Digital Transformation, Third Party Risk, & Private-Public Partnerships with Edna Conway

Episode 15:

On this episode of What Lies Beneath?, we talk to Edna Conway, Vice President of Global Security, Risk & Compliance for Microsoft Azure. Having served at Cisco for 20 years prior to her time at Microsoft, Edna is a renowned expert in third party risk, and is consistently recognized as one of the most important innovators in the field. She is a recipient of the 2019 Cyber Futurist Award, and we talked all about: 

  • Digital transformation, and what we should be doing to capture opportunities while recognizing the risks. 
  • The need for a holistic approach to managing third party risk
  • The role of private-public partnerships and how it is shaping up to evolve over the next few years
  • The approach needed to start addressing the complexity of today’s global supply chain in the wake of the current pandemic

Listen & Subscribe!

To learn more, check out the podcast above, or on Stitcher, Apple Podcasts, Google Play, Spotify, or wherever you listen to podcasts. If you like what you hear, please rate and review the show, or share it with a friend! New episodes air every other Tuesday.

To learn more about how Interos can help you with Section 889 Part B compliance, visit Interos.ai.

Guest Bio

Edna Conway: Edna Conway is VP of Global Security, Risk and Compliance for Microsoft Azure. Prior to working for Microsoft, Edna served at Cisco for 20 years and was the Chief Security Officer for its Global Value Chain. A recipient of the 2019 Cyber Futurist Award, a Federal 100 Award, and many, many other awards, Edna is a renowned expert in third party risk and is consistently recognized as one of the most important innovators in the field.

Insights From Cybersecurity Experts Series: Protecting Enterprise Operations

Interos’ 2020 summit for the Financial Services Industry (FSI) featured FireEye CEO Kevin Mandia in conversation with a panel of leading cyber and risk executives discussing what they’ve learned navigating the ever-growing threat landscape alongside compliance and regulatory requirements. This second session included Meg Anderson, VP-CISO, Principal Financial Group; Jim Routh, CISO, MassMutual; and Phil Venables, CISO, Goldman Sachs.

With decades of experience in digital risk, their talk provided lessons-learned on how to integrate risk into C-suite and Board conversations and priorities to help improve enterprise resilience against epic business disruptions. This blog will provide a brief overview of some of the topics raised in their conversation. For the full talk and the rest of the Interos summit, click here.

What keeps you up at night?

Kevin Mandia kicked off our panel with a simple question: What current and emerging risks are top-of-mind for our panelists? Their responses reflected a wide array of concerns:

Jim Routh stated that his chief concern was “using conventional controls for enterprise third party governance.” Routh went on to clarify that “that’s because enterprise third party governance evolved from doing assessments against industry standard practices, several decades ago, and there’s a point-in-time view of the risk of a third party relationship to the enterprise. And it’s typically an annual assessment…it’s highly labor intensive and built for a specific point in time which doesn’t make a whole lot of sense anymore.”

Phil Venables agreed with Routh’s points and added: “I think another thing that’s a challenge for companies is just making sure that you know what providers you’ve already got…making sure you know who your providers are, who their most critical providers are and, even before you onboard them, making sure that they were able to conform to your control expectations…Once the providers are onboarded and you’ve signed the contract, you’ve got less leverage to make sure they’re conforming.” Routh offered MassMutual’s model as an example, citing the criticality of risk scores that are updated daily from live data feeds, and the importance of creating separate control requirements for different subdomains.

Meg Anderson highlighted the importance of concentration risk, particularly as it pertains to resiliency, remarking that it was vital to understand “what are the critical business processes that rely on those third, fourth, fifth parties.” She clarified that it was equally important to keep an eye on vendor strategy. “What’s their roadmap look like? And how does that play into how you’re planning to use that vendor in the future, making sure that they are not divesting of the capability that you’re relying on them for?”

What cyber-specific risks are you concerned about right now?

Kevin Mandia then turned the panel’s attention towards cyber-specific risks. What cyber risks should everyone’s suppliers and third parties be most aware of?

Phil Venables highlighted the importance of maintaining a strong baseline level of security controls, enabling companies to filter out the constant background noise of would-be attacks, and focus on the third parties that handle their most sensitive information.

“But I think mostly if many organizations across their supply chains, just got their vendors to a reasonable baseline level of control so it wasn’t straightforward for them to get caught out by just the routine set of attacks that go on out on the internet every day, that would be a … reduction of risk in the supply chain for many companies.” Venables also cited ransomware as a specific risk companies should pay more attention to.

Jim Routh took a moment to dive deep into ransomware, explaining that cybersecurity insurance policies may, ironically, be increasing the prevalence of ransomware attacks because insurers are in many cases guaranteed to pay out the attackers.

Routh went on to state that “recovery takes some investment and time because in the middle-to-large tier enterprise, we’ve spent two decades improving our ability to replicate data at speed across environments. And that in and of itself is now a vulnerability. Because if there’s data destruction, malware, that spread throughout our environments, we’re toast and our recovery capability goes down. So we actually have to create a time capsule of critical data that we can separate from our environments and use for recovery purposes, rather than facing that dilemma of do I recover with what I have or try and attempt that? Or do I pay the ransom?”

Meg Anderson spoke on the importance of communication and information sharing regarding ransomware attacks and data breaches. Anderson highlighted that oftentimes, larger financial technology and services organizations can have a slightly adversarial relationship with the many startups and small businesses they work with:

“Oftentimes we think about all the paperwork that comes in, and there’s a little bit of adversarial relationship: Tell us about your security program, make sure you get the test right. And instead, we really need to be partnering with our supply chain and making sure that if there’s an emergency, if there’s a crisis, we can be helpful to them, not that we are a service provider, but we want them to be upfront and be a partner for them prior to an event, but also we can help in the event that something does happen.”

Kevin Mandia put it succinctly: “It’s the responsibility of Bigs (as I call them) to help the Smalls because Smalls lack the resources sometimes to both prevent the threats from becoming reality and to handle them when they do become a reality.”

More to come!

Stay tuned for further content from the Interos summit including more blogs from this conversation, and talks from Dr. Richard Haass, Valarie Abend, and more!

Click here to view the summit in full or visit the rest of our website to learn more about Interos.

Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain w/ Trey Herr, & Stewart Scott

Episode 14:

On this episode of What Lies Beneath?, we talk with Trey Herr and Stewart Scott, co-authors of the recent Atlantic Council report, “Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain.”

For too long, when people have talked about supply chain security, it’s been all focused on the physical hardware. Where is the physical box? What chips make up that box? Who built it? Where does it live? But the digital supply chain is something that needs to be paid attention to.

Attacks against the digital supply chain can impact nearly any company, but defense organizations are particularly susceptible to these kinds of attacks. But why is that? Is it similar to the reasons we see for other kinds of supply chain attacks?

Trey & Stewart spend the better part of this episode talking us through their report, and highlighting, among other things:

  • Why digital supply chain security is so crucial
  • Why defense organizations are especially vulnerable to these attacks
  • Untrusted technology, specifically in the 5G space
  • Why you can’t talk about 5G security without accounting for software security

You can access the Atlantic Council paper here!


Guest Bio

Dr. Andrea Little Limbago: Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and society. As the Vice President of Research and Analysis at Interos, Andrea leads the company’s research and analytic work regarding global supply chain risk with a focus on governance, cyber, economic, and geopolitical factors. She also oversees community engagement and research partnerships with universities and think tanks and is a frequent contributor to program committees and mentorship and career coaching programs. She has presented extensively at a range of academic, government, and industry conferences such as RSA, SOCOM’s Global Synch, BSidesLV, SXSW, and Enigma. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, War on the Rocks, and Forbes. Andrea is also a Senior Fellow and Program Director for the Cyber and Emerging Technologies Law and Policy Program at the National Security Institute at George Mason and a Fellow at the Atlantic Council’s GeoTech Center. She is an industry advisory board member for the data science program at George Washington University, and is a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). She previously was the Chief Social Scientist at Virtru and Endgame. Prior to that, Andrea taught in academia and was a technical lead at the Joint Warfare Analysis Center, where she earned the Command’s top award for technical excellence. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College.

Dr. Trey Herr: Dr. Trey Herr is the Director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, cyber safety, and growing a more capable cybersecurity policy workforce. Previously, he was a Senior Security Strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School and a non-resident fellow with the Hoover Institution at Stanford University. He holds a PhD in Political Science and BS in Musical Theatre and Political Science.

Stewart Scott: Stewart Scott is a program assistant with the Atlantic Council’s GeoTech Center. In this role, he manages a wide range of projects at the intersection of emerging technologies and dynamic geopolitical landscapes. He also conducts research and provides written analysis for publication on Atlantic Council platforms and works on joint projects with other centers in the Atlantic Council.

Stewart earned his B.A. from Princeton University at the School of Public and International Affairs along with a minor in Computer Science. His course of study centered on misinformation, social media policy, online extremism, journalism, and American political and economic history. He joined the Atlantic Council after interning with its Cyber Statecraft Initiative in the Scowcroft Center for Strategy and Security.

Supply Chain Standouts: October 2 – Bioelectric Vehicles

Freight trucking is an essential link in U.S. supply chains, transporting more than twice the value carried by other modes combined. Its dominance is expected to increase by 50% over the next 25 years. However, the transportation industry is the largest emitter of greenhouse gases (GHGs) in the United States, a significant portion of which links back to trucking. In 2018, freight trucking in the United States produced more CO2 than the entire United Kingdom. Fortunately, there are some big changes underway in freight trucking to minimize its environmental footprint while maintaining operational efficiency.

New energy sources—natural gas, electricity, and hydrogen—are increasingly being implemented to reduce emissions and make trucking a safer, renewable industry. A new report, the State of Sustainable Fleets, covers the state of technology in the auto transportation industry and recently surveyed the rapid innovation in fuel efficiency and vehicle emissions. The report highlights new methods to reduce carbon emissions in trucking. The results are optimistic—among early adopters, 98% plan to maintain or increase their usage of eco-friendly trucks.

The most popular alternative fuel currently is natural gas, which produces 84-96% less GHGs than diesel, and 90% less carcinogenic particulates. Converting all diesel trucks in California to natural gas would reduce GHGs by 3.4 million tons each year, roughly equal to the emissions of Iceland. The efficiency of this process can be increased by collecting natural gas from other industries, such as waste management. The Noble Road Landfill Renewable Natural Gas Project, currently under construction in Ohio, will fuel approximately 725 trucks annually with natural gas that would otherwise be released into the atmosphere. One of twelve planned projects, the entire landfill system will reduce emissions equivalent to taking nearly half a million passenger cars off the road. While initial costs are usually the most prohibitive aspect of alternative fuels, diesel engines can be retrofitted to use natural gas relatively cheaply. Anheuser-Busch recently announced that it is transitioning 180 of its trucks, 30% of its dedicated fleet, to natural gas. This change will keep the company on target to reduce carbon emissions across its value chain 25% by 2025.

Battery-powered electric vehicles (BEVs) are also increasing in availability and popularity for commercial fleets. Depending on the local electrical grid, these vehicles can reduce GHGs by nearly 50% compared to diesel and produce zero tailpipe emissions or pollutants. Compared to natural gas and even fossil fuels, fueling stations are easy to construct anywhere—business and fleet owners just need a 240 Volt AC plug. Several companies around the world have chosen to convert their entire fleets to BEV. The Indian e-commerce platform Flipkart will be fully converted by 2030 to ship between its 1,400 locations, and converting to BEVs will allow the UK division of ABB to reduce its total GHG emissions by 20%. According to the State of Sustainable Fleets, among companies that have already purchased medium- or heavy-duty electric vehicles, 69% plan to pilot or purchase more soon.

Anticipation is building for the next form of alternative engine: hydrogen fuel cells. The only emissions produced by these engines are warm air and water. Depending on the production method, hydrogen produces 45-98% less GHGs compared to diesel. Three times more energy dense than gasoline, hydrogen fuel cells are expected to achieve parity with and then surpass the driving ranges of diesel trucks within a few years. Current technology already allows drivers to travel an entire day without needing to refuel. Fleet-ready fuel cell freight vehicles have just been released by Hyundai, Nikola, and a partnership between Daimler & Volvo. Anheuser-Busch plans to purchase up to 800 heavy-duty fuel cell trucks soon, further reducing its carbon footprint. While more fueling station infrastructure is needed before hydrogen can be implemented on a national scale, further innovation will only make this technology more attractive.

Governments around the world have pledged to help make this transition easier. California has ordered that all trucks in the state must be zero-emissions by 2045 and offers significant incentives for fleets to convert or purchase alternative fuel vehicles. This effort is paired with a mandate to phase out gas-powered passenger vehicles by 2035. The E.U. has also provided significant incentives for manufacturers to invest in and produce low- and zero-emission vehicles. The E.U. previously released a directive in 2014 to increase investment in infrastructure for alternative fuel vehicles. The Canadian government recently provided funding for 837 EV fast chargers, 23 natural gas refueling stations and 8 hydrogen refueling stations. These investments are critical for increasing the adoption rates of alternative fuel vehicles.

After nearly a century of diesel power, these new technologies present a paradigm shift. As climate resiliency becomes a greater priority, paired innovation in and adoption of eco-friendly fuels is crucial for delivering the two-thirds of goods that travel by truck smoothly and with less harm. As these technologies become cheaper and more available, they will decrease emissions in supply chains across industries, minimizing their environmental impact and increasing resilience for the future.

Check out our previous Supply Chain Standouts or read Interos’ recent survey on COVID-19’s impact on supply chains.