Brad Keller, JD, CTPRP, Senior Director, Third-Party Strategy, Prevalent Networks, examined third-party vendor risk management and how today's businesses can bridge gaps in a cyber security program in his presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in New York on Feb. 2. In his presentation, "A Smarter Approach to Third-Party Vendor Risk Management," Keller provided tips to help businesses identify and address third-party vendor cyber security threats.
According to Keller, the success or failure of a business' cyber security program often is dictated by the company's third-party vendors.
"Your cyber security program is only as secure as the cyber security program of your key and critical business partners," Keller stated. "[Your third-party vendors] are your critical business partners, and they're the key to [your cyber security program]."
Companies must find out how their third-party vendors handle cyber security dangers. If a company uses a third-party vendor that lacks the necessary cyber security programs and protocols, the business, its employees and its customers may be at risk.
"Not only do you have to manage [your cyber security program], but you need to make sure that your partners are managing [your program] as well," Keller noted. "If you're struggling with [cyber security], imagine what's happening with your vendors."
Furthermore, Keller stated many businesses understand that cyber security threats exist, but few companies know how to address such issues effectively. The lack of cyber security insights – and the inability to generate these insights day after day – may cause serious problems for companies of all sizes.
Keller also pointed out that cyber security assessments usually are insufficient. In many instances, these assessments can be costly and time-consuming and fail to provide businesses with real-time cyber security insights.
"When you think about the time it takes to do a [cyber security] assessment of a critical vendor … it is a time-consuming process," Keller said. "Regardless of the assessment that you do, the numbers indicate that you'll spend about 50 percent of your assessment time sending out your assessments and performing due diligence."
In addition, Keller noted cyber security assessments often provide cyber security insights that are relevant for only a short period of time.
"[An assessment] takes place at a static point in time," Keller pointed out. "The information isn't good the day after it was written up because you don't know what is going to change."
A unified approach to threat management can make a world of difference for businesses. This approach ensures companies can learn about prevalent cyber security threats, find out the sources of these problems and respond accordingly.
To take a unified approach to threat management, Keller said a business must focus on three areas:
Keller indicated that businesses must be able to classify their third-party vendors based on the types of data they use, systems accessed and availability. Companies also should examine whether a vendor stores data on- or off-site.
Moreover, businesses should evaluate the role that a third-party vendor plays in a company's day-to-day operations. By doing so, companies can determine what types of data that this vendor should be able to access and implement cyber security protocols as needed.
"It's not just the system that they go into, but also the systems where they can go," Keller said. "You've really got to think about the authorization that you provide."
2. Threat Intelligence
Threat intelligence can make or break a business, and it is easy to see why.
Keller stated ongoing threat intelligence provides businesses with real-time insights into how a third-party vendor evaluates cyber security dangers. He pointed out that threat intelligence may provide cyber security insights beyond those that businesses can obtain with traditional cyber security assessments as well.
"[Threat intelligence] solves the point in time dilemma. It solves the stale data dilemma," Keller said. "It's giving you more real-time access and real-time information about what's happening with your vendors."
Many third-party vendors are developing cyber security information packets that show how these companies handle cyber security issues. The packets offer valuable cyber security insights and may make it easy for companies to determine whether to work with various third-party vendors.
"I think the future looks at how you share information," Keller said. "With collaboration, we're not talking about you sharing risk controls; we're talking about sharing data."
With the right approach to cyber security, companies can make more informed decisions to protect their sensitive data. In fact, businesses that allocate the necessary time and resources to understand the cyber security landscape may be better equipped than other companies to minimize cyber security threats both now and in the future.
Brad Keller has been developing and leading risk management programs for more than 25 years. During this time Brad has developed and implemented vendor and business risk management programs at several financial institutions that have substantially improved risk management while also passing federal regulatory scrutiny.
Focusing on the risk of doing business online, he has implemented leading-edge programs for the identification and mitigation of identity theft and online fraud. He has testified on behalf of the financial services industry at Congressional hearings on customer privacy issues, and is a frequent member of financial industry-led initiatives that address issues related to risk management, anti-phishing, online fraud, customer privacy, and authentication.
Today, Brad is the Senior Director of Third-Party Practice Lead at Prevalent, where he focuses on the delivery of Prevalent’s third party risk management and assessment solutions, and the consulting to support those solutions.
Prior to joining Prevalent, he was a Senior Vice President with The Santa Fe Group focusing on the management of the Shared Assessments Program. At Shared Assessments he led the development of Shared Assessments tools, training, and the risk management professional certification program.
Brad graduated with honors from the University of Missouri with a B.S. degree in Finance and received his J.D. with honors from St. Louis University School of Law. He is admitted to practice law in Oklahoma.