Maturing 3rd Party Vendor Risk Programs
GORDON SHEVLIN, CEO, ALLGRESS
TONY UCEDA VELEZ, CEO, VERSPRITE
SCOTT TAKAOKA, VP BUS. DEV., VERSPRITE
MARCH 1, 2016
Slide 2
Agenda
Programs That We See Today
• Program definition of risk – often legal, financial, reputational, cyber
• More mature assessing financial risk, least mature assessing cyber-risk
• Ramping programs/where to start – product, asset or organization centric
• Moving from audit related to active risk management
Diagram: Legal / Business Risk / Security
Slide 3
VRA Program Maturity Study
* SHARED ASSESSMENT, 2015, VENDOR RISK MANAGEMENT STUDY

Category                         | C-Level | VP/Director Level | Manager Level
Program Governance               |   2.9   |        2.8        |      3.2
Policies, Standards, Procedures  |   2.8   |        2.8        |      3.0
Contracts                        |   2.7   |        2.8        |      2.8
Vendor Risk ID and Analysis      |   2.4   |        2.7        |      2.5
Skills and Expertise             |   1.9   |        2.1        |      2.7
Communication and Info Sharing   |   2.2   |        2.3        |      2.6
Tools, Measurements and Analysis |   2.0   |        2.3        |      2.9
Monitoring and Review            |   2.6   |        2.7        |      2.8
Slide 4
Takeaways – Discomfort at C-level
Challenges
o Understanding risk of cyber-attack
o Communicating risk
o Resourcing/improving VRA process
Slide 5
Understanding Risk
o Single framework-based approaches focused on security are common
o “Check box”, considered in its own silo
o Often lacks granularity and context for accurate measurement of vendor risk
Diagram: Security Posture
Slide 6
Expanding Context for VRA
o Business/compliance context – more comprehensive view
o Map controls to business operational impact
o Consider hybrid – ex. NIST CSF + HIPAA
Diagram: Business / Compliance Impact, Security Posture
Slide 7
Expanding Context for VRA
o Business/compliance context – more comprehensive view
o Map controls to business operational impact
o Consider hybrid – ex. NIST CSF + HIPAA
o Threat provides focus for controls
o Which controls are most important
Diagram: Business / Compliance Impact, Security Posture, Threat
Slide 8
How? Organizational Threat Model
o PASTA (process for attack simulation and threat analysis)
o Business impact – examine outsourced process
o Threat
  o Identify top threats, map to processes then vendors
o Now evaluate security posture
  o Identify key controls
  o Identify metrics + sensitivity
  o Identify remediation opportunities
Diagram: Business / Compliance Impact, Security Posture, Threat
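The sequence on this slide (business impact of outsourced processes, top threats mapped to processes and then to vendors, security posture judged by key controls, remediation opportunities) can be run as a small scoring model. The following is an added example written for this summary, not code from Allgress, VerSprite or the PASTA methodology itself; the processes, threats, vendors, control names and 1..5 impact and likelihood scales are all constructed, and the residual-risk formula (likelihood x impact x fraction of key controls missing) is an assumption chosen to keep the walk-through simple.

```python
"""PASTA-style organizational threat model applied to outsourced processes.

Added example for this deck, not code from Allgress or VerSprite. All
processes, threats, vendors, control names and scores are constructed.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    impact: int         # business impact if the process fails: 1 (low) .. 5 (critical)
    vendors: list       # vendors the process is outsourced to


@dataclass
class Threat:
    name: str
    likelihood: int     # 1 (rare) .. 5 (expected)
    processes: list     # outsourced processes this threat can reach
    key_controls: list  # controls that mitigate it; used to judge security posture


# Step 1, business impact: constructed inventory of outsourced processes.
PROCESSES = [
    Process("claims processing", 5, ["VendorA", "VendorB"]),
    Process("marketing email", 2, ["VendorC"]),
    Process("payroll", 4, ["VendorB"]),
]

# Step 2, threat: constructed threat list mapped to the processes it reaches.
THREATS = [
    Threat("phishing leading to account takeover", 4,
           ["claims processing", "payroll"], ["MFA", "awareness training"]),
    Threat("unpatched internet-facing service", 3,
           ["claims processing", "marketing email"], ["patch SLA", "external scanning"]),
    Threat("insider data exfiltration", 2,
           ["payroll"], ["DLP", "access review"]),
]

# Step 3, security posture: constructed vendor survey results (controls in place).
VENDOR_CONTROLS = {
    "VendorA": {"MFA", "patch SLA"},
    "VendorB": {"awareness training"},
    "VendorC": {"patch SLA", "external scanning", "MFA"},
}


def top_threats(threats, processes, n=2):
    """Rank threats by likelihood x the highest impact among the processes they reach."""
    impact = {p.name: p.impact for p in processes}
    scored = sorted(threats,
                    key=lambda t: t.likelihood * max(impact[p] for p in t.processes),
                    reverse=True)
    return [t.name for t in scored[:n]]


def vendor_risk(threats, processes, vendor_controls):
    """Residual risk per vendor and the key controls each vendor is missing.

    For every (threat, process, vendor) path the contribution is
    likelihood * impact * (missing key controls / key controls), so a vendor
    that has every key control for a threat contributes nothing for it.
    """
    by_name = {p.name: p for p in processes}
    risk = {v: 0.0 for v in vendor_controls}
    gaps = {v: set() for v in vendor_controls}
    for t in threats:
        for pname in t.processes:
            proc = by_name[pname]
            for v in proc.vendors:
                have = vendor_controls.get(v, set())
                missing = [c for c in t.key_controls if c not in have]
                fraction = len(missing) / len(t.key_controls)
                risk[v] += t.likelihood * proc.impact * fraction
                gaps[v].update(missing)
    return risk, gaps


def remediation_plan(threats, processes, vendor_controls):
    """Vendors ordered by residual risk, each with the controls to ask for first."""
    risk, gaps = vendor_risk(threats, processes, vendor_controls)
    return [(v, round(risk[v], 1), sorted(gaps[v]))
            for v in sorted(risk, key=risk.get, reverse=True)]


if __name__ == "__main__":
    print("Top threats:", top_threats(THREATS, PROCESSES))
    for vendor, score, missing in remediation_plan(THREATS, PROCESSES, VENDOR_CONTROLS):
        print(f"{vendor}: residual risk {score}, missing {missing or 'nothing'}")
```

With the constructed data, VendorB comes out highest because it sits behind two high-impact processes and lacks most of the key controls, while VendorC scores zero despite supporting a process, since it already holds every key control for the one threat that reaches it. That is the point of adding the threat layer: the controls to chase first are the ones that close a path from a real threat to a high-impact process, not the whole checklist.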
Slide 9
Path to Automation
o Ensure controls are commensurate with maturity level of program
o Measurable – ensure control activities can be collected and expressed in metrics
o Understand the impact of controls on the business
o Measure over time

Simple Metric                         | Intermediate                                                   | Value Add
Yearly policy review                  | # of security technical standards                              | Demonstrates sustainable governance program
# High risk items remediated <30 days | % of control gaps remediated                                   | Shows a process for addressing security gaps
Participation % in awareness training | Social engineering ploys foiled by employee security awareness | Demonstrates successful operationalization of security
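Two of the metrics in the table, "# High risk items remediated <30 days" and "% of control gaps remediated", fall straight out of a findings log once each gap carries an opened and a remediated date, and sampling the second one at month ends gives the "measure over time" view. The block below is an added example for this summary, not Allgress or VerSprite code; the finding records, vendor names, severities and dates are constructed, and the record layout is an assumption made for the example.

```python
"""Vendor-risk metrics derived from a findings log and tracked over time.

Added example for this deck, not Allgress or VerSprite code. Computes the
"# high risk items remediated <30 days" and "% of control gaps remediated"
metrics from constructed finding records and samples the second one at
several dates so the trend can be reported.
"""
from datetime import date

# Constructed findings: (vendor, control gap, severity, opened, remediated or None).
FINDINGS = [
    ("VendorA", "MFA",                "high",   date(2016, 1, 5),  date(2016, 1, 20)),
    ("VendorA", "external scanning",  "medium", date(2016, 1, 5),  None),
    ("VendorB", "patch SLA",          "high",   date(2016, 1, 12), date(2016, 3, 1)),
    ("VendorB", "DLP",                "high",   date(2016, 2, 2),  date(2016, 2, 25)),
    ("VendorB", "access review",      "low",    date(2016, 2, 2),  date(2016, 2, 10)),
    ("VendorC", "awareness training", "medium", date(2016, 2, 15), None),
]

# Constructed reporting checkpoints: the three month ends of the quarter.
MONTH_ENDS = [date(2016, 1, 31), date(2016, 2, 29), date(2016, 3, 31)]


def high_risk_closed_within(findings, days=30):
    """Simple metric: count of high-severity gaps remediated in under `days` days."""
    return sum(1 for _, _, sev, opened, closed in findings
               if sev == "high" and closed is not None and (closed - opened).days < days)


def gap_remediation_pct(findings, as_of):
    """Intermediate metric: percent of gaps opened by `as_of` that were closed by then."""
    opened = [f for f in findings if f[3] <= as_of]
    if not opened:
        return 0.0
    closed = [f for f in opened if f[4] is not None and f[4] <= as_of]
    return round(100.0 * len(closed) / len(opened), 1)


def open_gaps_by_vendor(findings, as_of):
    """Which vendors still carry open gaps at `as_of`, for remediation follow-up."""
    result = {}
    for vendor, control, _, opened, closed in findings:
        if opened <= as_of and (closed is None or closed > as_of):
            result.setdefault(vendor, []).append(control)
    return result


def remediation_trend(findings, checkpoints):
    """Measure over time: the remediation percentage at each checkpoint date."""
    return [(d.isoformat(), gap_remediation_pct(findings, d)) for d in checkpoints]


if __name__ == "__main__":
    print("High-risk items closed <30 days:", high_risk_closed_within(FINDINGS))
    for day, pct in remediation_trend(FINDINGS, MONTH_ENDS):
        print(f"{day}: {pct}% of control gaps remediated")
    print("Still open at quarter end:", open_gaps_by_vendor(FINDINGS, MONTH_ENDS[-1]))
```

The remediation percentage is computed against the gaps that existed at each checkpoint, not the whole log, so a wave of new findings in February lowers the February figure rather than being hidden by earlier closures; that is the behaviour to want if the metric is meant to show a working process rather than a flattering number.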
Slide 10
Communicate Risk
Slide 11
Modular Solution
Insight Risk Management Suite modules:
o Vulnerability Analysis
o Security & Compliance Assessment
o Risk Analysis
o Incident Management
o Policy & Procedures
o Third Party Vendor Management
o Risk Register
Slide 12
The Allgress Solution
o Centralized data facilitates seamless oversight of the entire risk, security, and compliance management life-cycle
o Automated prioritization allows organizations to efficiently remediate what matters most
o Real-time reporting presented in a business context enables communication amongst IT stakeholders up to senior management
Slide 13
Vendor Risk Management
o Automatically identify high-risk vendors
o Out of the box surveys and/or customizable survey generation
o Rapid turnaround with accelerated response times
o Alleviate manual efforts with automated workflows and notifications
o Comprehensive reporting with real-time status updates
Slide 14
Vendor Risk Management
Slide 15
Policy Module
o Map policy to both regulatory standards and frameworks
o Centralized repository for all information and security policies
o Author, review, and publish policies to your organization’s user community
o Library with over 2,000 policies
o View past, present, and draft versions of policies in the same location
o Easily identify version differences through versioning and archiving capabilities
Slide 16
Risk Module
o Enable prioritization of security budgets and expenses based on the probability of adverse events, and prioritize remediation tasks based on evaluated risks
o Security risk scenario modeling provides organizations with insight into how decisions impact risk
o Heat-map bubble charts display associated risks of business units, networks, asset type and asset groups
o Risk communicated in a business relevant context
Slide 17
Partnership to Improve VRA Process
o Controls and metrics development
o Organizational threat modeling
o Vendor risk assessment as a service
o Automation support in Allgress
o Extend findings into Allgress risk register and other modules