"Managing Third Party Risk"

Technology users throughout the world put reasonable steps in place to control technology risk internally. They use firewalls, anti-malware tools, content filtering, patch policies, and training. They develop internal tools under strict guidelines, testing, and controls through the whole process. Many small companies these days spend as much time on risk management as on creating their own technology. However, when they purchase new computers, cell phones and office software, they "assume" that these technology assets are at least as secure as their internal assets.
Third parties introduce significant risk into the technology environment of their clients. Clients who in turn sell technology pass those risks on to their own clients. As a result of opaque technology risk management processes within large vendors, smaller vendors may be absorbing significant undisclosed risk into their own environments and then passing it on to their own clients.

About SafeView

The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at info@airius.com.


The Event

Considerations for Development and Acquisition in Securing Software in the Supply Chain

You’re invited to a complimentary afternoon event designed to help you measure and improve the risk posture of software applications. Aimed at IT and business leaders, the event will address the needs of banking, insurance and capital markets firms as IT innovates to meet increasing demands around customer preferences, data security, privacy, and regulatory requirements. Thought leaders from Airius, the American Banking Association, Sprint, Synopsys, CISQ, and OWASP will share best practices for improved software security and reliability in IT development and acquisition.

Sponsored by: The Consortium for IT Software Quality (CISQ) and the Open Web Application Security Project (OWASP)

Hosted by: Sprint

Supported by: Airius Internet Solutions and Synopsys Software Integrity Group

Date: Tuesday, May 17, 2016 from 1:00pm – 6:00pm

Location: Sprint Executive Briefing Center (EBC), 2nd Floor, 1166 Avenue of the Americas, New York NY 10036.


The Agenda (Download agenda here)

  • 1:00pm Registration & Networking
    • Please check in to pick up your name badge
  • 1:15pm Welcome and Introductions
    • Brian P. Bursch, Business Solutions Account Manager, Sprint
    • Tracie Berardi, Program Manager, Consortium for IT Software Quality (CISQ)
    • Tom Brennan, Open Web Application Security Project (OWASP)
    • Dan Perrin, Founder, Council to Reduce Known Vulnerabilities
  • 1:35pm Security Management - Stuart Mitchell, Systems Engineer, Sprint (Download presentation here)
  • 2:00pm SafeView Security Demonstrations addressing Privacy, Device Protection and Management - Ernest Park, Principal, Cyber Risk, Security & Crisis Management, Airius (Download presentation here)
  • 2:45pm Software Supply Chain Management: Enabling Enterprise Resilience - Joe Jarzombek, Global Manager, Software Supply Chain Management, Synopsys Software Integrity Group, former Director for Software & Supply Chain Assurance, U.S. Department of Homeland Security (Download presentation here)
  • 3:45pm Cybersecurity Assurance Relative to Cyber Insurance - J. Kevin A. McKechnie, Executive Director, American Banking Association (ABA) HSA Council and SVP & Director, ABA Office of Insurance Advocacy (Download presentation here)
  • 4:45pm Networking Reception with Refreshments and Tool Demonstrations - Synopsys Software Integrity Platform Tools - CAST Tools - SafeView Security Tools - Sprint Tools
  • 6:00pm Meeting Adjourned


The Results

Sprint has an elegant executive briefing center that they are justifiably proud of. While we were in that building, they put us in the overflow room, next to the super nice conference rooms. Over seventy-five guests attended the meeting, greeted by another twenty staff from Airius, Synopsys, and our host, Sprint.

The event went well, with the presentations focused on understanding third party risk, measuring it, and then being aware of the impact to your business.

The facilities are right in midtown New York. Sprint's EBC staff were gracious and accommodating. Sprint has supplied additional handsets, networking devices and accounts with which to test and document secure mobile computing capabilities.

A personal story about our host

In early 2011, a client rushed my team and me to Daytona, Florida. His company had suddenly gotten involved in NASCAR racing, bought cars, contracted with a team, and was going to race. It turns out that there are a number of critical data management responsibilities in automotive racing.

When we arrived at the track, it was Friday. The car still had to warm up, qualify, stay in one piece until Sunday, and then race in the Daytona 500.

The car was still in blue and primer. It seems that nobody had sent the artwork to the printer. I had to find a vinyl printer and then send the car images. Good thing that I came, since the content was on the company cloud storage, protected by a VPN. There was NO COVERAGE, despite my Verizon data card and my T-Mobile backup device. I went to the Sprint Experience area, and I was given two phones, no questions asked.

In minutes, I had a strong signal, was able to authenticate, collect the file, and give it to the vinyl printer at the track.

It is an interesting experience when technology risk consultants get to touch the information that they protect. We harvested the files from the server, got them to the printer, raced across the facility and applied the vinyls ourselves.

The race went well. My client's driver had the car in the top ten for half the race, and in first place for a little while.

Then things got ugly.

The race car got a solid week of coverage for having been caught at the head of the lead pack when it all crashed.

We finished the race, the first of many, and our driver Andy Lally won Rookie of the Year. As it turns out, there are a number of critical decisions that have to be made throughout the race, the majority of which are driven by server farms located in those car haulers. The race teams have to calculate risk, probability, cost of mitigation, cost of remediation, cost of event, and so on. The team owner constantly recalculates the cost/benefit of the running car, lap by lap. I would never have guessed that our technology risk management skill set was such a perfect fit for competitive motorsports.

We have since provided technology risk consulting to other very competitive racing teams, those who value knowing the cost and probability of any given event, at any time.

Richard Petty, former number 43, and one of the most recognized race car drivers in history

Sprint inherited the NASCAR sponsorship through its Nextel acquisition and held onto it for the length of the contract. Their participation in NASCAR will be missed, but it was always appreciated by the teams, the fans, the owners and me.

Summary

This inaugural event went very well. Synopsys and Airius (sponsor of SafeView) sponsored the event. We got strong industry backing from OWASP and CISQ. None of this would have been possible without the facility host, Sprint. We are all grateful to Sprint and eagerly look forward to working with them in the future. All the parties involved had a common message, and our guests were sincerely interested in hearing more. We will be holding another event towards the end of the summer. Please reach out with your interest to RSVP at risk_events@airius.com.

The Chevrolet Lumina #71 race car after the Subway Fit Fresh 500 in Phoenix, AZ in 2011