Third-Party Risk Management: The Good, the Bad, the Ugly

David Levine, Vice President of Corporate and Information Security, CSO and CISM at Ricoh, USA

Third-party risk management can be critical to an effective cybersecurity strategy, but there are elements of it that can feel critically frustrating at times. 

Britt Erler, Quartz Network Executive Correspondent, is joined by David Levine, Vice President of Corporate and Information Security, CSO and CISM at Ricoh, USA, to discuss the good, the bad, and the ugly of third-party risk management.

David shares his thoughts on: 

  • Always looking through a risk lens 
  • The value and frustrations of questionnaires 
  • Refraining from painting with a broad brush 

Quartz Network: Would you mind giving us some context around your background and your current role with Ricoh? 

David Levine: I’ve been with Ricoh for more than 26 years. I’m the VP of Corporate and Information Security. So, I’ve got broad responsibility for security strategies, security operations, access management, and some of our governance functions. I have physical security, trade compliance, and I lead Ricoh’s global security team. Prior to moving over to security, I was running our infrastructure teams. Security was a blended piece inside of that function. And then, over nine years ago, we moved security out, stood it up on its own, and I’ve been doing that ever since. 

Quartz Network: Can you discuss third-party risk management strategy and why it’s such a critical component to ensuring you have an effective cybersecurity strategy? 

David Levine: I think we have to set the baseline here. The baseline is that you just have to do it. We have to have mechanisms and ways to understand the security posture of key vendors and partners anytime we’re sharing information or connecting to somebody. We’ve certainly seen recently that supply chain attacks have been increasing. The risk is real, and it always has been. There are also an awful lot of challenges in this space. I think we need to find a better way to do things. We can’t just assume things are fine. We need a way to know how another partner or supplier is doing relative to governance and maturity and what risks exist with that entity.

Quartz Network: There are obviously a lot of different ways to implement this type of program. What are some key areas that you believe executives should make sure are included? 

David Levine: There are the ways we’re doing it today, and I think they all, unfortunately, have some flaws. Some are better than others, but I think there are a lot of different mechanisms available to do that today. You have vendors that provide solutions that externally look at a company’s security profile, pull data from a lot of different resources, do risk ratings and risk scoring, and give you a view into what the posture may be, or what the issues may be. Now, there are challenges with that, and there are flaws with that, but it’s an important piece.

We use a similar solution that helps us keep track of what we look like to the external world, what some of our key partners and suppliers look like, and what the competition looks like. That’s a piece—that’s a component you can certainly utilize.  

We’re all good at throwing crazy questionnaires at each other. That isn’t to say there isn’t value in doing that. It goes back to where we started, you know, there are flaws and concerns. At the same time, it comes down to what we have available today. You’ve also got some solutions out there that try to centralize some of that and manage that for you. You then have some outsource arrangements, where you can say, “I don’t have the time, or the staff, or the expertise, Company B, go do this on my behalf.” I think we run into some challenges when you do that.  

But I think, like a lot of things we talk about in security and governance, part of it is just starting and doing something. I’ve got a handful of folks on my staff that handle this area, among other things. I don’t have anyone 100% dedicated, but there’s that project inception point where you can look at implementing some of these things. So, before you start doing something with a partner, or vendor, or customer, do that kind of assessment.  

Then there’s the whole other piece around the ongoing side. In more mature instances of a third-party risk program, you have an ongoing process, and enough staff and bandwidth to revisit questionnaires or solutions, where you’re monitoring on an ongoing basis, annual basis, whatever is appropriate. I think it should always be done through a risk lens though. What I mean by that is: a vendor, partner, or customer with whom you’re sharing low- to no-risk data, and that doesn’t have a lot of interconnectivity, doesn’t offer a lot of exposure. The way you view and handle that third-party risk is going to be different than a partner with whom you’re sharing your most coveted data with a lot of complex connectivity. All too often that stuff gets painted with a one-size-fits-all, broad brush, and that’s part of the challenge we have.

Quartz Network: In your experience, you’ve seen what is working and what’s not working. In your opinion, what do you believe are those key factors? And in turn, what’s the solution? What’s the answer to that? 

David Levine: That’s a big one. Let’s talk about what’s not working and the challenges and we can go from there. This is a soapbox subject for me, because it kind of makes me crazy. 

One thing: questionnaires. Way too often, we get 200- to 300-question questionnaires. In my opinion, that’s not a questionnaire, that’s an audit. That’s not just a cursory audit, that’s a full-on audit. What’s the purpose? We’re just causing a tremendous amount of work.

The other thing is all too often those questionnaires are flawed in significant ways—mostly around applicability. I think it is because a lot of times these things aren’t coming from the security side of the house. They may have originally been written there, but they’re coming from, say, a procurement side of the house or sometimes a compliance side, and they don’t even necessarily have all the information. I can’t tell you how often the questionnaire makes almost no sense, given what we’re actually doing for the customer.  

Or, it goes the other way, and we’ve got a questionnaire that’s appropriate to answer, but we’re only given two options. The answer to the question is yes or no and that’s it. You can’t provide any context. The problem is that we’re selling them equipment on site, services on site, they have a hosted solution over here, and we’re running their mailroom. Well, guess what? That means every question you asked me could have a different answer. What do you do? It’s not constructed in a manner that allows me to do that, and when you go back through the channel you got it from, they don’t really know what to do about it, because they’re not knowledgeable enough in the solutions in the arrangement.  

What happens sometimes is you just have to answer it. But there’s a real danger in that, and this is something I’ve talked about internally. Some of our own folks ask, “Can’t you just answer it?” I’m like, “Well, there’s a real risk when we do that, because if I answer it incorrectly, I am literally misleading the vendor, the customer, whoever it is.”   

Circling back on applicability, a lot of questions just don’t make sense for what we’re doing. The problem is, we rinse and repeat this process endlessly. We do it again, and again, and again, sometimes even with the same customer. We’ve had situations where we’ve had three or four different groups within a very large Fortune 10 or 20 customer, where we’re doing things with different groups, and then you get five or six questionnaires in over the fence. It can get confusing. There’s that breakdown in how we’re doing it and whether it’s appropriate. And very few of those take risk into the equation. They’re fairly binary. It’s, “Here are your questions, answer them.” You’ve got some tools out there that are trying to solve this, but again, we frequently find that we’re just repeating over and over again.

Now, if you add outsourcing into the mix, oh, my gosh. If you put an outsourcer in between what I just described, it all gets 10 times worse, because now they’re incentivized to make sure that thing is completed 100%, bar none. That’s not a good situation. We’ve almost gotten into arguments.

Interestingly, what happens in these scenarios is with enough time and enough effort, you can eventually get to a peer, or whoever incited the partner, the vendor, and you can have a reasonable conversation that results in some agreement around how you’re going to go about it and what you’re going to do or not do relative to completing a questionnaire. But the problem is that we spent a crazy amount of time to get to that point. I don’t think any of us have that kind of time. That’s the problem, right? Do I hire 10 people to do that? That’s a tremendous expense for the company. 

I don’t want to lose sight of the fact that questionnaires are important. They are, but we try to write ours with a degree of flexibility. We try to remove the stuff that frustrates us and put it into a format that works.  

I’m not here to say, “Oh, it’s so broken, it doesn’t add value.” It does add value. We find stuff out all the time through this process that enables us to make important decisions on course and security. We try not to say no, but if something we get back is really bad, we’ll say, “Hey, this puts Ricoh at way too much risk.” More often than not, if there are problems, it’s “Hey, let’s get on a call. Let’s talk about it. Let’s figure out something.” Again, it’s important to do it. But there are a lot of flaws in the way we do it.

Quartz Network: When you implement a program of this magnitude, it’s not only affecting your company, but it’s also affecting your third-party vendors. What are some of the consequences or effects on them as a whole? 

David Levine: There have been a few that have been frustrating because we ended up not doing something with them, but that’s been rare. What’s been nice in a lot of cases—and it’s usually with much smaller organizations that have a cloud-based, niche solution—they just don’t know. They don’t have the maturity. They don’t have the staff, and so they fill out the questionnaire. All of a sudden, I’m looking at it and going, “That’s interesting, they’re using AWS and every answer here seems like it’s an AWS answer.” Well, great. That’s exactly half of the equation. It’s great you’re using AWS, but what are you doing in AWS? More importantly, what are you doing with the solution that you put in AWS? You’re missing the whole concept around how you’re securing and managing, and the governance and policies around what you put in there.  

I am shocked at how many times we’ve gotten blank stares. Even today, even at this point in time with everything going on in the cloud. Those have been interesting opportunities to almost consult with them and say, “Look, we’ve got some gaps here, but I think we can make this work.”  

We’ve actually had a number of occasions where we really coached them, put them in contact with some other folks, laid out a get healthy plan, and said, “Look, once you get to this point, we can engage.” It’s a win-win. We end up being able to use them for the purpose we wanted to, but at the same time, they had an opportunity to advance what they were doing and learn something along the way. Again, not that we have all the answers, but that’s been a positive thing that we’ve seen come out of this. 

Quartz Network: What were some of the impacts on this third-party risk management strategy that you have in place due to the pandemic and everything switching to the cloud? Are those impacts sticking or is it something where eventually you’ll see it go back to normal? 

David Levine: I think that depends on how we define normal going forward. There were definitely some impacts. I mean, everybody went home, right? I’ve told this story before, but I’ll tell you here, because it just still amazes me today. This was early in the pandemic when everyone was rushing to send people home and figuring out what they were doing.  

We had a very large company that did work for us. When this was all going on, they sent us a letter that said, “Hey, there’s a pandemic. We’re sending everybody home. The security at home isn’t like it is at an office, so if something happens, it’s not our fault.” I was like, “What? Yes, it is.” Yes, a home office is probably not as secure, but I’m sorry, you are not off the hook. It was one of those letters they wanted you to sign to release them from responsibility. We refused. I don’t think they were successful with that tactic, but it did raise an interesting point. Your home office, for most people, is not as secure as your corporate office, so your risk is much higher.

One thing I also like to talk about is the fact that people are the most complicated piece of security. If you look at how breaches happen and how they get in, it’s usually down to human error. It was because somebody mistakenly did something. That, or it’s adversarial or insider threat.

I think the pandemic brought on a new kind of insider threat, which is the unintended insider threat. You’ve got the folks that are there to do something bad maliciously, but you also have folks that are just working at home, they’re trying to make it work, and they end up introducing risk into the equation that didn’t exist before. You have to put different tools in place. You have to go about things differently to help shore up that risk as best you can. 

Quartz Network: Based on these new risks that we’re seeing due to COVID, remote work, and then implementing this third-party risk management program into an organization, what do you see for the future moving forward? If you could paint a perfect picture, what are your recommendations to executives that are just the beginning stages of putting this in place? 

David Levine: I think we need to get to a place where we do assessments once or twice a year and update them quarterly in a format that is universally accepted and offers the right level of flexibility. I’m asking for a lot in that. If I wanted to do business with somebody and I had a source I could go to, where I could see what certifications they have and a baseline questionnaire that checked all the usual boxes, then I could say, “Okay, we’re going to use this service and that solution,” and get a drill-down for those. If we could all agree on that, it would be phenomenal. It’s a lot of work up front, but then it’s just maintenance from that point forward.

You could integrate things like the services that do external monitoring, and you could have evidence of the certifications you hold. Again, making sure things are appropriate and applicable. I’d like to see that.

I think we have a gap when we’re talking about remote workers. I guess I’d have to sit down and think about it a little more, but when you’re doing these assessments, people are not scanning my home office. That’s kind of under the radar. Most of these questions are still centered on the solutions and the services, and not that David Levine working in his home office really shouldn’t necessarily show up on a questionnaire, but it’s the fact that in some cases it may be relevant because you may have people performing key tasks relative to a service or solution rather than in the corporate network.  

Interestingly, I haven’t seen a lot of questionnaires go down that path. I think these are things we need to continue to look at and consider going forward. I’ve seen some contract language around this, which is good. It’s an indication that it’s being thought of. We certainly talk about it a lot. I’ve participated in lots of peer discussions and webinars on remote work. We discuss things like how you secure it and how you monitor it, but I don’t know that we spent a ton of time talking about it from that traditional third-party risk program piece. 

Quartz Network: Any final pieces of advice for executives as they’re going on this journey? 

David Levine: I’ll double down on some of the things I said earlier. Whatever you do, do it through a risk lens. Not all things are created equal, so try not to paint everything with a broad brush. If you haven’t started in this regard yet, just get going. There are companies that will help you do this; that’s one route. If you’re going to develop your own questionnaire, my advice is to just create one that has the appropriate flexibility so that the company answering it on the other end can give you honest answers. It doesn’t help anybody if the information isn’t right.

I hosted a roundtable discussion a couple years ago about this. One of the interesting things that came up was that they said they go another step and do on-site audits. What’s interesting is when they show up on site, it’s actually better than it was stated in the questionnaire. That’s why applicability and flexibility are important.  
