The rise in third-party and environmental, social, and governance (ESG) risks impacts all areas of the business — including information security teams. AuditBoard’s own VP of Information Security, Richard Marcus, sat down with Tom Field of Information Security Media Group (ISMG) to discuss what CISOs need to know about today’s critical risks, as well as:
- How to determine top risk priorities.
- Best practices for building rapport with senior leaders and the board.
- Strategies for closing the talent and skills gap.
Watch their conversation below, read the highlights, and download the full ISMG and AuditBoard ebook, TPRM, ESG, Risk Quantification: What CISOs Need to Know for more insights.
Why TPRM, ESG Risk, and Risk Quantification Are Critical
Tom Field: Third-party risk management; environmental, social, and governance risk; risk quantification: Why are all these topics critically important as we enter a new year?
Richard Marcus: Risk quantification is important because we see risk velocity increasing. As information security professionals, we’re constantly stretched to worry about a broader scope of assets – more data, more people. The emerging risk landscape is accelerating faster than we can keep our arms around, so risk quantification is important to make sure that you’re identifying, categorizing, and prioritizing risks. Then you can spend your limited investment in the smartest way possible to control that risk.
It’s the same story with third-party risk management. As digital transformation has resulted in the decentralization of our data, we’re called to use more and more third parties to do our important work, so you’ve got more and more risk sitting outside of the organization that has to be assessed and measured. ESG has become a popular emerging theme across our customer base. It’s a cultural phenomenon as well as a regulatory phenomenon. There’s a call for more transparency – more accountability for what you do and how you do it as an organization. That impacts environmental and social topics. It’s also starting to creep into the security and privacy world. People want to know more about what you’re doing as a business to secure your customer data and privacy.
Determining the Top Risk Priorities
Tom Field: There is so much happening on so many different planes today for every organization. How does one determine which risks and threats are the top ones to their organization and to their sector?
Richard Marcus: It starts at the top with a well-thought-out risk and threat assessment. That’s where you seek to work with the business to understand their objectives and what kinds of scenarios can impact your ability to deliver against those objectives. Then you can think about how those threats might manifest and what key controls you need in place to prevent that from occurring. So, it’s specific at an organization-by-organization level, but it’s about bringing the people together to discover those risks and come up with a plan to address them.
Tom Field: What are your top risk priorities as we go into 2023?
Richard Marcus: I’m focused on software and the needs of my customers. Third-party risk is certainly top of mind for us and, more specifically, software supply chain. Like any software, it’s going to be made up of some first-party components and some third-party components. So, can you speak to the security and integrity of those components and how the software is built? Third-party supply chain and software supply chain are big for us, as they are for most folks.
We’re starting to see supply chain incidents and threats manifest more and more. Lots of our competitors are worried about these topics. Because we’re in a service business, insider threat is also pretty high on our minds. We’ve seen a couple of high-profile breaches this past year and a couple of different companies in our space get hit with insider threat, not just from malicious and privileged insiders but also from employees that might be falling victim to social engineering – compromised employees and their credentials being used to get you from the inside.
Over the last couple of years, the industry has focused on shoring up infrastructure security and application security. We’ve hardened the front door, and we’re finding that more and more attackers are looking for that side door or back door to get what they’re after. So we’re thinking a lot about what secondary entry points we need to shore up, and that lands with securing the user, the employee, the subcontractor, and the supply chain folks that might introduce risk. That is not the first thing that you’re always thinking about.
Getting Buy-In From Leaders and the Board
Tom Field: What are some best practices for building rapport and then getting buy-in from senior management and the board?
Richard Marcus: A lot of it is timing. We intentionally schedule our risk assessment right before the end-of-year budget planning cycle, before the next year begins. A lot of folks watching this interview are probably entering or hopefully working through their 2023 plans right now, and it’s helpful to have those conversations together. You don’t want investment asks to be coming in from left field without context. You want those two things to be aligned. So, we go through the assessment process. There’s an educational aspect to it. They’re learning about the risks and threats that their businesses face and then they’re followed up with an ask.
That investment is tied to, hopefully, key controls that are going to reduce or limit some of the risks and threats that were identified in the assessment. So, it’s helpful to connect the dots. We’re not just a cost center. We’re doing things to help the business go fast and unlock opportunities. Sometimes, it’s about telling the story right and connecting those dots and showing them we’re not just doing this for security’s sake – we’re doing this to help the business achieve what it needs to in the next year.
Filling the Skills Gap
Tom Field: Given the skills gap that impacts every organization and the inability to build, recruit, and retain appropriately, how can one plan to better incorporate technology to help fill the gap?
Richard Marcus: At the rate that the velocity of risk is increasing, we’re dealing with a lot more surface area but not always with more people or more budget. Most teams shrink and budgets shrink over the next year, so the question is: How do you do more with less? The key is to leverage platforms that allow you to work smarter, and the connected risk concept is about bringing people together and bringing data together in one platform. Automation is a key part of that, but you want to avoid the duplication of efforts.
You’ve got a lot of teams across the organization – whether it’s IT, InfoSec, risk, audit, or compliance – all generating the same kinds of work product. Maybe they’re testing the same controls or collecting the same evidence. So, getting those teams to work together in one platform, de-duplicating efforts, and reusing evidence are all great ways to add more bandwidth to your team if you’re limited in resources. They also get your teams out of the manual work. Mapping controls, collecting evidence, and doing continuous monitoring and reporting take a lot of human effort if you’re doing them manually in spreadsheets or email. The more you can automate and use technology to get people out of those processes, the more time you have to do the meaningful work.
Thinking Differently in 2023
Tom Field: How should security leaders be thinking differently today about third-party risk management, ESG risk, and risk quantification as we go into the new year?
Richard Marcus: If you think about third-party risk, ESG, and risk quantification in general, it may seem like a big challenge, and it is, but it can also be a big enabler for your business. Ultimately, all of these things are practices that, if you do them right, allow your business to go faster and farther and have a higher chance of success against your company objectives. Companies don’t want to do business with companies that are not ethical, not secure, or not handling risk appropriately. So InfoSec is a business enabler and a revenue driver, and if you get it right, it’s much more than a cost center.
Given the scarcity of resources, the battle for talent, and the explosions of scale that we deal with, security leaders should think about how to do this in a way that doesn’t require them to throw piles of money and people at the problem, but rather to leverage technology in meaningful ways and connect your risks, people, and data together, so that you can solve this risk equation in a much more meaningful and cost-effective way that reduces risk for your organization.
Download the full ebook, TPRM, ESG, Risk Quantification: What CISOs Need to Know, for a deeper dive.