Doing Third Party Risk Management Right

How Broad Should Your Third Party Risk Management Program Go

If third-party risk management becomes too broad, it effectively becomes worthless. But too narrow and you’ll miss critical risks. So how do you strike the right balance?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Erik Decker, CISO, Intermountain Health.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

Full Transcript

Intro

0:00.000

[David Spark] We’re all struggling trying to manage third-party risk. Those hated questionnaires seem like simple compliance checkbox efforts. No one really believes any of it reduces risk. No one has the time, the staff, or the money to go so granular.

So, what’s the right approach and how do you strike the right balance?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And guess what? I have Geoff Belknap. He’s the CISO of LinkedIn and also the co-host of this very episode. Geoff, say hello to the very nice audience that is joining us today.

[Geoff Belknap] Hello, all very nice people and you, David.

[David Spark] Oh, thank you very much, Geoff. Our sponsor for today’s episode is Praetorian. Praetorian, they are your offensive security partner and they’ve got a great philosophy of taking that red teaming you usually do at the end, they front-load it so you can better design a security program.

More about Praetorian later in the show. But let’s get to today’s topic at hand. “What are the 20% activities we do that mitigate 80% of the third-party risk,” asks Robert Wood, who’s the CISO of the Centers for Medicare and Medicaid Services in a post on LinkedIn.

Now, this is the classically known, the Pareto rule, that 20% of what we do has 80% of the impact, like not everything we do has equal impact. This is, if you believe it, the Pareto rule. So, I think all of us can agree that third-party questionnaires do not fall under that 20%, but they get sent for regulatory purposes and it takes little effort to send them out.

Filling them out is another story altogether. Geoff, I’m going to ask you, do you struggle finding that 20%? Do you agree that possibly the questionnaires fall under it? I don’t know. And do you feel you found any of it?

[Geoff Belknap] I think I struggle morally and ethically and just professionally with these all the time, and hopefully we can have…

[Crosstalk 00:02:09]

[David Spark] Now, “these,” are you referring to the questionnaires?

[Geoff Belknap] About the questionnaires, and every time I think about like, “Oh, these questionnaires are terrible,” I remember my team sends these exact questionnaires out to others. And I think it’s a good time to reflect and think about how we can make this all better and just stick to the basics.

[David Spark] Well, figuring out what we can do that really has true impact. That is the point of our discussion today. What does actually have true impact in figuring out third-party risk? And we have a guest that’ll help us get through this very discussion, and I met him in the wonderful city of Miami, and he’s here for us now.

It is the CISO for Intermountain Health, Erik Decker. Erik, thank you so much for joining us.

[Erik Decker] Thank you, Dave, and thank you, Geoff. It’s great to be here. I don’t know if I have all the answers to this question, but I’ve got a lot of opinions about this question, [Laughter] so we’ll see where that goes.

[Geoff Belknap] As long as somebody’s got opinions, we’ll be fine.

[Erik Decker] That’s right.

[David Spark] Actually, we don’t guarantee answers. We do guarantee opinions.

Why is this so darn hard?

3:07.251

[David Spark] Troy Fine of Drata (now Geel Norton) said, “Why are organizations going through the third-party risk management/supply chain risk management process in the first place? Is it to reduce security risk or is it to show the outside world that they did their proper due diligence so that when something happens, they don’t have to take responsibility for the breach?” And Todd Hammond, CISO of TMJL Group, said, “Doing it the right way should mitigate risk and also provide evidence of due diligence, which if an incident did happen would more than likely steer the organization from negligence claims and ramifications.”

So, Todd just says doing it the right way. I don’t know what doing it the right way is here, but do you have an answer to doing it the right way, Geoff? I mean, I think Todd’s right if we could figure this out.

[Geoff Belknap] Yeah, no, I get the spirit of what Todd’s saying. I don’t think there is a right way to do this because if there was, we’d all be using that way. Nobody wants to send these giant questionnaires out, but they all start…

[David Spark] By the way, I’m sure there’s plenty of vendors that would argue that they have the right way.

[Geoff Belknap] The vendors would be very excited about it, but I think most of the people that are behind them aren’t as excited about them. But they come from a good place, which is people just wanting to understand what risk do you as a vendor bring to me, and how do we think about that, and how do we solve for that?

They’ve kind of turned into, in a worst case, just a really difficult beginning of a long relationship. And that beginning is going to be these 400 in-depth questions about the last time you flossed and what kind of floss do you use, and it just is not as productive as it could be.

[Erik Decker] And we also have this thought that just because we ask the questions up front, and we spend the two, three, four months in the process of actually conducting these assessments if you’re doing it through questionnaires and back and forth with the vendors, we think that we’re doing all the work up front to identify the risk.

But the fact is, is once that relationship is established, risk continues, and things change, widgets move, configuration files adjust. And if you don’t have a way of continually understanding how the postures change, a lot of that work that you’ve done up front is actually kind of for naught.

So, we spend all this time on this upfront work, and yet, what’s the real value at the end of the day?

[David Spark] So, there’s two things that come to mind when you say that. One is, we have this sort of philosophy in our heads of, aren’t we shifting left here because we’re doing our due diligence up front and left? And the second time, I remember putting this out there, I said is there anything in cybersecurity, and I mean anything, that’s set it and forget it?

And the answer is nothing. Literally nothing at all. So, this is kind of a concept of shift left that just isn’t working for us. Is it, Geoff?

[Geoff Belknap] I don’t think this is really shift left, right? This shift left is about building that relationship, being there at the beginning, being there as part of developing whatever you’re going to develop. In this case, this is probably the worst example of shift left if you want to use it because we’re saying like, “Hey, before you, your organization is allowed to be friends with my organization, I got some rules you need to follow to make sure that we can even have this relationship.” It’s sort of starting the conversation off on the wrong foot saying, “I don’t trust you.” And I think the reality is it starts from a good place to say, “We want to work together.

We want to make sure this is mutually beneficial.” But we need to do the initial part of the conversation in a way that is productive for us from a security perspective.

[Erik Decker] I’ll throw another insight in here. I think part of our profession has really focused in on the fact that if they can just ask the right question, the magic question, all the answers will be understood, and everybody thinks that they’ve got the right question.

I mean, there’s a lot of time that is spent on the question itself that will get there. And at the end of the day, honestly, the questions themselves probably really don’t even matter that much. If Geoff and I share a vendor in common, and he asks this vendor questions, frankly, I don’t think there’s going to be anything that he asks that’s going to be novel to the kinds of things that I ask.

So, I ask the question, why are we asking all these questions over and over and over again, instead of just getting into the meat of the matter, which is managing the risk, at the end of the day, of the things that we know that we care about?

How do we handle this?

7:45.946

[David Spark] Aldo Febro who’s the CISO over at Continuant said, “The two keywords that came to mind are relevancy and probability. The relevancy part is determined by how this particular component changes the risk posture of the production system. For the probability part, it’s about assessing the likelihood of exploiting impact.

The hard part is to maintain records of asset and service dependency updated, but when we have one, the questionnaire can then be scoped to that particular spot in the dependency map.” I really like this. This throws out the questionnaire, it just says, “Okay, what exactly is our relationship with you, and at what point, let’s only look at that?” Erik?

[Erik Decker] So, I like this. There’s really three things I think that we really need to care about with vendors and third party in general. And we always think about data, they’ve got our data – sensitive data, corporate data, whatever that might be, regulated data.

And our profession came up under information security, and so we always think about data security, protect the data, protect the data. I work in healthcare. So, my profession is around patient safety, patient lives. We have their data, of course, that’s the classic case.

We also have life safety and mission critical safety services and applications that are run, and more and more of that is actually in the cloud or with services and third parties. So, I care not just about the data, but I care about are you life critical to my organization and institution?

So, that’s another factor. That’s the second.

The third factor that I care about is not novel, it’s something that we’ve all known about, we’ve learned about it since the Target breach back in ’14, I believe. It’s who is actually connecting into us. They might not have our data, they might not be important, but they might have network connectivity to us.

So, if we could apply questions that factor around, those are my impacts, those are the things that I care about. I want to zoom in on who’s connected to me and are you a risk of, if you get compromised, I want to know immediately so I can take action and my SOC can do some work.

Or if you’re a life safety mission critical, then I need to have redundancy inside my environment. So, expecting that thing to fail and ready to roll in the case it does. And I think that’s where all of this needs to go is, again, it’s not about the 500 questions that we ask these vendors, it’s about the applicability of how they work and interact with us.

[David Spark] So, one quick thing I want to point out is that you brought up the issue of data, but the third-party relationship, and actually Aldo was kind of tipping to this, also refers to talking about components. I think about Mike Johnson who’s one of our co-hosts, who’s the CISO of Rivian, the car company.

And we had the CISO for Lexmark on a while ago, and he was talking about the hundreds of different vendors that manufacture parts for the different copiers and printers that they create. So, there’s the fact they’re data sharing and then just like to this, this one component, how critical is this one component to my car, to my printer?

What would it cause? Like how do I need to make sure that this always stays secure? So, depending on your company, this conversation is very, very different. Geoff?

[Geoff Belknap] It is. So, at my current company, it’s going to matter very little to me whether janitorial supplies show up on time or not, and the interaction between us ordering those and managing those and those arriving. But if I’m a car company CISO, maybe that really does matter to me, or if I’m a hospital CISO, maybe that matters to me.

Those supplies might be essential to how I operate my business, and the conversation really needs to narrow or widen based on that. The problem is today, we just kind of blanket out the same spreadsheet to everybody.

[David Spark] That’s a really good point. So, let me ask, have either of you sort of adapted as a result? Or do you keep finding yourself iterating, “This isn’t working, so let’s try this”? Just give one example of that, Erik.

[Erik Decker] So, one thing that we’re doing right now is we have, through the platform we use, the ability to automatically ingest when our third parties are compromised. That creates an alert to us, and we take that into our SOC as a playbook and look at, “Okay, what kind of connectivity do we have with these vendors?” and I actually have that in our platform that shows, “Are they connected to us or not?” So, some of this is easy to get and pull out once you have inputted it into the system, and we use that to help protect against that third-party conduit attack.

Which in healthcare, I totally get the point about components and manufacturing lines and getting into the SBOMs and things like that. I mean, I’m not talking about SBOMs or componentry here. What I’m talking about is, how do I make sure that that vendor is not going to be the avenue for my organization getting shut down through a ransomware attack?

Because in healthcare, that means harm. And so, highest risk issue, and that’s ultimately what we’re focusing on right now in that vein.

[Geoff Belknap] I think that’s a great suggestion, and I think the risk is where we focus. So, what I’ve learned is over time, you can really build the right focus on risk if you build a relationship. But you can’t do that with every single one of your vendors.

So, what you do is sort of look at, who are my highest risk vendors? I’m going to spend the most time there, going to come back to them at least once a year and have a real person-to-person conversation and not just manage the relationship and the risk through a spreadsheet.

So, I think tiering your risk and then focusing the time is another good suggestion there.

Sponsor – Praetorian

13:36.039

[David Spark] Before I go on any further, I do want to mention our sponsor, Praetorian. Now, Praetorian, for those of you don’t know, they are an expert-driven offensive security company whose mission is to prevent breaches before they occur. And when I say offensive security, I’m talking about testing your defenses with their offense.

So, Praetorian helps organizations shift from an assume breach mentality to adopting a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before threat actors can exploit them. Now, from red team engagements and attack simulations to continuously managed penetration testing.

Praetorian’s human-led tech-enabled suite of offensive security solutions allows organizations to proactively identify and remediate risk while staying in control of their constantly evolving attack surface. Find out why the world’s leading companies trust Praetorian and create a future without compromise.

Go check out their website, it’s praetorian.com.

Would this work?

14:47.466

[David Spark] Walter Haydock of StackAware said, “Having a way to continuously monitor software supply chain risk using a variety of factors such as vulnerabilities present, prevailing configurations, and data security measures in place is the future.

Now, a suite of tools that help to measure this using SBOMs, the OSCAL format, and related standards will be the way to measure supply chain risk in an effective manner.” This sounds awesome, it’s not here today.

Dustin Sachs of World Kinect Corporation said, “When you have weak processes or processes that aren’t followed, you create an opportunity for things like cognitive bias and poor decision analysis. The key is to avoid ‘security theater’ and look at whether the actions you are taking are appropriately coupled to the goal you are trying to achieve.” So, Erik, I think you kind of teased a little bit at what Dustin just said here, in that we do all this work on the front end, thinking that “Isn’t it great that we’re doing our due diligence and we’re doing all this stuff?” And it sounds like the way you describe it is, it’s kind of like the security team developing its own security theater, yes?

[Erik Decker] Yes. Actually, one of the cool things about generative AI large language models, I asked DALL·E to present to me an image of hundreds of risk analysts, raised with their clipboards up into the air, screaming at one another while the city around them burns because that’s what it feels like.

[Laughter]

[Geoff Belknap] And it did. It was…

[Crosstalk 00:16:29]

[David Spark] I have it on paper.

[Geoff Belknap] This is…

[Crosstalk 00:16:34]

[Laughter]

[Erik Decker] That’s right. I want to dream here a little bit. I feel like we could get to a point where if we all just kind of got rid of this baggage of the questions and the uniqueness of my questions and all of that, and if we got to a point of saying, “Let’s contemplate what third-party SIEM looks like, a third-party risk SIEM model looks like,” and I’m not talking about log data or any of that kind of stuff.

What I’m talking about is, if Geoff goes and asks a question, and I go ask a question, or one of my other friends goes and asks a question of a vendor, and I have specific integration points with that vendor and the products and services that we use, and things trip up, I want to know.

And I build a rule, I build an engine that says, “In these cases – mission critical, remote access, massive amounts of data, whatever that thing might be – if we could just leverage the engine of all this information kind of flooding in, we could standardize on it.

Couldn’t we actually then get to real continual assessment and monitoring and understanding what matters to us in a true risk management manner? Classic example, if two factor fails for some reason or a vulnerability pops for some reason and it matters to me and I need to take an action, then I need to take an action to do something to protect my patients, my organization, my members, etc.

It doesn’t exist, not yet, but I do know people are talking about this, and I want that to happen.

[Geoff Belknap] Remember, listeners, if you’re looking to invest in Erik’s new startup, he’ll send you the link after the show.

[Laughter]

[David Spark] Well, Erik, I think, has painted a beautiful dream scenario, which is not too far from Walter Haydock’s dream scenario that he described in that first comment that I put out there. By the way, we’re all for it. I mean, I’m assuming you’re for this dream scenario, Geoff, would you add anything to it?

[Geoff Belknap] I would be one of the first investors. I kind of made a face while we were talking about Walter’s quote, and I think the reality is, I deeply believe that this and kind of the vision Erik just laid out is 100% the future. But maybe I’m cynical or maybe I’ve just been around the block enough that I realize the real problem right now is we’re all arguing about where the clearinghouse for this data is going to be and what should the questions be.

We’re all talking about our special questions. And as soon as we get over that, and to Erik’s point, start sharing the information and just putting it in a place where I as a vendor can just put my evidence for all my control validation or whatever risk information is right for me to share, put it in one place, everybody can use it.

It makes the whole world, A, more safe because you can build a lot of automation on top of that, and B, it makes everybody’s job easier. We can just move on to managing bigger problems.

[David Spark] Hold it. All right. I’m going to play a little bit of devil’s advocate because I think what you’re alluding to, it’s not the technology problem. It’s the us problem that doesn’t allow this to happen. But wouldn’t sort of continuous monitoring of your third-party vendors, whatever variables you can sort of lock into to be able to watch and monitor, and if any of these things pop like you described, would be wonderful to know so you could take action, so you could respond.

But then, doesn’t that then introduce new risks to your vendors? You’re like, “Well, I don’t want to do that. That’s going to create new risks for me to have all this kind of thing.”

[Geoff Belknap] What’s the risk though? The risk is that other people are going to know that you have a risk or that you have an unmitigated concern?

[David Spark] Well, no, but it’s now these communication paths are now going out that weren’t going out before. Like anytime I’m sending information out continuously creates new risk for me. So, I think that we’re all getting in the way of ourselves, and it’s understandable though at the same time.

In a perfect world, we’d all use the same exact tool to do everything, and we’d all know the same program, we’re all using the same thing.

[Geoff Belknap] I don’t think that’s what we’re saying at all. I think if I’m…

[David Spark] No, no, I know we’re not. But what I’m saying is, if there was a unified operation that we all operated on for everything, that would make things a hell of a lot simpler. Yes? I mean, I’m doing it like quasi like. There aren’t 4,000 security vendors, but there’s 5, and we’re all using their five products, you know what I mean?

[Geoff Belknap] I think a really common powerful example here is, you know what? When I go to the grocery store, there’s a common set of nutrition facts, and I can make an informed decision about what I do. Today, when I go to vendors, there is no [Inaudible 00:21:05], and if we just had a basic set of whatever that might be that I could agree on, that each vendor wanted to report, it would be a much better place.

[Erik Decker] And let’s even talk about just responsible vulnerability disclosure. I mean, look at what happened when Log4j happened. Every single one of us went looking into our environments, looking for that vulnerability. And every single one of us went to our vendors, asking them where that vulnerability lies in their product.

I can’t even imagine what it was like on the vendors because they must have been bombarded with all of this stuff. So, it’s being asked and answered is the long and short of it. It’s just we need a way better way of actually getting this stuff out there safely.

Let the vendors control it, that’s fine, like on who they get to send that information to and so forth. But what we do today doesn’t work.

What’s the most critical issue?

21:54.881

[David Spark] Duane Gran of Converge Technology Solutions Corp. said, “The most important part of third-party risk management are the discussions with the vendor,” which we’ve alluded to many times so far on the show. He goes on to say, “I ask them what other clients like us are doing to be more secure using their platform or service.” So, ah, this is sharing information, it’s great.

He goes on and says, “Often we are already doing the right things, but now and again we learn how to work better together. TPRM should really be about relationships, not questionnaires.” So, Geoff, this is great advice I think by Duane of, “All right, we’re using this service.

Hey, is there someone like us that’s using it? How are they using it with you and could we adopt some of that same philosophy, too?” Do you do anything like that? It seems like a wise move.

[Geoff Belknap] Absolutely, and this is a great suggestion. This is kind of what I was alluding to when I talked about, in an earlier segment, sort of risk-tiering your vendors and deciding who you’re really going to spend a lot of time with. Because that time is not extra spreadsheets, it is legitimately time in a room with other people on the other end where you have this kind of conversation.

You can have a conversation about what kind of controls you should have in place. This is exactly what Duane is saying: what are your other customers asking you? What controls are they having in place? And then just refresh yourself on, who do we contact if there’s a problem?

What’s your business continuity plan? You can have all those questions answered in an hour. You don’t really need to do this sort of cookie cutter approach. Relationship trumps all.

[David Spark] Good point. An hour also beats the months and months beforehand, doesn’t it, Erik?

[Erik Decker] Yeah. Well, I think there are ways that we can do some of the basic vetting. I mean, there is that reality, unfortunately, that we have to do that basic vetting. We have to demonstrate our due diligence. And that’s why we’re in this mess that we’re in.

But I think as well, I believe in the adversarial mindset, which is always look at how we’re getting beat, always look at how the bad actors are trying to do what they do, and then apply that over top of where everything intersects. Both third party, your on-prem stuff, your cloud, your whatever.

And then pick out those pathways and those channels, which are the things that scare you the most, and really apply the juice on that. And then all the other pieces. So, this goes back to what I was saying – your life safety, mission critical services and such.

And healthcare, we have imaging systems that are in the cloud that connect to linear accelerators, devices that beam you with radiation while doing radiation oncology. If that thing in the cloud goes down, the physics doesn’t get permuted into the linear accelerator, and you’re no longer caring for a patient.

That matters to me. Or if my ability to pull an image while doing CT scans or MRIs is reduced, and I have a Level I trauma center, then the acuity and the wait times for telestroke or strokes in general go up. And the longer you wait on that stroke and you’re waiting for that decision – do I put the clot mechanism in or the clot buster mechanism in – is the decision between do I kill the person or save the person.

And if that thing isn’t there, that system isn’t available because it’s in the cloud and it got whacked, I got a problem on my hands. So, that’s the mindset that you have to be thinking in.

[David Spark] Well, I should mention because you’re working in healthcare, it’s…

[Erik Decker] Well, but others though, yeah, yeah.

[Geoff Belknap] A little heavier conversation there, but yeah.

[Laughter]

[David Spark] You work in an industry; we’ve talked about this with a few. Like for example, I was mentioning Mike Johnson works for Rivian, a car company. That’s where technology very much meets the physical world, that technology can have a real impact, and real impact when you’re talking about healthcare, real impact on health.

I mean, that’s the most direct line when you’re working with a hospital like you are. So, you have the most extreme, I think, the most extreme case of this can truly cause harm.

[Erik Decker] Well, other industries do it too. Water, if our water systems go down, I mean everything.

[Geoff Belknap] Transportation.

[Erik Decker] Yep.

[Geoff Belknap] There’s lots of critical services.

[Erik Decker] Energy. Yeah, there’s a lot, yeah. So, the point being, think about that versus the person who’s providing you with napkins in the kitchen, as somebody who’s critical.

[David Spark] Yeah, and you obviously have to look at what are your most critical dependencies here, going back to an earlier quote they had, which is the way you should be looking at it, not generic questionnaires for everything.

Closing

26:42.595

[David Spark] That brings us to the point of our discussion, and there were a lot of really good quotes here, so I’m going to have to ask you to isolate it to one, your personal favorite. Erik, which quote was your favorite and why?

[Erik Decker] I think it has to be Rob Woods, and I’m being biased here because he’s a buddy of mine, but I do love the idea that we need to apply the 80/20 rule to this. I talk about this a lot.

[David Spark] Rob is the one who set up this whole discussion about the 80/20 rule, yes. So, you’re going with his philosophy of you got to focus on what is going to have the greatest impact. Okay. Geoff, your favorite quote and why?

[Geoff Belknap] There were a lot of good ones here. I want to for a minute go back to Todd Hammond’s quote from the TMGL Group, “Doing it the right way should mitigate risk and also provide evidence of due diligence, which if an incident did happen would more than likely steel the organization from negligence claims and ramifications.” And I think at face value, this is like, “Well, yeah, sure, if you can just do it the right way, this is what you should get.” But I think it’s a reminder to focus on, you want to mitigate the actual risk that you have and think about what are you going to do when that risk actually happens.

The rest of it, maybe you don’t need 60-minute incident notification for the person that gives you napkins for your kitchen. But in a life safety context, you really got to think about how you’re going to manage that incident.

[David Spark] Excellent point for which Erik mentioned as well. Well, that brings us to the very end of this episode. I want to thank our sponsor Praetorian. Remember their web address is praetorian.com. Please go check out what they’re doing on their site because they can help you build a better security program with their offensive-first security program to test your defenses at the beginning of your program.

Not an after-the-fact, not a compliance-led driven thing. No. Build a better security program. Take a look at what they’re doing at Praetorian. Geoff, thank you as always for joining us as well. Erik, we’ll let you have the very closing comment here.

You can mention if you’re hiring or anything or you’re part of any organization or you want to pitch your hospital, like, “If you’re getting sick in our area, please come to us,” whatever you’d like.

[Erik Decker] Well, if you do live in the Mountain West region, you absolutely should be a patient, as well as get your insurance through Select Health, which is our health plan. What I will say is, I mentioned critical infrastructure a little bit, I chair a cyber working group in partnership with Health and Human Services, which is where I know Rob, and anybody who’s a critical infrastructure operator should be participating in the 16 critical infrastructure partnership and doing the good work, the superhero work of trying to keep the bad guys out of our world.

[David Spark] Excellent point. Well, thank you again. That was Erik Decker, who is the CISO for Intermountain Health. I’m assuming people can find you on the LinkedIn. Yes, Erik?

[Erik Decker] Of course.

[David Spark] All right, we’ll have a link to that on the actual episode for this show in the blog post. And thank you, audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.