By Tom Garrubba, Senior Director & CISO, Shared Assessments & The Santa Fe Group
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I am a Senior Director and the CISO at The Shared Assessments Program; a member-driven program recognized as the global trusted authority in helping organizations of all sizes protect against third party risk. I am one of the primary instructors for the Shared Assessments Certified Third Party Risk Professional (CTPRP) and Certified Third Party Risk Assessor (CTPRA) programs that certify competence in third party risk. I am also an active writer and blogger on business IT and third party risk. I also bring to our membership the view of a practitioner in the third party risk space. Prior to joining Shared Assessments, I was a Senior Privacy Manager at CVS Health in the US where I implemented and managed their third party risk program. I helped to establish it, develop it, refine it, and monitor it, fine-tuning it into a world-class third party risk management program per our external auditor firm. I have also held various security, audit, and compliance positions in the private sector, notably banking and manufacturing, as well as IT audit roles in public consulting.
My current focus is to educate – officially through the certification classes, and informally through writing, speaking and consulting with members and non-members on challenges that impact third party risk programs.
What, for you, are the benefits of attending a conference like the Vendor and Third Party Risk Europe 2019 and what have attendees learnt from your session?
The threat landscape and regulatory environment are constantly shifting. Conferences are a great opportunity to dialogue with a variety of people and perspectives about how, as risk professionals, we can meet those challenges. I provide a point of view and also listen to what obstacles practitioners are facing. And I always leave the conference smarter than when I arrived.
Business resiliency is an important and timely topic. Regulators the world over are asking harder questions on this topic and are requiring deeper documentation to evidence you’re on top of thinking through these challenges. I pushed the discussion on what to focus on regarding identification of critical functions and provided a glimpse of what auditors and regulators may want to see from you.
In your opinion, how can we look to effectively test exit plans and update them manually?
I’ve rarely seen organizations test an exit strategy. Usually, they’ve rigorously scrutinized the vendor and have invested much time, money and effort into developing such a solid relationship with them that they do not want to let them go. When you have such a relationship it’s very difficult, timely and expensive to try to separate, so they often reason “why bother?”.
When it comes to actual continuity testing, I’ve seen companies conduct testing in “phases” over time, or even test a single critical function once. When they do test, they tend to use small samples for their testing, which is not the most effective technique. Testing strategies should be mutually agreed upon by the business unit or units and the vendor with an understanding as to the actual representative sample of their transaction volume.
Additionally, if the vendor provides services to multiple business units, it’s wise to have a process or function recovery priority list and recover these in the agreed-upon order. An optimal test strategy is to do this during the normal course of business to resemble, as closely as possible, an actual business continuity scenario.
What are the key considerations that need to be made if suppliers do not deliver?
The rules are constantly changing as regulators are applying additional scrutiny to what you have tested with your critical providers and making sure you have prioritized these adequately.
It’s important to have key performance indicators (KPIs) built into the contract and the means to monitor these. If the vendor is not hitting these KPIs consistently then you need to be prepared to look for alternatives. You should also periodically re-evaluate any key risk indicators you may have and get these into the contract as an addendum.
What are best practice methods for successful processes for longer supply chain resilience?
Perform and provide the analysis into the prioritisation of recovery for your processes or functions, particularly for those that are cross-departmental. Document everything that you do and test. I educate people to try and think like an auditor; what would they want to see? If you can have that “Devil’s Advocate” mindset, it will serve you well.
For longer durations, have in the contract a testing schedule for the processes or functions and the expectations, including testing locations if needed. Additionally, inform your vendor as to when you plan to re-assess them based on the scope(s) of work they’re providing to ensure they’re maintaining a cyber-resilience posture along with their typical business continuity and recovery plans.
Lastly, be prepared to explain your test plan, provide evidence of your test results, and expect to reply to next steps in the event key recovery indicators (e.g., recovery time objective, recovery process objectives, etc.) are not met. They may also ask you about alternatives – either new vendors or the possibility of moving the function in-house. Regardless of how the conversation goes, be prepared with documentation.
How do you see the impact of third party risk evolving over the next 6-12 months?
I see outsourcers asking third parties how they are addressing IoT (Internet of Things) devices within their enterprise. This ties directly into the vendor’s cyber resilience and into your own business and disaster recovery efforts. Many security professionals are predicting that IoT breaches are going to be on the rise and assessing and questioning your vendor’s cyber resilience is just as important as business recovery.