Video: Ratings Alone Aren't Enough: How Intelligence Transforms Third-Party Risk Management
Duration: 3396s
Summary: Ratings Alone Aren't Enough: How Intelligence Transforms Third-Party Risk Management
Chapters: Webinar Introduction (34.58s), Speaker Introductions (95.275s), Mastercard Acquisition Context (152.26s), Third Party Risk (196.32s), Vendor Security Risks (265.785s), Scaling TPRM Challenges (342.2s), Uphill Battle Challenges (529.345s), Third Party Risk Limitations (641.96s), Third Party Risk Management (788.71s), Ratings Success Stories (1018.085s), Security Ratings Value (1318.65s), Rating Limitations (1376.65s), Threat Intelligence Evolution (1501.47s), Actionable Intelligence (1652.71s), Proactive Threat Intelligence (1795.16s), Challenging Security Ratings (1966.415s), Cross-Business Unit Benefits (2166.99s), Continuous Monitoring Scope (2323.74s), Vendor Tiering Strategy (2427.6s), Vendor Risk Visibility (2528.1s), AI-Augmented Risk Management (2648.725s), AI Empowering Risk Teams (2813.94s), Key Takeaways and Recommendations (2975.47s), Final Recommendations (3184.59s), Closing Remarks (3314.71s)
Transcript for "Ratings Alone Aren't Enough: How Intelligence Transforms Third-Party Risk Management":
Alright. I think we're good to get started. Right, guys? Well, welcome, welcome, welcome, everybody, to our great Tuesday, May 19 webinar on "Ratings Alone Aren't Enough." My name is Jerry Hodge. I am working in the product organization at Recorded Future, where one of the things that I get to look after is the capabilities that we bring to bear around third party risk management. I'm joined today by two great guests, and I'm not gonna steal their thunder, but I will let them introduce themselves, and just to give everybody a little bit of an idea of the layout today: we're gonna treat this almost like a fireside chat. So this will be an open discussion. We've got a number of questions to talk to the guys about, but we want your engagement too. So don't be bashful, don't be shy, drop your questions in the chat and we'll either pick those up in chat or, you know, incorporate them directly into the conversation. But without much further ado, Roderick, I'll let you intro first. Hello, everybody. Thank you all for joining. My name is Roderick Chambers. I'm the governance, risk and compliance manager with Recorded Future. Spent more than fifteen years in the threat intelligence community, public sector for more than ten, and then private equity and other areas as well. Third party risk management is something I just wake up to nowadays. So this is a very timely discussion. Thank you, Jerry. Yeah. Glad to have you. John, you wanna jump in? Sure. John Eric, Vice President, Ecosystem Risk Solutions for Mastercard. Been in the third party risk space for about twenty two years now. I had the great pleasure of working in some major international banks doing this, also in the health care space, and also cofounded and was past president of a group called the Third Party Risk Association. So, like Roderick, third party risk is something that I live and breathe every day and have spent basically my entire professional life focusing on. 
So really excited for this discussion. I know it's gonna be great. Yeah. Well, thanks again, both of you, for being here. You know, given the context that we're walking into this conversation, obviously, it's been about a year and a half since Mastercard acquired Recorded Future, so we closed on that transaction in December 2024. One of the big focus areas that we've had, for those of you on the call that are not aware, is, you know, bringing together the capabilities of RiskRecon and Recorded Future. So with that as the backdrop, I wanna start with a little bit of framing here from both of you in terms of how third party risk management programs have changed over the last five to ten years. And maybe more importantly, from your perspective, what's driving that change? And do you see that continuing? No. No. Definitely. I mean, for myself and for the organizations, the groups I've worked with, the last five to ten years, it's just evolved completely from a decentralized, kind of like a back office procurement checkbox. Alright? And it was usually just spreadsheets and everything, and now it is extremely critical. It's mission critical. It's board level. It's a strategic mandate, lots of compliance. And I would say that this evolution just isn't a shift in corporate philosophy, especially for Mastercard, RiskRecon, and Recorded Future. No. It's a forced adaptation to a rapidly changing digital threat landscape. And, you know, speaking from the intelligence background, I grew up, for many, many years, with the Verizon Data Breach Investigations Report. I use it every year. A lot of people on this, you know, attending, have seen this, that from the previous year it has actually grown. 30% of confirmed security breaches for third parties was doubled, okay, over the last year. That's like a glaring sign that we still have issues with third party risk management. Why are we learning? It's here. 
It's always been here. We're still here. Yeah. To jump in on that, you know, I think what's driving the change? Obviously, the threat actors right there. They're always bigger, stronger, faster than everybody. When I first got into this, this was largely something you did in finance. And then, you know, we got into health care and it was just looking at business associates, and, you know, if you look at the way we do business, it's a global economy now, and no company, even a company like Mastercard, has to outsource so much. And, you know, we spend, as organizations, sometimes hundreds of millions of dollars putting in all these defenses to secure our fortress. And then we take the same data that we call our crown jewels, and we leak it out the back door to some vendor down the street that has to do, you know, statement printing or something for us. And the bad guys aren't dumb. Like, they know big companies are pretty secure. They know that the vendors they work with largely sometimes are not. Right? And if I'm gonna be, let's say, a motivated but not wanna do a whole lot threat actor, right, as you know, passive income is the dream for threat actors. So I'm gonna go for the low hanging fruit. I'm gonna go for the vendors that have access to the same data or critical resources, to one of those vendors, and I'm gonna target them. So we have to go. It just it's become a must. Yeah. Absolutely. I love that. Yeah. Go ahead, Roderick. Like, no. I love what you said, John, about the threat actors. That's the beauty of threat intelligence. And I, you know, I like to paint a picture that, you know, from my, you know, a decade ago, we were manually tracking dozens of suppliers on spreadsheets. Okay? And if you look at it right now, there are thousands upon tens of thousands of vendors that are out there. So with it, you know, and I love the word intelligence. 
This is what we work with. But if we look at it from the intelligence standpoint, you know, the barrier to entry for acquiring new tools, okay? And think about this in your organization. It's literally vanished. Okay? Business units can spin up new software with a corporate credit card in a few minutes. They bypass all those traditional IT procurement methods that we have. Your procurement system, your secure vendor program, all those things went in there. And so because of the exponential growth in these areas, third party risk management programs hit what I call the headcount wall. We used to be able to manually go against threat actors and our third party suppliers. You know, the relationship between the vendor count and analyst headcount was linear. You know? But, eventually, and which is why, you know, RiskRecon, of course, came about, is because organizations realize they can't hire their way to scale. It's literally impossible. So when you look at that, you've got your software as a service. You've got your cloud expansion. Alright? And it shifted from, you know, our physical supply chains and on premise hardware. Remember that way, way back? Now it's all cloud. You speak about a company that has it on prem, you wonder what year or what decade they're living in. What has happened? You know? So but that also builds a problem now because now companies have to account for your fourth party vendors. I've seen these in questionnaires. I'm pretty sure people have seen them too. Tell us about your fifth party, your sixth party, your seventh party. But to what Jonathan was saying, which was perfect, was threat actors. It's still a barrier. You know? You have SaaS. You have cloud infrastructure. Your sensitive data no longer resides within your own four walls. Vendors, from massive cloud providers to niche AI subprocessors. 
I think we're gonna talk about it later about AI subprocessors as well, but that's also a new factor in here. So when you have these overlapping attack surfaces, you know, you have the many misconfigurations that third party cloud providers have, they've changed. They can expose your data, your customer data, your IP. It's a very big piece here. That makes perfect sense. And you guys have touched on a lot of things I know that'll recur kind of, you know, later on in the conversation, but I think the notion of the broader attack surface, not being able to hire your way into scale, as well as some of these dynamics that the business is operating under, become really critically important. So great comments there. I think with that as the backdrop, one place that might be kind of intriguing to think about is, and, I mean, you referred to this earlier, Roderick, a little bit, but if one looks at the metrics, the year over year incidents that have occurred either directly due to or involving a third party, it might be a little cynical sounding, but one might say that our third party risk management programs are failing. That despite the investment, despite the changes in processes, we're still seeing an uptick of exposures and events due to the third party ecosystem. Why do you guys think this is the case? You know, is there anything that we can do about it? Yeah. I'll start with that. It's an uphill battle. Right? I mean, I think I saw a stat last week that the time to exposure, you know, take a CVE and lead to exposure, went from something like fifty six days in 2024 down to, like, ten hours now. Right? So when new vulnerabilities get out there, they're breached so much faster. We can't keep up. You know, third party risk teams, on all the teams I've ever worked on, I never had infinite resources. 
So even if you had infinite resources, to Roderick's point, you can't hire yourself out of this. And vendors are an awful lot like taxes. Right? Your politician always says, hey, we're gonna just put this tax in for one year. That tax never comes out, and it never actually gets spent on the thing that, you know, it's in there for. It just keeps growing. And that's kind of what your vendor ecosystem is like. Maybe you get rid of one or two and you add 20, and you can't scale that fast to be able to do those sorts of stuff. So even though we've made great strides in the capabilities, you know, we went from the Excel based questionnaire to stuff that's delivered via the web. We've brought in ratings tools. We've done more on-site reviews, all that sort of stuff. We still can't keep up because, you know, the people that we're up against don't have any more restrictions. They're able to do whatever they want. They don't have to take six months, you know, to go through a process to onboard a new tool to be able to do this sort of stuff or get hiring approvals and all this. It's an uphill battle. Absolutely. Absolutely. And I mean, you know, I take this in the way that, you know, I got a very strong team, and it's always trying to bridge the gap between the new technology and the old technology. You know, I told them, like, you know, it's the outside-in limitations. Okay? When we're looking at third party risk management analysts, they're looking at things. This is where it falls short here. It's the public Internet. You got expired certificates. We've all used these tools and different ones to find certificates or SSL, open ports or DNS hygiene. But that's important, and we're wrong. But what's important is the internal controls of that vendor: identity access management, encryption at rest, employee background checks. 
I deal with this from both ends, attesting for the company, but also receiving those questions as well from clients asking us about this. So I'm consistently seeing this outside-in limitation. But then we also look at the asset attribution and the context. This is what, you know, the analyst should be really focusing on and looking at, and where we do fall short here is that they're usually ratings platforms. Okay? They focus quite a bit on the IP addresses or domains that are no longer in use. So if you had a lovely event or a lunch and learn that has gone away, it's gonna show that as an expired SSL cert. But does it really impact the vendor and what they're providing? That's the context that's really big. And then the last part that I always see and I really do care about is the teaching to the test, as I tell my analysts, where, you know, as organizations, we can see our risk score, which is good. You know, third party risk management platforms can see those. But when you give us that intelligence, that information, we can fix those public facing issues that make us look really, really good. There could be a lot of problems in the engine, and we really have to find ways to see and discover those findings. That's what really matters with our third party risk management programs. That's where I kinda feel like they're kinda falling short there, but we are bridging gaps to getting there. Okay? I think kinda teaching to the test, Roderick, and maybe this is a good question for you, John, is that, obviously, a company like Mastercard is under fantastic regulatory and compliance scrutiny, you know, a million different things that Mastercard has to adhere to in its role as, you know, one of the largest payment processors in the world. 
Is it fair to say that, you know, even Mastercard maybe knows, due to that regulatory burden, that even that's not enough in terms of securing the network and the need to kinda push beyond that? I mean, how do you think that Mastercard's background of operating in the space that it's operating in informs its knowledge of where regulatory and compliance standards succeed and where they fall short? Yeah. I mean, and not to speak for, you know, the other departments within Mastercard because they get angry if I do that. Yeah. I'll speak anecdotally. You know, I think, you know, as a company, Mastercard realizes that what we do is critical to, you know, the everyday economy. Right? And doing ratings alone, you know, it's a great, I guess, the topic is great. Ratings alone are not really enough. Right? We have to move past that, and I think that's largely what drove the acquisition of Recorded Future and seeing the, you know, the capabilities and the evolution of this really important aspect of cybersecurity and saying, you know, it isn't enough. We have to go past it. We have to drive that change in our ecosystem, and, you know, that leads to a change in the larger economy because of all the touch points that we have. Yeah. That's a great comment. Absolutely. I mean, yeah. Go ahead, Roderick. You get a... No. Yeah. No. No. Something out of there. Absolutely. I mean, I don't wanna speak from that. No. Again, from Mastercard or anybody else, but we're all in the same boat with third party risk management. We all have them no matter how we're gonna escape. Yep. You know? And I know the, you know, the compliance trap, I'd say. You know, we use that as a guide, as a boundary all the time. But I look at the things that, you know, the third party risk managers are looking at. 
They're looking at your SOC 2 reports, the CAIQs, the SIG reports, you know, and they're literally a point in time illusion. Okay? That's why, again, teaching analysts how to look deep in there. That one day when you finally get to your auditors and they check off and give you your SOC 2 report, for that day and that day only, that is what you're attesting to. But what about the other eleven months from that SOC 2 report before you get renewed? What happens? A lot of times, it's like an open book test almost. You know, we, again, your third party can sign, let's say, a data processing agreement. We all know DPAs, or they can sign those T's and C's and they work with their lawyers. But what's happening is the regulators, and, again, we're not gonna speak to regulators, but we're gonna say what their objective was, was that risk can legally be transferred on paper, but the operational risk of a breach has not been reduced at all. We, as a subscriber to the vendors, are responsible for those issues with our vendors. We're responsible for breaches. That's the spirit of it. You know? And so when we're looking at things like those one time SOC 2s, CAIQs, others, how do we ensure that throughout the year, you're still adhering to those same security standards? That's in essence the third party risk management piece that we have there. Very important for us all. We've seen these things, you know, direct vendors and, you know, I think Jonathan put it best as low hanging fruit, vendors upon vendors. We've seen SolarWinds. We've seen MOVEit. We've seen Log4Shell. They'll go after, you know, our vendors are so plugged in with so many other companies to look at portfolios. It just takes an interest into a subprocessor or, you know, a vendor that somebody primarily relies on, you know, and they literally have access to hundreds upon hundreds of vendors and organizations. 
You know, we were all battling to prevent that, but we get bogged down with, you know, they passed the SOC 2. It's wonderful. Yeah. Good. So I think with that, you know, obviously, the title of the webinar is, you know, ratings not being enough, but I don't wanna be too disparaging at all to the space because I think ratings have progressed the third party risk management space in a really important way. And they've actually played a very seminal role in our ability to cross validate, you know, what our third parties say that they do, maybe even get insight into things that it's not easy to assess from there. But where do you guys feel like the ratings have had big wins in the third party risk management space? And, you know, alongside of that, where do they continue to fail, either because they've been misapplied or just because they lack some core capability? Oh, man. This is great. We're talking about wins now. This is great. I think this is where we get really continuous monitoring. Alright? Ratings. That is the key. The ratings are continuous monitoring, especially when you're bringing on new vendors and old vendors. You bring on a new vendor and they have a great rating score, guess what? You can fast track them to procurement, but you're still gonna monitor them. And the vendors that you still have in your portfolio, you can always put them on alerts. You can say, hey, when there's smoke, there's fire. That rating drops, we need to have a discussion with your vendor, see why those ratings have dropped. Is it public? Internal? There's lots of things right there. That also helps out with the scaling for the triage process. Those scores help my analysts. You know? You can't hire to scale in. I can't put one analyst on every vendor, and I have a team of, you know, half a million people working with this thing here. 
So the triage process, you know, you have your high risk, you have your medium, you have your low risk. I'm able to triage. I'm able to really hone in and focus, you know, on what vendors are having the issues, what criticality they are in my organization's environment, what we need to really dive in and focus on. Okay? It's a really big thing. And then the biggest piece, I think, Jonathan, I think you're hitting this here, is the translation. We talked about this intelligence, threat actors, low vendors. What does my board, what do my CEOs wanna see? Okay? I could talk all day about technical pieces and how to fix identity access management, but they wanna know, in their critical vendor portfolio, okay? What is the average score? Is it good? Is it bad? Show me the numbers and what that looks like. Exactly. They love that. Quickly able to identify success or some shortcomings and gaps that need to be filled. It helps us. It helps them. See, it's a huge process. Huge win on ratings that we have. Yeah. If we're talking wins, I'll put this in kind of the analogy of a car because, obviously, Mastercard is a sponsor of a very well known racing team right now. But, you know, like, when I started, you know, we talk about having things in an Excel document. And Roderick mentioned that point in time, you know, one month to look at the SIG or, you know, that sort of stuff. I look at that as, like, you can take your car to the inspector. I live in New York. I get my car inspected every year. I drive my car in. They look at the brakes. They look at the headlights. They, you know, they look at all sorts of stuff, the emission standards. Someone stamps it. I drive away for another year. Right? That's your questionnaire. Nobody knows what happens when I leave that mechanic shop for the next year. 
Where I think ratings succeeded is ratings brought that visibility to, you know, they're the dashboard lights. Hey. Hey, dummy. You know, your tires are low. Your oil's low. You're about to run out of gas. You're overheating. Whatever. That's the continuous monitoring capability that the ratings brought to third party risk, which was essential because, you know, at the end of the day, my greatest use case, I think, as a third party risk professional with a ratings tool is like a smoke test. You look at, you know, how you see me on the screen. I don't have a big Recorded Future bureau painted behind me. Right? And I used to use this example during COVID of, you know, you send someone a questionnaire, and they say, yes, I do patching. Because everybody says they do patching. You know? Well, how good are they at patching? I don't know. They said yes. It's, you know, it's probably a sales guy that answered the questionnaire. But I had this great slide that was, you know, me sitting on a beach taking a call. And, like, I used to say, like, hey, I'm in COVID, I'm locked down, but I'm locked down in The Bahamas. I'm taking this call right in the water. It was great. And that was the questionnaire. It's what I wanted you to believe. It was a curated perception of reality. But you turn off that virtual background, and I had two of my kids strangling each other behind me. Like, that's the reality. It's dirty. It's messy. You're hiding all the bad stuff, and you're curating just this rosy perception of reality. And that's where ratings are great. They can tell you all that sort of stuff, to say, hey, they're not really doing what they say they're doing, or they're doing something different than they even know. Shortcomings, you know, there's always gonna be the inside piece that you can't see, those challenges. 
There's also, you know, not a standard, really, when it comes to, there are other ratings companies out there. There's multiple ones and, you know, certain companies do things differently and you'll get vendors that say, hey, well, I'm good here. Like, well, what does that mean? You know, there's no actionability to any of the data that you have in that one. How do you even know if you're good? They're just giving you an arbitrary grade. So, yeah, I think ratings have made third party risk so much better. To Roderick's point, you can see all that great information. Hey, something has gone bump in the night. How does this impact my vendor ecosystem right now? Right? Those are the wins for third party risk professionals that, you know, trying to do that with, you know, we'll get 500 questionnaires when your CSO says we had an incident, you need to know who is impacted. It's a nightmare. It's a simple book test. It's very good. It's like an open book test for everyone. Yep. You know, you go in there and get your library. What can we say we have there? I love that. I love that analogy. It was really good. And it really is. It's not the silver bullet, ratings. You know, it's the smoke. You see the smoke. You know, where there's smoke, there's fire. You gotta investigate. But it's better than just me looking into the vast wide open guessing. It does help me at least point a finger on where I should be focusing my efforts. Love it. Absolutely. No. 
I think those are great comments, and I think, you know, at least one of the things that we're seeing at Recorded Future is that, while there's a great win in the ability to report up on the state of the third party ecosystem, one of the things that happens with ratings, and I'm curious if you guys agree with this, is that it incentivizes behavior that means, like, I'm driving towards getting a better score, which necessarily means that there's something you can do to fix that score. So much of what constitutes what we might call a traditional rating are things that you can fix. Well, you can't fix data leaked on the dark web. You can't fix stolen credentials. You can't, you know, you can't fix malware propagation that breaks through poor network segmentation necessarily. Right? So there's sometimes a mismatch of the actions that need to happen and the behavior that the tools actually drive. But curious if you guys have any additional thoughts on that front, but that's one of the things that I've at least observed from some of the customers I'm meeting with. Yep. 100% agree. I mean, I 100% agree with you. I mean, some of these things you can't change. That's getting under the hood of the car. You know, that car looks really nice on the outside. The body is there and everything. That's an open book library that you have there. That security questionnaire they send in, that CAIQ, that SOC, you look great. 
But when you get underneath that hood, you know, like you said, a lot of times, especially when you talked about Mastercard joining RiskRecon and Recorded Future, is that a lot of people, hopefully, in this session here, if you're working in private equity firms, you know, you're looking at something you're about to acquire, you wanna know what you're gonna accrue, what you're inheriting. And just like Jerry said, you can't change leaked information in the deep and dark web. You can't change stolen credentials. But what I do wanna see from those organizations, what did you do to prevent that? What did you do to learn from the data that's out there that target? It's a fantastic one that you have there, Jerry. Fantastic. So, I think this is a great chance to step into the world of intelligence. And, you know, ten years ago, I think if you went to a lot of, you know, even large companies and said, hey, we think that you need to do threat intel, they would have said, that's what governments do. Like, that's not for me. That's not for me to do. And here we are today where Gartner's just released their Magic Quadrant on cyber threat intelligence, which, coincidentally, Recorded Future was named a leader in. The notion of intelligence seems to be everywhere now. We have people appending the word intelligence to just about every application you can imagine. But I think it's worth asking the question of, you know, how do you define intelligence and why the transition from, like, isn't that what governments do, to, like, no, this actually might be the answer to a lot of the problems, or at least part of the solution to a lot of the problems that we're having. Yeah. I'll kick that one off. 
And to go back to my car analogy, you know, if you've ever seen any footage of modern race cars and the telemetry that those cars have, you know, we talked about your car having the dashboard with your dummy lights, the oil and that. Modern race cars, I think, track something like a million data points per race. Right? And to me, that is intelligence. Right? That is the difference of saying, hey, your oil's low or not, to: this tire is running two degrees hotter, you could expect a problem in the next two laps, you need to change something. To me, that's intelligence, and that's the application to third party risk. It's what is going on at this very moment beyond what I can see from a point in time questionnaire, beyond what I can see from a ratings tool. Altogether, it's a security onion. Right? You gotta have all these layers together, and intelligence is the one that takes us to the next level. To me, it's a necessary step. And why did it go from, hey, this is something the governments do? Because governments are attacking your organization. Right? The bad guys aren't just some guy in his basement with a bag of Cheetos trying to get rich. It's nation states. It's all sorts of stuff. Right? So you can't bring, you know, a pencil to a gunfight. You gotta try and level the odds, and that's where intelligence is key and necessary. And if you're not building it into your program, you're gonna be behind. Oh, absolutely. Absolutely. And, I mean, to all your points of intelligence, we're surrounded by lots of data. We're inundated with data, and we have so much information. And I tell people all the time, it's when you take those two, data and information, and merge them to analyze it and provide an actionable foresight. Okay? 
These IP addresses belong to a ransomware gang's C2, command and control, server that is targeting the financial sector. What are you gonna do? Block them immediately. You take away all that data, take away all the information, and you get me to the core. Ransomware gang attacking my industry. What are we gonna do? Block them immediately. That is intelligence at the core, taking it together and getting that one minor back. When I look at organizations, I always go way back, you know, depending on what, you know, as organizations or as people, we as people, we use intelligence all the time. We just don't realize we're doing it. You have professionals showing you. I mean, my kids, you look at your kids. They use intelligence. They don't understand they're doing it. They know that they can ask dad to take them to McDonald's, and dad's probably gonna say no or yes. Who's gonna say yes first? No. Mom's gonna say, you gotta take me to McDonald's, and she'll take us. They're using intelligence. They're taking a bunch of data. They're taking information, and they're getting what they want. And that's what we're doing as organizations. We're taking a lot of data and a lot of information, and we're saying, we've been breached two times. How is that happening? You have a lot of data, a lot of information. Let's bring that intelligence together. You're working with somebody like Recorded Future with threat intelligence. We're finding leaked credentials on the dark web. We're seeing identity and access management pieces. We see the industry. Guess what? We now have some actionable intelligence. We're gonna take some action against this. That's a game changer for third party risk management when you start adding them in there. Predictive versus reactive. It's beautiful. Yeah. Just jumping in quick on that, Jerry. 
You know, in the world of Mastercard, right, obviously, we're very fraud heavy, and you generally don't see fraud until the issues happen. Right? It's a reactive thing. Somebody stole my credit card and did this. I don't know that they stole my credit card until someone decides to buy a bunch of ski lift tickets, which actually happened to me this year. Somebody went ahead and had a great ski vacation on my dime; it took a while to get the money back, but, you know, I didn't know that anything happened until I saw those tickets being bought. And I think that's the driver of intelligence. Right? How can I get ahead and move everything left? Right? I don't wanna wait until I have an issue, because you know what? Everybody has breaches. The best companies in the world have breaches. They have ransomware events. They have all sorts of stuff. If intelligence gives me a little bit of a leg up to say, hey, I can get ahead of this, I can stop this before... you know, maybe there's a little crack in the dam, but I don't want the flood. I wanna be able to go plug that crack and fix the issue. That's the value that intelligence brings to a third party risk organization and why I think it's a must.

Absolutely. It's an early warning system. You become predictive versus reactive now. You know, with your traditional third party risk management platforms, you find out a vendor has been breached, and then, ultimately, the vendor sends out a PR email thirty days after the fact. I'd even know beforehand.
You know, threat intelligence monitors the deep and dark web, underground forums, and ransomware gangs. Like, as Jerry mentioned, if we can tell you that an initial access broker is actively selling compromised VPN credentials, okay, we all use them, belonging to your vendor before the ransomware event, we've done ourselves a very good job. You know? You look at things like contextualized vulnerability prioritization. When you look at that Verizon data breach piece and you start looking at that pie chart, it tells you exactly what the attack vectors were. You look at vulnerabilities. Alright. We get a ton of them. AI is speeding it up as well too. Security ratings might flag that your vendor has 50 open vulnerabilities, which is great. Okay? It's that risk rating, which causes panic and all kinds of delays, but the threat intelligence provides the context. It tells you exactly, out of those 50 CVEs, only two are actually being exploited by threat actors in the wild right now in your industry. So now my team can go and focus on that vendor fixing exactly what matters rather than chasing 50. I know I have two. I still gotta care about the other 48, but I know these two are immediate. We're breaking that up right there. And then, I love the point of, you know, the third party risk management and how it works, but this really is one of my criteria: it's the reliance on self reporting. Okay? I think we pretty much beat this up, that companies can study for the test. They can see their ratings. They can target public items. But with advanced intelligence, okay, like Recorded Future, you can map out digital dependencies. Okay? This doesn't just tell you about your direct vendor. It can identify that your vendor relies on specific open source libraries and an overseas subprocessor that is compromised. It illuminates all of your supply chain risks that are out there.
So what we wanna do is take that self reporting, where I can make myself look very, very good, and really find out what's really going on out here. How big of a risk are you in my ecosystem?

So this is a great point to use to pivot to some of the questions that have turned up in the chat. There's a couple really around driving interest on the part of... so you've identified all these things you guys are talking about, but there's a couple questions like, so how do I drive interest on the part of the third party? My main contact is like an IT director or an application owner; driving interest there to actually respond. And then kind of with that, like, how would you use a threat intel data point or profile to challenge the static risk rating? And I'm sure this could come up in two different ways. You know, one such being like, hey, I've got an A rating, or I'm tippy top. I'm in the, you know, top 5% of my industry. So, I mean, I'm curious your guys' thoughts on that front of either, you know, driving interest or using this as a credible challenge to what, you know, the vendor might perceive about themselves.

Yeah. I'll start that, I guess. And, you know, it's funny because that question, Jerry, the, hey, I'm good, I wanna challenge this. It's the same thing we used to hear in this continuous monitoring space for so long. Hey, I said I'm good at patching. Here's my SOC 2. I'm, you know, I'm clean. And then you come back with a continuous monitoring tool that says, no, you're not. This is an issue. It's the same thing with using intelligence data points. It's that next layer of, you know, the smoke test. Like, hey, you've passed the first gate. Now you're past the second gate with ratings. But, hey, I know something else right now that isn't available to any of those tools.
That's another gate, and I've never used that as, and I've never wanted it to be used as, a gotcha. Right? For me, it was, I'm a partner with my vendor, because if I want my vendor to succeed, I want them to be secure because they have all my stuff. Right? Just like I don't want my bank to go out of business and take all my money. So my interest as a practitioner was always to partner with them and make them better. And oftentimes, that included kinda selling them on the idea that, hey, what you said is good, but we know a little bit more. We can see other things that sometimes... and let's be honest, a lot of times it's sales guys filling out questionnaires. You know? So the answers you get are just yes to everything. So you need that ratings tool to then check that, and ratings tools are limited in their scope. They're only outside looking in. There's a lot of blind spots. They don't necessarily know right away that, you know, somebody left a laptop in a taxi cab and it's for sale on the dark web this afternoon because somebody needs to buy, you know, whatever rare Pokemon card or something they're using the Bitcoin to pay for. Right? So it's an evolution of that, and it's never a combative thing. Right? It's like, hey, I'm helping you. I'm helping your company to succeed. Because if you go through one of these issues, you might not come back. Like, I'm a big company. We have an issue. It's a bad news cycle, you know, whatever it is. But if you're a small mom and pop vendor, let's say, and I'm providing you with this intelligence, saying, I know something's going on in the dark web, that should be, like, free consulting. Right? That's a lot of money that they would pay to get that information when we're there to help them.
So I try to always make it non-combative and see the value of all the tools, whether it's ratings or it's threat intelligence, that we're bringing to the discussion to consult with the...

Absolutely. I mean, I love the partnership. I've worked with a lot of companies that do that exact same process, where they'll have not just the risk rating, but they'll take the intelligence from that and work with that partner, work with that vendor to improve their security posture. And it's great. It's collaborative. Its focus is there. But as an organization, and back to where that question was leading, every business unit can benefit from third party risk management. Okay? Your chief financial officer's looking at, you know, SaaS applications, saying, you know, we've had this vendor for ten years. Sometimes vendors get a little lax if they've been there a long time. They know that, well, this is a recurring one. We always get this every year. Sometimes when they get relaxed, their security standards and their services relax too. As an owner, you can continue to watch and see: are they updating their patch management on time? Are they taking care? Are they sending out notifications to us, or are we on the back burner because they know that we're gonna be an automatic easy renewal? Okay? You can use that from the CFO standpoint of saying, is this contract... you know, do we need to look for another vendor? What are the vendors in our ecosystem? Is this truly best in class? Not what the vendor always tells us based on that clean SOC 2 report, clean ISO report, but are you truly best in class, unbiased, when we view you against your industry and your industry partners?
You know, if you look at, like, your HR, your compliance, your legal team, if they have particular vendors... I worked with a company, and they had a lovely process. They had put their vendors in a yearly cadence where they have them for one year, and they review them so they know they're on a constant collection. They have their three-year vendors, and they're reviewing them on a different kind of cadence. They have their vendors who needed to respond to maybe a CCPA compliance piece or a GDPR piece. They have those vendors on collection. So they could easily triage if something happens or work with them. You know? And I can go on and on to each business unit, but people know, I love it when they say, well, our third party risk management team is the one who uses this intelligence, this information, with them. No. Every business unit can benefit from it. You just have to tune it to what you care about. You know, what is the focus, what's the mission of your business unit? I can guarantee you, you can use third party risk management to drive your business unit's goals and make you more efficient and, for many people, save some money for those on a tight budget. So it's very beneficial here for the long term.

Great. Great commentary. And thank you, keep the questions coming in the chat. I'll come back to a couple of these at the end for input there. But since you guys have been talking about continuous monitoring, Cynthia just asked in the chat, you know, what category of vendors should you put into the continuous monitoring track, from y'all's perspective?

Definitely. Good. I mean, maybe it's because I'm speaking for the company, but everyone. Right? I would put everyone in there that has any sort of material risk in any fashion.
You know, they could cost the company $10 to, you know, 10,000,000. The people I'm probably leaving out are the people that water the lawns and, you know, water the plants and that sort of stuff. But it's not just your data vendors, not just your IT vendors. If you're in pharmaceuticals and one of your organizations, you know, builds up a small piece that goes into one of your drugs that makes $10,000,000 or $10,000,000,000 for your organization, I wanna know everything about them. I wanna know if they're gonna have an issue. And I look at the continuous monitoring pieces like the smoke detector. Right? I can't monitor everybody, and I can't actively talk to everybody all the time, but I wanna know what happens when there is a small fire or a big fire, and I wanna get ahead of it before it's a blazing inferno. And that's where continuous monitoring comes in. And sometimes you can't get any information from vendors, and that's where a tool like RiskRecon can step in and say, hey, I can at least tell you something, because this, especially a fourth or fifth party, won't... you know, they're not obligated to give you any data. So, you know, what can a tool like that tell me about my fourth, fifth, and sixth parties to find out who they are?

Absolutely. I love that, Jonathan. In theory, yes, everybody. I'll add to this one the strategy behind everybody. You know, some companies use tiered systems. You know, your tier one mission critical items, where if this vendor fails, our organization will have a huge loss. You know, your recovery time objective, mean time to detection, all those backup planning facilities; it's about strategy. You know, your tier ones, you wanna know about everything; you want all the intel you can on those tier ones.
I call them your most critical, those crown jewels: ransomware detectors, VPNs, IP addresses, domains, everything. But then, you know, you might have other tiers, tier twos, tier threes, tier fours. Maybe they're business operations. You have those vendors in there, reviewing those, and maybe you don't need the full suite of intel on them. Maybe you need very specific, you know, financial data, or whether they use a set of processors that might be, you know, on the rocks in a different region. You wanna monitor that and make sure that your data is kept in a sovereign location where you have that. And, of course, you have your tier threes and tier fours. But what Jonathan said is you wanna bring all your vendors in. It's about the strategy in which you bring them in and the intelligence you collect against them. Remember, lots of information, lots of data, we're inundated, but the real value is the intelligence piece. When you put all your vendors in there and you're looking at all this data and information you're getting from it, what's the type of intel we want? What is the end goal that we're trying to get from our vendors? Absolutely, put everybody in there. Focus on the strategy, though. Definitely think strategy.

Yeah. And just one quick thing to add on to that. You know, you spoke about the intelligence you wanna get from that. If I'm a practitioner, and like I said, I was a practitioner for a really, really long time, and I had this unfortunate experience numerous times: hey, something's gone wrong. There's a new vulnerability out there. What's my exposure in the vendor world? If I'm monitoring my 10 most critical vendors only, I'm limited to just what those 10 are doing, whether they're using that piece of software or not, that we can see with the tool. If I have, you know, a thousand vendors in there, I have a lot more telemetry.
And sometimes, you know, Roderick mentioned the tier ones, tier twos. Sometimes those twos and threes, at a given point in time, are a much bigger risk than anything that's going on with one of those tier ones. Right? So you wanna know. And, you know, you can say ignorance is bliss. I wasn't monitoring them. I didn't know. But at the end of the day, someone's gonna still ask why your fancy program didn't catch this stuff.

Great comments. This actually... I wanna address some of the questions Richard has asked in the chat before we keep moving. But just to tie a couple pieces together, there's been a couple questions on: does Recorded Future or RiskRecon have visibility into the internal networks of third parties? The answer is no. We don't. Although I once had a director of third party risk from a very large consumer retail company tell me that he was gonna deploy Tanium agents in all of his third parties. Checked back in with him six months later; it obviously had not been a successful program. He didn't get anybody to sign up for that, but I appreciate the boldness of the move. Really, where we would come in is the ability to take what we observe externally and overlay that with the stated controls and capabilities that your third parties claim that they have. And either you say, yes, it looks, at least from an external perspective, that you have that, or you say these two things don't say the same thing; there's obviously some issue here. So, just a quick clarifying point on that. In regards to this continuous monitoring and who we should look at, and, you know, the ideal is everyone, I think a lot of people on the call are probably thinking what I'm thinking, which is, oh my god, you've just introduced a massive scale problem, which is also the opportunity to bring up... so everybody get your eye rolls ready.
The world has pivoted so hard towards these AI capabilities, and I would be absolutely remiss if I didn't mention this in the third party risk management space. Is there a world where, with the right data elements, we get to an autonomous third party risk management operation? What does that even look like? What's required to get there for it to actually be effective? Does it answer that scale problem that you guys just introduced with, you know, monitoring everyone?

No. I will say this right here: you know, I love AI. I love the invention of it. You know? But I don't think it can ever be 100% used for vendor onboarding, continuous monitoring, access revocation, etcetera. I think it's a kind of AI augmenting a hyper-automated third party risk management ecosystem where you still need the human in the middle. And why do I say this? Because, okay, we beat up on the SOC 2, CAIQs, other reports. Instant document parsing by the AI. Let the AI parse it, let it compare and contrast years before, give me the intel I need. Great. Predictive risk modeling. Okay? We talk about risk modeling all the time. So we can move away from the static scores. Alright? And then you can look at the vendor's tech stack. Okay? And you can map it against current threat campaigns and predict vendors. AI, wonderful. Way too hard for a human to do that; it would take them too long. But the benefit of AI, in this shared space, is that I'll need my analysts to focus on the heart of the heart. Okay? We don't wanna wake up to a major breach at a major vendor, and operations are going down. We have to answer that. So while the AI is doing 80% of the work, parsing documents and threat actor mapping and campaigning and getting that intel, the 20% that pops up that's high risk, I need my analysts to have the human touch.
I need them on the phone with my vendors. I don't need to email, send out 400 emails to the 20%. Maybe two respond; you gotta keep pinging them for the email. I need you on the phone, need you in contact. I need to know what the impact to my organization is through this vendor, and what you are doing to stop this, and how long it will take. That's that shared environment with AI. I don't think we can ever get to 100% full AI autonomous life right there.

Yeah. I would agree. You know, if you're in third party risk at this point, I would say I'm not worried about AI replacing me as a practitioner. What I think it does, to Roderick's point, is, you know, we drink from the fire hose in third party risk. Right? I've talked to companies with 100,000 vendors. Like, how do you even keep tabs on that? Or even a small company that has, you know, maybe 100 vendors or 200 vendors is generally just one person trying to monitor all that. So AI is going to be, in my mind, the thing that starts to level the playing field between us and the bad actors, because you have all these data points coming in, whether it's data from questionnaires, SOC 2s, CAIQ, CAIQ Lite, SIG, you know, you name it. You have data coming in from continuous monitoring tools. Now we're talking about bringing data in from, you know, cyber threat intelligence tools. That's a massive amount of data. And at the end of the day, to Roderick's point, something's gotta crunch that information and tell me what stuff I need to care about. And it's not like, hey, these are my high risk vendors, these are the ones I care about. I wanna know what I need to care about right now. Because something went bump in the night, and now there's a bigger... you know, my medium risk vendor is a much bigger risk than my high risk vendor.
Or there's a war in Ukraine and this vendor is impacted. Or there's, you know, any number of things. The Strait of Hormuz is closed. You name it. All sorts of things we need to kind of build into what I would call our perfect third party risk program, which is this multilayered approach with massive amounts of data. At the end of the day, there's a person behind the keyboard. You know, until the Optimus robots can go do on-site reviews, on-site assessments are still something that... and we laugh. You know? After COVID, they became something that we're like, hey, we don't do on-site reviews anymore. I could speak for hours on the horrors I've seen on the probably thousand plus on-site assessments I've done, where everything looks good, and then you get there and you're like, you know, your data center is underground next to a river. Like, you know, you have all glass that no one knew about. Right? So at the end of the day, it's gonna allow third party risk practitioners to focus on what really matters and not just try and, you know, do compliance or one step above compliance, where we're kinda doing this rudimentary stuff, but we still can't keep tabs on everything. Hopefully, it leads to a more secure, you know, ecosystem of vendors for everybody. Because if that happens, then, you know, it's very much a rising tide raises all ships. My vendor is your vendor. As they get better, we both get secure. Both of our data is secure. And suddenly, we start winning, or at least get a lot closer to winning than we are right now.

That's great. So we've covered a lot of ground here over the last, you know, forty-eight, forty-nine some odd minutes. We've talked about some of the wins that ratings provided in terms of being able to report upwards, but we've also talked about the limited visibility that those things might provide.
We've kind of covered a little bit on getting visibility into, like, the overall asset value of what a domain or an IP or a digital asset is actually used for and using that as a prioritization mechanism, as well as covering things like vulnerability exploitation and using that as a prioritization mechanism, and sort of everything in between in terms of seeing how we scale out to a broader third party risk management program that's not isolated just to the top 10, but actually has credible capability to look at the ecosystem as a whole. If you guys were going to give, you know, three recommendations or two recommendations to the folks on the call on how to start implementing intelligence into the third party risk management program, or, you know, kind of top recommendations that you'd give them walking away from the webinar today, what would those be, and how would you go about actually implementing them?

I'll start. I'm gonna start with some really basic ones. Because there's been a lot of information that's come out here. And if you're somebody who's in third party risk, you're like, I just send Excel documents. Like, you know, it's pretty daunting to hear people talk about continuous monitoring tools and, you know, threat intelligence and all sorts of stuff that we're ingesting to do this stuff. I would say this to you: the slowest person in the marathon is still faster than the person that's sitting on the couch. Right? So the fact that you're doing third party risk, or you have the interest in doing third party risk and you're on this webinar, puts you ahead of a lot of organizations. So don't get daunted by the fact that suddenly you feel like maybe you're really far behind. Learn from people. Go out and, you know, network. Go to LinkedIn. Connect with people like Roderick and Jerry and myself. Ask questions.
People in this space love to talk about what they're doing, how they're improving their programs and all the great things that they're doing, what tools they're using. You know, tools like RiskRecon and Recorded Future, and how they're building programs to try and level the playing field against the bad guys. Third party risk is one of those areas that, like, never even got sunlight. It's like the, you know, the stepchild that they locked under the stairs, and he came out when he was in his twenties. Like, when you talk to a practitioner in third party risk, they're going to wanna talk about what they're doing. It's a great, great universe of people. So go out, meet people, make friends. And then at the end of the day, you know, look at what you can do. How can I take my program from maybe what it is right now to what it could be, and start to build towards that eventuality? Look at the tools you can get, look at the data you have, find out what's really important to you. And at the end of the day, I'll say, don't just focus on confidentiality. Right? Because to me, third party risk for a long time, and security in general, has focused on the C portion of the triad. The availability and integrity pieces, for me, are so much bigger risks. Right? Look at what's going on in Iran. You shut down the Strait of Hormuz suddenly, a lot of countries really have a hard time getting oil. Right? So there's a whole lot of issues that can go on, whether it's a ransomware event that shuts it down. Like, look at all the possibilities and then, you know, ideate. Think about it and come up with something really cool, because there's a lot of possibilities out there.

Absolutely. I mean, from my experience, I would say I would challenge everybody on this webinar to sit with your GRC analyst, your third party risk management team, and just take one vendor and work with that one vendor from beginning to end. Okay?
From looking at that vendor's name to looking at all the documentation, manually or through your tool, from beginning to end. And at the very end of that, sit back and ask yourself, was this hard? Was this easy? Do I feel confident with the information that I have that this vendor is not gonna get breached? That's why I put myself in the shoes of my analysts, and I know exactly what they go through trying to make a decision to protect the company or organization that we're working with, and maybe not having all the information or the intelligence that's there to make an educated decision. Well, if I feel that way, I want my analyst to feel a little bit more confident as well to do their job. I think that would really put the teeth behind why third party risk management is as important as it is, because if you are sitting there in that technician's seat and you still have that missing feeling in your gut that something could go wrong, then we need to do something about that. And there's lots of tools out there: Recorded Future, RiskRecon. We talked about intel. The fact that you're on this webinar now, you're collecting intelligence. We gave you lots of data and information, but you're walking away with a lot of strategies. You're going back to your office talking about your vendors and your third party risk management and looking at your rating tools. And, you know, was Roderick right about looking at the public facing piece? Was Jonathan right about scalability? You're using intelligence to find some gaps. So we're all in the intelligence world, not designed for anybody, but we're learning from this call here. So I would definitely challenge you to look at your tools, look at your vendors, go through a full process and read it, see how you feel. Look up Recorded Future and RiskRecon. Very powerful tools, best in the industry with threat intelligence. Again, strategy and operations to build out. Put it to the test.
I feel very confident that it stands with anybody or any other group or solution that's out there to give you the rating. So try those.

Great. Well, I wanna thank you both for your participation and kinda talking through your own experiences and day to day work in this space and the application of, you know, data and intelligence to drive more effective third party risk management programs. I wanna thank those on the call for participating and asking lots of good questions. There was a question about, can you serve the small to mid market companies? And the answer is yes, we can. Actually, around June 1, there'll be a release within the RiskRecon rating called Threat Pressure that will give a summarized view of the relevant threat intelligence data points from Recorded Future about any of the vendors that you're looking at. And, of course, that can be expanded out into a broader Recorded Future solution that is giving you visibility not just into those security exposures, but also things like ransomware activity, compromised credentials, malicious network traffic, looking at how malware is being propagated, and getting really comprehensive coverage on cyberattack reports as well. So much more to come from Recorded Future and team in the third party risk management space. I thank you all again for your participation. I wish you the very best of Tuesdays and a great week moving forward.