Culture is something that seems to be a very human thing. We love to build tribes, and around those groups we add layers of knowledge and characteristics that describe the beliefs and traditions of a particular set of people. This is no less true in business. In fact, the culture of a business can influence everything about an organization, from its decisions to its strategies, the way it operates, and how its people interact with each other, third parties and customers. It is with this in mind that the Ponemon Institute has created a new study focusing on third party risk management. The study looks at how risk management is affected by a ‘top down’, C-level culture driving important strategies and practices in this area. The study is called “Tone at the Top and Third Party Risk”, and this post will take a look at the report, its results and its recommendations for third party risk management.

Setting Out The Landscape

Ponemon interviewed 617 respondents for the report. Their collective view was that cyber security, coupled with disruptive technologies, is a major game changer in vendor risk management. Cyber threats are increasing and 2015 has left everyone with a cyber headache – PwC concurs, finding that 76% of executives are concerned about the effects of cybercrime on their organization. This is likely due to the massive increase in cyber threats that came out of 2015, an example being the Anthem breach, which resulted in 80 million records being exposed. The report goes on to say that the introduction of new and disruptive technologies such as the Internet of Things (IoT) is compounding the issues by adding a new layer of threat to an already worrying cyber threat landscape – in the Ponemon study, 78% stated that their vendor risk profile is significantly impacted by these changes.

Why Are C-Level Executives Not Engaged in Risk Management?

With the kind of press that cyber attacks are getting, and the understood impact a breach can have across the supply chain, you would expect full engagement from all levels of an organization. However, the report found a lack of interest in vendor risk management among top management. The reason for this lack of concern is thought to be that 63% of executives don’t believe they have ultimate accountability or responsibility for this area. In a related vein, board members were also disengaged from the vendor risk management process – communication was decoupled, resulting in a lack of understanding or engagement.

It’s About Good Communication

One of the prerequisites for a cultural exchange of ideas is good communication.

The Ponemon report shows that poor communication is an issue for the majority of the respondents, with only 11% feeling they had effective communications with both internal groups and third party vendors. Seamless and effective communication is the foundation of any organization – we may live in a digital age, but you still need to communicate to make things happen. The idea of ‘tone at the top’ is to have a top down approach to communicating the core values of an organization across the extended ecosystem, drawing in third party vendors. In the study, 41% of respondents said they expected this communication to start at the door of the CEO. A positive tone at the top, incorporating the ethics and values of the organization, will then filter down into the relationships with third party vendors, resulting in better all-round trust and reduced risk.

But It’s Also About Good Assessment

Two thirds of the respondents in the study admitted that their internal controls over the supplier ecosystem were lax. Many said that their third party management processes were undefined and ad hoc, with only 26% having effective controls in place. This lack of control extends to the third parties themselves, with 33% of respondents saying that they wouldn’t terminate the contract of a third party who didn’t meet their expected levels of control. The areas that came up short were assessment and metrics. Over half of the respondents couldn’t identify what intellectual property was in the hands of third parties. Worryingly, less than half of those asked did any cyber security risk assessment of their third party partners. This ultimately leaves everyone open to increased risk.

A recent advisory put out by the U.S. and Canada to warn of ransomware attacks across the supply chain is a stark warning to all that we need to get our houses in order.

Some of the Statistics From the Report

Section 2 of the report looks at some of the key findings. Here is a round-up of the most interesting:

•    75% believe that third party risk levels are increasing and serious.

•    The IoT and cyber attacks are the most significant factors in increased third party risk.

•    Minimizing downtime and business disruption are the main objectives in managing risk.

•    There is a serious lack of formal programs for third party risk management.

•    50% of respondents didn’t believe that their risk management was aligned with business goals, and said that C-level management and board directors were not engaged in the process.

•    41% expected their CEO to set a positive tone for the entire organization, which in turn results in more trustworthy relationships across the supply chain.

•    Third party risk assessment is ineffective in 74% of respondent organizations, and checks are generally informal.

•    Even if a lack of controls was found at a third party vendor, most would not terminate its contract.

•    49% did no cyber security risk assessment at all.

Having a Positive Tone at the Top

The report’s conclusion lists ten recommendations to improve the culture of vendor risk management. It also points out that ignoring the issues can cause ‘severe’ consequences, citing an average of $10 million spent annually by the respondents on problems created by malicious or negligent third parties. The ten recommendations focus on positivity, communication and assessment to reduce risk. The conclusion is that the tone coming from top level executives will filter down through the company and across to partners and other third parties, imparting the vision and strategy of the organization. Communication of values and vision, especially around risk appetite, will be part of this dissemination of the risk culture. The recommendations also focus on assessment, such as understanding the impact of disruptive technologies like cloud and IoT and the threat of cyber security attacks.

The consensus of the study is that the engagement of C-level and board executives is a vital part of the equation in managing third party vendor risk. With a positive tone at the top, the message around company ethos, vision and strategy is disseminated across the third party vendor ecosystem. This will result in a more coherent and tightly controlled extended organization that can better manage risk in a changing and disruptive environment.

Why Enterprise, Automated Governance is Critical for Growing Retailers

August 25, 2016 | Michael Janeiro

How many retail locations and how stretched is your geographic footprint? A half dozen locations in a metropolitan area? Thirty stores in a specific region of the U.S.? Hundreds of outlets across the country?

Do you also, like most retail companies, enable customers to shop online? Do you have mobile apps that enhance the customer experience?

Consider the totality of your physical and digital presence. With each location, website, computer terminal, server, data center, cash register, etc., you increase your company’s exposure to:

•    City, county, and state regulations on building codes, employment laws, and consumer protection.

•    Multiple entry points for hackers and potential data thieves.

•    A more complex supply chain that at any point can be the catalyst for business disruption, product liability, and non-compliance with standards and guidelines such as conflict mineral sourcing.

•    An employee base that can cause any number of incidents, disruptions, and legal issues.

•    A network of third parties that extends your infrastructure beyond much of your control and increases the chances of disruption, IT security risk and non-compliance with growing regulation.

The role of corporate governance

Creating, administering and enforcing policies throughout your company, as well as managing the relationships among your various stakeholders, is the role of corporate governance.

Whether you realize it or not, you have a corporate governance program. How effective and how visible it is across your expanding retail organization may be an entirely different matter.

One of the challenges faced in most retail organizations is the need to expand geographically and/or digitally to increase sales in an ever-competitive environment.

At the same time, any expansion increases the aforementioned risks and regulations, necessitating greater governance. Without it, your retail enterprise, regardless of its size, lacks consistent processes, policies, procedures, and technology requirements.

Consider the common governance challenges facing expanding retailers:

•    Increasing compliance with regulations and standards ranging from the Payment Card Industry Data Security Standard to conflict minerals reporting.

•    Collecting and correlating data for regulatory compliance.

•    Developing policies in timely response to changes in laws or to specific incidents that occur.

•    Timely review and update of policies, communicating new and changing policies across the organization and ensuring all stakeholders understand and acknowledge governance policies.

•    Maintaining visibility into corporate governance objectives and results, especially to key stakeholders such as shareholders, directors, and executives.

•    Identifying, prioritizing, and addressing multiple risks throughout the enterprise, including compliance risk, IT security risk, operational risk, vendor risk, business continuity risk, and audit risk.

•    Maintaining an IT asset inventory so you know which assets are potentially impacted when particular threats and vulnerabilities arise.

•    Communicating incidents that occur at a single location up to the corporate parent and then across the enterprise. Otherwise, smaller issues can become much larger ones over time.

•    Prioritizing incidents among billions of data points received. How do you know which ones to address and which ones are irrelevant to your organization before spending the resources to investigate?

•    The onslaught of data breaches that have hit retailers large and small. Although many consumers have accepted the risk of security breaches as a trade-off for convenience, one recent survey found that 39 percent of shoppers spend less at retailers that have experienced a security breach than they did before the breach occurred. Another 34 percent of shoppers don’t shop online due to fear of security breaches.

An enterprise, automated approach

The increasing risk and governance challenges posed by physical and digital expansion necessitate an enterprise approach to corporate governance. Introducing other types of activities into the business model can create new complexities and risks, which call for a broader approach to governance.

Managing corporate governance on an enterprise level, however, can be an arduous task, often requiring multiple employees dedicating long hours at extensive cost.

Therefore, retailers need an efficient, effective and automated solution to help their business processes and their security requirements work together to deliver improved efficiencies while strengthening their overall governance program.

The right automated solution can enable retailers to enforce policies and procedures, establish best practices, mitigate and manage risks, and comply with regulatory standards and requirements.


Here we are in the middle of 2016 and the cybercrime wave that has been the hot topic for more than two years continues to rumble on. We are in fact in a bizarre situation where, alongside our commercial competitors, we have cybercriminals competing with us. The competition in this case is for data, an item that straddles all industry sectors. Cybercriminals make a lot of money from the data they compromise. It is estimated that cybercrime is currently costing the global economy around $450 billion annually. Some, like Juniper Research, are predicting that those costs will spiral to around $2 trillion by 2019. Once you start describing losses in the trillions rather than billions, you know you really do need to take stock. Analysts at HPS have shown that cybercrime is truly a globally competitive business, comparing it to the likes of Apple and Microsoft in terms of revenue generation. Cybercrime is a formidable and successful competitor in today’s data stakes.

Source: HPS

With a business model this effective, cybercrime is set to continue as a major threat to normal business operations. Changes in the threat landscape, such as models enabling cybercrime like ‘Malware as a Service (MaaS)’, make this onslaught of attacks even more likely. We are left with no option but to take this all very seriously. It’s too bad, though, that the old methods of defense, like anti-virus software, are showing cracks in their armor, with anti-virus vendors like Symantec stating that anti-virus software is only effective against 45% of viruses. We need to move to a new paradigm in our approach to mitigating cyber threats – the war against cybercrime is now about a simple concept: awareness.

The Biggest Threat is You

Any type of crime, be it real world or digital, has an element of human behavior about it. One of the world’s most famous scams, the Ponzi scheme, carried out back in 1920, was based on the basic human drive to accumulate resources – in this case, lots of money. Today, cybercriminal scams also exploit human behavior to elicit knee-jerk reactions. Phishing, a technique based on social engineering that encourages its target to perform an action that benefits the cybercriminal, is the most successful vector for cybercrime according to a report by PhishLabs. In 2016 this continues to be the case, with the first quarter of 2016 seeing a 250% increase in phishing attacks. Phishing is a perfect example of the use of human behavior to achieve an outcome. It comes in a myriad of forms, morphing into new ones as older ones become recognizable and less effective. The reason this method is so successful, with the SANS Institute estimating that phishing is behind 95% of all security breaches, is that the successful cybercriminal uses their knowledge of how we tick as much as they use software code. What this means for us, as business owners, IT staff and company employees, is that we need to be much more aware when it comes to security, especially cyber security. With the type of cyber threat climate we face today, we cannot rely solely on technology to get us out of sticky cyber situations.

Being Security Aware

Being security aware is about creating a culture of security within an organization. In practice this requires everyone, from the board to the IT department to the sales team, and out into your extended third party vendor ecosystem, to understand the implications of the modern cyber security threat.

Security awareness includes understanding the security requirements and impact of common standards and compliance regimes, such as HIPAA and PCI-DSS. However, security awareness is much more than just complying with laws. It is about knowledge and understanding of what the threat landscape has in store for us, and of the techniques used against our organization and ourselves. To be security aware you need to:

1.     Know the types of attacks being targeted at your specific industry area (check out our industry series covering six industry sectors, and the types and levels of cybercrime they experience)

2.     Use this knowledge to set up the best type of security awareness program for your company

3.     Use special programs, like phishing awareness training, to teach your staff and extended vendor ecosystem what a phishing campaign looks like. This can include running mock phishing attacks. Metrics from these mock attacks can also help you understand where in the organization to concentrate security awareness training.

4.     Recognize that security awareness is an ongoing activity. Cybercrime is not a static practice; it morphs and changes to optimize its outcomes. The fact that cybercrime revenue is up there with the most successful companies in the world is a testament to the cybercriminal’s continuous improvement of their business models.
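As an added illustration of steps 3 and 4 (example code, not from the original post), the following Python turns the export of a mock phishing campaign into per-department click and report rates, ranks where to concentrate training, and tracks the change between campaigns. The CSV layout, department names, thresholds and all results are assumptions constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed export from two mock campaigns (sample data): one row per recipient,
# clicked = followed the lure link, reported = flagged the message to IT.
SAMPLE_RESULTS = """campaign,department,clicked,reported
2016-Q1,finance,1,0
2016-Q1,finance,1,0
2016-Q1,finance,0,1
2016-Q1,sales,1,0
2016-Q1,sales,0,0
2016-Q1,sales,0,1
2016-Q1,it,0,1
2016-Q1,it,0,1
2016-Q1,it,0,0
2016-Q2,finance,1,0
2016-Q2,finance,0,1
2016-Q2,finance,0,1
2016-Q2,sales,1,0
2016-Q2,sales,1,0
2016-Q2,sales,0,0
2016-Q2,it,0,1
2016-Q2,it,0,0
2016-Q2,it,0,1
"""

def campaign_metrics(csv_text):
    """Per campaign and department: (click_rate, report_rate) over recipients."""
    tallies = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))  # sent, clicked, reported
    for row in csv.DictReader(StringIO(csv_text)):
        t = tallies[row["campaign"]][row["department"]]
        t[0] += 1
        t[1] += int(row["clicked"])
        t[2] += int(row["reported"])
    return {camp: {dept: (c / n, r / n) for dept, (n, c, r) in depts.items()}
            for camp, depts in tallies.items()}

def training_priorities(metrics, campaign, max_click=0.4, min_report=0.5):
    """Departments that clicked too often or reported too rarely, worst clickers first.
    The thresholds are assumed policy values, not figures from the post."""
    flagged = [(dept, click, report) for dept, (click, report) in metrics[campaign].items()
               if click > max_click or report < min_report]
    return sorted(flagged, key=lambda item: (-item[1], item[2]))

def click_rate_trend(metrics, earlier, later):
    """Change in click rate per department between two campaigns; negative = improved."""
    return {dept: round(metrics[later][dept][0] - metrics[earlier][dept][0], 3)
            for dept in metrics[later] if dept in metrics[earlier]}
```

A department that is no longer flagged in the later campaign but shows a rising click rate is still worth watching, which is why the trend is reported alongside the priority list.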

Being mindful of the benefits of security awareness is a modern way of tackling cybercrime. It allows us to form a concentrated defense, utilizing the very thing that cybercriminals rely on to bring about a breach – ourselves.