Last Monday (9/30), at the LS-ISAO Annual Member Gathering, we had the privilege of helping organize a panel on the importance of a legal-specific set of controls for managing your third-party risk management program. The session, “Creating an Industry Standard – A Collaborative Approach to Vendor Risk”, was moderated by Gary Brickhouse, VP, GRC Services at Guidepoint. The panelists included Jon Washburn, CISO, Stoel Rives; Katie Clare, CISO, Paul Hastings; Jeremy Phelps, Director – Information Security, Akin Gump; and Anders Norremo, CEO of ThirdPartyTrust.
The discussion was thought-provoking, driving home the point that there is a huge need for an industry-standard set of controls.
Katie Clare expressed this thought in response to a question about dealing with vendor pushback: “Creating a community-based standard is imperative and helps enforce our rising expectations to our vendors.”
In response, Jeremy Phelps added, regarding the introduction of a new set of legal-specific controls, “It starts with getting buy-in from the top and that trickles down throughout the firm.” He also stated that “you need to get out the controls to your third parties early, don’t try to be sneaky, we find it works best to send them over with our NDA.”
Jon Washburn then brought up a great point about some of the biggest challenges we are facing in the industry. He claimed that “we need our third parties to share in the responsibilities of their information security and not have such a huge reliance on their cloud vendors (AWS, Azure, etc.).”
Finally, Anders summed up the spirit of the collaborative process behind the controls document and why ThirdPartyTrust has the relationship it does with the LS-ISAO: “There is a moral imperative to help the have-nots, that is why we give access to our platform free to all LS-ISAO members.”
We are looking to continue the conversation, so please let us know if you are interested in participating in a future online panel.