelve months. But no, that's not the case and that's not what they're saying from my interpretation, of course.

[00:12:10] Speaker B: So large companies, which I know because you work with them, there is a large procurement process.
So would your stuff in terms of building out the framework from a third party risk management point of view back onto the procurement, is it embedded into it? Do you think that's what the gap is in the market? Because a procurement person doesn't have all the knowledge in your mind as a risk personnel. So how does that work? How do you embed it into the process? That way the procurement people are covering the stuff that you want to know.

[00:12:38] Speaker A: Yeah, of course. So what we've seen more recently, especially with clients who have come to us for the development of their third party risk management programs, is that we are speaking with not only their cybersecurity function to cover off the technical aspect of the assessment and the program, but also you're bringing in procurement, you're bringing in legal, you're bringing in even IT and teams like that. And from a procurement and legal perspective, you need to have them embedded in the process. So of course, procurement in every organization already have their built out procedures and policies around what they do and how they follow their process for procuring a new vendor. And essentially what you want to do is embed that cybersecurity component into that procurement process. You don't want to make it so much harder and complicated. It usually starts with a very simple questionnaire around security, which will then help give you either a score or give you some sort of idea of what the risk profile is like for that vendor before you then venture into a more deeper due diligence questionnaire or assessment.

[00:13:46] Speaker B: That's interesting. Even that is still a lot of work that's involved. Okay, now I'm curious to know, would you say in your experience with what you just outlined here, that there are certain organizations that aren't embedding in what you do into their process?
Or it's get missed, or it's like, oh, these supplier already work with them, oh, we better do a third party risk management assessment like they were doing it as an after fact, which I get because it's not as easy, it's easy for us to sit here and talk about, oh, we'll just do it and you just embed it, bend it into the process. But these things are easier said than done. So what happens if people aren't doing it what happens?

[00:14:20] Speaker A: Yeah. So essentially, if you're not doing any type of due diligence on your supply chain when it comes to cyber, and you're not doing assessments or you're not doing ongoing monitoring in any shape, way or form, then essentially you're leaving your organization to a pretty big gaping hole when it comes to cyber risks and breaches. Essentially, as we hear every day almost, there are data breaches occurring regularly that are linked to a third party provider. And so essentially, you will probably be one of those organizations sooner rather than later if you don't implement an appropriate program, if you choose to just ignore it. And I think it's pretty hard to just ignore it anyway.

[00:15:00] Speaker B: Do you think people are ignoring it, though?

[00:15:02] Speaker A: There are definitely some organizations who. I don't think they're ignoring it, but I think it's more like too hard basket. Too hard basket. Or there's a few other things we have to do before we get to that. It can be anything. It can be around, like procurement stuff, or it can be, we need to get this tooling sorted first, which will then help us understand where all our data is and how we're managing it all. So that is one of the largest questions. Right before starting a TPRM program, we have a lot of clients who will ask us, well, okay, before we build a TPRM program, we don't even know where our data is. We don't know how much of it we're holding. We don't know if we should delete some of it. We don't know who has access to what.
That's very common amongst a lot of organizations. They're not very mature in terms of data management and data ownership. And then, of course, as the recent breaches that had occurred, the large ones in Australia, were mainly because holding data that they didn't need to for more than the period that they needed to when it came from a compliance perspective. So we try to help our clients understand that first and be comfortable with what they've got, where it is, where it's being stored. Because then that essentially will also help you look at your supply chain and look at, okay, which vendors now have access to that data and what are they doing with it, and then that will help you kind of also shape your TPRM program and put those vendors into specific baskets of how often you should be monitoring and assessing them and all of that kind of stuff.

[00:16:32] Speaker B: Do you think there are companies out there that don't even know who their suppliers are?

[00:16:36] Speaker A: Yes.

[00:16:37] Speaker B: If you don't know, how do you start knowing? How do you know?

[00:16:40] Speaker A: Yeah, look, that's a very interesting question. As you mentioned, whoever's paying the bills, there's a supplier.

[00:16:45] Speaker B: Exactly.

[00:16:46] Speaker A: So some companies have tens and thousands of vendors. Right. And hundreds and thousands, like the larger organizations in Australia have hundreds and thousands of vendors. Yeah. I'm not even kidding. So for companies like that, a lot of the time they know where most of them are. They know who most of them are, and it's just a matter of kind of trawling through it, putting them into certain baskets of what services they.

[00:17:09] Speaker B: How do you find them?

[00:17:10] Speaker A: That is a hard one, and that's usually the specific tools. And there's other companies out there will help you with that.

[00:17:17] Speaker B: But would that cover all the bases, though? You got 100,000 people.
That's pretty big surface area to get.

[00:17:22] Speaker A: That's right.

[00:17:22] Speaker B: It's surely going to be something that get missed out.

[00:17:24] Speaker A: Yeah. So usually what we rely on when we work with clients who don't know who all their suppliers are unsure about, which ones would be a cyber risk, for example, for them, we will go through their list from procurement. So procurement will usually have a list of all of the vendors, whether they're accurate or not. And then sometimes it is a bit of a manual activity to kind of go through, and you can bucket them into specific services. So if it's like hospitality, and then you might have, I don't know, some sort of infrastructure when it comes, maybe like road infrastructure or something else, or if you've got cars and all of that kind of thing. So you can kind of group them into specific areas and they usually have that grouping already. And so you can rely on that and then you can truncate the list down to the ones that might have access to data and the ones that are specifically IT.

[00:18:13] Speaker B: This could take months.

[00:18:14] Speaker A: Yeah, it can. So if you've never really done it before and you've got quite a large number of vendors, it can take a little while to get across. Yeah.

[00:18:22] Speaker B: So you mentioned before identifying companies that may be a cyber risk. Would you say in your experience that you've gone into a client and a supplier that they're leveraging? You said these people could be, or this organization could be a risk from a cybersecurity perspective, and that blindsided them, like, oh, we didn't even think about it like that. Do you think there's a lot of that that goes on, people not thinking like the obvious ones like IT and stuff like that? Maybe it's someone else that's holding something that they didn't think about.

[00:18:49] Speaker A: Yes, definitely. So that's happened quite a few times in my previous lives, in previous roles.
So what we've seen is we'll start maybe assessing a vendor or looking at a particular vendor grouping at a client, and they may think, so it could be like a group of low risk vendors, for example. So, like the lower priority, they don't have access to specific data or whatever. And so we'll look at those. And then when you dive into the service they're providing or the product they're providing to the client, you start seeing stuff like, oh, but they do have access to some data. But it's this data which sits over here. So if it's not configured. Yeah. And then you are bridging the gaps between how, if something goes wrong at some point, then someone can have access to XYZ. So we've picked up on quite a few of those. It's very common. Yeah.

[00:19:40] Speaker B: So what's the response when you say, hey, did you notice this low category.

[00:19:45] Speaker A: Vendor is actually like, so generally the response has been like, oh, really? Okay, well, maybe we should assess them. Maybe we should reconsider their rating. We've never really had a big pushback from clients in terms of like, no, that's just a low, don't know where you got that information from kind of thing. They're usually quite on board with. Oh, okay. We didn't realize that. Maybe we changed the service or they've increased what they're doing now. So, yeah, it makes sense. They've got access to that and we should have picked that up kind of thing. So there can be things that slip under the radar occasionally, and I think that's normal when it comes to humans doing the job. And even if you're working with computers. Right. Like fat fingering or doing whatever, mistakes happen, things get skipped over. And that's why when you have people that come in and look at stuff for you, they can pick up those little errors which could potentially cost something big in the future.
[00:20:38] Speaker B: So let's talk about maybe just still on that point, though, as I'm thinking what's coming, my mind just so hypothetically, what sort of questions should people be asking if there is potentially a vendor that could be a risk to an organization that they may have overlooked? Is there anything specifically that sticks out that people may think after this interview I should look into that? Is there anything that, from your experience, that illuminates to you that people could focus on, perhaps as a starting point?

[00:21:02] Speaker A: Yeah. So usually where these things occur is after they've been procured and they're onboarded and they're an existing vendor. And it's usually like if you ask that vendor to provide an extra service or an extra product, right. And then you might not think that that's a big change in terms of what they're delivering to you and what they might have access to. And so that's usually the point where sometimes people will overlook and they might skip over or they might forget because they just want to get going with the work. And so that's the point where we will sometimes see that it's being overlooked. And so in that instance is usually when that happens, you should probably do a little bit of due diligence around. Okay, is this going to impact us materially? Is it going to be sitting outside of appetite? What data will they have access to as a result of adding these additional services and products? If it's infrastructure related, you might have a few infrastructure related questions. So it's just more about baking that into your procurement process almost, and having a separate set of questions around cybersecurity just to make sure that it's still sitting within appetite and you don't have to kind of change anything in your environment to then protect yourself against cyber threats that might come up from it.
[00:22:16] Speaker B: So you're saying even if you've got a vendor, which may be low risk, but if they change the service, just one change of a service could actually unleash more problems?

[00:22:27] Speaker A: Potentially, yes. Depending on what.

[00:22:29] Speaker B: Interesting.

[00:22:30] Speaker A: Yeah. What they'll be doing. Yeah.

[00:22:32] Speaker B: Wow. And I can understand it would get overlooked because they're probably looking at that vendor as in totality rather than a specific. Yeah, we've already done it, they're cleared, next. But open up a new service. Could open up a can of worms.

[00:22:44] Speaker A: Yeah, exactly.

[00:22:45] Speaker B: Okay. What about implementing the right framework, the right approach? How do people get started? What do they think about, like you said, which hundreds of thousands, a lot of things going on. Then you've got third, fourth, fifth parties to consider. One change of the service, you got to go through the whole rigmarole process again. What would be your advice to implementing something? Maybe start off small and then you can talk more about scale.

[00:23:06] Speaker A: Yeah, of course. So when you're building a framework and looking at what type of framework to implement, there are so many considerations. Right. You need to think about do you have any regulation requirements, compliance requirements, and so you might already be aware of that yourself, or you might bring someone in from your compliance team to tell you what your obligations are there, and you might have some other legal obligations as well. Right. Depending on your company and you're providing. So that will really drive and push you towards a certain framework. And there are already so many frameworks out there that you can kind of follow and use. If you're not obligated to follow a specific one due to regulations, then we always suggest the NIST cybersecurity framework.
That's a very good framework to start with because you can build on that as your company grows and changes. And so it's flexible. It offers a lot of flexibility in terms of responses. You don't have to follow everything to the T in the NIST CSF. You don't have to be certified against it or anything like that. It's very easy and simple to assess against and also do maturity assessments against for yourself as an organization. But generally speaking, if you already follow a cybersecurity framework internally, then that's the framework you should be assessing your vendors on. Essentially, you don't want to be following something completely different. So if you're already at that maturity where you're following something, then you should be assessing your vendors on that. So you're at the same kind of benchmark.

[00:24:32] Speaker B: What about governing these people, though, these companies?

[00:24:35] Speaker A: Yeah. So what we usually say is it's obviously up to the company and their appetite and how frequently they want to assess their supply chain network. And we usually say annually is okay for mostly your critical and high risk vendors and usually regulated industries or non regulated in both. I'd say, again, it's dependent on the risk appetite. Right. It's dependent on how comfortable are you with only assessing them once a year versus once every two years or twice in a year. People do it twice a year. There are some companies that do it twice a year, so their risk appetite is super tight. Yeah. So again, it just depends. Like, we've worked with companies that will do it once every two years, and then with their mid to low, the low ones, they might just do it upon initiation, and then if any services will change, they'll do it again. Otherwise they just do ongoing monitoring of their vendors using certain SaaS tools and then their mid tiers. They might do it once every three years. And sometimes it'll be on a subset of questions.
So it won't be a wide, like a really in depth kind of cybersecurity assessment based on an entire framework covering all controls, and it will just be like a subset of an area of cybersecurity, which they'll rotate every couple of years. And so they cover different questions, almost like an audit scope. If you're going to do like an audit, for example, and you're not going to do everything in it all at once, in one year you might focus on application security controls, or one year might focus on infrastructure and physical security controls, for example. So you could take that approach as well with how you assess your vendors. So you don't have a 400 question assessment to get through with them, which is a nightmare.

[00:26:17] Speaker B: I was just going to ask you about that. So from my experience of talking to people on the show that spoke a lot about arduous, monotonous questionnaires, of 400 questions, people have said, that's not that helpful.

[00:26:28] Speaker A: It's not. Talk me through it. So I think sending a questionnaire that's over 100 questions is just ridiculously long. It takes way too long for someone to do it, and it's usually not just one person who is answering that questionnaire. It'll be different people from different parts of the organization. So you're essentially utilizing quite a lot of time. So it's a very expensive exercise from a business perspective. And I think.

[00:26:54] Speaker B: Third party, you mean?

[00:26:55] Speaker A: Well, yeah, for the third party completing the questionnaire, how long do you think.

[00:26:58] Speaker B: It like depends on how much detail do you think people go into?

[00:27:01] Speaker A: Well, if it's a really lengthy questionnaire, so I imagine if it's over 100 questions, then you will need people from specific teams to have their input because it will cover so many different areas.

[00:27:11] Speaker B: But how long would one question be? A couple of pages?
[00:27:14] Speaker A: No, it'll be like one question, or it'll be one question that, depending on your answer, will go to a subset of other questions.

[00:27:20] Speaker B: But do you have to provide detail to some of these things?

[00:27:23] Speaker A: Sometimes it can do. It can ask for like a free text response, it can ask for evidence as well. So you'd have to attach stuff. It just depends on the type of the question. It could be a simple yes or no, and then it could ask you for mitigating controls for the response you provided or further detail to what you provided. So it's really dependent on who has created it and how they've created it. And I think even for the person who's assessing it on the client side, once they receive that questionnaire back, that's a lot of man hours in itself for someone to look at. It can take half a day, if not longer. And then there's usually follow-up questions. They might need more evidence. Like, there's so much stuff that goes into it after the fact as well. So it's not just you answer the questionnaire and it's complete. Like there's another person on the other end who's reviewing it who will come back to you with more questions and will probably ask you for more evidence. So it goes back and forth for a bit and can take a little while to complete, like fully end to end.

[00:28:20] Speaker B: So hypothetically, a company has an arbitrary 100-question questionnaire. Send it to a company, that could take days, weeks, and then it comes back to the person in the company. How do they assess it?

[00:28:33] Speaker A: So usually they'll look at their responses, and it depends on how high tech this questionnaire is that you've sent. Right. It depends if you used a tool to send it or if you're doing it manually through a spreadsheet. Yeah. There are people who still use the manual spreadsheet way of assessing their vendors.

[00:28:52] Speaker B: Yeah, but how do they have ongoing monitoring of that if it's in the spreadsheet?
Because when you look at it, you're not going to remember it ever again, are you? So what's the point in doing it?

[00:28:59] Speaker A: Yeah, exactly.

[00:29:00] Speaker B: Well, I mean, look, I'm always about efficiency. I'm just curious. I mean, these are questions that I want to know.

[00:29:05] Speaker A: Exactly. Right. Like you want to make your business as efficient as possible.

[00:29:09] Speaker B: How could you be across that, though?

[00:29:11] Speaker A: You couldn't, you can't. And that's where it fails. Right. If you're doing it manually, that's where it fails you. One, you'll forget to follow up with them. Two, you've got to find all these emails, you've got to find all these files, like, it goes back and forth. It gets sent to everyone and then.

[00:29:24] Speaker B: It gets, your lost file gets corrupted.

[00:29:26] Speaker A: Exactly.

[00:29:26] Speaker B: No backup.

[00:29:27] Speaker A: Exactly. So these things happen all the time. And that's why more and more of these tools are being used in a lot of organizations, where they're able to store everything in one place. And some of these tools are great, where you're able to assess and it'll give you a score. It'll tell you which answers are more high risk than others, and so which ones you might want to focus on in terms of doing a follow-up and all that kind of stuff. So, yeah, there's so many tools out there you can rely on. There's tools where they've already even done assessments on your vendors that you can leverage. So you could use that for your lower risks. For example, if you don't want a hands-on approach from your team, you can purchase those assessments and use those so.

[00:30:05] Speaker B: You purchase that assessment on X vendor from the vendor that's providing the service, correct?

[00:30:09] Speaker A: Yeah.

[00:30:10] Speaker B: Okay. So let's talk about tools. So you make a great point. A manual thing perplexes me, but again, a tool doesn't cover everything.
So would you say, in your experience, people are relying too heavily on tooling? Because as we've just spoken about at length, these things take time. There's a lot of stuff that's involved, there's a lot of manual hours, expenditure, cost of reviewing these things manually. So I understand the reasoning for the tool, but it wouldn't capture 100%. So would you say people are relying too much on tooling to do the heavy lifting?

[00:30:41] Speaker A: I think in some instances, yes. I think some people go into it thinking like the tool is going to solve all their problems, but unfortunately the tool is going to be pretty useless if you don't already have an existing framework and a pretty robust process in place when it comes to your supply chain cyber risk management or third party cyber risk management. Right. So if you don't have a framework in place, how are you going to use the tool? Like how are you going to know which vendors to assess on what level and how frequently? So the tool doesn't.

[00:31:11] Speaker B: Come in a box and you just.

[00:31:13] Speaker A: Not just like switch it on with a light switch.

[00:31:15] Speaker B: But is that people's assumption though?

[00:31:17] Speaker A: Yes. So that's a lot of people's assumption, like, we can just purchase this and then just use it and it'll fix all of our issues. And it's like, no, what I would do is I'd look out, I'd establish my framework first, I'd understand it, I'd make sure it works properly, because then essentially that's going to help you define how you use the tool. Because if you don't know how to define your high, medium, low risk vendors, then essentially you're going to have this tool with thousands of vendors in it and you still don't know what to do with it. Right. You're still going to sit there and be like, well, what, am I sending the same assessment to all of them? Am I doing this every year for 1000?

[00:31:49] Speaker B: Well, you have to change the assessment. Well, that's.
[00:31:52] Speaker A: Again, it's up to you. Like I mentioned before, you might do a deep dive assessment on your critical ones versus your low risk and medium ones. Right. And then you've got to also, there's other complexities as well to consider. But essentially you can split up your vendors in these tools by your critical, high, medium, low risk vendors, and then you can set up things like to send assessments once every two years or once a year, and then you might have different levels of assessments for each vendor. So you can create those and send them to certain vendors at certain times. And essentially these tools will kind of monitor and keep all of that in one place, and some of them will offer all the other bells and whistles as well, depending if that's something you're interested in purchasing. But essentially it's almost like a repository for all your vendors. So you need to understand how to categorize. Yeah, it does monitoring, but you need to know how to categorize it and you need to know how to best use it so that it helps you. Because if you put it into an environment where you don't know how you're assessing your vendors, it's going to be pretty useless to you. You're going to be overwhelmed again, because it's going to force you to then create that framework, understand your appetite, how you're rating these vendors, before you can then go ahead and do these assessments.

[00:33:03] Speaker B: But you say that's pretty common.

[00:33:04] Speaker A: It is common.

[00:33:05] Speaker B: So you said before, establish a framework and make sure it works. How do you know it works?

[00:33:10] Speaker A: Well, you do test runs, right? So you'll establish a framework, you have it reviewed, you make sure your risk management team, your procurement team, your compliance team, and your cybersecurity team have all been across it, they understand it.
And then the next step would be to almost do like a walkthrough of what that looks like realistically for one of your vendors or a couple of your vendors, so you can kind of test the process out just to make sure that it works realistically and practically. And then that will help you then kind of adjust and change your framework if you need to. So what we'll usually do is we'll help clients create that framework and then we'll do a test run of a couple of vendors, see if it works before any tooling, and then we'll see what the outcome is of that. And usually in most cases you have to adjust it. You have to make a few small changes, because everything you write down isn't realistically going to work when you try to practically do it, right. And that's with anything in the real world, I think. And so you'll do it practically, you'll test it out, it works. And then you might look at tooling to help make that easier for you and faster. Yes, exactly.

[00:34:13] Speaker B: Wow, that's interesting. So what happens if people don't know where to start? Because again, you saw that, like categorization, like risk management, a lot of things going on here. What would be your advice on where people can sort of get started?

[00:34:26] Speaker A: Yeah, I think if you don't know at all, if you don't have a framework in place at all, or you're just assessing vendors upon the due diligence process when it comes to procurement, I highly suggest that you take that step back and you look at the data. So you look at your data ownership, you look at where your data is stored, you look at who has access to it, and also understand what critical data or personal information or commercially confidential information means to you and how you rate that data. Because essentially that is going to drive to a certain extent how you rate your certain vendors. Right.
Obviously, you'll have your service providers and then you'll have certain products you might use, but essentially what drives that is data. You'll have your crown jewels, which are the most important information to you. Would you want that breached? So you want to make sure that you know who in your environment, in your organization, has access to it, but then also which of your third or fourth parties or your supply chain also has access to that as a result. So I think starting there will really help you in establishing and building an appropriate framework down the track and then.

[00:35:35] Speaker B: Going back to the ongoing side of it. You mentioned before, if it's biannually or annually, or if you change the questionnaire, how do you know how to adjust that? I guess it depends if it's regulated and depends on the maturation, all those things. But do you have any sort of rule of thumb or guiding light things that you follow from your experience?

[00:35:51] Speaker A: Yeah. So I usually suggest, for your low risk vendors, if you're not regulated, I would probably just do it upon the procurement stage. And then again, if there's any change or introduction of more services with that vendor, then you do another mini assessment on them. And that could just be like, okay, what data are you going to have? What data will they have access to as a result of this additional service? And then that will help you define whether you have to reassess them fully or they have to go up in the ranks in terms of their risk rating. And then for your medium rated vendors, your medium risk vendors, I would suggest doing it once every two years, or three years if acceptable in your risk appetite, and then your critical and high vendors, I would say annually, minimum, just in case. I think you don't have to cover off absolutely everything. It could even be, depending on how comfortable you are, it could just be, send us an updated SOC report or send us your certification.
Your updated certification. It could be even based on that. Or it could be on specific areas of concern that you might think they're lacking in as a result of some of the services they've been providing. So things like that, that's my suggestion. That's kind of like a little bit of a rule of thumb, but again, every organization is so different. Their risk appetites are different, their compliance needs are different. So again, you really need to think of those things as well. Sometimes the compliance requirements will really drive how you will perform these assessments.

[00:37:15] Speaker B: One of the things I'm hearing that you're saying is, especially if you're a third party looking to work with a large organization, how do companies, as third parties, provide assurance to a company like yours or something like that? How should people go about it, like, they take risk seriously, they take security seriously. Is there anything that I can sort of do that may be cost effective that demonstrates, hey, yes, we want to work with you, a large organization, we may be small, but these are the things that we do care about. Is there anything that sort of comes to mind?

[00:37:40] Speaker A: I don't suggest companies go out there and get all the certifications just because it ticks boxes. Certifications are very expensive, so I wouldn't start there. There are some pretty handy tools in place where you can set up almost like your security, like a landing page. But then it also provides a bit of a high level overview of your cybersecurity control environment, what you're doing, what you're working on, and almost like a maturity level, if you're able to provide that. If you're using a specific maturity framework for your own framework internally, you can provide a glossary of documents that you're happy to provide to your prospective client or your existing client.
So that can be anything from certain certifications, if you've got them, any audit reports or anything else that you could use potentially, like if you're using Google Cloud services or Microsoft or Azure or whatever it might be, you can provide their certifications or reporting as well and just explain how you're using them and what you're using them for. So kind of having one place where you can direct people to get that information is always helpful, especially if you've already got completed assessments or questionnaires that you'd be able to share as well. That's super helpful. And that way you're kind of triaging everyone to go to this one place. Have a look there first, and then if there's any gaps or you can't find something, then come to us and we'll be more than happy to chat to you about it.

[00:39:06] Speaker B: Do you think as well that this will demonstrate the assurance in companies getting on the front foot? Are we going to start to see more of this happening?

[00:39:14] Speaker A: Definitely. Yeah, definitely. I think given that third party breaches are increasing, they're not actually decreasing. And if you look at the latest report from the ACSC, like the third party breaches have increased in comparison to last year. And so what that shows us is there will probably be more of a focus on that from a regulatory perspective and even like a compliance perspective. But even like a framework perspective, I think a lot of frameworks will be adjusted and updated to include more around the supply chain cyber risk management. So I think it will become a heavier focus. This is KBcast, the voice of cyber.

[00:39:56] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:40:04] Speaker A: This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.