SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I’m your host, Servaas Verbiest, and today, I'm joined by John Beattie, Principal Consultant at Sungard AS and we're going to be discussing third party risk.
John, thanks for joining us on the show today.
JOHN BEATTIE (JB): Servaas, thank you so much for having me. It’s a pleasure to be here.
(SV): Oh, yes. And I've been excited because I haven’t had the opportunity to have you on the show with me as host, but you have been here before.
And this is a topic that I know comes up pretty frequently, especially because of the increased awareness around the risks that are inherent from leveraging third parties. A lot of organizations are trying to mitigate against so many things and inevitably, you're not going to be able to keep everything in-house when you run a business. You're going to be reliant on someone to provide you something.
So, as Gartner mentions, things like a vendor risk management program or process that service providers and IT suppliers go through will help identify these things, but I know there's still a ton of questions and uncertainty that come up around the topic.
John, as somebody who spends a lot of time talking with customers about third party risk, what do they typically broach when they bring up the topic? What are the typical concerns that come up?
(JB): Well Servaas, there are multiple dimensions to this whole third party risk management thing. And I've been involved in these kinds of initiatives for 10 or more years now and a lot has been changing and evolving in that world.
So let me start with what I call the basics, and that's really about understanding the preventive and reactive controls within the world of your third parties. That is, of course, very interesting and very valuable and a lot of organizations tend to focus just on trying to get some sense of that, but that really isn't sufficient just to check the box, so to speak, and ask a variety of control questions. You truly have to understand - and I'm using the word understand very specifically here - you really have to understand: are they truly ready to react, recover and resume operations, and at what pace and at what speed? At the end of the day, it really is about you truly having a reasonable understanding about what you should expect from your third parties through their thick and their thin, so to speak. So, you know, it really is about understanding that preventive side: what do they have in place to keep things from happening, and what do they have in place to be more reactive at the time of something happening?
(SV): Those are good points. I mean, one of the things I like to bring up when I speak to anybody is when you're going to leverage a third party, things are going to inevitably happen. The really good measure of whether you've chosen the right person or not, isn't just the frequency of things happening, but how quickly they react once something happens. As you mentioned, a lot of people focus on preventing things from happening, right? But we obviously know they're going to happen at some point or another.
What risk does a business really open themselves up to when they focus too much on prevention and they don't really think about what they're going to do when something takes place?
(JB): Well, first of all, prevention is good. I mean, you do need to really understand that. And organizations doing their best to prevent something impactful from happening really is essential and part of that understanding that you need to have. An example is we keep data centers away from combustible materials in order to reduce the risk of a fire, but we also install fire extinguishment systems and position fire extinguishers in those work areas, and those are the reactive controls. So, again, you need to understand, have they truly done what they can do to prevent something and have they done something on the reactive side?
So, let me address your question I guess through the lens of cyber attacks and cyber intrusions, which are top of mind in most organizations today. Organizations spend a lot of time, a lot of effort, a lot of people power, a lot of money, trying to prevent cyber attacks from happening, but we know they do, it's going to happen. So you need to understand what those organizations are doing on that prevent side. There’ll be questions you'll be asking about firewalls and intrusion protection and multifactor authentication and probably hundreds of other questions you're going to be asking, but, again, the reality is that cyberattacks are going to happen, so you need to understand how well positioned they are on that reactive side, because it's just going to happen.
Cybercriminals are always finding new ways to bypass what's in place for protection. So we need to understand what our third parties are doing to minimize their risk of a failed response and recovery effort. And that's a major differentiator of third party risk programs over the past several years: getting more to that reactive side.
(SV): And I like how you parlayed into that example, because you really can't throw a stone on the internet and not hear about ransomware these days and cyber incidents connected to that kind of illicit activity. And given it's such a hot button issue, it needs to be addressed.
So, just to provide an example, how does a third party evaluate risk as it pertains to ransomware when they're working with a client that wants to consume their services?
(JB): Well, that's a great question. And that's certainly an area that has been getting a lot of attention with regard to third party risk, whether it's a third party that is providing you a SaaS service - and of course, if they're providing a service, they have your data - whether it's an organization that you're relying on to be a processor of sorts, they're actual people doing work on your behalf - and again, they have your data. So it's very important that we understand the ransomware readiness, if you will, of our third parties. And there's so many controls, capabilities, plans, disciplines that all have to work together in a programmatic style so that the organization - your organization or your third party’s organization - are really ready to respond, recover and resume after the attack.
So, let me share a couple of high level thoughts on this particular topic and some questions that you might want to make sure you know the answers to when you're probing your third parties. First of all, you need to understand if your vendor’s disaster recovery program recognizes that data recovery is a special recovery case. It's the second DR if you will - disaster recovery on the traditional side, data recovery on the modern side. Do they know what makes data recovery different than traditional disaster recovery? And, my thought here is that, without the recognition of those differences, good luck getting them to get through an attack successfully, and therefore, forget about any contractual SLAs. That’ll be out the window.
Other questions relate to: do their backups have characteristics that are necessary in order for what Gartner and others call modern backup capabilities? That's with immutability, extended retention cycles, anomaly detection and many more characteristics, but if that's not in place, they have not done a good job of reducing their risk of a failed data recovery effort. Do they have plans? Do they conduct exercises? Do they have the right SMEs on retainer that can jump in?
Servaas, here’s one of my favorites. Do they have a recovery playbook for decrypting data after a decryptor has been acquired or purchased, if you will, from the threat actor? So they pay the ransom, they've gotten the decryption key because that's the only way they have of getting their data back. And that happens all too often with 50% of organizations paying the ransom where they're legally allowed to. Do they even know the first thing about how they're actually going to decrypt it? Where are they going to do it? How are they going to do it? Who's going to be involved? Is your DFIR firm going to be involved? So that's one of my favorite things that I like to look for because if an organization has thought that far through it, they probably thought through a lot of other things too.
(SV): I like that, right? Because it's the age old saying, the devil’s in the details, and you did a fantastic job of really diving deep there. But if we could take a step back, and maybe refine it into one or two good risk areas that you see post-ransomware recovery because I love the example that we’ve used. Every business is dealing with it today. I think that would really help our listeners relate to how they could take those two things and use them as mechanisms to evaluate the third parties they leverage today. What would they be?
(JB): Okay. Well, a couple of key areas come to mind and I may stretch it to three. So one risk area is - and I'm using an interesting approach here - traditional disaster recovery has been around for years and we've used the term RPO: recovery point objective. And very few organizations have actually documented in their BC plans, or wherever else, how the business is going to fill the gap. And what I mean by that is if the system's got an RPO of 24 hours, when IT does its recovery, they're going to recover that data most likely to that 24 hour mark. But then how does the business fill that gap? What’s more interesting is in the world of cyber attacks, ransomware attacks, there's a pretty strong likelihood that you may not recover that RPO equal to 24 hours. You might be losing a day's worth of data, you might be losing a week's worth of data. We've seen data loss for multiple weeks. So how does the business fill that gap? So a big risk area to me in many organizations is that the business is unaware of what they might be called upon to do to actually cover their fair share of data after IT has done the best they can with what it has. Many times they may meet the RPO value, but in many situations - a lot of situations - they simply don't. So is the business ready for that? So let me check that off as one of those key risk areas.
And let me finish that by saying, what we'd like to see in organizations is they have multiple data recovery strategies so that, based on the circumstances that have occurred, they are in a position to make a decision on which recovery path or paths they want to pursue based on the particulars of the compromise.
Secondly, and maybe from a slightly different perspective, is the operational risks emanating from what I call lack of recognition. It’s a risk to an organization to have their C-suite on down truly not understand what's likely to befall the organization. If the C-suite is not aware of what can happen - they haven't been involved in exercises, they're not fully briefed on what challenges the organization may face - then you can expect that organization to not be able to recover quickly.
And the last point I want to bring up is that data protection is very, very important. We mentioned earlier that whole modern data protection capability with all the new parameters that are essential to ready an organization for compromised data recovery. If they don't have a modern backup solution in place, then they are at deep risk.
The business recognition, the C-suite recognition and the data backup capabilities, to me, are three hot topics. If you don't have that, you're not in a good shape.
(SV): And I agree with you for the most part. There's one place I do have a slightly different position and I think you touched on a little bit, right? The technology is important. Technology is going to enable us to achieve a certain outcome. But when we talk about where things break down, you mentioned the executive team understanding risk. Do you think communicating it in a language in a form that is easy for them to digest - because in most cases they're not subject matter experts - is important or pivotal? Because it seems like if you don't, they don’t understand the risks and it's not a problem, right? So what can you recommend to try to help with that process?
(JB): I think there's an issue on both sides of this equation. So, many executives do understand the threat. And if there's any one thing that we've seen in many organizations it’s that there is funding that becomes available out of budget because executives are concerned about cyber attacks. When executives are concerned about something, then somehow money just seems to show up. But where we see a big issue is that the folks in IT, the folks in information security, haven't thought through it enough to know where they have risks, where they have gaps, where they're not covered. So they really haven't thought through all of the nuances, all of the strategies. And I’ll go back to my example earlier. Do they have a plan to actually decrypt data should that be the path that executives decide to take based on the circumstances? So there's a bigger lack of understanding even within IT organizations and InfoSec organizations about what all of the elements are that are essential to have in place, and therefore there is a misunderstanding in the third party risk assessment programs because organizations are not asking their vendors all the details because they don't understand them themselves. So that's kind of how I'm thinking about your question here.
(SV): It's a great point and it really goes back to the beginning of the conversation where you emphasize going back to basics, because if you don't understand what you're trying to accomplish and the risk you're trying to mitigate against, you can’t evaluate it. And if you can't balance between prevention and reaction, you're going to inherently create gaps in your strategy that expose your organization to further risks. Having the example of ransomware, which is a prevalent risk that organizations are trying to mitigate on a daily basis, for our listeners to use as a benchmark for how they can evaluate their third parties for not just that, but other risks, I think is going to help people come up with strategies around how they want to maintain and mitigate third party risk with the vendors they use today.
So John, I really appreciate you taking the time to run through all that material with us. I always love listening to you and it was a pleasure having you on the show.
(JB): Servaas, the pleasure was all mine as well, and thank you for the opportunity.
(SV): Fantastic. John Beattie is Principal Consultant at Sungard Availability Services.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow. Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they're available. IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.