Navigating the Risk Landscape Ahead: Where We’re Heading and Risk Intelligence’s Key Role
December 8th, 2022 • Hannah Tichansky • Reading Time: 7 minutes
As the cyber threat landscape and ESG requirements continue to grow, business leaders realize they need to take a comprehensive approach to managing risks in their extended enterprise. Aravo’s Colin Campbell sat down with Jeffrey Wheatman, SVP & Cyber Risk Evangelist at Black Kite, and Aravo’s CTO, Eric Hensley, to discuss how automation is opening up risk assessment and risk intelligence opportunities, and why integrating these tools is so important in identifying risk exposures.
Colin Campbell: Eric and Jeffrey, can you both introduce yourselves?
Eric Hensley: My name is Eric Hensley, I’m Chief Technology Officer at Aravo. I’m responsible for our product strategy and delivery. So, I have many years of experience building third-party risk management programs, cybersecurity risk management programs, and the use of automation in risk intelligence data and analytics to solve this problem at scale.
Jeffrey Wheatman: I’m Jeffrey Wheatman, Senior Vice President and Cyber Risk Evangelist for Black Kite. We are a streaming service vendor that provides data, insight, and input into third-party risk management, GRC, IRM, etc. Prior to Black Kite, I spent two decades in advisory and consultative roles working with executives and practitioners on how to better manage risk. In my current role, I’m focusing a lot more on third-party risk, vendor risk, and supply chain risk management, which are increasingly becoming inordinately outgrown components of enterprise-wide risk management.
Colin: There have been interesting cyber data points that Black Kite was involved in. Can you share more?
Jeffrey: We found that a significant proportion of organizations that we have data on, 70% of them, are highly susceptible to ransomware, which is one of the biggest, if not the biggest, attack vectors that folks are struggling with. We looked at 2,400 data breaches over a five-year period and found that 58% of organizations that were victimized by ransomware in the last two years had either open administrative ports to the internet, had open file shares to the internet, or both. Think about how significant that is; a lot of organizations are not doing those basic things.
Colin: There are correlations in Aravo’s latest TPRM benchmarking survey that align with that point. What is the data telling us?
Eric: We find that the maturity of TPRM programs strongly correlates with the severity of cyber incidents and how often they occur. The vast majority of ad hoc or fragmented programs are reporting significant business disruption or reputational damage from these incidents. For those with mature programs, it’s far lower. So, assessing the maturity of your program is critical. It means that you’re taking it seriously so that you can operate at scale.
Colin: How can a lower-maturity organization start making incremental improvements to its program?
Eric: The number one low maturity activity that we find is they want to over-assess everybody. And assuming that as long as people are assessed, and the answers they’ve gotten back are up to some sort of standard, that they’re going to be okay. That’s not high maturity, because assessments are not living documents. They’re points in time and they’re based on individual people’s responses. So, a key thing to do is look at risk intelligence data and add information from a third party like Black Kite. They know where risks are, and what risks are more likely to be impactful so you’re not just dependent on answers from your maybe hundreds or thousands of third parties.
Jeffrey: To me, the biggest challenge in any sort of technology and risk-based discipline is are we getting the right people involved in the process? The reality is most people are not getting business stakeholders, the non-technical people involved. This is where I paraphrase Animal Farm by George Orwell: all risks are equal, but some risks, partners, threats are more equal than others. And one of the things that is really important is we can’t just make a decision based on one data point.
Furthermore, there’s this problem of scope and scale. If you grow as a company without also scaling your risk management, you just take all those large risks and mash them together while paying less attention to risks lower down in your supply chain. But we know lower-order failures multiply… We don’t know what’s going on in our supply chain, digital or physical. Suppose someone who’s a critical part of our supply chain gets hit with ransomware and they’re down for a week. How long are we then down for because of it? We don’t have that visibility and without that, we can’t look ahead, we can’t plan, and therefore we get caught flat-footed.
Colin: Governance helps organizations understand who their suppliers are so they can manage them and build a solid footing. What about governance do you see as being priorities for this to be successful?
Eric: When starting with governance it’s good to have a repository of information about your supply chain. If you’re putting a more mature program in place, you’re going to want to implement whatever supplier management, lifecycle management, governance processes you already have in your company; that’s how you are going to drive program acceptance through the extended enterprise. Without doing that, you will end up with a silent program. So, how do we onboard suppliers and decide if they’re performing? Having a single-minded focus on assessing risk will tend to become consequentialist about specific risks, and you won’t have a holistic view. If you haven’t put those governance controls in place, you will miss assessing your risk.
Jeffrey: Governance, such as AI governance, is this weird abstraction and people don’t necessarily know what it is. It’s about visibility and decision-making. Do people who own the asset (physical, digital, etc.) understand what their risk exposures are? Are they making decisions and are they held accountable for those decisions?
Eric: Just thinking from a business standpoint can override good governance and this can be a common source of governance failures.
Jeffrey: I think within the context of third-party risk, if you go back 10 years ago, third-party risk was quite simple. If legal and finance were okay with the contract, you signed and you moved forward. Well, we know that is just not enough anymore, but a lot of that checkbox mentality is still around. And I think that’s why the security people get sidelined… the problem is we don’t know who owns this. And therefore, we don’t necessarily know where that accountability falls.
Colin: How do you balance the need for meeting business objectives while also ensuring security in terms of risk intelligence, with consideration to the work Aravo is doing with Black Kite?
Eric: These are our scale and automation benefits, and that assists you in your decision-making. Having low maturity programs causes governance failures, it causes people to make decisions that are counter to their best interests from the point of view of risk. If you have to wait around for your assessment process to be completed and it’s a manual assessment process, then you’re going to end up making bad decisions.
So, when people are building cybersecurity risk management programs for their third parties, we encourage them to get as much risk intelligence data as they can early in their processes because it will tend to be more correct. It’s faster, and you can achieve business goals and not feel like your governance processes around cybersecurity risk management are undermining your business goals. They are in fact, in favor of your business goals.
Jeffrey: People tend to use the words data and information interchangeably, but they’re not the same thing. Data is ones and zeros. Information is what you do when you apply some intelligence to that. So, to me, this is the difference between information security, let’s patch everything, versus risk management. And I think that’s important.
Also, I don’t think a lot of people tier third parties in their supply chain. Part of that is because they don’t always understand the impact on the bottom line or the context. We work with Aravo to look at 1,000 vendors in your ecosystem and we can tell you, these 50 are doing a poor job from a program perspective and we know that because of our technical score… We can also look at a subset of controls and people’s exposure to ransomware. So, bringing in these different pieces of context provides more information and better, defensible decision-making… Are we going to make the right decision all the time? Of course not. But we will make more of the right decisions and therefore expose our organizations to less risk.
Colin: What are best practices for focusing on key risks while assessing vendors, but still meeting compliance obligations against standards like NIST and ISO?
Jeffrey: Not all of your partners are the same or provide the same value to your organization’s objectives. Not all will give you the same exposure if they have a breach. So, prioritizing even something as simple as critical vendors and non-critical vendors is a great first step. Some may be more aggressive. With others, you may be okay doing a questionnaire once a year and moving on. Some you may want to validate that questionnaire to put in real-time monitoring.
The second piece is being very open and honest about what you know and what you can share. Sometimes people are loath to admit if there is uncertainty. And when we do that, we undermine our value to the organization. Asking questions and saying you need help is a show of strength, not a show of weakness.
Eric: Cybersecurity and information security are technological disciplines. A lot of cyber security people have been placed in a role where they also have to do risk management. And risk management is not really a technical discipline. Managing risks requires judgment. And sometimes cybersecurity personnel have a hard time wrapping their head around a series of actions that are largely judgment-based because it feels loose and not very objective. But, completing an assessment should not cause you to remove judgment from the necessity of risk management; in fact, that can make your judgment worse… and undermine good risk management. You need to remember that not everything you are assessing is the same. Different vendors have different levels of importance. You need to learn that from other people in your business.
Colin: On the relationship side, rather than operating in a silo, some organizations are getting in early and working with relationship managers who know those vendors and suppliers. Can you give practical thoughts about their experiences?
Jeffrey: Part is figuring out how to do a bit of a down-and-dirty assessment. Come up with five or six questions. Is the data regulated? Is it accessible, does it require a login? Is it accessible by managed or unmanaged equipment? Based on that you can quickly place those into high, medium, and low-risk profiles. Then, for the high, you would do a deeper assessment. For the other ones, establish predefined rules: the score you need to hit, a 3-page questionnaire instead of a 300-page questionnaire, etc. So, prioritizing quickly with the understanding that it’s not going to be 100% accurate is a good practice.
We have started to hear from people and we’ve seen survey data that indicates board members and C-level executives are gearing up to increase their risk appetite; how much risk they’re willing to accept in order to achieve business goals. We, as security and risk practitioners and leaders, need to understand that, because we can’t be so hardline in security interests as to say we are not allowing that. We saw it during COVID: companies that never would have let people work from home sent people home with old computers with no security tools on them. Why? Because they needed to do business. So, focusing on the fact that risk appetite may be shifting over the next 6, 12, 18 months or longer is important.
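The triage Jeffrey describes (a handful of intake questions that sort vendors into high, medium and low profiles with predefined rules per tier) and the earlier point about pairing that with an external technical score so no single data point decides alone can be expressed as a small script. The following is an added example written for this page, not code from Aravo or Black Kite; the questions, point values, the 60-point rating threshold, the per-tier rules and the four sample vendors are all assumptions chosen to illustrate the mechanics.

```python
"""Vendor triage: a short intake questionnaire plus an external technical
rating decide how deep an assessment each third party gets.

Added example for this page. Thresholds, field names, tier rules and the
sample vendors below are assumptions, not any vendor's real policy.
"""
from dataclasses import dataclass

# Predefined rules per tier (assumed values): what the 'non-high' vendors
# get instead of the full assessment.
TIER_RULES = {
    "high":   {"assessment": "full questionnaire + evidence review",
               "monitoring": "continuous external rating"},
    "medium": {"assessment": "short questionnaire",
               "monitoring": "quarterly rating check"},
    "low":    {"assessment": "self-attestation only",
               "monitoring": "annual review"},
}

# Rating below which an external technical score is treated as 'poor'
# (assumed cut-off on a 0-100 scale).
POOR_RATING = 60


@dataclass
class Intake:
    """Answers to the quick intake questions for one vendor."""
    name: str
    regulated_data: bool      # does the vendor handle regulated data?
    requires_login: bool      # is the shared data behind authentication?
    unmanaged_devices: bool   # can it be reached from unmanaged equipment?
    business_critical: bool   # would their outage stop our operations?


def intake_tier(v: Intake) -> str:
    """Map the intake answers to high/medium/low using assumed point weights."""
    points = 0
    points += 2 if v.regulated_data else 0
    points += 1 if not v.requires_login else 0
    points += 1 if v.unmanaged_devices else 0
    points += 2 if v.business_critical else 0
    if points >= 4:
        return "high"
    if points >= 2:
        return "medium"
    return "low"


def final_tier(v: Intake, technical_score: int, ransomware_exposed: bool) -> str:
    """Combine the intake tier with external evidence.

    A comfortable intake answer is escalated one level when the outside-in
    rating or a ransomware-exposure flag contradicts it, so the decision never
    rests on the questionnaire alone.
    """
    tier = intake_tier(v)
    if tier != "high" and (technical_score < POOR_RATING or ransomware_exposed):
        tier = "medium" if tier == "low" else "high"
    return tier


def triage(vendors, ratings):
    """Return {name: (tier, rules)}; ratings maps name -> (score, exposed)."""
    plan = {}
    for v in vendors:
        score, exposed = ratings[v.name]
        tier = final_tier(v, score, exposed)
        plan[v.name] = (tier, TIER_RULES[tier])
    return plan


TIER_RANK = {"high": 0, "medium": 1, "low": 2}


def review_order(vendors, ratings):
    """Names in the order a reviewer should work them: worst tier first,
    then lowest external rating first within a tier."""
    plan = triage(vendors, ratings)
    return sorted(plan, key=lambda n: (TIER_RANK[plan[n][0]], ratings[n][0]))


# Constructed sample input (fictional vendors and scores).
SAMPLE_VENDORS = [
    Intake("PayrollCo",  regulated_data=True,  requires_login=True,  unmanaged_devices=False, business_critical=True),
    Intake("CateringCo", regulated_data=False, requires_login=True,  unmanaged_devices=False, business_critical=False),
    Intake("DesignShop", regulated_data=False, requires_login=False, unmanaged_devices=True,  business_critical=False),
    Intake("CleanCo",    regulated_data=False, requires_login=True,  unmanaged_devices=False, business_critical=False),
]
SAMPLE_RATINGS = {           # name -> (technical score 0-100, ransomware exposed)
    "PayrollCo":  (82, False),
    "CateringCo": (45, True),   # intake says low, rating says otherwise
    "DesignShop": (55, False),  # intake says medium, poor rating escalates it
    "CleanCo":    (90, False),
}

if __name__ == "__main__":
    for name, (tier, rules) in triage(SAMPLE_VENDORS, SAMPLE_RATINGS).items():
        print(f"{name:11s} {tier:6s} {rules['assessment']} / {rules['monitoring']}")
    print("review order:", review_order(SAMPLE_VENDORS, SAMPLE_RATINGS))
```

In the sample, CateringCo answers every intake question comfortably but its external rating and ransomware flag lift it to medium, and DesignShop's poor rating lifts it from medium to high; the review order therefore puts DesignShop ahead of PayrollCo even though PayrollCo is the more obviously critical supplier on paper. The weights and cut-offs are where a real program would plug in its own risk appetite.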
This interview has been edited for length and clarity.
To learn more about the important role risk intelligence will play in managing cyber, vendor, and ESG risks in the future, check out Aravo’s integration with Black Kite.