VMblog Expert Interview: Brenda Ferraro of Prevalent Talks Third Party Risk Programs, Cybersecurity and Data Privacy


Over the past year, we witnessed mounting scrutiny and penalties tied to regulatory and data privacy requirements and significant third-party breaches that led to customer losses and legal actions.
While each of these factors spotlights the importance of managing third-party risk, gaining a clear understanding of vendor controls and policies can be an elusive target. Analyzing the trends, challenges, and initiatives shaping third-party risk management (TPRM) in light of current best practices and modern global realities yields some key insights.

To learn more, VMblog reached out to Brenda Ferraro, a member of the senior management team at Prevalent and a US/UK Shared Assessments Steering Committee Board Member.

VMblog:  Do you see a disconnect in Third Party Risk Programs that are placing an increased focus on TPRM but not expanding their program past manual spreadsheets?

Brenda Ferraro:  It is encouraging to see 83% of companies report there will be a greater focus on TPRM as a result of the pandemic, but shocking that only 40% of those companies are planning to expand their programs. It shouldn't be a surprise though considering that 42% of companies are currently using manual spreadsheet-based methods to assess their third parties, and that approach will never be able to scale to meet the increase in organizational focus. Manual spreadsheets are proven to cause questionnaire fatigue, fail to fulfill reporting requirements, and lack the automation to address the complete trust-verify-validate methodology. Companies will need to look to an automated risk approach instead.

VMblog:  Vendor Management and Vendor Risk Management seem to be converging. What can procurement and sourcing do to integrate TPRM information into their selection process within the vendor lifecycle?

Ferraro:  Not having good pre-contract due diligence is the biggest challenge faced by companies that responded to our annual survey. To me, that's where vendor management and vendor risk management converge: vendor management owns the vendor relationship, contracts, performance, etc., while vendor risk management should be assessing which vendors are within risk tolerance to do business with from the start. Without good pre-contract due diligence neither of those two teams' needs will be met. Procurement and sourcing need to incorporate risk information during the selection process to address this gap. Using threat intelligence and automated assessment techniques to define the vendor's security posture will reduce unknowingly accepting vendor risks. Conducting due diligence after the contract is signed can open the company up to surprise vulnerabilities that will subsequently need to be tracked and managed.

VMblog:  Cybersecurity and data privacy have historically been what most regulatory compliance bodies audit. What is being added for a more holistic risk view?

Ferraro:  Cybersecurity and data privacy remain important to the regulatory compliance bodies; however, they are now looking for risk triggers such as geo-political issues, labor standards, environmental, human rights, trafficking and slavery, as well as ABAC. A significant percentage of companies admitted to not tracking these types of risks as part of their holistic risk view. Until they are added to the overall risk formula, companies will be unprotected from potential reputational damage.

VMblog:  COVID-19 brought to our attention that non-cybersecurity risks can cause major disruptions. Is there a huge disconnect on how assessment could or should support supply chain management?

Ferraro:  Fewer than half (44%) of companies that responded to the survey are assessing non-cybersecurity risk such as supply chain resilience, which is particularly concerning considering that 22% of respondents indicated they experienced a supply chain disruption affecting their ability to deliver goods or services. A fire at a plant, an acquisition, a bankruptcy, work-at-home risks: all these things are often not considered as supplier risks on the same level as a breach. Expanding beyond traditional cybersecurity risks, involving vendor management, procurement and sourcing departments across the company, and keeping customers, employees and partners safe will require the key stakeholder teams to work together.

VMblog:  Assessments are in place to identify risk when the vendor is onboarded or while they are providing service. What are companies doing to actively track risks as vendors are transitioned or offboarded?

Ferraro:  The fewest number of respondents to the study (27%) are actively tracking risks as they offboard vendors, but it's at the offboarding stage when a company should ensure adequate data destruction, decommissioning of storage devices housing customer data, de-provisioning third-party user access, etc. That's a glaring risk that will leave companies exposed long after the contract has ended. Third-party lifecycles can be automated to secure contractual obligations from due diligence start to end.


Brenda Ferraro, Global Governance Risk and Compliance Executive

Brenda Ferraro is a member of the senior management team at Prevalent and a US/UK Shared Assessments Steering Committee Board Member. She is a 2020 honoree of The Top 25 Women in Cybersecurity and The Most Influential Women in Arizona and is recognized on the Tech Innovators list of the ‘2021 Leaders to Watch’. Brenda has brought heightened attention to true risk management and third-party risk by streamlining sector-agnostic third-party processes and programs. Her strategic leadership paves the way for corporations, consortiums, and Information Sharing and Analysis Centers (ISACs) to recognize value, remove program complexities, perform compliance readiness, and implement a flexible enterprise risk solution. Prior to joining Prevalent, Brenda spent over two decades leading organizations through control standardization, regulatory compliance, incident/crisis management, process improvements, KPI/KRI reporting, and risk governance at companies such as Edwards Air Force Base, Arrowhead Healthcare Centers, Charles Schwab, PayPal/eBay, Coventry and Aetna. She prides herself on personal growth and on mentoring individuals and teams to continuously improve within their area of passion.

Published Tuesday, April 27, 2021 7:30 AM by David Marshall