
Let’s Go Shopping: Third-Party Vendors and CyberRisk

BSides Las Vegas · 26:04 · Published 2025-12
About this talk
Identifier: HZTYYL

Description:
- "Let's Go Shopping: Third-Party Vendors and CyberRisk"
- Examines risks introduced by third-party vendors in cloud and AI ecosystems.
- Provides a framework for evaluating and onboarding vendors.
- Focuses on third-party risk management strategies to protect critical data.

Location & Metadata:
- Location: Proving Ground, Firenze
- Date/Time: Tuesday, 15:30–15:55
- Speakers: Meghan Jacquot, Rafael Ayala
Transcript [en]

Good afternoon everybody and welcome back to BSides Las Vegas Proving Grounds. This talk is titled Let's Go Shopping: Third Party Vendors and Risk by Rafael Ayala. And a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors Adobe and Iikido and our gold sponsors Drop Zone AI and Run Zero. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. So, if you haven't already done so, please set your phones to silent. If you have a question, you'll be using the audience microphone so YouTube can hear. As a reminder, the BSides Las Vegas photo policy prohibits taking any pictures. So, please refrain from taking any pictures. These talks are all being recorded and will be available on YouTube in the future. With that, without further ado, let's get started. Please welcome your speaker.

>> Hello everyone. First, just a mic check. Works for everybody in the room? Great. We're going to go shopping. We're going to go grocery shopping to better understand third-party risk management and how we can protect our businesses. As we go through this talk, we're going to go through some brief introductions. We're going to look at third-party risk broadly. We're going to consider criticality, inherent risk, and residual risk. We're going to take what we learned there and apply it as we go grocery shopping. And lastly, we'll turn that back to our businesses. So this talk is to help us empower our co-workers, family members and friends who are going to be buying products, who are going to be buying software. If you work in risk management or you work in cyber security, this might feel very surface, because this is again to help us empower our co-workers, families, and friends. The views expressed are my own and don't represent my company.

I'd like to introduce all my talks with Cyrano de Bergerac. Cyrano de Bergerac is a renaissance man, lots of interests, and he uses it for the public good. Similarly, people in cyber security have lots of diverse interests. We all come from different fields and we're doing this work to try to help others. For my own part, I got an undergrad in neuroscience and psychology. I've been a coach for 15 years in wrestling and track and field. I got a master's in philosophy. And before coming into cyber security, I was a high school math teacher. Like everybody here, super diverse backgrounds, and one of the things that cyber security has really helped foster is that type of inclusion.

So what is third-party risk management? We're going to consider it simply as the return on investment compared with the risks of impact. There's lots of products out there, software, AI; we're seeing these all grow with so many choices. How do we decide what we're going to go with? Well, I think we can use similar ways that we go grocery shopping to make up our minds.

Is this a product that I need or is this a product that I want? I might really like Cinnamon Toast Crunch, but my doctor might think that Cheerios is going to be better for me in the long term. Is this something that I already have? I might have three boxes of cereal at home. It might make sense to buy a fourth. We're all going to make a different decision there. And there's not really going to be a wrong answer. We're making that decision as we're comparing that risk and that return.

Now, getting a little more technical, we're going to consider criticality, or what I'm going to be calling the impact of the purchase. If I buy something, is it going to improve the return on investment for the organization, or does it open us up to more potential risks and loss? The inherent risk is what we're going to consider as the probability of impact if we buy a product. What is the probability that we will be affected? And lastly, exploring how the controls reduce our risk. So really exploring that residual risk from the controls that are in place, either from our own part or from our business's part or from other entities.

In risk management, we've all seen graphics similar to this where we're actually trying to plot this. What is the impact? What is the probability of that impact happening? Different companies will consider this differently. Some will be more conservative in their assessments and some will be a little bit more risk-forward. All companies have competing resources. So, as a third-party risk analyst, I need to decide with my company where I am going to invest a majority of my time. In this simple graphic, which is not representative of anything, it's just a graphic that I found online, there are 26 vendors. About eight of those vendors are in this colored zone and three are in that highest risk zone. If I'm working with a company that is very risk tolerant, maybe I'll only assess those three vendors in that highest zone. If I'm a little bit more risk-averse, maybe I decide to do an analysis on the eight vendors in the colored zone. If regulation requires that I do more assessments, maybe I will assess all of them. But again, there has to be a business decision made there with how much time we are going to invest in each of these assessments.

So now let's take what we just learned about impact and inherent risk, or probability, and we're going to go grocery shopping. So, for this part of the talk, I want everybody to take off their cyber security hat, put on your walking shoes. We're going to go through this grocery store and see how we do this all the time when we go grocery shopping. So, we're at the BSides conference. We want to get out of the conference for a little bit. We go to the grocery store and we're going to stop by the deli because it's lunchtime. We're hungry. We need to get something to eat. And for this part, feel free to speak up. I'll also repeat it for the recording. What are we thinking about when we're approaching that deli? What are the possible impacts that I might experience?

Cost, right? There's going to be a question of cost. I'm going to spend some money here, so my pocketbook is going to feel it. What other things am I considering as I'm going to the deli and looking to buy food?

>> Quality, right? What's a possible impact if the quality is low?

>> Tastes terrible.

>> It might taste terrible. Again, we're looking at cost. Maybe I bought a bad product. I don't want this product and I regret the purchase. Stomach issues. Maybe I bought a sandwich and the meat was a little bit older. It didn't taste very good. And even worse, maybe I get affected. Maybe I feel sick for the rest of the day. Can't attend the rest of the conference. Now, what's the probability of that impact being felt by us? I like that people are kind of nodding their heads side to side. It's ambiguous, right? We're dealing with ambiguity. Now, within a deli, we might consider that there are going to be store policies, government policies that will help reduce that probability. So, I'm going to place the deli food that I bought maybe in the second quadrant. The impact that I'll feel if the food is bad could be higher than in other cases, but the probability is low. There are controls that are in place, and we'll explore these controls more.

Now, continue shopping, realize that we need to get some cleaning supplies and paper goods. Using those same ideas, what's the impact of the paper goods being bad?

>> House stays messy.

>> It's inconvenient, maybe. So the impact's not going to be too high. Now at the stores, what's the probability again of the items being bad? Also not very high. They are rotating these items regularly to make sure that if the products are damaged, even if just the casing is damaged, they're not going to leave them out. So, we might consider that to be in that lower risk area.

All right, we keep going. We realize we have a barbecue this weekend. I need to get some meat for this barbecue. What are we thinking about on the possible impacts for this meat? The risk goes high, right? The risk rises. I see some people putting the thumbs up. What could happen?

>> Hm.

>> Same as the deli.

>> Same as the deli. There's going to be an impact there. And now we're dealing with raw meats that are going to have a lot more changes than we would have at the deli. The deli is going to have a lot more control. The meats are going to have some types of controls as well, but there are a lot more steps in between. So, we saw that the impact is going to be higher and also our probability seems like it's going to go up, mostly because of the number of steps between when we bought the meat and when we get home. So, I suggested that the meat might be a little higher. Again, there's no right answer with these. We're all going to make our decisions differently and we all have our own things to consider.

So, now we're going to go through the fruit section following the same ideas. If we have bad fruit, has anybody been to the grocery store and seen somebody grab a grape, just pop a grape in their mouth? What is that telling us about the confidence that we have in the fruit?

>> Low confidence.

>> High confidence, right? We have higher confidence because you're willing just to walk by and grab it, take a try at it. We're not doing that with the raw meats, right? So, we see that maybe the impact might be perceived as lower. What's the probability of the fruit going bad or being bad, not being bad on the shelves, but what's the possibility of the fruit being bad once we buy it? Has anybody ever bought a bag of oranges that had that one bad orange in it?

>> Yeah.

>> Yeah, you open that bag of oranges and there's that one green one in the middle and you saw it spread to the other four. So for raw fruits and vegetables, it might be a little bit higher, but again, we said that that impact might be a little bit lower. This has been probably one of the most fun sections to work on, because people see the risk on fruits and vegetables so differently. And again, there's no real correct answer. It's what are we willing to tolerate ourselves and then what are those around us going to be willing to tolerate as well.

Now for the last part of the store. Flowers.

>> They look good. They go bad pretty quickly at home. So what's our impact there?

>> Expensive.

>> Maybe you lost some money. Are we seeing it as having a higher impact than the paper goods or than the deli meats? Higher impact or lower impact? Pardon?

>> Maybe a little bit lower, right? And then if we're at the store, are they going to put out dead flowers? Hopefully not. If they do, you should probably not buy from their deli. Just keeping that in mind, right? So, we might consider that that is going to be a little bit lower of a risk and a lower probability. Now, what you didn't realize is it's not actually BSides Las Vegas. It's Valentine's Day. You are at the store and there's no flowers left. What was initially low impact and low risk just shot up, right? Having the right flowers could make the difference between sleeping on the sofa or not. Having ordered the flowers on time, right? That's the probability. Having ordered the flowers on time is also going to contribute to that difference. So, we see that it's a dynamic field. It's not going to be static. This is, I think, one of the things that we need to keep in mind within third-party risk management, and that we want to make sure that our co-workers, family and friends are keeping in mind. It is a dynamic field. It is not going to be static.

Looking at one more unexpected interruption: 2020, right? Who got stuck without toilet paper? I'll admit it. Okay. Here we saw that there are other things that affected the way that we perceive the impact. So first we said paper goods and cleaning supplies, quadrant 3, overall low impact, but then we saw what we actually felt when there was a disruption to the supply chain. Now I'm considering that we're not going to shift the probability up for this one, because it's not something that we expect all the time. If we did, we'd have a lot more people stocking up on toilet paper throughout the year, as compared to a point-in-time difference like what we saw in the Valentine's Day example. Any questions so far? Pardon?

>> There we go.

>> So, now we're going to start talking about the residual risks and what controls are there in place. So, we've talked about this a little bit. Let's talk about meats for a moment. What controls are there in place to make sure that the meats that we buy are safe?

>> Expiration dates, right? So, you have something from the producer, from the store itself. They're going to put the expiration date, their best-by date. And why do they do that? Just because of the goodness of their hearts?

>> Regulation.

>> Regulation. There's government regulation that's going to affect this. There's going to be company policy, so the store policy, the meat packers' policies. So we're going to see that there are layers and layers that help us make sure that the risk is reduced. Okay. A lot of times we see these regulations and policies as burdensome, and I think for those of us in the room that are working with co-workers that haven't thought about that yet, or that aren't thinking about that as a regular part of their practice, you might appreciate how this is felt. So, we've all, I at least have, experience where people say, "Why are you slowing me down?" And I think I've heard that throughout this conference. Why are you slowing me down? Why are you slowing me down? Let me just have the product so I could, you know, generate revenue. Okay.

Okay, looking at some other sections as well. In the deli, we already talked about store policy, also government regulation, right? There's food handling courses that people have to follow to make sure that the food is being handled safely. Okay, so I suggested earlier that what we can do is provide the schema to our co-workers and family and friends of how you already do this risk analysis on your own when you go grocery shopping.

Now we're going to bring it in-house. I'm going to ask us to only kind of put our cyber security hat on. Still suspend belief for a little bit. Now the examples that I'm going to use, again, are not meant to endorse anybody or meant to rebuke anybody. It's just cases that have drawn public attention, so I think everybody in the room will recognize them. If we're considering cyber security and business operations, where are we going to place HVAC systems?

>> Pardon?

>> Super high, quadrant one. Okay. For every business or for specific types of businesses? Okay, great. Anybody else?

Okay. So great. So we heard the perspectives, which is really the key takeaway here. From a cyber security perspective, if we already know what things have happened or, you know, how the connections work, then yeah, we're saying this might be a high-risk vendor. Without that view, we think about the business impact of an HVAC system, and unless you're a data center, it's not going to be felt quite the same. So initially we might think it's in that section two or three. Now cyber security, you can put that whole hat all the way back on. Now, in 2014 Target was breached, and the vector that they were breached through was their HVAC. That breach cost Target $162 million in expenses related to that breach. Okay. So we're seeing how our third-party vendors had a significant impact even when heating and ventilation is not a primary operation of Target. It's something that the store uses. It's for our convenience. We feel more comfortable in the store. It helps draw people in, especially if it's a hot day, but on their operation side, the sales, it's not going to affect them in the same way, and yet it led to a significant loss.

Now CrowdStrike. It's a well-established company, cyber security; they provide cyber security tooling. They've been a recognized leader in the industry, and now we're going to suspend belief for a little bit. It's 2020. Where are we placing CrowdStrike on this heat map? Maybe in quadrant two. So, I'm suggesting it's going to be in quadrant 2. I forgot that I put that back up already. It's 2020. Before we saw the impact that was felt, it was a company that already had rapport. It was established. It was recognized. We fast forward to the summer blues of 2024. We saw how big the impact was, right? We saw how embedded it was in so many places. Part of why they were able to get into so many systems is because they had that trust. So now we start to, again with more information, we're starting to understand how third-party risk is really a dynamic field. When it was first being reviewed, it's looked at as a company that's well established, has good controls, good policies in place. It wasn't until after their incident that most of us became aware, one, how widespread their impact could be and, two, where the vulnerabilities were, and then we ask ourselves, well, were they able to mitigate or remediate the situation? Now this has brought up a lot of controversy in the other times that I've given this talk, and again it's just showing us how dynamic this is and how, once trust is shaken, it's hard to get back.

Start bringing this back together now. I suggested that one of the things that we can do in third-party risk management to help our co-workers is get them to ask the same questions that they would ask when they go grocery shopping within the business: Is this something that I need or is this something that I want? Is this something that will affect my organization as a whole or my work personally? And have them consider that before they start making their requests. Is this something our organization already has? Especially with how many tools are coming out and the different types of tools, it might make sense to have more than one, for these examples, AI model. It might make more sense to keep one or to separate them out depending on what the business function is. So there's no right answer on whether you should just use one or have many, and how many can also be another question. But it is, again, seeing what's already available within the organization. Have them consider criticality and inherent risk in the same way that they would assess criticality and inherent risk in grocery shopping. What would the impact to the organization be if this tool goes down? And what's the probability of this tool impacting our organization? And lastly, and probably most controversially, asking the business owners, are you or your co-workers willing to own the risk of this purchase? And I'm not suggesting that we change the policies to say you are in charge of the risk here, but having them have that as a schema in their head that they're asking themselves, if this tool were to go down, would I be willing to accept that risk? And if their answer is no, then it's, one, informing them, and it's also helping inform us. So, we still have some time for questions. If anybody has questions or comments, do you have the mic? Okay.

>> Will your slides be available after? Okay.

>> Yeah. I'm planning on sharing them with BSides so they can share them out. I'm also going to just, you know, consolidate, so we're not going through all the click-throughs within the shared slides. Was this schema helpful? Do we think that we could apply this within our organizations? So I think one of the things, it's left some time, right? Okay, so one of the things that I'm trying to figure out is how do we get these kinds of talks to happen within our organizations, when first off, from our perspective, do we think that this would be a helpful schema to offer to our co-workers and employees?

>> How do you compare, I mean, with different products that have different vectors, how do you determine which vectors to actually measure the risk with?

>> So that I think is a question more on the operational side of TPRM, which this talk is trying to kind of pull back from. So that's something that we can talk more about on a Zoom call. But as far as just within the context of this talk, I think it stays a bit outside of the scope. Question up here.

>> So, I love the grocery store analogy, but the problem that I run into in our business is the person walking into the grocery store has never walked into the grocery store before and can't actually make the distinction of is this tool going to work or not work. Oftentimes, they've just heard from a co-worker or an acquaintance that, hey, this tool will solve your problem, and they have no idea what the actual landscape is. How do you solve for that?

>> Great question. So, I'm not sure if the mic picked that up. The question is, if the person asking for the tool can't know directly or doesn't know directly, they've gotten a suggestion from a friend or a co-worker. Is that on the lines? Okay. Again, so understanding the exact impacts and the exact risk or the exact probability is not going to be something that we're going to be able to know directly every time, right? So, we then can start to ask the questions about, well, what type of data is this touching? Is this touching everybody's calendar in the organization or just mine, right, for some of those project management tools? Is this going to touch, you know, we hear the term crown jewels in cyber security a lot. Will this touch the crown jewels of the company? And then from there, having that be their point to start from, and if they don't know, that's where third-party risk analysts can help support that and say, hey, you want to ask for this, let's see where it could impact. So to Jeremy's question, like, yes, that's where we come in and support more. This is trying to be the schema before they get to that point. So no direct answer to that, right, because it is that same question. You go to the store and there's a new type of cereal that you haven't had before. Your friend says it's good and, I don't know, they have different tastes. Maybe they like a lot more sugar than I do. So everybody's going to have a little bit of a different tolerance on that too. Does that answer the question?

>> Okay.

>> Hi, do you have an opinion about 27K certification or SOC 2? Because I'm a little bit skeptical, because if they are available, they really don't tell that much about the vendor and the security status.

>> So again, operational question. I think as an analyst, you have to jump in and definitely, you know, do your due diligence. So all the companies have to do the due diligence. It's a helpful place to start. I don't, again, my opinions, I don't think it's the end-all-be-all. It is a helpful place to start.

>> So I was curious, you were talking about vendors. How do you think about the impact and probability of doing something like getting a vendor or doing it in-house?

>> I think that's a great question, and I think it's, again, the question of resources. What resources do we have? Earlier there was a talk about leveraging resources, that there are tools that are part of leverage. So, you know, am I going to build up my own GUI for a graphic interface, right? I'm making charts. We make charts all day. Is it better to get Tableau or is it better to build a chart in-house? That really goes back to a question of resources. If our business is built around building graphics, let's build that in-house. If that's not part of our business function and it's something that we need, then we start to explore that. Does that make sense?

>> I really think that goes back to what are the resources? If we have all the resources and people, then yeah, build it in-house. We have limited resources, which is part of why we go to these tools that are supposed to help us be more efficient and take care of some of that heavy lifting. I think that's a great question.

>> Also, I worked for Target right after they had that breach, and it had a very big impact even on the people who worked in the stores. So, yeah,

>> Sorry to hear.

>> Something that had nothing to do with us, like it affected us even emotionally. So, yeah, I just wanted to share that.

>> Thank you so much. I think we're at time there. So just one more slide. If anybody wants to speak outside, I'm more than happy to. Really want to thank BSides for this opportunity and also carpent for mentoring me in giving this talk, and thank you all for coming.