By Marc Lieberman, Third Party Cyber Intelligence, Citigroup Cyber Intelligence Center
Marc, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I’m a member of Citi’s Cyber Intelligence Center, one of the teams within our broader Cyber Security Fusion Center. While my day-to-day includes intelligence collections to help serve the varied needs of our own analysts, partner organizations within Citi, and our ever-expanding network of business contacts – as well as some core vendor management responsibilities – my real passion lies in my work leading our Third Party Risk Intelligence Program. Successes include alerting and comprehensive reporting on a number of major cyber events, escalation of intelligence-derived insights into third party compromises and suspected malicious activity, and work to enhance our supplier continuous monitoring. I’m proud of what we’ve accomplished to establish and better define processes to get the right information to the right people at the right time.
At the Vendor and Third-Party Risk USA conference, you will be speaking on your insight regarding ‘Leveraging intelligence to support third party risk due diligence across the life cycle’. Why is this a key concern right now? And what are the essential things to remember?
As threat actors (those looking to carry out malicious activity against enterprises and specifically via third-party channels) continue to evolve in intent, motivation, sophistication, and sheer numbers, cyber professionals (the good guys/gals!) must do everything we can to position ourselves to anticipate threats and threat activity earlier and earlier. We need to be able to look beyond disparate strings of information to discern nuance and context – to (as much as possible) move from reactive crisis response to an anticipatory state where we do everything we can to keep ourselves a step ahead of our adversaries. One of the ways to do this is to leverage intelligence to extract meaningful patterns and learning from past events. With advances in technology and our increased reliance on third parties, now more than ever – we need to expand our ability to tap into our existing knowledge base while continually expanding both our internal/external intelligence-sharing communities. We need to move beyond overreliance on processes to ensure that we’re also communicating with the people behind these processes to effect longer-term changes in behavior and habits.
What are some of the main challenges when bridging the gap between disparate teams to leverage internal knowledge?
Throughout this work, I’ve learned a great deal about the importance of really understanding another’s perspective and helping facilitate meaningful collaboration between teams and individuals. There is a certain degree of reluctance that comes more from a deeper understanding of existing processes and the, so to speak, ripple effect that introducing changes could bring that is not always understood and possibly could even be misinterpreted as the other party being “territorial.” This often comes from people representing different areas fundamentally speaking different languages. Especially with intelligence – something not always understood within the context of ultimately reducing risk (and specifically when operational or business risk is concerned) – it’s important to meet internal stakeholders on their own turf so that they better comprehend the value of what you’re trying to bring to them. There are those that get it better than others. One of the ways we’re working to address this is to firstly understand a business’ perspective when it comes to their risk tolerance and then work to educate them on why, as an enterprise, certain threats – if not addressed – will take us beyond our acceptable risk threshold as an enterprise. Another primary challenge we often encounter is trying to bridge the gap (and expand the conversation) between what we call “situational awareness” and “actionable intelligence.”
Please can you give our audience an insight into adding due diligence to all phases of the third-party life cycle?
As is well-known to this audience, our third party supplier relationships often exist over a long continuum. Any additional perspective we can attain at various points in time along this continuum can impact the overall relationship by helping us establish better and more concrete ways to ensure that, as an enterprise, we’re safeguarding ourselves in the long run. For example, the initial vendor selection process can be extremely manual – particularly when it comes to assessing information security risk. Utilizing a variety of resources, we get more information to businesses up-front, in advance of established processes, so that they have better visibility into issues or concerns that may impact the relationship down the line. Having said this, from a process and governance perspective, it’s essential that intelligence introduced at the earliest phases of the lifecycle (say, initial vendor selection and enhanced due diligence added at that point) be documented and appropriately carried through to others involved later (assessment and beyond). As world headlines involving major, globally-resonating cyber events have continued to draw focus, we’ve seen increased interest for enhanced due diligence and awareness at the business level, which is a very good thing indeed.
What is the importance of leveraging system-driven inputs and human analysis to explore tools?
Didn’t someone once say something like a tool is only as good as the person behind that tool (with some extreme paraphrasing on my behalf)? Throughout our third party risk intelligence journey, we’ve navigated a fine line between using new technologies and system-driven tools – of which there are many – to the value and perspective that human analysis provides to this process. From a resource perspective, we’ve concluded that there are things that it just makes more sense to outsource to an external provider or to use a tool or platform to derive. However, sole reliance on what we obtain externally (or via a system or tool) will never do as we’re extremely discerning and work a great deal to correlate findings from a variety of sources and, if you will, funnel these things through the sieve of our own internal knowledge. For example, while we may assimilate information from a variety of sources, it is the human mind and the continually-refined analytical approach that ultimately yields what we call “intelligence.” As we continue to explore new technologies, there will always be a good measure of human analysis in the mix.
How do you see the Vendor & Third-Party risk landscape evolving over the next 6-12 months?
There are many ways to answer this. Here are some ideas. As GDPR comes to bear, and with it mandatory notification when it comes to data breaches, I think that Internet of Things (or IoT) – or the vast (and increasing) number of devices connected to the internet – will make things more complicated. Companies developing new products are increasingly adding sensors to track and report performance as part of their effort to leverage technology to continually improve their products. This greatly increases the number of devices that are susceptible to being compromised and, with GDPR’s directives on notification to impacted individuals, this could cause a lot of challenges for organizations and third parties tasked with detecting and reporting incidents. Additional clauses about consent from customers/users – and the complexity added by GDPR requirements regarding one’s understanding about how one’s data is being used – will effectively mean that organizations/companies utilizing IoT devices will need to consider this even before rolling out these products to the public. From a third and fourth party perspective, this causes a lot of challenges – specifically as new requirements emerge which require organizations be able to divulge to clients exactly where their data is being stored/processed, etc.
Beyond GDPR, reputational risk continues to carry weight and the landscape of vendors and technologies that position themselves to reveal potential entry points for malicious activity and even rate companies based on their external-facing security hygiene will continue to receive attention. Given some of the perceived challenges with this risk rating space, financial services and other industries will need to continue to work together to establish accepted standards and fair practices for leveraging these types of technologies.