Businesses grow based on trust, but they have to operate in a world of risk. Even cybersecurity operates this way, but when it comes to third party analysis, what if we leaned on trust more than trying to calculate risk?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and our guest co-host is Yaron Levi (@0xL3v1), CISO, Dolby. Yaron and I welcome Dan Walsh, CISO, VillageMD.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, TrustCloud
[David Spark] Businesses grow based on trust, but they have to operate in a world of risk. Even cyber security operates this way. But when it comes to third party analysis, what if we leaned on trust more than trying to calculate risk?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of CISO Series. And joining me as a guest cohost, a frequent guest but now a guest cohost, is Yaron Levi, CISO of Dolby Laboratories. Yaron, thank you so much for joining us.
[Yaron Levi] Thank you, David. It’s an honor to be on the show again. I think this is my seventh time on the show, so happy to be here.
[David Spark] Awesome. Awesome. Well, seventh on CISO Series overall, because we’ve had you on multiple different programs before.
[Yaron Levi] Actually, well, no. Seventh on Defense in Depth.
[David Spark] Really?
[Yaron Levi] I think it was twice on the CISO Series, with Mike, and one time on the video. So, I think that’s the tenth one.
[David Spark] Oh, that’s fantastic. Well, I didn’t know that. That’s awesome. I think the reason also is I should point out that you have created some really great conversations that we’re going to do an episode right here on one of your conversations. But hold tight. I do want to mention that we are available at cisoseries.com. And we have other programs to listen and watch, and videos, and things like that. So, please check us out at cisoseries.com. And our sponsor for today’s episode is TrustCloud. Thrilled to have TrustCloud on board. Brand new sponsor with the CISO Series. Automate your compliance, risk, and security questionnaires. Anyone like doing this? No, nobody does. So, you’ll be interested in what they have to say later in the show.
Yaron, let’s get to the discussion at hand. Yaron, you posited on LinkedIn that we have a glass half empty attitude towards third party risk, and what we should have is a glass half full attitude towards third party risk. You wrote, “Instead of measuring the risk by trying to uncover what the third party is hiding, wouldn’t it be better to measure the level of how much we can trust the third party?” And trust is actually how we normally operate in business, but this desire for questionnaires to calculate third party risk doesn’t actually build trust at all. So, what were you hoping to get from this? I really kind of like this take because it does start with, “I want to do business with you. I want to trust you. Let’s see how we can work this out.” Yes?
[Yaron Levi] Yeah, so for me I always try to challenge my thought process and try to think about different things from the different sides. In other words, just the fact we have done something in a certain way for so long doesn’t mean that’s the right thing to do. So, I find it helpful from time to time to stop and try to reflect on the different side. And many security practices, or many business practices in general, are based on trust. Maybe the extreme example is the diamonds business, when you have deals in millions of dollars done on nothing more than a handshake and wishing [Speaks foreign language 00:02:58], which in Hebrew is just wishing you good luck and blessing. And that’s it. There are no papers. There’s nothing, and millions of dollars in diamonds. We don’t have that in our industry obviously, and we’re actually not a very trusting bunch usually. And in fact in the industry, we’re always reaching for zero trust. So, I wonder if we need to think about our trust issues in the industry and think about it differently.
[David Spark] I think this is a really good topic. And by the way, some really, really great insight from our audience. And thrilled to also have our guest on, who is a frequent guest as well. So, I’ve got two major regulars on this show. Very excited to have him on as well. He’s the CISO for VillageMD. Dan Walsh. Dan, thanks so much for joining us.
[Dan Walsh] Thanks for having me, David. It’s great to be here.
What are they doing right? What are they doing wrong?
[David Spark] Anthony Cusano of Quest Diagnostics said, “Love the idea of trust over fear. Perhaps trust is the sum of fear and safety. The more controls a third party has in place, the higher our trust. Similarly, the more risk/vulnerabilities, the higher our fear.” And Jamil Farshchi, who is the CISO of Equifax, said, “I agree with trust. But at its core, every third party program is already centered on trust, stated or not. The key question is how you gain it and maintain it. The answer lies somewhere at the intersection of transparency and validation.” I liked Jamil’s last comment there, is we kind of understood that we’re building on trust, but how do you actually gather it, and how does it stay solid? So, what were your original thoughts on that, Yaron? Because we are all doing that. But how systematically are we doing it?
[Yaron Levi] Yeah, so first I think it’s worth mentioning that in this day and age of tangled web and third party…tangled web of like third party services and open source, etc., third party risk is probably the highest exposure potential that we have. And a lot of our systems and processes were designed to operate inside some kind of a perimeter, not just out there. And quantifying a potential risk is close to impossible. And especially when we think about it, then we need to do it continuously. That’s even harder. So, many of the current practices we have, whether it’s a questionnaire, an external risk [Inaudible 00:05:21] or audits, usually they fall short due to lack of context and also the complexity of the systems.
So, that’s where I started to think maybe we should turn the tables and look at it from a trust perspective. And I really like what Jamil said. You mentioned, David, about the intersection of transparency and validation. Because trust not only needs to be earned, but it also needs to be maintained. So, yes, we need to know what the third party’s [Inaudible 00:05:47] for their security practices are, but it doesn’t end there. There are many other things that need to happen to continuously be able to earn that trust. And not just technical controls but also other things around relationships, collaboration, business operations, etc.
[David Spark] All right. I’m going to throw this one to you, Dan. Can you have or can you make some suggestions…is there some systematic mechanism that you have deployed…? And it could just be a single element. I’m not asking for the entire program. But to either build and/or maintain trust?
[Dan Walsh] Yes, but I’ve done this in different ways depending on the situation. So, as an example, when I worked for a product company as the vendor being scrutinized, often times we wouldn’t check every single box on a third party questionnaire because we couldn’t. Because there were extenuating circumstances. And so I would invariably meet with the person that was just looking to check a box, and my position with them was we take a risk based approach, here’s my phone number. If you have any questions, you can call me.
But here’s how we approach this, and here’s how we think about this. And we’re basically addressing our risks in a ranked sort of way. And that went a very long way from a purchaser point of view, me as the vendor. Then in terms of being on the buying side, one of the things that we ask for at VillageMD when we’re purchasing software as an example is we ask for a software bill of materials. Because it gives us an indication of the quality of software. Now, we don’t necessarily beat the vendor up over every single vulnerability that we find in that SBOM, but it’s a quick way that we can really understand the risk of the software that we’re going to use.
Does anyone understand what’s going on?
[David Spark] Matthew Davies of SureCloud said, “Organizations are conducting point in time assessments which in most cases are just ticking boxes for compliance. Organizations need to focus on building trust with their suppliers and having a common risk culture.” And I think this feeds into what Jamil said and what you also said, you wrote about maintaining the trust. And Paul Stefanski of the Bi-State Development Agency, doing business as Metro, said, “I may have a solid established relationship with my account manager, and I trust her. And thus that leads me to trust the company. But that does not mean the company has their back end systems in order.” I kind of really like that example. It’s like we do work with people. We want to work with people. The people we are working with can be completely trustworthy. But there could be operations that are happening in the back end that we can’t trust. I’m sure you’ve run into this, Dan, yes?
[Dan Walsh] Yeah. And Paul’s example, he trusts the account manager. What’s in her span of control?
[David Spark] Right.
[Dan Walsh] The relationship with the account, the renewal. It’s not the product. It’s not the back end systems, to Paul’s point. So, how can Paul gain trust with those back end systems that ultimately runs the product that he is reliant on? And that very likely has his customers’ data in it.
[David Spark] Yeah. Throwing this to you, Yaron. The thing about the… And we’ve heard this time and time again. Essentially filling out the questionnaires is it is a point in time. They’re so rarely updated. You do it once, and sometimes years go by. And you don’t know what has happened. It can put you in an enormously risky situation. And this really doesn’t play into the maintaining trust that we need to do.
[Yaron Levi] Right. And I think that’s the key because trust is over time. As long as over time you don’t give me reasons to not trust you then we can continue and maintain that trust. There are many components to that trust. If you have your certifications, if you have SOC2, or ISO, or whatever, it doesn’t mean that everything is solid. And even those are somewhat point of time. But at least it tells that you are at least committed to do something about security continuously. But it’s only one component. It’s not just everything. But then we also have to remember that there are a lot of things from the business side that we have to do in order to maintain that trust. Like for example, is your pricing model pretty straightforward, or do I need like a PhD in math in order to understand how you calculate pricing, and how should I prepare for my budget.
Is the model predictable, or will I be surprised every year? How do I hear regularly from the partner or the vendor? Or I only hear from them at renewal time, once every two or three years? Who do I have access to in your company? Do I have regular access, or do I have transparency access to the CISO, for example, if I need to talk to them? Or to the CEO, or the CFO, or somebody else. Or is it all guarded behind high walls that I can never get access to? And then what if something bad happens? What level of transparency do we get? These are just a few of the examples. But I think the mindset must be long-term partnership than just a short-term transaction.
[David Spark] By the way, something you just said at the end we’re going to get to in the next segment as well. But you list off a lot of key things, and there’s… I’m going to throw this to you, Dan. There is no one thing you can do, but there are things that have sort of higher priority than others. And I’m sure certain things that set off red flags, you’re like, “Oh, geez, this isn’t going to work.” And obviously don’t mention anybody, but you can tell me sort of both sides of the equation. Something like, “Oh, this allowed me to trust them more. This set off a red flag.”
[Dan Walsh] Yeah, sure. One of the things that Yaron talked a bit around was culture. If the sales team is shady and they’re only going to show up at renewal, what does that say about how they’re maintaining their engineering side on the software side, right? Or I won’t mention this vendor, but we had a vendor that basically said, “Look, we’re going to match the price of this competitor that you’re looking at that’s cheaper than us. We’re going to give it to you for 90 days free. And if you decide in 90 days you want to back out, you can back out at no cost to us.” They bent over backwards because they said, “We’re so confident in our product, and we know that you will be, too.” And that transparent communication, that, “Hey, we’re available for your questions in the sales process,” gave me trust and comfort that, to Yaron’s point, if there’s an issue or they lose my data, they’re going to call me right away about it. Because things are going to happen. There are going to be breaches, even from partners that you trust. But the key is what are they doing about it so I can be in a position to be successful.
Sponsor – TrustCloud
[David Spark] Hey, before we go any further, I just want to ask you, Yaron… Yaron, you’ve now been at Dolby, I’m going to ask…has it been like two years or three years? How long have you been at Dolby?
[Yaron Levi] Yeah, it’s going to be two years in January.
[David Spark] All right. You were in health prior to this. I’m interested to know what has been the big difference from going from health insurance to essentially not health insurance. Let’s just say it like that.
[Yaron Levi] Oh my God.
[Yaron Levi] I would say it’s moving from a more let’s call it traditional industry to more engineering, high tech industry. And actually Dolby, we’re in the fun business. We’re doing fun things for people. Dolby Atmos, which is University of Technology for Audio and Video, Dolby Vision. So, we are in the fun business, not in the sick business. So, I think that’s been a big thing for me.
[David Spark] That’s a good point. Dan, I’m thrilled to have you back on board. By the way, one of your former employees, DJ Schleen [Phonetic 00:13:27], has been on our show as well. So, we’ve been siphoning some of your… Well, he’s now your former talent.
[Dan Walsh] He is. He is.
[David Spark] But he’s been on actually in both cases, before and after for that fact. Are you looking for more talent to fill great people like DJ as well?
[Dan Walsh] I am. We have some opportunities with our AIM program, as well as GRC analysts. So, we are looking to fill in those areas.
[David Spark] All right, all that information available… And if they drop that they heard you on the show, does that help in any way whatsoever?
[Dan Walsh] Yeah, I actually think it would because it’s going to tell the recruiter that they’re engaged in the community.
[David Spark] Good point. Very good point. Before we go on any further, I do want to mention our sponsor, TrustCloud. Remember, they do some pretty awesome stuff around questionnaires, automating them. So, security and compliance are too often viewed as a cost center instead of driving real business value. So, TrustCloud’s mission is to change that. Listen up – TrustCloud is the only all in one predictive risk and compliance platform that helps your entire team automate work and build a more secure business. So, reduce the time and cost of completing audits with programmatic control verification. TrustCloud’s automated evidence collection and common controls framework actually helps you meet requirements to many standards at the same time.
So, you see where I’m going here? Map wants and meet multiple standards, yes. Does your team struggle with security questionnaires? I know, it’s a redundant question. Just stay with me. TrustCloud makes reviews faster. First, go to Trust Portal to showcase your security posture so fewer customers send questionnaires. Then let TrustCloud’s AI engine answer questions for you so you can spend your time on the most important projects. Are you managing your risk register and spreadsheets? TrustCloud connects to your systems for continuous business wide monitoring to identify risk and suggest solutions. TrustCloud maps liabilities so you can tie contractual commitment to your compliance posture and prove the value of your security program. That’s huge. All right. This is what I want everyone to do – visit trustcloud.ai. That’s like it sounds, trustcloud.ai/cisoseries and connect with one of their specialists today to learn how you can transform security and compliance from a cost center into a profit driver with TrustCloud. Once again, that’s trustcloud.ai/cisoseries.
What does successful engagement look like?
[David Spark] Rich Friedberg, CISO over at Live Oak Bank, said, “Relationships and informal collaboration with key vendors and partners has to be the focus. Just think about the recent Log4J triage. For the vendors I had a relationship with, a quick text or email to their CISO, ‘You guys on it? Want to exchange notes?’ and in 30 minutes you have a better confidence level than a ten-page questionnaire.” And Chad Dumkey of TECO Energy said, “Companies and individuals alike have to mitigate risk, but we also have to come to terms that we need to absorb some of that risk. Driving is a perfect example. Must companies and people subconsciously accept the risk that they may get into an accident when they drive their car?” And lastly, Siva I. of ServiceMax said, “You trust the handyman to do a good job, but you also verify what is done and is up to code.” I’ll start with you, Yaron, on this because you brought it up. I think Rich’s comment at the beginning was on the money. It’s like who are the vendors who are talking me through this? That’s the trust I want. We always talk about this like it’s not that you got the breach, it’s how you handle the breach. When you’ve had incidents, have you had vendors who have been just on the money?
[Yaron Levi] Yeah, absolutely. I completely agree with Rich. And I think you can see that when you have major incidents or major events. And who is jumping immediately and pick up the phone and call you and say, “Hey, just giving you a heads up. We don’t know much. We’re still working on this together. I’ll share more information when I know.” But that collaboration or that partnership is immediately there.
[David Spark] And by the way, that’s a key thing you just said there. They’re calling you even when they don’t know something.
[Yaron Levi] Right.
[David Spark] They’re just saying, “We’re here. We’re working on it. And we’re going to keep you up to date on it.” That’s key.
[Yaron Levi] Then there are others who you know something happens, you hear it through the grapevine. You never hear from them. You reach out, and maybe you hear like four days later, “Oh, yeah, we had something happen.” So, there’s a lot of things that are done, I would say, behind the scenes within the community. There’s a lot of collaboration that is let’s call it unofficial. But I think in order to gain and build trust officially between the organizations this needs to be more officially defined, and stated, and practiced as opposed to, “Oh, yeah, I know Dan, so I’m just going to call Dan on the back end. And he’ll let me know what’s going on.”
[David Spark] So, speaking of that, Dan, do you have in your contracts like something about the communication flow, and are you doing tabletop exercises with your vendors?
[Dan Walsh] Nothing in the contract about communication flow. We’ll sometimes put in the contract a right to audit. We will do tabletop exercises with vendors. I think to Rich’s point, it is great just to pick up the phone and be like, “Hey, what’s going on here?” That’s what the CISO community does anyways. So, if you as a vendor are going to do that with your customers and have that type of communication, that’s going to get around the community. And you will actually, I think, increase your ability to sell into the community because people want to trust you.
[David Spark] Right. Very good point. I want to though get into also the things about we all trust, but we all know that there’s going to be risk. Like the idea of you can have the world’s safest car, but you’re driving it. You know?
[Yaron Levi] Right.
[David Spark] And so you’re absorbing a certain percentage of the risk yourself. What’s sort of the analogy in security of like we do have good products here, but we’re the one managing it. Does this come down to how we’re configuring it, Yaron?
[Yaron Levi] I think it’s more of the understanding of the shared responsibility between you and the third party. And even though Cloud has been around for, what, maybe 15 years now, and we’re more and more putting things into the Cloud, with Cloud services, whether it’s software, or infrastructure, or platform, probably the biggest mystery that most companies still don’t understand is that shared responsibility model. What the Cloud provider is responsible for, and what you’re responsible for. And, again, it’s a shared responsibility. You’re not just going to outsource everything.
[David Spark] Do you have that outline, the shared responsibility, in your contracts?
[Yaron Levi] Yes. Yes. Because it’s not just, “Okay, I’m just going to punt everything to somebody else, and I don’t have to worry about this.” No, I very much do. Do we have the mechanisms to work together to achieve and accomplish that shared responsibility?
[David Spark] And I’m assuming you have the same. Yes, Dan?
[Dan Walsh] We do, absolutely. And thinking about the car analogy, there is a shared responsibility there. We don’t want the manufacturer to manufacture a car that has a gas tank that explodes every four times you fill it up. But we also have a driver’s license, so we know people are capable of driving the vehicle.
[David Spark] Yeah, that’s a good point.
Why is this so darn hard?
[David Spark] Phillip Miller, who is the CISO of NetApp, said, “I would suggest that it is vitally important to assess how resilient the organization is to failure caused by each third party. We should measure a third party’s alignment with our values to inform buying and retention decisions while focusing on how to build mechanisms to side step or recover from failure by a third party.” And Gene Melendez of MUFG said, “With a third party I want to understand the service provided, impact on the business model should it cease to exist, what data they have access to, how the business would be impacted should the third party incur a security incident requiring the services provided to be disconnected. I’d say verify before you trust.” So, I’ll start with you, Yaron, on this one. This is really interesting. You want to do business, but, A, something may not last forever. And also a third party could go completely down. So, do you have sort of in your tabletop exercises…have the understandings of if this service goes down how do we manage that?
[Yaron Levi] Yeah. And I think this is part of the due diligence that you have to do. When you do those due diligences, you have to look at it from a business lens and then from a security lens. So, for example, you ask questions like how critical is this service or product to our business. Put security aside, to our business. What happens if it goes down? What impact can it have on our financials, for example, on our data, or whatever the case may be? And then what impact can it have on our security and privacy, regulatory impact, etc.? I think having these questions answered, we can have a better informed conversation with the vendor about the controls and the practices, and also have them understand what’s important to us. And if they focus on that, it will be very helpful for trust building and maintaining that trust over time. It’s also important for third parties to be very clear about what they do and what they don’t do, and what they will never do. Because as Dan mentioned earlier, if I send an RFP out and I get yes or comply on every single question, something is not right. So, probably the best advice I can give, stay away from our BS meter because that is not going to work.
[David Spark] So, as I was reading this, I was thinking this can’t be a part of the job anybody enjoys – thinking about and dealing with what happens should this organization cease to exist or goes down completely. I guess how do you sort of manage this part so it’s not as painful as it looks, Dan?
[Dan Walsh] So, a couple things. I think, one, really understanding what the business importance is.
[David Spark] Like what Yaron just said? Yeah.
[Dan Walsh] Exactly. And then incorporating that into a business continuity recovery plan. I think the other thing is, frankly, for things that are core to your business function and critical, you really need to go with an established third party established vendor. You really don’t want to entrust that… In the healthcare space for a health system to go with some fly by night electronic medical record system, you probably don’t want to do that. You want to go with an established one that can demonstrate that resilience, that can demonstrate their BCDR and their program that they’ve got something that’s well established and well tested. Also making sure that financially that they’re going to be around as well.
[David Spark] Let’s just pause on that right there. Because patient records is critical to your business. That goes down, you don’t have a business, do you?
[Dan Walsh] Yes and no. So, if that goes down, long-term it’d be very difficult. We have our business continuity plan to go to paper. So, we would just go to paper forms and continue to deliver care. But yeah, that’s very core. Or on the other hand if that data is lost, the damage that that does to patients, which is why we went to make sure that we are really vetting out third parties that have access to PHI.
[David Spark] Excellent. Now we have come to the point of the show where I ask both of you to pick your favorite quote and why. And by the way, I think this episode was chock full of great quotes from the community here. This was all based on Yaron’s post where he asked this question about should we be thinking more about trust rather than dealing with these endless questionnaires to determine what the risk is. So, I’ll start with you, Dan. Which quote was your favorite, and why?
[Dan Walsh] Well, I think I like Rich Friedberg’s post.
[David Spark] He put the whole quote about having the engagement of an incident like Log4J.
[Dan Walsh] Yeah. Because nothing warms my heart more… And I mean this seriously. When there’s just that collaboration across the security community. Because like Log4J was bigger than any one company. It’s the only one that’s bigger than any one company. This had massive impacts to our society and to our industry. And so when we can have that type of collaboration, that means we’ve reached that pinnacle, that utopia of trust that we’re all striving for.
[David Spark] And, Yaron, you always talk about you don’t want a vendor. You want a partner, and that very much speaks to that as well. I’m sure you like that quote. Is there another quote that is your favorite?
[Yaron Levi] Yeah, I was contemplating doing this one or another one, and then I chose Jamil’s quote.
[David Spark] Oh, his is excellent as well.
[Yaron Levi] Yeah, about trust and trust being gained and then maintained, and how do you do that is that intersection of transparency and validation. I think that’s the key. It’s gained over time. It’s very easy to break.
[Dan Walsh] Yeah.
[Yaron Levi] Don’t give me any reasons to not trust you. And as long as you can maintain that transparency I think our relationship is going to go a very long way.
[David Spark] Excellent. Well, I want to thank both of my guests. Dan Walsh, who’s the CISO over at VillageMD, and my cohost, guest cohost of this very episode… He is the CISO over at Dolby Laboratories. Thank you so much, gentlemen. Huge thanks to our sponsor, TrustCloud. It is spelled exactly the way it sounds, trustcloud.ai/cisoseries. Go check them out. Trustcloud.ai/cisoseries for more information. Check them out. And I want to thank the audience, as always. As I say, we greatly appreciate your contributions. But a big thing… And I just want to remind you – if you see a great conversation online… It could be on LinkedIn. It could be on Twitter. Reddit even as well… The reason I kind of like LinkedIn is that I can quote individuals. It’s kind of hard to quote a specific person on Reddit, but I think we did one episode on a Reddit discussion. But if you see a really, really great conversation, we can turn that into an awesome episode like what we did right here with Yaron. So, thank you for starting that conversation, Yaron. And thank you as always for your contributions to our audience and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at firstname.lastname@example.org. Thank you for listening to Defense in Depth.