Third Party Risk Management; The Good, The Bad and The Ugly

David Levine

Vice President Corporate and Information Security, CSO CISM at RICOH USA, Inc.

Learning Objectives

Please join David Levine, Vice President, Corporate and Information Security, CSO CISM of RICOH USA, Inc., in this Executive Interview, where he discusses how a third party risk management program is a critical component of an effective cybersecurity plan.


"Whatever you do, do it from a risk lens."

David Levine

Vice President Corporate and Information Security, CSO CISM at RICOH USA, Inc.

Transcript

Britt Erler

Hello, and welcome to the CISO Vision Cybersecurity Virtual Summit hosted on Quartz Network. My name is Britt Erler, QN Executive Correspondent. Thank you so much for joining us. I’m pleased to welcome our Executive Speaker here with us today, David Levine, Vice President of Corporate and Information Security, CSO and CISM at RICOH USA, as he discusses third-party risk management and why it is so crucial to an effective cybersecurity strategy. Welcome, David.


David Levine

All right. Thanks, Britt. I appreciate that.


Britt Erler

Of course. It’s a pleasure to have you here and really excited to gather your insights. But before we begin, if you wouldn’t mind giving us some context around your background and your current role with RICOH?


David Levine

Sure, absolutely. So, I’ve actually been with RICOH for a really long time. I’ve been well over 26 years in RICOH through a couple acquisitions. Today, as you stated, I’m the VP Corporate and Information Security. So, I’ve got broad responsibility for security strategies, security operations, access management, some of our governance functions. I also have physical security, trade compliance, and I also lead RICOH’s global security team. So, I also have a background in infrastructure, prior to moving over to security was running our infrastructure teams. Security was a blended piece inside of that function. And then, well, over nine years ago, we moved security out, stood it up on its own, and doing that ever since.


Britt Erler

Fantastic, so you have a really extensive background and have seen this business from really all aspects and what makes an effective cybersecurity program and also what doesn’t. So, I want to start by kicking off on this third party risk management strategy and why it is such a critical component to ensuring that you do have an effective cybersecurity strategy, especially right now, with all the changes we’re seeing in the industry.


David Levine

A great question to start with. I think that we got to set the baseline here. The baseline is, you got to do it. We have to have mechanisms and ways to understand the security posture of key vendors, partners, anytime we’re sharing information or connecting to somebody. We do have to have a way to do that. We’ve certainly seen recently, where supply chain attacks have been increasing. The risk is real, and it always has been. I think, and we’ll talk about it a lot, I’m sure, in the next 30 minutes, there’s also an awful lot of challenges in this space as well. I will clearly say for all the things I’m going to talk about today that I think we need to find a better way to do things. At the same time, the reality is we have to be able to do it. It’s reasonable. It’s rational. We can’t just assume things are fine. We need some way to know how another partner or supplier is doing relative to governance and maturity and, ultimately, what risks exist with that entity.


Britt Erler

What are some of the key components to this program? I’ve seen in a lot of articles and things that I’ve read that there are a lot of different ways to implement this type of program. What are some key areas that you believe executives should make sure are included?


David Levine

It’s a great question. I think that’s part of—the ways we’re doing it today. I think they all, unfortunately, have some flaws in some—don’t get me wrong—some are better than others, but I think there’s a lot of different mechanisms available to do that today. You’ve got suppliers that are—I shouldn’t say suppliers—but you have vendors that provide solutions that externally look at a company’s security profile, pull data from a lot of different resources, and do risk ratings and risk scoring and give you a view into what the posture may be or what the issues may be. Now, there are challenges with that, and there are flaws with that, but it does, it is a piece of it. I think it’s an important piece. We use a solution like that helps us keep track of not only what we look like to the external world, because it’s important too, but what is some of our key partners and suppliers and, quite frankly, what does the competition look like? That’s a piece—that’s a component you can certainly utilize. We’re all really good at throwing crazy questionnaires at each other, and we’ll definitely talk about that. That isn’t to say there isn’t value in doing it again. It kind of goes back to where we started, you know, there are flaws there, concerns. At the same time, you know, what we kind of have available today. And then, there are also—you’ve also got some solutions out there that kind of try and centralize some of that and manage that for you. You literally then have some outsource arrangements, where you can say, “I don’t have the time, or the staff, or the expertise, Company B, go do this on my behalf.” I think we run into some challenges when you do that. But I think, like, a lot of things we talk about in security and governance, you know, part of it is just starting and doing something is a piece of it. I’ve got a handful of folks on my staff that handle this area, among other things. 
I don’t have anyone in 100% dedicated, but there’s the sort of that project inception point where you can look at implementing some of these things, so before you actually start doing something with a partner, or vendor, or customer doing that kind of assessment. Then there’s the whole other piece that you get into around ongoing. In very more mature instances of a third party risk program, you have an ongoing process, and enough staff and bandwidth to revisit questionnaires or solutions, where you’re monitoring on an ongoing basis, annual basis, whatever is appropriate. I think a concept though that I’ll throw in, early in this conversation though, is with all of this, it should always be done with a risk lens, right? What I mean by that is, a vendor or a partner or a customer that you’re sharing, what we might consider to be very low to no risk data that doesn’t have a lot of interconnectivity, doesn’t offer a lot of exposure. The way you view that and how you handle that third party risk is going to be different than a partner that you’re sharing your most coveted data with a lot of complex connectivity. I think part of the things we’ll talk about when we say what’s not working right is all too often that stuff gets painted with a one size fits all broad brush, and that’s just part of the challenge we have.


Britt Erler

Absolutely. We talked about the different components, but clearly, in your experience, you’ve seen what is working and what’s not working. In your opinion, what do you believe are those key factors? And in turn, what’s the solution? What’s the answer to that?


David Levine

Oh, no, that’s a big one. What’s the answer? Let’s talk about what’s not working and what the challenges are, and we can kind of go from there, because I think they’re numerous. This is kind of a soapbox subject for me, because it kind of makes me crazy, but this area makes me crazy. It’s funny, I talk to other peers, and they say the same thing. Then, we constantly still do the same stuff to each other, so that’s the landscape today. One thing: questionnaires. Way too often, we get questionnaires and they aren’t getting any shorter, folks. We get questionnaires that are crazy—200, 300 question questionnaires. In my opinion, and I’m sure there will be people who won’t agree with me, at that point, that’s not a questionnaire, that’s an audit. That’s not just a cursory audit, that’s a full-on audit. What’s the purpose, right? I think part of the challenge is that we’re just causing a tremendous amount of work. The other thing is all too often those questionnaires are flawed in significant ways. Mostly around this one subject, and that is applicability. I think it is because a lot of times these things aren’t coming from the security side of the house. They may have originally been written there, but they’re coming from, say, a procurement side of the house or sometimes a compliance side, and they don’t even necessarily have all the information. I know, as a group that has to work with our internal folks on filling these out when we get them, I can’t tell you how often the questionnaire makes almost no sense, given what we’re actually doing for the customer, or it goes the other way, and we’ve got a questionnaire that certainly is appropriate to answer, but we’re given two options. The answer to the question is yes or no and that’s it. You can’t provide any context, but the problem is—guess what? We’re selling them equipment on site, services on site. They have a hosted solution over here, and we’re running their mailroom. Well, guess what? 
That means every question you asked me has a potentially different answer. What do you do? It’s not constructed in a manner that allows me to do that, and then what gets worse is you go back through the channel you got it from and the people on the other end don’t really know what to do about that, because they’re not knowledgeable enough in the solutions in the arrangement. What happens sometimes is you just have to answer it. Well, okay, but there’s a real danger in that, and this is something I talk about internally too. We get our own folks who go, “Can’t you just answer it?” I’m like, “Well, look, there’s a real risk when we do that, because if I answer it incorrectly, I am literally misleading the vendor, the customer, whoever it is,” and so there’s a real risk in doing that, so that’s a piece of it. Then a lot of times, again, just applicability, a lot of questions just don’t make sense for what we’re doing. The problem is, we rinse and repeat this process endlessly. We do it again, and again, and again, sometimes even with the same customer. We’ve had situations where we’ve had three or four different groups within a very large—and it’s usually very large Fortune 10, 20 customers—where we’re doing things with different groups, and then you get five and six questionnaires in over the fence. It can actually just get confusing, so I think that’s part of it. There’s that breakdown in just how we’re doing it and whether it’s appropriate, and those seldom take risk into the equation. I mean, they’re fairly binary; it’s your questions, answer them. I think that’s a bit of a problem. You’ve got some tools out there that are trying to solve that, but again, we find frequently that we’re just repeating over and over again. Now, if you add into this mix, and I mentioned, one of the ways to deal with all this is you go outsource it, right? 
Oh, my gosh, let me tell you—if you put an outsourcer in between what I just described, it all gets 10 times worse, because now, they’re incentivized to make sure that thing is completed 100%, bar none. That’s not a good situation. We’ve literally almost gotten in arguments. Interestingly, what happens is, in these scenarios, with enough time and enough effort, if you can eventually get to my peer, or whoever engaged the partner, the vendor, you usually have a rational, reasonable conversation, and you come to some agreement around how you’re going to go about it, and what you’re going to do and not do relative to filling a questionnaire out or whatever the situation is, but the problem is we expended a crazy amount of time to get to that point. I don’t know about anybody else. Well, I kind of do, because we talk about it, but I don’t think any of us have that kind of time. That’s the problem, right? Do I go hire 10 people to do that? I mean, that’s a tremendous expense to the company. I don’t want to lose sight of the fact that these are important—and let me be clear—before somebody emails me and starts saying, “Hey, you sent us questionnaires.” I do, you’re right. I do, but we did try and write ours in a way that has the flexibility that might be needed. I’m not saying I have it solved, but I did try and take the stuff that frustrates us and put it into a format that maybe works. That’s true, because I don’t have another better way to do it today. It does add value. That’s the other thing, it goes back to that baseline, we got to do it. I’m not here to say, “Oh, it’s so broken, it doesn’t add value.” No, it adds value. We find stuff out all the time through this process that enables us to make really important decisions on course and security. We try not to say no, but if something is really bad, we get back and say, “Hey, this puts RICOH at way too much risk.” Sometimes, and more often than not, if there are problems, it’s “Hey, let’s get on a call. 
Let’s talk about it. Let’s figure out something.” Again, really important to do it, not here to say it’s not. There’s a lot of flaws in the way we do it.


Britt Erler

Sure. Now, when you implement a program of this magnitude, obviously, it’s not only affecting your company, but it’s also, I would assume, affecting your third party vendors. What are some of the consequences, or maybe effects is a better word, on them as a whole?


David Levine

There have been a few that have been frustrating because we ended up not doing something with them, but that’s really been rare. What’s actually kind of been nice in a lot of cases—and I’ll be fair—it’s usually with much smaller organizations that kind of having a niche solution that it’s usually cloud based that we’re looking at, they just don’t know. They don’t have the maturity. They don’t have the staff, and so they fill out the quick—here’s the telltale: they fill out the questionnaire. All of a sudden, I’m looking at it and going, “that’s interesting, they’re using AWS and every answer here seems like it’s an AWS answer.” Well, great. That’s exactly half of the equation. That’s great, you’re using AWS, but what are you doing in AWS? More importantly, what are you doing with the solution that you put in AWS, because it just being there or is your pick your plate? Doesn’t matter, any of them. That piece of it’s fine, but you’re missing the whole concept around how are you securing and managing, and what’s the governance and the policies around what you put in there. I am shocked at how many times we’ve gotten blank stares. Even today, even at this point in time with everything going on in the cloud. Those have been interesting opportunities to actually almost consult with them and say, “Look, we’ve got some gaps here, but I think we can make this work.” We’ve actually had a number of occasions where we really coached them, put them in contact with some other folks, and really just laid out a get healthy plan and said, “Look, once you get to this point, we can engage and we absolutely have.” I mean, you know, that’s a win win, right? We end up being able to use them for the purpose we wanted to, but at the same time, they had an opportunity to advance what they were doing and learn something along the way. Again, not that we have all the answers, but that’s been a positive thing that we’ve seen come out of this.


Britt Erler

Now, you talked about everything switching to the cloud. I think this leads perfectly into my next question about remote work and the pandemic that obviously impacted this industry tenfold last year, and is still making strides this year as well, but we are starting to come out of it now. What were some of the impacts of this on this third party risk management strategy that you have in place? Are those impacts sticking or is it something where eventually you’ll see it go back to normal?


David Levine

I think that depends on how we define normal going forward. That’s a good question. Well, there were definitely some impacts. I mean, everybody went home, right? I’ve told this story before, but I’ll tell you here, because it just still amazes me today. This was pretty early on last year in the pandemic when everyone was kind of rushing to send people home and figuring out what they were doing and what it meant. It definitely changed the risk profile. I don’t know that we really, I mean, I will tell you I see provisions in contracts now that talk about, “Hey, you know, what’s the expectation if you have people working at home?” I have seen some of that, so I think that’s a permanent indicator of change, for sure. We had a very large—they will remain nameless—but we had a very large company that did work for us, not in the US. When this was all going on, they sent us a letter. They literally said, “Hey, pandemic. We’re sending everybody home. The security of home isn’t like it is in an office, so if something happens, not our fault.” I was like, “What?” Yes, it is. True statement, yes, their home office or wherever is probably not as secure, but I’m sorry, big well known company, you are not off the hook. We refused to sign, and it was one of those they wanted you to sign and basically release them from responsibility. I thought that was amazing. We only had that happen once. I don’t think they were successful with that tactic, but it did raise an interesting point though, and we still talk about it. That is, your home office for the vast majority of people is not as secure as your corporate office, so your risk is much higher. One thing I also like to talk about is the fact that people are the most complicated piece of security. If you roll back—we talk about a lot of things and how do breaches happen, and how do they get in and what—in almost all cases, not always, but in most cases, if you roll back and you really dig in, it was human error. 
At the root cause, it’s because somebody mistakenly did something or if it’s adversarial or insider threat. I think the pandemic brought on a new kind of insider threat, which is the unintended insider threat. You’ve got the folks that are there to do something bad but maliciously, but you have folks that are just working at home, they’re trying to make it work, and they end up introducing risk into the equation that didn’t exist before. We don’t necessarily always have great visibility to that, so probably could have a whole Q&A on this area as well. You got to put different tools in place. You got to go about things differently to help kind of shore up that risk as best you can.


Britt Erler

Based on these new risks that we’re seeing due to COVID last year, this remote work, and then based on this idea of implementing this third party risk management program into an organization, what do you see for the future moving forward? If you could paint a perfect picture, what are your recommendations to executives that are really just the beginning stages of putting this in place?


David Levine

Great question. I think in a perfect world, so if we could say, how do we fix this, and I don’t know that this is a silver bullet answer, but I think we need to get to a place where we kind of do assessments once a year or twice a year and update them quarterly. In a format that is universally accepted, and offers the right level of flexibility. Now, I’m asking for a lot in that. If I had a source I could go to, if I was wanting to do business with somebody, and I had a source I could go to, and I could see what certifications they have, I can see a baseline questionnaire that ticked all the usual boxes, and then I could go, “Okay, we’re going to use this service and that solution, and then get a drill down for those,” that kind of thing. If we could all agree on that, that would be phenomenal, because it’s one thing to go. Sure, it’s a lot of work upfront, but then it’s just maintenance from that point forward. I think something like that would be valuable. You could integrate in things like the services that do the external monitoring, and that can be part of it, you can have evidence of the certifications you have. Again, making sure things are appropriate and applicable. I mean, we could ask for certifications all the time, and it’s like, we have that, but you’re buying that service over there. That doesn’t relate to that. We get that stuff, too, so we get education, applicability. I’d like to see that. Now, I do think we have a gap when we’re talking about remote workers. I guess I’d have to sit down and think about it a little more, but when you’re doing these assessments, people are not scanning my home office. That’s kind of under the radar. 
Most of these questions are still centered on the solutions and the services, and not that David Levine working in his home office really shouldn’t necessarily show up on a questionnaire, but it’s the fact though in some cases it may be relevant, because you may have people performing key tasks relative to a service or solution. Not in the corporate network anymore. Interestingly, I haven’t seen a lot of questionnaires go down that path. Even this far into, and I think these are things we need to continue to look at and consider going forward. I have seen some contract language around this, which is good. It’s an indication that it’s definitely being thought of. We certainly talk about it a lot. I’ve participated in lots of peer discussions and webinars on remote work. How do you secure it, how you monitor it, and what do you do, but I don’t know that we spent a ton of time talking about it from a sort of that traditional third party risk program piece.


Britt Erler

I think it’s so important that—I mean, this is a long term effort. This is something that you can just put in place, let it sit there. As you said, there’s so many updates in the industry. It’s something you have to constantly revisit, reevaluate, to make sure that it’s working for the program and for the partnerships that you currently have in place. I think some sort of consistent questionnaire, some sort of way of establishing those guidelines is crucial for the business as a whole. I think that’s a great way to move forward, but we are seeing so much uncertainty right now. I think, as you said, it’s going to be day by day for everybody. As we wrap up this conversation today, you’ve provided incredible insights on what this looks like for an organization, the benefits that it has to offer, really why companies should invest in putting this in place. Any final pieces of advice for executives as they’re going on this journey?


David Levine

It’s a couple things. I’ll go back, I’ll double down on something I said earlier. Whatever you do, do it from a risk lens. Not all things are created equal, so try not to paint everything with a broad brush. If you’re not started in this regard yet, just get going. There are, you know, companies that will help you do this, that’s one route. If you’re going to develop your own questionnaire, my guidance—if that’s the route you’re going to go, my guidance is just create one that has the appropriate flexibility so that the company answering it on the other end can give you honest answers. It doesn’t help anybody if the information there is not right. I hosted a roundtable discussion a couple years ago about this, and what was interesting, one of the interesting things that came up was that they said, you know, we actually go another step, and we do on site audits, which we see as well. It’s in most contracts, but they said what’s interesting, though, is you would tend to think that what we would find is stuff that wasn’t as good in reality as it was in the questionnaire; that would usually be the concern, right? They said half the time it’s the opposite, we show up on site, and it’s actually better than it was stated. That’s why applicability and flexibility are important. Just like a lot of things, if you’re not doing it, get started. Use risk as an appropriate lens on your actions.


Britt Erler

I couldn’t agree more. David, thank you so much for taking the time to educate all of our executives that are here with us today. I think this is a crucial tool that’s not going to go away, anytime, anything. It’s gonna be a major part of the marketplace, and people are gonna be scrambling to try to put something like this in place. This gives people an excellent starting point, and I appreciate you providing your insights. Thank you to everyone who has joined us today as well. If you do have further questions for David, there will be a discussion forum underneath this presentation. Enjoy the rest of the summit. Thank you again for joining us at the CISO Vision Cybersecurity Virtual Show. Thank you.


David Levine

Thank you.

