
Step Up Your Data Security Against Third-Party Risks


This presentation was delivered to the Hacks & Hops event attendees in the Spring of 2019. The event featured a short keynote followed by a moderated panel discussion. The panel experts provided excellent guidance for all risk managers, CISOs, vendor managers, etc.

Published in: Business

  1. #hacksandhops
  2. WELCOME! DEFEND! STEP UP YOUR DATA SECURITY DEFENSES AGAINST THIRD-PARTY RISKS
     Several notes:
     • Please remember to silence your phone
     • Post using #hacksandhops, and check out the Snapchat filter
     • You can download this presentation at the end
  4. KEYNOTE: EVAN FRANCEN, Founder & CEO, FRSecure
     • Founder of FRSecure® and SecurityStudio®
     • Co-inventor of FISASCORE® and VENDEFENSE®
     • Author of UNSECURITY
     • 25+ years of “practical” information security experience
     • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
     • Member of the Forbes Technology Council
     • Written more than 750 articles about information security; dozens of television and radio appearances
  6. BEFORE WE GO MUCH FURTHER… Why should you care about your vendors?
  7. VENDORS ARE A SECURITY RISK. Don’t believe me?
     • Only 35% of enterprise security professionals are very confident in knowing the actual number of vendors accessing their systems.
     • Only 52% of companies have security standards for third parties.
     • Just 34% know the number of individual log-ins that can be attributed to vendors.
     • 69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year.
     • On average, organizations spent $10 million responding to third-party breaches over a 12-month period in 2016.
     • 63% of all cyber attacks could be traced either directly or indirectly to third parties.
     Sources: Bomgar survey, PwC, Soha Systems, CSO Online
  8. FOUR APPROACHES TO VRM: Where do you fall?
  9. FOUR CATEGORIES OF ORGANIZATIONS: GOOD, PARTIAL, PAINFUL, NONE
     Where organizations stand:
     • Doing VRM using an internal process that is working
     • Doing VRM but using spreadsheets or some other messy solution
     • Not doing VRM but know they should
     • Not doing VRM but don’t think they need to
     Common issues:
     • Several people having to work on VRM
     • Knowing who all your vendors are
     • Categorizing “high risk” vendors
     • Gathering accurate vendor information
     • Tracking and acting on results
     • Keeping up with scheduling
  10. WHERE DO YOU FALL? NONE. Several reasons, including:
     • You just didn’t/don’t know any better.
     • You don’t know where to start.
     • You’ve tried before and gave up due to complexity or shifting priorities.
     • You don’t see the value in establishing a good third-party information security risk management program.
     • You don’t have the time or money.
     • Executive leadership does not feel it is a priority.
     • Other?
  11. WHERE DO YOU FALL? PAINFUL
     • Trying to do VRM, but it’s painful.
     • Want to do the right thing.
     • Forced to do it.
     • Usually manual, difficult to manage, disruptive and subjective.
     • Overall ineffective at managing risk, and defensibility is variable.
     • The painful approach is expensive and a waste of valuable resources.
  12. WHERE DO YOU FALL? PARTIAL
     • Only covers part of “information security”.
     • Information security is managing risk to information confidentiality, integrity, and availability, considering administrative, physical, and technical controls.
     • Typically focused on technical controls because they’re easy to assess; however, aren’t people the greatest risk?
     • Good at the part it covers, but not likely to address how breaches will actually occur; partially defensible.
     • The partial approach is incomplete and leads to a false sense of security (sometimes worse than no security at all).
  13. WHERE DO YOU FALL? GOOD
     • Rare, but effective and streamlined.
     • Doesn’t compromise on our definition of “information security”.
     • Simplified: no unnecessary steps; easy to follow.
     • Standardized: objective, with the same process for all third parties.
     • Defensible: logical, organized, objective, auditable and completely effective.
  14. STANDARDIZE: One-Offs Hurt
  15. STANDARDIZE
     • Once we’ve established the standard process, don’t deviate unless it’s absolutely necessary.
     • If deviations from the standard process must be made, make sure they’re documented and signed off on.
     • Each deviation from the standard process erodes defensibility.
  16. STANDARDIZE
     • Big vendors (Microsoft, Google, Amazon, etc.) may not participate in our VRM process; these are common deviations and are exceptions that can easily be explained should something bad happen.
     • Standardization comes through documentation, training, and automation. Every step in the process that can be automated should be automated.
  17. DEFENSIBLE: The True Motivator
  18. THE TRUE MOTIVATION: DEFENSIBILITY
     • Defensibility in your VRM is arguably the most significant “why” for doing it in the first place.
     • If/when something bad happens, the parties you must defend against are no longer just attackers; they become customers, regulators, opposing counsel, etc.
  19. THE TRUE MOTIVATION: DEFENSIBILITY
     • Ask yourself about defensibility constantly during VRM activities. Examples:
       • How many vendors do we have? Defensible?
       • How many high-risk vendors do we have? Defensible?
       • Have you vetted all high-risk vendors? Defensible?
     • Non-definitive answers (assumptions, guesses, etc.) are more likely to be indefensible.
  20. PANELISTS
  21. PANELISTS: MILINDA RAMBEL-STONE, Vice President & CISO, Provation
     • BIO INFORMATION
  22. PANELISTS: TODD THORSEN, CISSP, CISM, CIPP/US, Senior Manager, Information Security, Risk Management & Compliance, Code42
     • BIO INFORMATION
  23. PANELISTS: ARIN BROWN, Chief Technology Officer, SeaChange
     • BIO INFORMATION
  24. PANEL DISCUSSION
  25. QUESTIONS?
  26. NEXT HACKS & HOPS: PLACEHOLDER
  28. WANT THIS PRESENTATION? Text DEFEND19 to 555888 to get a copy of this slide deck.
  29. THANK YOU!
  30. THANK YOU! DEFEND! STEP UP YOUR DATA SECURITY DEFENSES AGAINST THIRD-PARTY RISKS
     Several notes:
     • Last call at 4:40; head downstairs by 5
     • Share your opinion with Andy
     • Keep posting using #hacksandhops to appear on our social wall