
Evidence of Learning #3

Date: February 28th, 2020

Subject: Third-Party Risk Assessment

Analysis:
On Thursday, February 27th, I attended my second North Texas Cybersecurity group
meeting. This month, the topic of discussion was third-party risk assessment. The CISO of Fossil
Group, the popular watch company, gave the presentation. Mr. Ray discussed the lack of risk
assessment in organizations, stating that risk continues to increase for business
partners/vendors and yet there is no coherent process to identify and analyze such risks.
These types of risks include data breaches, ransomware, regulatory non-compliance, downtime
and even outages. After describing these threats, Mr. Ray proceeded to discuss the optimal
analysis method for such risks. He emphasized that a successful program requires identification,
analysis of risk factors, and most importantly, a ranking system for the threat level of each risk. A
ranking system is essential, as it shows professionals which risks to address first in order to
minimize the security hazards for the business. Lastly, Mr. Ray discussed the difficulty of
working with external vendors, specifically for risk assessment. He described the legal
procedures the program provider has to follow in order to ensure that the vendor works in
conjunction with the provider to upgrade its own security. Surprisingly, there have been many
cases of “vendor abuse”, where the vendor purposely creates risks in its own system in order to
commit cybersecurity insurance fraud. For the remainder of his presentation, Mr. Ray reminded
the audience of the importance of ensuring there are no legal loopholes in vendor agreements.
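The identification, analysis and ranking steps described above, as an added example that is not Mr. Ray's program or Fossil Group's tooling: a small vendor risk register that scores each vendor per threat category (likelihood times impact), scales the total by how much of the organization's data and network the vendor can reach, and sorts the result so that the top of the list is what gets worked first. The vendors, weights and factor values are constructed assumptions, not real assessment data.

```python
"""Rank third-party vendors by risk so the highest-scoring ones are addressed first.

Added example (not Mr. Ray's program or Fossil Group's tooling). The threat
categories are the ones named in the talk; the vendors, weights and factor
values below are constructed for illustration and are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Threat categories from the talk, each with an assumed impact weight on a 1-5 scale.
THREAT_WEIGHTS: Dict[str, int] = {
    "data_breach": 5,
    "ransomware": 4,
    "regulatory_noncompliance": 4,
    "downtime": 3,
    "outage": 2,
}


@dataclass
class Vendor:
    name: str
    # Identification step: what the vendor can touch (assumed attributes).
    handles_pii: bool
    network_access: bool
    past_breaches: int
    compliance_attested: bool  # e.g. a current SOC 2 / ISO 27001 attestation was provided
    # Analysis step: assessor's likelihood per threat on a 1-5 scale (assumed inputs).
    likelihood: Dict[str, int] = field(default_factory=dict)


def exposure_multiplier(v: Vendor) -> float:
    """Scale risk by how much of our data/network the vendor is exposed to."""
    m = 1.0
    if v.handles_pii:
        m += 0.5
    if v.network_access:
        m += 0.5
    if not v.compliance_attested:
        m += 0.25
    m += 0.25 * min(v.past_breaches, 3)  # capped so breach history cannot dominate
    return m


def risk_score(v: Vendor) -> float:
    """Sum of likelihood x impact over every threat category, scaled by exposure.

    A missing likelihood defaults to 1 (lowest); an out-of-range value is an
    assessor error and is rejected rather than silently clamped.
    """
    inherent = 0.0
    for threat, weight in THREAT_WEIGHTS.items():
        likelihood = v.likelihood.get(threat, 1)
        if not 1 <= likelihood <= 5:
            raise ValueError(f"{v.name}: likelihood for {threat} must be 1-5")
        inherent += likelihood * weight
    return round(inherent * exposure_multiplier(v), 2)


def rank_vendors(vendors: List[Vendor]) -> List[Tuple[str, float]]:
    """Ranking step: highest score first, ties broken by name for stable output."""
    scored = [(v.name, risk_score(v)) for v in vendors]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample vendors (assumed data).
SAMPLE_VENDORS: List[Vendor] = [
    Vendor("Payroll SaaS", handles_pii=True, network_access=False, past_breaches=1,
           compliance_attested=True,
           likelihood={"data_breach": 3, "ransomware": 2, "regulatory_noncompliance": 2,
                       "downtime": 2, "outage": 1}),
    Vendor("Office Cleaning", handles_pii=False, network_access=False, past_breaches=0,
           compliance_attested=False,
           likelihood={"data_breach": 1, "ransomware": 1, "regulatory_noncompliance": 1,
                       "downtime": 1, "outage": 1}),
    Vendor("MSP (remote admin)", handles_pii=True, network_access=True, past_breaches=0,
           compliance_attested=False,
           likelihood={"data_breach": 3, "ransomware": 4, "regulatory_noncompliance": 2,
                       "downtime": 3, "outage": 3}),
]

if __name__ == "__main__":
    for name, score in rank_vendors(SAMPLE_VENDORS):
        print(f"{score:7.2f}  {name}")
```

The ordering is only as defensible as the weights and exposure factors, so those have to be agreed with the business and written into the program before any vendor is scored; otherwise the ranking is arbitrary and the "address this first" decision cannot be justified to the vendor or to an auditor.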

This discussion of third-party risk assessment definitely works well with Risk-Based
Alerting (RBA), the topic of last month’s group meeting. The program Mr. Ray was discussing,
in terms of gauging the threat of each risk, is essentially RBA. However, Mr. Ray focused his
presentation on both the program and vendor compliance, which is commonly
overlooked within the industry. Furthermore, Mr. Ray emphasized the importance of
collaboration between the vendor and provider, as the implementation of such a program requires
transparency between both parties; security is a common insecurity for businesses to discuss
because of the impact it can have on their business if such information were to go public.
However, if the business fully discloses its security infrastructure and its weaknesses, e.g.
past data breaches, providers like Mr. Ray and his company can better utilize the program to
diagnose and solve the weaknesses within the vendor’s security infrastructure. For these reasons,
Mr. Ray emphasized the necessity of vendor and provider fluency, as this will ensure both
partners benefit from this relationship in the long run.
After the presentation was over, I was given the opportunity to network with other
professionals. At this point, I was very interested in talking to a recruiter who was offering a
summer internship. Unfortunately, as soon as the presentation ended, she began talking to
another professional. This made me very uneasy about approaching the recruiter, as I felt it was
disrespectful to interrupt her conversation. This was a mistake, as she swiftly departed as soon as
she was done with her conversation. This taught me the importance of taking advantage of the
networking opportunity I was given, as by not utilizing this opportunity, I lost another
opportunity to advance my position in the cybersecurity field.

After this, I decided to introduce myself to other professionals. One professional, who preferred
to be called Sheldon, introduced me to Hashcat. This is essentially a password decrypter in
Kali Linux. I quickly realized the relevance of Hashcat to my original work, as by using this
industry-standard decrypter, I can test the effectiveness of my application. In other words, I can
utilize Hashcat to prove the usefulness of my application in terms of end-user security.
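What a Hashcat-style test of an application's password storage actually measures, as an added example that is not Hashcat itself and not the author's application: Hashcat does not decrypt anything, it guesses candidate passwords, hashes each one exactly the way the application does, and compares the result with the stored hashes. The Python below reproduces that straight dictionary attack (Hashcat's `-a 0` mode) against a constructed user table under two storage schemes, so the reader can see which part of the result is about the hashing scheme and which part is about the users' passwords. The wordlist, credentials and salts are constructed assumptions.

```python
"""Offline dictionary attack against stored password hashes, the test Hashcat automates.

Added example, not Hashcat and not the author's application. A cracker never
decrypts a hash: it guesses candidates, hashes each the way the application does,
and compares. The credential store, salts and wordlist are constructed (assumptions).
"""
import hashlib
import os
from typing import Callable, Dict, List, Optional, Tuple

HashFn = Callable[[str, bytes], bytes]

# Constructed wordlist (assumption); a real run uses a leaked-password list.
WORDLIST: List[str] = ["123456", "password", "letmein", "fossil2020", "Summer2019!", "qwerty"]

# Constructed credentials (assumption). carol's password is not in the wordlist.
CREDS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "Summer2019!"),
    ("carol", "Xk9#vL2$pQ7!"),
]


def md5_unsalted(password: str, salt: bytes) -> bytes:
    """Legacy scheme: salt ignored, one fast hash per guess (what hashcat -m 0 targets)."""
    return hashlib.md5(password.encode()).digest()


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    """Salted, iterated scheme: each guess costs 100k rounds and is bound to one salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(hash_fn: HashFn, creds: List[Tuple[str, str]],
               salted: bool) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate the application's user table: user -> (salt, stored hash)."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in creds:
        salt = os.urandom(16) if salted else b""
        store[user] = (salt, hash_fn(pw, salt))
    return store


def crack(store: Dict[str, Tuple[bytes, bytes]], hash_fn: HashFn,
          wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Straight-mode dictionary attack (hashcat -a 0).

    Returns the recovered password per user (None if not found) and the number of
    hash computations spent. With one shared (empty) salt, a single computation per
    candidate is compared against every user's hash at once; per-user salts force a
    computation per candidate per salt, which is exactly what salting buys.
    """
    found: Dict[str, Optional[str]] = {user: None for user in store}
    salts = {salt for salt, _ in store.values()}
    work = 0
    for candidate in wordlist:
        for salt in salts:
            digest = hash_fn(candidate, salt)
            work += 1
            for user, (user_salt, stored) in store.items():
                if user_salt == salt and stored == digest:
                    found[user] = candidate
    return found, work


def compare_schemes() -> Dict[str, Tuple[Dict[str, Optional[str]], int]]:
    """Run the same wordlist against both schemes; return (recovered, work) per scheme."""
    results: Dict[str, Tuple[Dict[str, Optional[str]], int]] = {}
    for label, hash_fn, salted in (("md5_unsalted", md5_unsalted, False),
                                   ("pbkdf2_salted", pbkdf2_salted, True)):
        store = make_store(hash_fn, CREDS, salted)
        results[label] = crack(store, hash_fn, WORDLIST)
    return results


if __name__ == "__main__":
    for label, (found, work) in compare_schemes().items():
        print(f"{label}: {work} hash computations, recovered {found}")
```

Both schemes give up alice's and bob's passwords, because they are in the wordlist; only carol's survives. That is the point of running a cracker against your own application: it exposes the password policy as much as the hashing scheme. Salting multiplies the attacker's work by the number of distinct salts, and the iteration count multiplies the cost of each guess, but neither saves a password that is on the list. Against a real export of raw MD5 hashes the equivalent Hashcat invocation is `hashcat -a 0 -m 0 hashes.txt wordlist.txt`.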

Overall, this group meeting was extremely informative. I was able to learn about third-party
risk assessment, which not only helped me advance my understanding of risk assessment
but also helped me better understand RBA, the presentation topic from last month’s meeting.
Unfortunately, I did not take full advantage of the networking opportunity I was given, but I was
still able to gain insight regarding my original work, insight that will prove my original work’s
efficiency. I look forward to continuing to attend these monthly meetings.
