Confidential
The Guide to Managing the Security of Your SaaS and Cloud Providers
Why Manage Your Cloud and SaaS Providers
● Increase in Cloud apps
○ The average organization increased its usage of cloud services by 15% from last year.*
○ The amount of sensitive data shared in the cloud has increased 53% YoY.*
● Shadow IT
○ In 10 years, 90% of IT dollars will be spent outside of the IT organization.**
● Providers as a threat vector
○ 59% of organizations experienced a data breach caused by one of their third parties.***
● (Lots of) New Regulations
○ GDPR, NY DFS, NY-SHIELD, CCPA, Hawaii, Maryland, Massachusetts, Mississippi, Nevada, New Mexico, New Jersey, North Dakota, Rhode Island, Texas and Washington.
* Cloud Adoption and Risk Report, McAfee, 2019
** Three Benefits of Shadow IT - and How to Harness Them, ServerCentral
*** Data Risk in the Third-Party Ecosystem, Ponemon, Nov. 2018
Traditional Cyber Security Vendor Management
● One size fits all
● Questionnaires, anyone?
There MUST Be a Better Way
Polling Question: For cloud and SaaS providers that you assess, do you use questionnaires?
○ Yes
○ No
The Problems with Tradition
1. There’s no context to the questionnaires
2. You don’t have the resources to scale to demand
3. You don’t know the real security state of your providers on Day 1, let alone on Day 60.
4. The provider has a security gap… what do you do?
How Does the Provider See It?
The 10 excuses of providers
1. The dog ate my questionnaires
2. The font was too small
3. You sent it as a Google sheet? We restrict access to Drive.
4. It was sent as an attachment. Must’ve been filtered out.
5. The questionnaire never got to the right person
6. The questionnaire was too long
7. The questionnaire has nothing to do with my business
8. If I ignore, will you really not hire me?
9. I found an issue, what do we do?
10. Our technical manager went on vacation. Already a year ago.
It’s 2020 and You’re Still Using Manual Questionnaires.
Is Automation the Answer to All the Problems? NO!
1. You need context
2. You need visibility
3. No more provider excuses
Issue #1: You Need Context
Define the relationship - consider*:
● Business sponsors
● Which data is involved
● How the data flows
● What you’re using the data for
● Who will have access
● Do they use sub-contractors
* Defined by Ron Peled, former CISO, LivePerson, founder ProtectOps Security. For more info, see https://blog.panorays.com/context-in-your-third-party-security-process
Issue #2: You Need Visibility
● Analogy: If a restaurant has dirty windows, how clean do you think the kitchen will be?
● Combine questionnaires with external scanning for an in-depth read on the company’s cyber posture
● Effective tool for continuous monitoring
● Review on a policy-driven cadence
Polling Question: What kind of monitoring process do you have in place?
○ None
○ Repeat reviews
○ Vendor self-reporting
○ Scanning
Issue #3: You Need Your Providers to Stop Giving You Excuses
● Give context also to your suppliers
○ Make questionnaires as short and relevant as possible, based on the business relationship
● Give your suppliers an understandable, actionable remediation plan
Remediation Recommendations
Fair > Very Good
Fastest Impact: The supplier needs to remediate 2 critical findings:
● Make sure that an open external database is closed.
● Make sure that an open DNS zone transfer is closed.
Polling Question: How do you share findings with your providers?
○ We don’t share findings
○ We communicate on them via email
○ We communicate through a dedicated risk platform
Building Your Program
Step by Step to Building Your Program
1. Identify stakeholders
2. Define tiers for the provider portfolio
○ Inherent risk profile based on unique business relationship
○ Define the security policy for each tier
3. Define the standard of care for each tier
○ Review methodology
○ Frequency of repeat reviews
○ There’s an alert… what to do?
4. Focus on providers that don’t adhere to policy
○ Remediate?
○ Implement compensating internal controls?
○ Fire them?
The Effective & Comprehensive Program
Step by Step to a Comprehensive Program
1. Analysis
2. Engagement
3. Remediation
○ Vendor doesn’t respond -> Compensating controls on your end (for instance, less access, portal on your end)
4. Approval
5. Monitoring
○ Add KPIs, historical graphs and benchmarks: sell the benefits of your program internally
Summary
Case Study: Sell Your Program Internally
● Insurance company, assessing 200 providers.
● CISO built a provider security program:
○ Kickoff: align Board of Directors on the need for provider security management.
○ Each quarter: CISO leverages the Board meeting to include a dashboard on the state of provider cyber-security:
■ How many are critical
■ What is the risk
■ How to ensure providers increase security
■ Compensating controls to decrease risk
● The meeting also sets a bar for the organization’s own security posture.
● Self risk assessment leads to a discussion on budget and strategy that the Board is aligned to.
● The organization sees itself also as a provider and so boasts its own cyber posture to its business partners.
Automated Third-Party Security Lifecycle Management


Editor's Notes

  • #2: DEMI
  • #3: DOV. Bubble metaphor Hearing from people – privacy regs
  • #4: DOV
  • #5: DOV
  • #6: DOV
  • #7: DOV. Point #2: You’re one person and hundreds/ thousands of vendors
  • #8: DOV
  • #9: DOV
  • #10: DEMI
  • #11: DEMI
  • #12: DEMI - Business Sponsors have information you (the IT Risk pro) need in order to understand context
  • #13: DEMI. Tier vendors based on risk/criticality – drives the frequency (cadence) of re-reviews. Stay in touch with business sponsor – relationship might have changed!
  • #14: DOV
  • #15: DEMI
  • #16: DOV
  • #17: DEMI
  • #18: DOV
  • #19: DOV
  • #20: DOV
  • #21: DEMI
  • #22: CISO built a provider security program. Kickoff: align Board of Directors on the need for provider security management. Each quarter: CISO presents a 2-3 hour, 100-page deck on the security state of the organization; CISO leverages the meeting to present a dashboard on the state of provider cyber-security: how many are critical, what is the risk, how does the organization ensure the providers increase security, compensating controls to decrease risk. Sets a bar also to their own security posture, going above and beyond the rating threshold they set for the providers. Self risk assessment leads to a discussion on budget and strategy that the Board is aligned to. Organization sees themselves also as vendors and so boasts also on their own cyber posture beyond internal tests. DEMI
  • #23: DOV