Governance, Risk & Compliance

Governance, Risk & Compliance
What are some approaches to security reviews of third-party vendors that are more effective than questionnaires?

Top Answer : When I went to Cylance, I approached it differently than I had before, partly because I had a greenfield. When Stuart McLaren and I sat down to talk about it I said, “Let's decide what the design goal is. I have a safe in my house and I know it can withstand two hours of a fire at a certain temperature. I understand that the variations change, but let's start with a design goal.” Our design goal was that only a nation state actor should be able to get in and they should have to work for it. We validated whether we’d met that design goal when we did our external penetration testing. I didn’t care if they had to pop an executive system in their home system to pivot in. They ended up having to develop a zero day and it took three weeks for the Dell systems management tool to pop a system. We were on it in under 10 minutes; we were elated that we could do that. Being at a security company now, I've started using that approach: establish the design goal and then figure out some way to validate it. That way I have a story that I can tell so that people trust me beyond the questionnaire. And I ask my suppliers the same question: what's your design goal for this security program? If they don’t understand, you ask them which level of threat actor they have in mind, and how much effort is involved. It simplifies the entire dialogue because if they don't know, then you should probably be worried. I'm in the process of turning that into a trust and security white paper so that I have a narrative that makes it easier for them to actually think about this, which means you're probably doing it better than you would if I send you 200 questions.

Should there be legislation designed to create better cybersecurity regulations for small- and medium-sized businesses (SMBs/SMEs)?

Top Answer : We have financial audits that happen quarterly, as well as annual ones, so maybe we should have something similar in the data security space. There should be at least a minimum requirement that a company has to meet to store data, especially personal data.

Related Tags

What is the current state of ransomware attacks? What level of defense and preparedness do companies have from their backup support?

What's a greater concern for returning to the office? Comment how you are prioritizing...

Top Answer : The majority of our focus is definitely on the human factors as the technical factors are mostly related to things we had to solve as we went distributed.  We will need some additional technical stuff to support the human factors (eg. scheduling software to limit the # of people in the office at the same time) but solving the human factors of helping people to feel comfortable, ensuring that safety precautions are being followed, etc... are much harder and why it will be a while before we go back.

How do you establish the proper scope for third-party supplier risk management?

Top Answer : With regard to scope, it's almost too narrow if we just stay within the typical IT domain or cloud capabilities, etc. At Cylance, we were in shared buildings, so the property management and building supplier were a concern, as were outside law firms. When Cylance was being acquired by Blackberry, the banker was a concern. At Intel, Applied Materials was a manufacturing supplier for equipment used to manufacture processors, so that was a concern. Sometimes we get too myopic on the IT stuff, versus looking at those other third parties and vendors that aren't in our typical scope. In some cases, these create a more dramatic risk portrait that we have to manage. My philosophy is don't go along to get along. We have to get things done and sometimes there's only one right approach.

Government Response to Cybersecurity: The Tech Leaders’ ViewGovernment Response to Cybersecurity: The Tech Leaders’ View

What are the perceptions of recent US Governmental actions to address cybersecurity?

Do you think insurance companies will eventually stop offering cyber liability?

Top Answer : Insurers just won't insure certain things if they’re too risky. They provide the insurance because they're effectively making a hedge that they'll make more money on the premiums. Cybersecurity is one of the things that can have a catastrophic loss impact; if they're forced to have a catastrophic loss impact with enough frequency, then it becomes better for them to step out of the space because they won’t make any money on it. The worst case scenario is that cyber insurance gets super expensive and the only people who can afford it are the people who don't need it. When I was at JP Morgan, we actually considered putting $100 million into a fund and letting our trade desk invest it, which is effectively saying, "If we don't have a breach in 10 years and we can grow this at 10%, we're going to have over a billion dollars, and we can self-insure forever then.” I think you have to have different calculus, but liability insurance is really valuable for more mid-market enterprises, where a $30 million policy is truly meaningful to them.

How are companies coping with rising premiums for cyber insurance? Is self-insuring a feasible solution?

Top Answer : There are plenty of models where organizations self-insure. If you look at a retail organization, they will largely self-insure on product loss, waste. It becomes a cost of doing business. Or, if you're selling sandwiches and you have a bunch of meat at the end of the day—you can't sell it, so you'll throw it away. There are a lot of examples of how organizations can self-insure, but the challenge is that it takes away an aspect of protection for a lot of the organizations that cannot afford to self-insure. About 47% of the US GDP is the SMB market. They can barely grasp cybersecurity and when you think about it from that perspective, we have to have guardrails and things that enable them to be successful, otherwise the only ones that will be theoretically safe are the super big fish that can pay vast salaries, say, "We'll just add another $300 million a year or we'll lose the cyber stuff," and then just go from there.

Related Tags