NETWORKING EVENTS - SIG RiskRecon 4122016 Webinar
The SIG Webinar will begin shortly. Once the webinar begins, the sound will come from your computer speakers.
In the meantime, please take a look at the upcoming SIG networking events listed on the right side of your screen and plan to join us if you are in one of these cities this fall.
NETWORKING EVENTS
GLOBAL SUMMITS
April 19-21 – Orlando, FL
SYMPOSIUMS
Sept 15 – SF Bay Area, CA
Sept 22 – Toronto, CAN
REGIONAL ROUNDTABLES
May 5 – Chicago, IL
May 12 – Sydney, AUS
May 24 – Atlanta, GA
Sept 27 – Cincinnati, OH
For more information and to register for all SIG events:
www.sig.org
RECENT POSTINGS
The SIG Career Network is bursting with opportunities. New jobs are posted daily by some of the best known global companies in the world for those seeking careers in sourcing, outsourcing, procurement and related functions.
For more information go to: www.sig.org/career-center.php
NEW to the Career Network!
• Guidewell/Florida Blue – posted April 11:
• Sourcing Manager – IT
• Sourcing Manager – Delivery
• Sourcing Manager – Professional Services
• Adobe – posted April 11:
• Sr. Sourcing Specialist – Contingent Labor
• PennyMac – posted April 7:
• Sr. Assoc., Commodities Mgt & Procurement
• J.Crew – posted April 1:
• Mgr – Central Procurement and Profit
• Hudson’s Bay Company – posted March 22:
• Vice President, Procurement
• FedEx – posted March 14:
• Associate Sourcing Specialist
• Chubb– posted March 7:
• Global Procurement Category Mgr
• Westfield Group – posted March 7:
• Procurement Operations Leader
• LINAK U.S., Inc. – posted March 1:
• Bi-Lingual Sourcing Specialist
• Unum Group – posted Feb 26:
• Category Manager
SPECIAL MEMBER BENEFITS
• 6 months of free buy-side access to the Vendor Evaluation & Assessment Tool (NEAT)
• 2 free Market Intelligence Reports
• 15% discount on direct hire placement fees
• $20,000 discount on Enlighta Govern or Risk pilot
• 5 relationship assessment surveys
• 20% discount on assessment or implementation services
• 20% discount on research reports on Chinese cities, technology parks, providers and advisory services
• 50% discount off fees associated with GSOS Health Check
• Receive current market labor rates for your top 5 job openings
• Join SkillsVillage, learn more
For more information, go to: http://sig.org/member-discounts
SOCIAL MEDIA
Stay connected with other SIG members through various social media channels
bit.ly/SIGLinkedIn
@SIGinsights
bit.ly/SIGfacebook
bit.ly/SIGYouTube
bit.ly/SIGBlog – New Topic Each Week
Join the discussion in SIG’s Peer2Peer Resource program too!
Upcoming Free SIG Webinars:
NEW TIME!! 8:00 am PST / 11:00 am EST / 4:00 pm GMT / 5:00 pm CET
April 26, 2016 – The CPO’s Agenda for 2016: Tackling Procurement’s Key Issues. Presented by Zycus
April 28, 2016 – Solution Deep Dive: Procurement & Sourcing Usability for All. Presented by Coupa Software
May 12, 2016 – Solution Deep Dive: Avoid a Risk Knowledge Gap with Better Due Diligence. Presented by LexisNexis
Register at www.sig.org
Upcoming Town Hall Teleconference:
May 11th – From the Trenches to the Treetops: Supplier Market Intelligence in the Real World
Presented by: Kelly Barner, Buyers Meeting Point
SIG Town Hall Teleconferences bring a small group of buy-side ONLY attendees together for a facilitated discussion on top-of-mind issues in an open-mic, private conversation. Town Hall Teleconferences are NOT recorded.
Calendar of Town Hall Teleconferences
Taking place at 1:00 pm Eastern on the following dates:
February 10, March 9, May 11, June 8, July 13, August 10, September 14, October 12, November 9, December 14
SIG Symposiums and Regional Roundtables provide education and local networking for members and invited non-member corporate users
Symposiums 2016:
Silicon Valley, CA – Jan 14
Minneapolis, MN – Mar 24
Columbus, OH – Apr 7
San Francisco Bay Area – Sep 15
Toronto, CAN – Sep 22
New York, NY – Sep 29
Regional Roundtables 2016:
Chicago, IL – May 5
Sydney, AUS – May 12
Atlanta, GA – May 24
Cincinnati, OH – Sep 27
Pittsburgh, PA – Nov 3
London, UK – Nov 9
SIG Global Summits are semi-annual events with 350-450 decision-makers in attendance
• Non-commercialized
• Hundreds of industry thought leaders
• 70% buy-side
• 4-5 keynote sessions
• Global brands
• 3 days of networking
• Executive Roundtables
• Over 50 breakout sessions
69% of delegates are director level or above, of which 43% are VP/C-level
Recent speakers include:
For more information go to: www.siguniversity.org
Online learning environment
Sourcing and Governance certifications with Professional and Executive level courses
Modules with lessons, formative assessments, summative testing and final proctored exam
Certification good for 5 years
Certified Sourcing Professional course starts June 27, 2016!
Certified Governance Professional course starts May 2, 2016!
For more information go to: sig.org/student-outreach.php
Partnering with Universities
Introducing students to seasoned supply chain executives
Sharing thought leadership with students in class, SIG University courses and at SIG events
Giving access to internship and job postings on the SIG Career Network
Allowing students to get real world insight into supply chain careers
Finding tomorrow's supply chain professionals today
Confidential
The Quality of Your Vendors’ Security Programs is no Secret
Control your third party risk
Today’s Speaker
Kelly White
RiskRecon Founder and CEO
Career Summary
- 8 years security consulting, Fortune 500
- 10 years at a top-30 US bank: CISO / Director of Information Security
- Manager of Security Architecture and Threat Intelligence
- Manager of Customer Fraud Protection
RiskRecon Fast Facts
RiskRecon enables dramatically better enterprise vendor risk management through frequent, accurate, actionable measurements of vendor information security performance.
- Founded 2015
- $3 Million seed round led by General Catalyst
- Providing risk assessments at scale to Fortune 500
- Services accessible through customer online portal
The New Security Team
Vendor Management is the new Information Security Team
Why?
New Corporate IT World
The IT Landscape Changed
SaaS has exploded… and it isn’t over
Corporation Circa 2000
Corporation Circa 2015
• Top 30 U.S. financial services company app portfolio – 10% SaaS in 2005, now 60% in 2015
• Top 30 U.S. financial company has > 300 SaaS providers
• Top 3 U.S. financial company has > 3500 SaaS providers
• SaaS = $67.3 Billion market by 2016 (IDC)
• SaaS spending in 2016 = 20% of all software spend (IDC)
Information Security Impact
Info Security Landscape 2000
Info Security Landscape 2016
Information Security Risk
Vendor Risk
Internal Risk
Information Security Objective
Rapidly enable the business to safely pursue its objectives.
The Big Vendor Question
Will this vendor protect my assets with the same or better care?
• How do I quickly select the right vendor?
• How do I ensure the vendor continues to perform to security standards?
Vendor Management
Select good partners → Hold partners accountable to performance → Act on performance gaps
Standards
How?
• Hundreds of vendors
• New vendors weekly
• Rapidly changing technology
• Rapidly changing threats
• Regulatory requirements
• Executive management reporting
• The stakes are REALLY HIGH!!!
Data
Common Vendor Risk Mgmt Data
Surveys, Document Review, and Vendor Attestations
3rd Party Auditors
Interviews and on-sites
• Infrequent
• Time consuming
• Attestation may not match reality
Did the vendor patch against the DROWN vulnerability?
Are they really hosting my data in authorized countries?
Are they really handling malware threats well?
Are they really hardening the security of their systems?
Are they properly encrypting my sensitive information?
Uncommon Vendor Risk Mgmt Data
Surveys, Document Review, and Vendor Attestations
3rd Party Auditors
Interviews and on-sites
Continuously measure the vendor’s security posture and security program quality
Yeah…
Call it “Vendor Voyeurism”
• Observe their IT practices – hosting providers, locations, systems, software
• Measure their security effectiveness
• Get actionable information
All helpful in better managing vendor security risk
When companies do things on the internet…
…they reveal a lot of stuff
What can you harvest from one web server?
A lot!
Some of the data out there…
Software patching?
Web application security?
Encryption practices?
DNS security practices?
Email security practices?
Malware defense?
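As an added illustration (not code from the deck or from RiskRecon), here is a Python sketch of the measurement step behind that list: turning what an ordinary client observes anyway, public DNS records, the headers of one HTTPS GET per host, the TLS parameters that connection negotiated and IP-to-hosting metadata, into findings in the categories above. It covers patching, web application security, encryption, DNS, email and hosting location; malware defense needs evidence this snapshot does not carry. The vendor, hosts, banners, category names, severity weights and the authorized-country policy are constructed assumptions; the OpenSSL releases that carry the DROWN fix (1.0.1s and 1.0.2g) are real. It also shows the accuracy caveat the deck closes on: a banner that predates the DROWN fix is recorded as unconfirmed, because distributions backport fixes without changing the advertised version, so it must not move the score until corroborated.

```python
"""Passive vendor-security measurement from what an ordinary client observes
anyway: public DNS records, the headers of one HTTPS GET per host, the TLS
parameters that connection negotiated, and IP-to-hosting metadata. Nothing
here probes or scans. All sample observations are CONSTRUCTED and made up."""
import re
from collections import Counter

# Earliest OpenSSL release per branch carrying the DROWN (CVE-2016-0800) fix;
# the 0.9.8 and 1.0.0 branches were end-of-life before it shipped.
DROWN_FIXED = {(1, 0, 1): "s", (1, 0, 2): "g"}
AUTHORIZED_COUNTRIES = {"US", "CA"}  # policy assumption made for this example
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# "unconfirmed" findings are listed but score zero until corroborated (accuracy).
WEIGHT = {"high": 10, "medium": 4, "low": 1, "unconfirmed": 0}

def parse_openssl(banner):
    """(major, minor, patch, letter) from an 'OpenSSL/x.y.zL' banner, else None."""
    m = re.search(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None

def drown_status(banner):
    """'fixed', 'unpatched', 'eol' or None from the advertised version. Distros
    backport fixes without changing the banner: 'unpatched' is a lead, not a fact."""
    v = parse_openssl(banner)
    if v is None:
        return None
    branch, letter = v[:3], v[3]
    if branch not in DROWN_FIXED:
        return "eol" if branch < (1, 0, 1) else "fixed"
    return "fixed" if letter >= DROWN_FIXED[branch] else "unpatched"

def measure_host(host):
    """Findings for one host as (category, severity, detail) tuples."""
    hdr, tls, loc = host["http_headers"], host["tls"], host["hosting"]
    server, out = hdr.get("Server", ""), []
    if re.search(r"/\d", server):                       # software patching
        out.append(("patching", "low", "versions disclosed: " + server))
    status = drown_status(server)
    if status == "unpatched":
        out.append(("patching", "unconfirmed", "banner predates DROWN fix"))
    elif status == "eol":
        out.append(("patching", "high", "end-of-life OpenSSL branch advertised"))
    if tls["protocol"] in WEAK_TLS:                     # encryption practices
        out.append(("encryption", "high", "negotiated " + tls["protocol"]))
    if tls["cert_expired"]:
        out.append(("encryption", "high", "expired certificate served"))
    if "Strict-Transport-Security" not in hdr:          # web application security
        out.append(("web-app", "medium", "no HSTS header"))
    if loc["country"] not in AUTHORIZED_COUNTRIES:      # hosting location
        out.append(("hosting", "high", f"hosted in {loc['country']} ({loc['provider']})"))
    return out

def measure_domain(dns):
    """Email and DNS security findings from the domain's public records."""
    out, spf, dmarc = [], dns.get("spf"), dns.get("dmarc")
    if spf is None:
        out.append(("email", "high", "no SPF record"))
    elif spf.split()[-1] in ("all", "+all", "?all"):
        out.append(("email", "high", "permissive SPF: " + spf))
    if dmarc is None:
        out.append(("email", "medium", "no DMARC record"))
    elif re.search(r"\bp=none\b", dmarc):
        out.append(("email", "low", "DMARC p=none (monitor only)"))
    if not dns["dnssec"]:
        out.append(("dns", "low", "zone not DNSSEC-signed"))
    return out

def assess(vendor):
    """Hosting inventory, findings tagged by asset, and a score ignoring hearsay."""
    hosts = vendor["hosts"]
    findings = [(vendor["domain"],) + f for f in measure_domain(vendor["dns"])]
    for h in hosts:
        findings += [(h["name"],) + f for f in measure_host(h)]
    inventory = {k: Counter(h["hosting"][k] for h in hosts) for k in ("provider", "country")}
    return {"inventory": inventory, "findings": findings,
            "score": sum(WEIGHT[sev] for _, _, sev, _ in findings)}

# Constructed observations for a hypothetical "Big Vendor".
BIG_VENDOR = {
    "domain": "bigvendor.example",
    "dns": {"spf": "v=spf1 include:_spf.mail.example ~all", "dnssec": False,
            "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@bigvendor.example"},
    "hosts": [
        {"name": "www.bigvendor.example",
         "http_headers": {"Server": "Apache/2.4.18 (Unix) OpenSSL/1.0.2g",
                          "Strict-Transport-Security": "max-age=31536000"},
         "tls": {"protocol": "TLSv1.2", "cert_expired": False},
         "hosting": {"provider": "Provider-A", "country": "US"}},
        {"name": "legacy.bigvendor.example",
         "http_headers": {"Server": "Apache/2.2.15 (CentOS) OpenSSL/1.0.1e"},
         "tls": {"protocol": "TLSv1.0", "cert_expired": True},
         "hosting": {"provider": "Provider-B", "country": "FR"}},
    ],
}

if __name__ == "__main__":
    for asset, cat, sev, detail in assess(BIG_VENDOR)["findings"]:
        print(f"{sev:11} {cat:10} {asset}: {detail}")
```

Run as a script it lists nine findings for the constructed vendor: two at domain level (DMARC in monitor-only mode, no DNSSEC), one for the main site (versions disclosed in the banner) and six for the legacy host, of which the DROWN one carries zero weight. The legacy host is the interesting case for the "be accurate" rule: a banner of OpenSSL 1.0.1e on an enterprise distribution is exactly where a vendor may be fully patched while the advertised version never moves, so the finding is kept visible for an analyst but does not count against the vendor until something stronger confirms it.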
A view into one company
Big Vendor (name changed to protect the guilty)
What you can learn starting with just the company name
- No inside information
- No hacking
- JUST LOOKING
Big Vendor Systems – Internet View
Big Vendor Hosting Providers
Big Vendor Hosting Countries
Big Vendor Hosting Cities
Big Vendor Software
Big Vendor Email Providers
Big Vendor Corporation IT Summary
Big Vendor Overall Performance
Big Vendor Software Patching
Big Company Software Patching
Big Company Encryption
A View of 21 Financial Services Vendors
What is the point again?
1. You can rapidly measure the security program quality of any vendor based on how they operate on the Internet
2. You can do this without breaking any laws, without obtaining any information from the vendor
3. You can enrich your current vendor risk management processes with accurate, actionable data
Benefit
1. Faster procurement decisions for new vendors
2. Continuous vendor security performance monitoring
3. Hold vendors to high standard of accountability
4. Better allocation of vendor risk analyst time / resources to vendors that require attention most
Keys to watching your vendors well
1. Automate – enable frequent, rapid measurement
2. Be accurate – false positives can destroy the operation
3. Be legal – no hacking, no scanning, no grey areas
Given these conditions…
4. Be really good at finding all assets
5. Harvest all information
6. Read the tea leaves – extract security measurements from everything you collect
7. Make it actionable… or it isn’t worth much
Thank you
Every enterprise reveals the quality of its security program through what it does on the internet.
All you have to do is know where to look and how to read what you find.
(and don’t break any laws… and automate it… and be accurate… and be actionable…)