From Chaos to Order – a NewPush Special Event

**Over the years NewPush has organized a series of online conferences which featured some of the leading minds of our industry. The latest such event took place on 31 March and was centered around the idea of disruptive innovation in cybersecurity.**
Our industry has been in a state of intense growth and change for close to two years now and the innovation and increasing threat levels continue to both exceed expectations and upend established industry practices. In keeping with this trend, our event focused on bringing our audience up to date with the trends we’ll all be talking about over the year.
How are you controlling your third parties?
*"Beyond managing threat factors related to a company’s own systems, as interconnected enterprises, we also have to consider what risks might come through our trusted partners. The goal of TPRM is to provide organizations with a clear understanding of the tools their suppliers and partners use, and what safeguards they have in place. The scope of TPRM in different fields can vary widely, still, some best practices are universally applicable."* —Mark Johnson
We started the event with Mark Johnson, Senior Principal at Ernst & Young, someone who has extensive experience in Audit, Security, Governance, Risk, and Compliance matters. Mark shared his considerable insight on Third-party Risk Management in a high-level overview of the processes, stakeholders, functions, and benefits of TPRM programs.
According to Mark, more and more companies realize the importance of TPRM programs, especially now that a number of outside and inside influences are conspiring to drive increased focus and investment into the area. Major outside motivators include governments and the evolving regulatory landscape, which make even private companies accountable for the subcontractors in their supply chain; consumer concerns for sustainability; and major global disruptors such as the recent pandemic or political unrest in previously stable countries. Furthermore, companies are recognizing internal risk drivers, including audit findings, the impact of data breaches, and complex organizational infrastructures. A holistic approach to risk management allows companies to mitigate, or at least better understand, the pitfalls that may disrupt their business. As a result, board involvement in TPRM has increased, and the many benefits of comprehensive programs, such as increased buying power, improved resiliency posture, and increased business agility, have been revealed.
Mark really drove home the importance of understanding the risks involved in dealing with third parties up and down a company’s supply chain. Risks will be present, and mapping them is only the first step towards mitigation, where it’s possible. He laid out a reliable TPRM framework that combined the numerous third parties that should be assessed, the risks that they might bring, and the program itself from planning through onboarding to monitoring and possible termination. These programs rely heavily on structured policies, feedback cycles, risk models, and even automation to reveal patterns and trends.
The challenge of complexity: losing the plot
*"Many security efforts amount to doing what’s expected and maintaining plausible deniability in the face of attack, ultimately missing the point. Organizations transform both user experience and protections when they revisit the core of security."* —Steve Hultquist
The second speaker was Steve Hultquist, Senior Principal at Apple Alliance and self-described Security Geek, who opened up a new perspective on security, one that focuses on what end users really need from their security systems, and what those systems are really meant to do. Steve has been involved in various tech ventures for 40 years, and in his presentation he set out to remind us what we’re doing and why we’re doing it.
According to Steve, we need an end-user-focused approach to security; we need to make sure that users get whatever they need to do their jobs. IT’s job is to enable and get out of the way. He argued forcefully that those of us responsible for security have lost our way, and have confused the increasing complexity of systems with increasing security. Instead of thinking about why we need security tools, we tend to think that going down a list of security tools will get us to our goal.
Securing endpoints tends to amount to a host of software products that we assume will do their jobs, while, in reality, they merely make it harder for end users to do their jobs, and serve more to avoid having to take responsibility for the eventual breach—rather than actually preventing those breaches. This approach is user-antagonistic and counterproductive, as many of those tools are based on a model that’s 30 years out of date. Today, no single malware remains unchanged for more than 24 hours.
How do we proceed then? Steve evoked the memory of legendary American football coach, Vince Lombardi who, even when coaching professional players, would often start training sessions by holding up a football and reminding everyone, “Gentlemen, this is a football.” Perhaps we can benefit from his example and ask, “What is security?”
Steve went on to argue that complexity has come to take the place of security; but in reality, complexity actually obscures mistakes and moves systems further from their original intended purpose—so make things as simple as you can! He used the example of remote work to support his thesis. In the last two years, organizations moved to work-from-home much faster than they wanted to, and now have much less control over their endpoints than they used to. As it turns out, this didn’t impact their security, because they focussed their efforts on what actually needed to be protected: their core data.
So protect your data in ways that don’t impede those who need, and are authorized, to access it. Users will find the path of least friction to access data—make that path the secure one.
Wrapping up
The event ended with a roundtable discussion where our speakers were joined by NewPush CTO Balázs Nagy to discuss their talks, and to answer audience questions.
We are grateful to our speakers, who took the time to present their insights, and to our audience for joining us and participating in the discussion in a meaningful way. We hope that all involved have come away having learnt something valuable, and we will endeavor to bring you more, similarly fascinating presentations in future events.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.