🔒 Security Week Fireside Chat: Arianna Willett & Ling Wu
In this Cloudflare TV Security Week segment, Ling Wu will host a fireside chat with Arianna Willett, Senior Director, Security Risk & Trust, Okta.
All right, and we are live. So welcome to Cloudflare TV. I'm Ling Wu and I manage our governance risk and compliance team at Cloudflare.
Excited to have with me today Ari Willett, who is a senior director of security risks and trust at Okta.
So first, thank you so much for being here with me today.
For the audience, we met actually during the pandemic virtually through a Slack group for a Bay Area security, for basically Bay Area GRC members in this professional space.
And in the Slack group, we talk about everything like security compliance related, from what kind of GRC tools teams are using, or even like, have you dealt with the latest Canadian privacy and security requirements.
So if anyone in the audience is in security, or part of a GRC team and in the Bay Area and would like to join the Slack group, let us know, you can find us on LinkedIn, send us a message, we're happy to add you there.
So Ari, you've been in the security compliance space for some time now.
Tell us a little bit about your background, what you do at Okta, and the other companies you've been at.
Yeah, sounds good. And thanks, Lynn, for inviting me to join you today.
Yeah, I've been in the GRC space for around 10 years now.
I started my career with Deloitte, I spent a lot of time doing, unfortunately, some SOX work, and then moved into IT internal audit and third party security, and did that for a number of firms, or with a number of firms out in the Northeast, I'm originally out of New England.
And then just decided that the winter was not for me and came out to California, I moved in and started the risk and governance group over at Twilio, and spent some time over there, built that group from the ground up.
And then most recently transitioned, as you mentioned, to Okta, where I'm the Senior Director of Risk and Trust there, overseeing all of GRC.
So yeah, I think every part of my career has had third party security as a core component.
And it's just a really, really great conversation to have really great, you know, it's a pillar of the GRC space, I think.
Yeah, thank you. I'm super excited to talk about third party risks.
And in the security world, when we talk about third parties, our definition is when we do business with a partner, a cloud provider, a contractor, an auditor, a data center provider, basically, any third party providers, where we are transmitting, processing, accessing, or even storing sensitive information through the third party or, or with that third party.
So some of you may use the term vendor risk, or supplier risk, it is one and the same to us.
So the reason why we decided to talk about this today is because it is trending.
It is a trending area in security, especially with like recent events.
And so in the last 10 years, I've seen third party risk programs evolve, I want to say it was the enforcement of GDPR in 2018, where a lot of companies started truly focusing on retiring their third party risk programs.
Prior to that, I want to say it was more of kind of like a checkbox activity to meet standards and requirements.
And the reason why I say that I think like GDPR was a turning point is because it required companies that were like processing personal data with vendors to make that information public with basically who those vendors are, like you had to list on your website, you had to put it either in your website or in your privacy policies.
So Ari, I was wondering from your perspective, how you've seen third party programs evolve at the companies you've been at or the clients you've served?
Yeah, and I 100% agree with you around kind of a bit of a turning point with GDPR, because you have to be much more transparent and have to have everything, you know, at at your customers fingertips, particularly in the B2B space, that's become much more prevalent, I think.
I'd also say, you know, some of the things I've seen over the past few years is, you know, with a lot of these large breaches that impact a lot of SaaS companies, there's a lot more visibility and concern from the C-suite on vendors and what we're doing and how we're thinking about them.
And so, you know, with increased attention comes better practices, because you have to be showing that you're thinking about this holistically as a process.
When, you know, the CEO calls and says, what are we doing about this?
You know, everyone wants to have a good answer to that. So, you know, there's been a lot of thoughts or a lot of conversations over the past few years, but, you know, especially recently with SolarWinds, with Verkata, there's a lot of different incidents that have impacted a lot of different companies.
And that kind of brings this issue to the forefront as well.
Yeah, I definitely agree that breaches and recent events have highlighted the importance of third-party risk programs.
Something I've actually been thinking about recently is if a company has been impacted by a security incident or breach caused by a third party, do you think we will trend towards companies purchasing less to reduce their threat landscape?
No. I think that this would make my job a lot easier. And the person that runs vendor security over at Okta on my team, this is her life goal, is to have us purchase less, just less overall.
But, you know, I don't necessarily think that will be the case.
And I think it's actually trending in the opposite direction, where a lot of companies, particularly technology companies, are, you know, building their core functionality, you know, what they bring to market in-house, and then outsourcing everything else.
And so I think the trend of that trend will continue and, you know, companies will continue to bring on specific SaaS applications, best-of-breed applications to do, you know, in-house functionality for them.
That being said, I do think there's more, you know, when you talk to groups like IT and procurement, they don't necessarily want to, and I apologize, it's street cleaning day, so I'm not sure if you can hear that.
I'll just wait till it passes real quick. Okay. I do think that groups like procurement and IT can help kind of reduce that vendor landscape, that threat landscape, because, you know, procurement doesn't want to be bringing on and paying for all of these different SaaS providers or different kind of companies and consulting firms and whatnot.
IT doesn't want to manage all those applications, but they want to kind of reduce that.
I don't necessarily think that they think about it like a threat landscape, but really the vendor portfolio that a company has.
And so partnering with them to kind of reduce the threat landscape, everyone, those three groups at least, win, while still managing to kind of make sure that the business has all the tools that they need to do their work.
Yeah, I think they primarily focus on just consolidating.
Yes, exactly. Consolidating all the applications and vendors.
To make your lives a little bit more efficient. But I actually 100% agree with you that it would make our lives a lot easier if we just stopped purchasing.
And I also don't see companies halting that as well. I think there will be more companies focusing on monitoring and detecting the behavior of those providers and also re-evaluating their security review process for critical impact vendors within their environment.
I'm wondering what you've seen companies implement in the past year due to these security incidents like SolarWinds or Verkata to protect themselves.
Yeah, it's been interesting. I've had a couple of conversations with different folks who run third-party security at different companies.
The way that we've always run third-party security is kind of you send out your questionnaire, you do your due diligence, you perform an on-site audit.
But some of the breaches and some of the incidents that have happened recently, those processes wouldn't necessarily catch, wouldn't have caught that, wouldn't have protected any of the companies that use those vendors.
And so, the thing that I've seen being discussed more often is really that end-to-end process around a software vendor.
You do your due diligence, but then what happens once you decide to make that purchase?
Who helps if there's any kind of integration or stand -up work that needs to be done with the vendor?
Who helps configure it? Who helps manage access to it?
Are you pulling logs and monitoring that from a SaaS vendor? What's the holistic landscape around how you're managing risk?
And that's been more of the forefront as opposed to how do we do more due diligence on the front end?
How do you manage the lifecycle of that product while you're using it?
Yeah, for sure.
I've seen that too. With other third -party programs around the Bay Area, a lot of people have that they didn't necessarily put in new processes.
It was more so a re-evaluation of what they currently have and maybe fine-tuning a little bit of what they were doing or putting more emphasis on a specific area.
What kind of areas have you seen become emphasized of late? Probably more so the implementation of the product itself and, honestly, the detection portion of it, ensuring that we're ingesting those logs and understanding what is normal behavior when users are using that third-party service provider or even what that service is offering.
Yeah, same. So I want to move away from security events and really talk about processes.
We've been working from home for over a year now, and I noticed it definitely has changed the way we work.
At Cloudflare, we evaluate our critical vendors on a periodic basis, and we used to visit these providers in person and perform an audit in person and had to move away to the virtual environment over the past year.
So now some of our providers will share their information through Zoom, where before they were never really open to that.
And even with some of our data center providers that we used to visit, we do so virtually through a tour or on a camera or actually through one of those pre-recorded videos.
I was wondering, have you seen any changes to third-party programs due to the pandemic?
Yeah. The lack of on-site visits or tours of certain facilities is certainly a big change in a lot of third -party programs.
And I've seen it drive a lot more virtual or self-service options, and so a lot more tools like Wistik, where you can...
It's both for the vendor side, but also I've seen customers put out documentation in public profiles or in private profiles that they can invite you to, and just being a lot more open about sharing things kind of online with folks.
So I definitely agree with you there.
I've also seen and heard of a lot more emphasis on business continuity practices, disaster recovery practices.
With the pandemic, people are thinking about those topics a lot more, not necessarily that they didn't think about them before, but it's certainly top of mind for folks.
So I see a lot more emphasis on talking about redundancy, both in the workforce and in the technology.
Yeah, I definitely have seen that too, because you want to ensure that these providers that you bring, especially if it's a critical provider, that they're available.
If everybody in the company is using this thing, they want to ensure that it could be up and running especially if it's critical, especially if they're relying on it for one of their key processes.
How do you get the business to understand security risks when sometimes they just want to buy a solution to meet a goal or an objective that they have, or really to sometimes just solve one particular issue?
Yeah, this is an interesting one, and it 100% depends on the person that you're working with within a company.
I find some people, you say, this poses a bigger security risk to us, and they're like, you know what, we'll take a look at another vendor.
The conversation just stops right there, and then everyone moves along and comes to a better solution.
On the opposite side, security isn't everyone's job, and it's not something that's top of mind for everybody all the time.
Certainly seeing the other side where someone is a little bit more resistant, this is the product, it meets all of our requirements, doesn't matter if it's not up to par on the security side, doesn't matter what kind of data we're sending them, doesn't matter what kind of overly-permissioned integration we've set up with them.
Those conversations do become a bit harder. One of the things that I've seen be successful there is leveraging a security policy exception process where, okay, if you really need this vendor, we don't particularly enjoy it from a security side, but there's a process that we can follow to get this approved, and it's your VP, SVP, CIO, CTO, et cetera, has to approve it.
You need to explain why you want to purchase this vendor. We need to explain why they don't meet our security requirements and what risk that poses to the business, and whoever that senior person is needs to approve that.
That a lot of times changes the conversation.
They don't need to be brought into this. That's fine.
We'll look at a different thing. Or maybe this is really a good tool, and we do need to accept the risk.
It's not ideal from a security side, but it brings so much value to whatever group is trying to purchase it that it's worth it.
We've had a lot of conversations around, you know, when I was with Twilio, they grew a lot, and Okta is still in kind of a high-growth phase as well as Cloudflare.
The risk profile changes a lot as the company grows, and so when you're early, early stages, a lot of times the vendors, you know, the company is just willing to take a lot more risk to move really quickly, which is fine as long as everyone's kind of acknowledging what that looks like and where we sit, and then over time as a company grows, becomes stabler, the emphasis is more on stability and less on breakneck speed growth.
The acceptance kind of changes a bit, and people are willing to take less risks around that, and that's just a normal growth phase, I think.
Yeah, I definitely, I definitely agree, and I've seen that at other companies as well, where they do accept a little bit more risk because they want to move faster as they're in the growth period, and that tends to stabilize as they mature and tend to take less risks as well.
We see that with our customers when they evaluate us as a provider as well.
Yeah, yeah, I'm sure you see a lot of different variances from your customers on, you know, what the big banks require and what the startups require.
Yeah, exactly. So most third-party programs tend to focus on the third-party security and compliance posture, but they kind of sometimes tend to leave out important elements, like once a service is purchased, how do you actually implement it securely?
How do you review any integrations or add-ons that you can add on to the application itself or platform?
And if you decide to off-board, like people don't think about what that process actually looks like.
So I was just wondering if, Ari, is this something that you have seen as well, and are there any other blind spots companies should consider as they're building or retiring their programs?
Yeah, it's a good question, and this is, this is an area that I think is done piecemeal at a lot of companies, or at least a lot of companies that I've seen, and yeah, the blind spots.
Okay, so yeah, so a third-party security program, and we had talked about a little bit about this when we had talked about security breaches just a few minutes ago, but, you know, you have your onboarding program, and one of the, it's really important to kind of have an understanding of where the handoffs are, because, you know, your vendor security team is not necessarily going to be the one that, that handles security for a vendor throughout the entire life cycle of that vendor, or that consulting company, you know, time with, with your company, and so getting a good process in place is super important.
I think that, that in and of itself can be a blind spot that some people don't think about until, you know, all of the pieces are haphazardly working together, and, you know, one handoff drops, and it kind of brings to light the fact that, that there's not a very solid process around managing a vendor for the entirety of its life cycle.
So that's blind spot number one.
Blind spot number two that I think, I think people understand and know is out there, but I rarely see done well is really that, that monitoring and response piece that you had mentioned, and making sure that we're pulling the right logs, that we have the right alerts set up for all of our third -party vendors.
I think there's, there's often a lot of emphasis, probably rightfully, on our internal systems and the logging and monitoring that we're doing there, but, you know, SaaS apps that are used for key business processes are sometimes lost in the mix.
Yeah, I definitely see that too. Speaking of blind spots, I, I, I know we were talking about this before when we, when we met.
How far, how far down the rabbit hole should you evaluate vendors?
Should, I mean, do you think we should evaluate vendors and their vendors, and then those vendors' vendors as well?
Like, you know, it kind of goes, you can, you can actually dig super deep into this rabbit hole.
What is your guidance, and what have you seen companies do?
Yeah, 100%. This is actually, this is something that I think started popping up in the banking space around looking at fourth-party vendors and really looking at the ecosystem.
I've always thought it's a super interesting topic because the, so your third parties will, will pose certain security risks, but your fourth parties, your fifth parties, your sixth parties can occasionally pose equally, if not more risk that, that you don't necessarily have line of sight on.
That being said, I think rabbit hole is, is the right word to use here because once you open Pandora's box, you know, how far down do you go?
How far into it do you go? For programs that, that I've run or worked on, a lot of times third parties is kind of where the line is drawn.
That being said, I think there's a really important aspect to looking at your third parties, third party programs to make sure that they're evaluating vendors correctly and have the right mindset, have at least a similar mindset that you do on what requirements third parties are being held to, how often they're being assessed, what kind of continuity practices are in place.
So I think that's incredibly important.
I also, one of the other reasons that I think the line should be drawn really at third parties is particularly in the Bay Area and we both work, you know, in tech, I feel like, you know, there's this whole, all the tech companies all use each other.
And so everyone's at each other's third parties, fourth parties, fifth parties, and you end up looking at really this, this really large ecosystem where it's really kind of circular.
And so, you know, at the end of the day, if you really wanted to, to manage 100% of your risk with no thought for return on investment, you know, you might be looking at, at, gosh, I don't know.
I don't even want to put a number on it because I'm thinking about how many vendors, you know, Twitter uses, Opti uses, a lot of my clients used to use when I worked for Deloitte, and then how many vendors, each of those must use it.
And, and, you know, the number becomes really, really big, really quickly.
And so, you know, when we look at ROI on, on just operating a third party security program and where you're going to manage the most risk easily, I think third parties is where you're going to get the best bang for your buck.
Although certainly, you know, all those other companies, like I said, it would potentially pose a risk to your company as well.
Yeah, I definitely agree. I would also stop the line at like just the third party and ask and determine whether they, the third party has like a solid third party risk program or vendor risk program of their own and to ensure that that flows down to all of their, their, their subprocessors or vendors as well.
And hopefully they flow it down. Yeah. How do you, I suppose a lot of the ways that, that I've seen kind of that flow down work is in contractual obligations.
And, you know, here's, here are the things that we want you to, to obligate yourselves to do with your third parties and how we'd like to think about them and the standard that we'd like you to hold.
And so that's always been both during the assessment, but also really the contractual negotiations as well, trying to use both of those to ensure that you're on the same page with a vendor.
Yeah. Yeah. I mean, we we've done the same. We've had like a really, we do have a really similar approach as well.
Speaking of like approaches, I have been thinking recently about just like streamlining vendor reviews.
So I know the way that your team performs reviews is probably very similar to the way my team performs reviews.
And there should, I honestly think there should be a way for us to share this information.
I've seen organizations like the Vendor Security Alliance and Cloud Security Alliance attempt to drive efficiency to evaluate vendors.
And I've also seen that, I think you, you mentioned this before, companies, companies like Wistik or Security Scorecard, where if you do purchase their platform, you get access to the vendor rankings or vendor data, basically.
Do you think we'll ever get to a place where we have like a unified way of evaluating third parties?
Like that is like my dream. I hope like one day we're able to do so.
Yes. You and I have a similar dream. Yeah, I think, and we talked about this, I think last week or a couple of weeks ago when we had last chatted, I think vendor security is the most inefficient security discipline in all of security.
You know, everyone's doing very similar reviews. They're all looking for similar evidence.
They all have teams that go out and do all this work.
And a lot of it is incredibly redundant. And you had mentioned a couple of companies that had done that.
And I'll add the one that the bank, there's like four or five banks that put together a consortium to kind of share information after their regulators had said, had given them the thumbs up on that called TrueSight, which I think does the same thing where it kind of consolidates all the different audits and evidence that's collected from third parties and they share it throughout the five of them.
Do I think we'll ever get there? I'm not sure. I would very, I would really like it to happen.
I think a lot of the models out there don't make particularly, they don't make economical sense for smaller companies.
It's hard to pay the fees per vendor. If you're looking at a number of vendors and at the end of the day, it's really a volume game.
Can you get enough information on enough companies to kind of pull the tide of third party programs into your platform?
So I would love this. I don't see it happening anytime soon, but I think it makes a ton of sense.
Yeah. I think it's, there's obviously some difficulties with it.
One, it would probably have to be like a free platform of some sort.
Second, it would, how do we ensure that people are sending the most up -to-date information?
Yep. That way companies are able to rely on it, but hopefully one day we're able to get there.
One day. I think that would be fantastic. Okay.
I think we only have three minutes left, so I'll keep, I'll have one more question for you.
Yes. And it's related to something I saw recently on our Slack group.
So someone asked a general question this week around metrics to leadership and to the board.
And for us, as it relates to third party risks, I've typically seen metrics like how many vendors were reviewed per quarter or what are our total number of high risk vendors?
Or like what is the total number of vendors per year? And they'll do like a comparison year after year or quarter after quarter.
Any other metrics you think would be valuable when talking or reviewing third party risks with management or the leadership team?
Yeah. So I think one of the ones that you mentioned is one of my favorites, the new high risk vendors or tier one vendors, however, you're kind of bucketing.
But yeah, who's new in the ecosystem that people should be aware of that management should understand how we're using this tool or how we're using this company.
The other one, there are two other ones that I like to talk about and one's a little bit harder to pull than the other.
The other one, so one of them is any type of issues that are found in due diligence that are out of SLA.
So oftentimes when you look at a new vendor, they'll have some issues that you'll find where there's differences in what your expectations are and what the company is delivering.
You'll agree that they fix it in six months or so.
And then tracking against that six month deadline and making sure that they're kind of following up on their commitments.
So anything that's out of those SLAs is important to think about.
And then if it's possible, like I said, this one's a bit harder to track, but it is always, I've had many conversations about it with folks.
And so it is something that people are interested in. Any kind of liability issues that you might have with your vendors regarding security risk.
And so that comes down to a lot of contract negotiations and being able to track commitments in contracts.
How much liability are you signing up for? Do you have caps?
What kind of, this is not necessarily related to liability, but what kind of notification requirements are they agreeing to?
And just kind of making sure that you're covered if something does happen and being able to track against that.
Yeah. And I don't think a lot of companies do that to track. And it's really, really hard to.
Yeah, but that is actually a good way. That would be a good metric.
So we're about time. And I want to thank you again, Ari, for taking this time this morning to talk about all things like third-party risks.
Thank you everyone for tuning in to Cloud Fire TV and have a good weekend.
Thank you. Thanks everyone. Thanks.