Episode 157 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Third Party Risk Mgt (TPRM) needs an intervention

Channels

Description

Kamal asserts that Third Party Risk Management (TPRM) needs a collective and coordinated intervention--in the form of extraordinary leadership and concerted action by security leaders on a scale we may not have seen in our professional lifetimes. Demonstrably counter-productive mechanisms and practices that ignore the realities of cyber-economics are deeply entrenched. Without this intervention, enterprises will not achieve a meaningful reduction in the number or severity of data breaches and serious security incidents.

Homework

More from Kamal

Takeaways

  • ⚡ TPRM is most commonly undertaken by procurement departments. Vendor certifications don't mean much. Questionnaires sent to vendors are ineffective. Vendor exchanges could work (i.e. multi-party federations), but private exchanges operated by commercial vendors can't sign up enough vendors to achieve network economies. All this has led to a record number of breaches at vendors who had passed the prior year's TPRM reviews.

  • ⚡ Processing this useless TPRM noise makes a bad situation worse--it wastes the procurement department's time and distracts it from the other important and effective things it could be doing.

  • ⚡ Define "outcomes" rather than means. For example, not "Use MFA"... but "Exporting PII from a consumer database requires phishing-resistant authentication". BEWARE: overly prescriptive "means" produce a nightmare scenario in which your business wastes time and money complying with technologically ancient security guidelines.

  • ⚡ In supply chains and other enterprise ecosystems, multi-party federations that allow automation are probably the answer for driving down costs and improving security. But for many industries, a "public-private" partnership may be needed to get one off the ground.

Livestream Audio Archive

Will be Here