34 min

566. Craig Callé, Third Party Risk Management and Cyber Security Unleashed - How to Thrive as an Independent Professional

    • Careers

Show Notes
Craig Callé talks about third party risk management (TPRM), with an emphasis on cybersecurity. TPRM is a subset of Governance, Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainties, and act with integrity. TPRM is crucial because over half of all data breaches occur through insecure third parties. Companies need to understand their third party relationships and monitor them more carefully, which requires a variety of tools and processes. Craig explains that TPRM can cover a variety of risks, including cybersecurity, but also financial viability, compliance with privacy, sanctions and other regulations, reputation management, supply chain issues, and alignment of ESG and sustainability objectives.
Defining GRC and Third Parties
Craig explains that GRC is a broad category that includes TPRM, but also enterprise risk management (ERM), business continuity or operational resilience, policy management, controls compliance, privacy and ESG. ERM typically includes a risk register, which compiles all the potential threats that can affect a company, and it is crucial to building a more predictable and measurable system to achieve its objectives at the lowest possible risk.
He mentions that the term “third parties” should include not just vendors and suppliers, but also often overlooked entities such as outsourced service providers, software as a service (SaaS) apps, cloud hosts, contractors, ecosystem partners, technology partners, and financial counterparties.
GRC Frameworks
He mentions that a lot of the governance aspect of GRC work involves picking a suitable framework and building a program around it. For example, in cybersecurity, a popular standards body would be NIST, and he mentions a few others that give leaders a roadmap for achieving high standards of operation.
Organizational Relationships
The head of GRC is responsible for ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, the executive responsible for GRC might report to a Chief Risk Officer, if there is one, with a dotted line to the board audit and risk committee.
Since many TPRM programs focus exclusively on cybersecurity risk, the head of TPRM often reports to the Chief Information Security Officer (CISO).
Third Party Risk Management Responsibilities
The head of third party risk management is responsible for several processes, such as onboarding new third parties, periodic audits, ongoing real-time monitoring, reporting functions, and investigating and responding to incidents. However, the responsibilities depend on the organization’s level of maturity and the complexity of the process. Craig offers a few examples to clarify the complexities that have to be taken into consideration, including the fact that risk management processes can be seen as blockers, and offers a tip on how to overcome this issue.
Software for Third Party Risk Management
Craig talks about the importance of selecting the right software for clients, highlighting the pros and cons of a best-of-breed approach versus a multi-module suite. Craig mentions examples of TPRM workflow automation platforms, including ProcessUnity, MetricStream, ServiceNow, LogicGate, BitSight, and many others. These platforms facilitate the issuance of questionnaires and other assessments, response review, routing of issues to specific people or groups within an organization, risk scoring, and reporting to stakeholders.
Cyber risk ratings, which have been around for over 10 years, are now a natural complement to workflow platforms. Ratings provide objective data that help triage the community of third parties by quantifying vulnerability to data breaches. They provide easy-to-digest results that don’t require an IT certification to understand, based on FICO-like scores or letter grades.
He explains that companies may want to sha