Interos’ 2020 summit for the Financial Services Industry (FSI) featured FireEye CEO Kevin Mandia in conversation with a panel of leading cyber and risk executives discussing what they’ve learned navigating the ever-growing threat landscape alongside compliance and regulatory requirements. This second session included Meg Anderson, VP-CISO, Principal Financial Group; Jim Routh, CISO, MassMutual; and Phil Venables, CISO, Goldman Sachs.
With decades of experience in digital risk, their talk provided lessons-learned on how to integrate risk into C-suite and Board conversations and priorities to help improve enterprise resilience against epic business disruptions. This blog will provide a brief overview of some of the topics raised in their conversation. For the full talk and the rest of the Interos summit, click here.
What keeps you up at night?
Kevin Mandia kicked off our panel with a simple question: What current and emerging risks are top-of-mind for our panelists? Their responses reflected a wide array of concerns:
Jim Routh stated that his chief concern was “using conventional controls for enterprise third-party governance.” Routh went on to clarify that “that’s because enterprise third-party governance evolved from doing assessments against industry standard practices, several decades ago, and they’re a point-in-time view of the risk of a third-party relationship to the enterprise. And it’s typically an annual assessment…it’s highly labor intensive and built for a specific point in time, which doesn’t make a whole lot of sense anymore.”
Phil Venables agreed with Routh’s points and added: “I think another thing that’s a challenge for companies is just making sure that you know what providers you’ve already got…making sure you know who your providers are, who their most critical providers are and, even before you onboard them, making sure that they were able to conform to your control expectations…Once the providers are onboarded and you’ve signed the contract, you’ve got less leverage to make sure they’re conforming.” Routh offered up MassMutual’s model as an example, citing the criticality of risk scores that are updated daily from live data feeds, and the importance of creating separate control requirements for different sub-domains.
Meg Anderson highlighted the importance of concentration risk, particularly as it pertains to resiliency, remarking that it was vital to understand “what are the critical business processes that rely on those third, fourth, fifth parties.” She clarified that it was equally important to keep an eye on vendor strategy. “What’s their roadmap look like? And how does that play into how you’re planning to use that vendor in the future, making sure that they are not divesting of the capability that you’re relying on them for?”
What cyber-specific risks are you concerned about right now?
Kevin Mandia then turned the panel’s attention towards cyber-specific risks. What cyber risks should everyone’s suppliers and third parties be most aware of?
Phil Venables highlighted the importance of maintaining a strong baseline level of security controls, enabling companies to filter out the constant background noise of would-be attacks, and focus on the third parties that handle their most sensitive information.
“But I think mostly if many organizations across their supply chains, just got their vendors to a reasonable baseline level of control so it wasn’t straightforward for them to get caught out by just the routine set of attacks that go on out on the internet every day, that would be a … reduction of risk in the supply chain for many companies.” Venables also cited ransomware as a specific risk companies should pay more attention to.
Jim Routh took a moment to dive deep into ransomware, explaining that cybersecurity insurance policies may, ironically, be increasing the prevalence of ransomware attacks because insurers are in many cases guaranteed to pay out the attackers.
Routh went on to state that “recovery takes some investment and time because in the middle-to-large tier enterprise, we’ve spent two decades improving our ability to replicate data at speed across environments. And that in and of itself is now a vulnerability. Because if there’s data destruction malware that spreads throughout our environments, we’re toast and our recovery capability goes down. So we actually have to create a time capsule of critical data that we can separate from our environments and use for recovery purposes, rather than facing that dilemma of do I recover with what I have or try and attempt that? Or do I pay the ransom?”
Meg Anderson spoke on the importance of communication and information sharing regarding ransomware attacks and data breaches. Anderson highlighted that oftentimes, larger financial technology and services organizations can have a slightly adversarial relationship with the many startups and small businesses they work with:
“Oftentimes we think about all the paperwork that comes in, and there’s a little bit of adversarial relationship: Tell us about your security program, make sure you get the test right. And instead, we really need to be partnering with our supply chain and making sure that if there’s an emergency, if there’s a crisis, we can be helpful to them, not that we are a service provider, but we want them to be upfront and be a partner for them prior to an event, but also we can help in the event that something does happen.”
Kevin Mandia put it succinctly: “It’s the responsibility of Bigs (as I call them) to help the Smalls because Smalls lack the resources sometimes to both prevent the threats from becoming reality and to handle them when they do become a reality.”
More to come!
Stay tuned for further content from the Interos summit including more blogs from this conversation, and talks from Dr. Richard Haass, Valarie Abend, and more!
Click here to view the summit in full or visit the rest of our website to learn more about Interos.