Vendor Risk Management 10 Years Later... Are We Any Better?
Joey Johnson, CISO, Premise Health
Premise Health At a Glance
• 275+ organizations
• 600+ wellness centers
• 5,500+ team members
• 91 Net Promoter Score
• 95th percentile HEDIS
• 27% claims-based savings

Vision/Mission/Values
• Our Mission: To help people get, stay and be well.
• Our Vision: To be the premier direct healthcare access company in the world. Providing high-quality and efficient care, focusing on health improvement and an exceptional member and client experience.
• Our Values: Dedicated. Proactive. Primary. Comprehensive. Aligned. Courageous. Engaged. Innovative. Accountable. Quality-Focused. Respectful. Ethical.
One Integrated Choice
• Clients and Members
• Direct Primary Access: Primary Care, Occupational Health, Pharmacy, Fitness, Women's Health, Behavioral Health, Laboratory, Radiology, Lifestyle Medicine, Physical Therapy, Occupational Therapy, Dental, Vision, Wellness Coaching, Biometric Screening, Nutrition Services, Integrative Medicine
• Platform Access: Member Health Management, Mobile, Manage Members, Manage Premise Providers, Manage Downstream Care
• Delivery models: Nearsite, Onsite, Virtual
Pricing and Performance
• Client Sectors: Oil, Gas, Energy; Defense; Technology; Financial Services; Manufacturing, Retail, Entertainment; Healthcare; Higher Education
• Data: Entire client employee PII; generated PHI; VIP medical records; medical claims data; intellectual property
• Risk Scenarios: Varied vendors per program; reliance on SMB niche vendors; high vendor barrier to entry; low client risk tolerance; high client visibility; (perceived) 'gateway' to client
• Contracts & Auditing: Legal requirements exceed compliance; constantly audited; constantly auditing; audited on how we audit
1 Includes pharmacy, pre-packaged dispensing, mail order pharmacy
Industry TPRM Wins
• Enhanced business-level VISIBILITY and AWARENESS of our threat landscape
• Movement towards industry-aligned assessment approaches
• Security aligned more strategically with the business
• Appropriate risk focus for an outsourced and 'cloud first' world
Premise Health TPRM Business Transformation
• Reduction of redundant vendors. Efficiencies and leverage to:
  • Procurement: Purchasing leverage and relationship development
  • Legal: Contract management and negotiation reduction
  • Finance: Cost control, transparency, and cashflow predictability
  • IT & Support: Reduced technology footprint
  • Operations: Tighter alignment to vendor delivery, and roadmap influence
• Align Security With Overall Business Operations
  • Growth department as a key stakeholder
  • Legal | Procurement | Security 'catch all' triad
  • Drive business efficiencies in complex models (data extracts, PCI models); standardization opportunities (radiology, dental, fitness)
• Inter-departmental Governance Committee (EDGE)
  • Assembles key stakeholders to address 'Should we do this?' BEFORE it hits Security
  • Prior to this, things got 'stuck in Security'
Industry TPRM Misses
• 'Standard assessment' frameworks rarely adhered to
• Required accreditations not singularly trusted
• Large organizations run disparate, non-cohesive, overlapping assessments
• Depth of scope (4th, 5th, 6th parties) producing diminishing returns
• Crushing SMB vendors with VRA volume
• VRA process generates distrust and reticence, not partnership
SMB Partnership Challenge
Just... lacking...
• Lack the documentation artifacts a risk assessment relies on
• Lack understanding of the security risk problem
• Lack resources to fund security technology spend
• Lack security personnel and expertise
• Lack resources to implement and maintain remediation (perceived)
BUT STILL... we really need them!!
Traditional VRM Model
Assessor Challenges
• Lengthy assessment process
• Heavy internal resource demand
• Findings lack context
• Rigid recommendations
• Qualitative risk reduction difficult to measure
Vendor Challenges
• Arduous to complete
• Subjective in response
• Little value to vendor
• Encourages 'fringe' honesty
• Introduces unclear timeline contingencies
• FEAR OF LOST BUSINESS
Assessment Approach
• Risk assessment survey (BITS SIG, etc.)
• Review findings, assign risk scoring
• Define remediation approaches and timelines
Establish Trust, Create Partners
Trust Relationship -> Identify Risk -> Deliver Solutions -> Overall Risk Reduction
• Talk to humans, not spreadsheets
• Understand their position and challenges
• You're BIASED... to find risk... AND to help resolve it
• Goal is partner MATURITY
• Be consultative...
• Work to solve a COLLECTIVE challenge
• You've got the skill and expertise... so share it!!
• Partner can't be afraid to openly share risk
Vendors sell 'stuff'... PARTNERS are fundamental to success!!
Partner Maturity Modeling
• Not for all vendors
• Focus on critical SMBs
• One tool in a larger toolbox
• More art than science
Standard Remediation Timeline
• Commencing risk reduction: 2.5 months
• Ready for data exchange: 5.5 months
• Reach business goal: 6+ months
"Sometimes all it takes is a tiny shift of perspective to see something familiar in a totally new light." - Dan Brown
Shift Internal Resource Allocation
Determine Partner RoI
• Opportunity cost
• Time-to-market impact
• Revenue and margin realization
Leverage Internal Assets
• Security personnel as part of the business solution
• Deliver technical SOLUTIONS
• Advise on the shortest-path resolution model
Reduce Long Tent Poles
• Control pen-test quality
• Remove vendor 'cost barriers' and delays
Multi-Tenant Tooling
• Subsidize the risk reduction
• It's YOUR risk
• It's YOUR profit model
Partner Maturity Modeling Timeline
• Commencing tangible risk reduction: Week 4
• New line of business revenue realization: Weeks 4-10
• 30-day remediation review: Week 7 (in the standard model, findings have only just been delivered at this point)
Partnership Outcomes
Change Focus: Weakness -> Strength
• SMBs are nimble
• Motivated to close actual risk quickly
• Working directly with risk stakeholders
• No time spent discovering what you already know!!
• Focus on HOW controls are used
Internal Resource Optimization
• Involve SMEs, save GRC generalists' time
• SMEs empowered by participation in the 'business solution'
Re-Align Time/Cost Investment Model
• Time/cost of providing solutions vs. evaluating them
• Nimble partner moves from corporate overhead cost to productivity quicker
Outsourcing = Loss of Context & Visibility
• Outsourced assessors do not understand your business intricacies
• Establish and retain partner trust and risk transparency
• Establish and retain partner model awareness