Unpacking Third-Party Risk and AI with Alastair Parr
About This Episode
Today, we're diving deep into the intricate world of compliance and third-party risk management with none other than Alastair Parr, the Senior Vice President of Global Products & Services at Prevalent. We'll explore the 80/20 Rule in Compliance, the challenges organizations face with DORA reporting, and the pivotal role of data in effective compliance management. Alastair will share insights from his extensive background in auditing, emphasizing the importance of pragmatism and proportionality in risk assessments.
We'll also discuss the growing significance of AI in cybersecurity, including the cautious approach needed to manage data hallucinations and the importance of human validation. Plus, we'll delve into real-world scenarios, like the SolarWinds attack, that reshaped board-level discussions on operational resilience and vendor risk management.
Rachael Lyon:
Welcome to the To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of the To The Point podcast. I'm Rachael Lyon here with my co-host, Vince Spina. Vince, hi, sweetheart.
Vince Spina:
Good morning, Rachel.
Rachael Lyon:
You know, I'm so jealous of your world travels. You just got back from what, New Orleans, you're going to Dubai next week, and then you're off to Malaysia. How do I get on your travel schedule? I wanna boondoggle in some of these solutions.
Vince Spina:
Well, first of all, don't use that word because our boss will probably watch this podcast, and it's all very meaningful work. Now, you get a little bit of fun, but, you know, it's funny. People ask me that all the time. And I like to say I'm literally on my third passport because I've gone through all the pages. Oh, wow. And I tell people I've been everywhere, and I've seen nothing. What I tell people, when I talk about going somewhere, is I can tell you what a hotel looks like there. I can tell you what a sales office looks like, and I'm pretty conversant in the nicer restaurants.
Vince Spina:
But other than that, it's usually, you know, you're in, you're out. You do your work, you come home, and, you know, can't wait to get back to the family, to be honest.
Rachael Lyon:
Absolutely.
Vince Spina:
Absolutely. Not always as attractive as people think it might be.
Rachael Lyon:
Yeah. I know. Exactly. Right. And, you know, work at trade shows, those are really long days too.
Vince Spina:
Kind of. Yes. Exactly.
Rachael Lyon:
Running around. But, bring me back a souvenir. That's all I say. I will. Thank you.
Vince Spina:
I will.
Rachael Lyon:
So really excited to welcome this week's guest, Alastair Parr. He is senior vice president for global products and delivery at Prevalent, a company focused on taking the pain out of third-party risk management. How much do we love that? Alastair, welcome. Welcome.
Alastair Parr:
Thank you for having me. Lovely to be here.
Rachael Lyon:
Awesome. So, Vince, you wanna kick us off?
[01:50] The Importance of Third-Party Risk Management
Vince Spina:
Yeah. I will. So, again, welcome to the podcast, Alastair. And, you know, prior to our listeners joining, we were bantering a little bit with Alastair. And, you know, this is a subject that's becoming more and more prevalent. It wasn't in the past. So I probably just want to start, Alastair, around third-party risk management and maybe just get your insights as an expert on this. You know, why has third-party risk management become more of a critical concern in CISOs' minds today and companies' minds today? Why is that? And I probably would want to just follow on with your expertise on what are some of the more common vulnerabilities that organizations are facing today that they might not have seen, you know, in the past?
Alastair Parr:
Yeah. Of course. And before I answer, firstly, I want to thank you, Vince. You've warmed my heart by throwing in a Prevalent reference so soon already. So
Vince Spina:
Nice.
Alastair Parr:
That's something near and dear to mine.
Vince Spina:
So we didn't even cue that up.
Alastair Parr:
That's so
Vince Spina:
So I'll take that.
Alastair Parr:
Well planned. So yeah. Look. Most certainly. So it is certainly interesting when you look at third-party risk. When you think about the very nature of what it is, it's that people spend so much time internally assessing themselves as an organization, identifying potential deficiencies and threats, etcetera. And when they're doing so, they're doing so armed with the capabilities of the organization to hand. So they're able to use their audit teams, their compliance teams internally, and drive this internal narrative to say, hey.
Alastair Parr:
We need to get information on risk and vulnerabilities, and, you know, they have the appropriate stick to do so. Now, when you start looking externally, particularly in this interconnected world we're in nowadays, there are so many third parties, whether it's hosting providers, on-site providers even, of course, contractors, etcetera, all interacting with us and driving either revenue-generating operations or exposed to information which is understandably under some form of regulation, so things like personally identifiable information or health care information. So third-party risk is slowly getting more focus because people are realizing that they don't necessarily have the appropriate level of visibility into, a, who is actually exposed across their third-party estate, and how so, and, b, what are the mechanisms and controls that they've put in place to help protect them? They are an extended part of the org, so it's always very, very crucial to understand and bring them into the fold. So it's a long way of saying CISOs care, and they certainly need to care on the basis that they are really an extension of the organization. And once you've got your own house in order to a certain extent, you certainly need to start looking at the houses that are in your neighborhood as well. Absolutely.
[04:41] Strategies and Tools for Continuous Monitoring
Rachael Lyon:
Absolutely. Yeah. You know, we like to talk a lot in cybersecurity about how set it and forget it is not a strategy. And I think that very much applies, right, to third-party risk management. You know, once they're onboarded, that's not the end of the journey here. You know? So, for our listeners, you know, what strategies or tools are available to continuously monitor, and most importantly, manage third-party risks?
Alastair Parr:
Yeah. Absolutely agree with you, Rachael. So there are generally two aspects of the ways that people manage third parties. So one is the point-in-time assessments, and people sort of roll their eyes because we've all been exposed to them in some shape and form, whether it's RFPs or security due diligence assessments, that are always the same in some shape or form with minor variances, and people waste a lot of time doing it, but assessments are key to getting below the surface of the organization. And then there's, as you rightly touched on, the continuous aspects, so continuous monitoring. So it's ways of looking at things like the cyber posture of the third parties you deal with, doing things like passive vulnerability scans, looking at dark web traffic, phishing spikes and trends, as well as looking at their actual operations. So is there any news related to acquisitions, service line changes, geography changes? All of that information is critical to help understand what's happening to the third party, at least from my perspective. I'd certainly touch on a point I think you mentioned there, Vince, which is some of the most common vulnerabilities.
Alastair Parr:
And I think that ties back to what you mentioned there, Rachael.
Rachael Lyon:
Yeah.
Alastair Parr:
Is that rather than pick a specific risk domain, I would say one of the most common issues is the evolution of companies over time. So as people start changing year on year, as orgs tend to do, people are generally looking at static, stale data from 12, 24 months ago, the start of a contract, and then getting a false sense of comfort in what that third party is doing and how they're doing it. So that awareness and exposure, that continuous exposure, I'd say is probably one of the most common issues related to the space.
Vince Spina:
Yeah. And Alastair, you talked about, you know, RFPs and things like that, and, you know, companies are outsourcing big portions of their business now. And it's, you know, very connected with a bunch of adjacent support. And while you were talking, I was thinking, prior to being on the vendor side, I've also been on the customer side. And I ran data centers and networking and things like that. And I can tell you there was a time where we actually got breached in our network, the actual brand that I worked for. And basically, what it was, it was that the bad guys had come through a thermostat, an IP-based, Internet-connected thermostat, and there was a black box on our network. We knew it was there.
Vince Spina:
We didn't manage it. We didn't do anything with it. But that's how the bad guys got in. And when I say a thermostat, this company was outsourced to make sure of the refrigeration of our products that needed to stay cold. They would monitor basically a temperature and make sure that, you know, that temperature was always in tolerance. And again, for us, you know, we thought we were pretty buttoned down, but here was a black box that was just, you know, on our network. And, you know, I like to tell the story. Like, they didn't come through the front door. They came through, you know, the thermostat.
[06:50] Real-World Examples and Incident Response
Vince Spina:
So really just setting up the question for when you're doing RFPs or you're vetting one of these vendors, how do you make sure that they have disaster recovery plans in place? That they have a strong incident response? Because in this case, they didn't know they had been breached. We found out we got breached. And then through the post-mortem, we had to work back through, like, how did that actually happen? What are your thoughts on that?
Alastair Parr:
That's an amazing story. And, yeah, certainly the Internet of Things has been a pain for lots of orgs I've spoken to over the years as well. I second that. Now, when you touch on things like operational resilience and security incident response, I always find that particularly interesting because a lot of people in the space do focus on the vulnerabilities and not necessarily the response process. You know, someone is gonna get in, invariably, at some point. In fact, at Prevalent, we do our own studies across the community, and I think in our most recent study, 61% of the community had experienced a third-party-related incident in the last 12 months, so the majority. So the topic of how do we manage resilience and at least get visibility of it is foundational really to what this is. And a good example I think I'm seeing is things like the ISO 27001 standard. You know, you look at section A.15 talking about supplier relationship management and operational security, A.16 for incident management. We need to establish in contracts at the very, very start of the process the obligations of the third parties to actually tell us these things. As much as we can go and look at the web and try and find information where it's been reported elsewhere, a lot of the cases may not be reported, and most vendors don't tend to tell you very much once they've got your money and they've signed the contract. So not having the teeth in that contract is probably one of the biggest mistakes I certainly see in the space.
Rachael Lyon:
And kinda coming back to what you were talking about, Vince. I mean, that is so unexpected. It's kind of like, what was that MGM breach where they got in through the fish tank or something like that. You know? So it kinda makes me wonder, you know, what are some of the unexpected, right, or lesser-known ways that third-party risk can manifest in an organization?
Alastair Parr:
I'll actually give you one anecdotal story, but before you answer that, Vince, because it's certainly an event I found very interesting back in my auditing days. So I was doing some work for a Japanese bank that actually had an international gang attempt to infiltrate them. And the way they did so was essentially using cleaning contracting staff. And internally, they were very robust with all of the appropriate controls you'd expect to see. But, of course, this subcontracted cleaning company wasn't applying the due diligence on the people that they were hiring. And it was a targeted attack by a criminal gang who managed to, over a series of a couple of months, put keyloggers on various traders' machines in the business. And eventually, over time, they reached the point where they were trying to wire, I think, about $250,000,000 worth of funds out over weekends, when on to the year, but it was at home. And they were so close to doing so, I think they were a couple of keystrokes away, when they didn't realize there was a timed response in the process because they weren't doing the day-to-day job. But we were talking minutes away from wiring out $215,000,000 to a
Vince Spina:
Wow.
Alastair Parr:
series of accounts that they'd never see again. And this is as simple as a cleaning company that you might otherwise take for granted, not even getting access to data centers.
[11:47] The Role of AI in Third-Party Risk Management
Vince Spina:
Interesting. Yeah. I don't have any other anecdote other than the one, but I can tell you when it happened, my daughter, who's in the cybersecurity space as well, wrote a dissertation, and her opening line to the dissertation in college was, the bad guys aren't coming through the doors or the windows, they're coming through the thermostats. And she got a really good grade. So, anyway, our bad fortune was good for her. Alastair, we would not have had a podcast over probably the last 12 months if we didn't talk about AI. So from, you know, an artificial intelligence perspective, you know, what role does that play in third-party risk management? And, you know, maybe compare and contrast. What do you see as the biggest benefits from it? But maybe also what, you know, are some of the bigger concerns?
Alastair Parr:
It's a good question. And I'm sure there are many people listening who cringe slightly when they hear the word AI. I know it's certainly overused in many ways these days. But for us, it's interesting in the sense that third-party risk is so much about trying to find the needles in the haystack because you're dealing with thousands, tens of thousands, hundreds of thousands of vendors, and I'm personally not Rain Man. You both might have those skill sets, in which case, kudos to you, but being able to sort through millions of rows of data and trying to find commonalities between them is certainly not my forte. And lots of reporting tools are good at that, but where we see AI being particularly useful is really in two things. The way we see it is, one is that analytics to be able to find those commonalities and the controversies and the anomalies in the dataset. It's certainly very good at doing that or supporting that initiative. But the other, which is an interesting one, is I mentioned at the start some of that assessment fatigue.
Alastair Parr:
So if you go through RFPs, if you're going through assessments, it feels almost like a waste of time where you're rearticulating information to different people, so there's value to them, but nonetheless, it's a time sink. So we're seeing people starting to use AI now in this space to actually take their policy sets, their document sets, their previous responses, and populate all these third-party assessments that they're getting. And the value for them is it's accelerating the decision process to say, hey, we can work with this third party or not, and it becomes more of a validation exercise rather than somebody having to sit there and, you know, regurgitate the same data. And we're seeing real happiness, should we say, across the space, for want of a better word, on the back of that. So those are, I'd say, some of the benefits. I don't know if that resonates with you both as well.
Rachael Lyon:
Absolutely. Well, there are the benefits of AI. Right? But then, as we know, on the flip side, there's the dark side of AI. And, you know, particularly AI-driven third-party ecosystem risks. I mean, how do you even prepare for that? It's almost like venturing into the unknown. How do you manage that?
Alastair Parr:
Definitely. And the amount of AI-driven contractual updates I've seen in recent months is staggering. People are certainly rightly cautious about it, and about Shadow AI being used across the business. That's almost a new business model that's sort of grown overnight, from Shadow IT to Shadow AI, which is certainly interesting. But we actually do internal studies ourselves to understand how many are using AI. In fact, it was relatively low to start with. I think it was about 5% across our community who were actively using AI. This was about 6 to 12 months ago.
Alastair Parr:
However, about 61 or 62 percent were looking to do so over the next 12 months.
Vince Spina:
Yeah.
Alastair Parr:
So there's this cautious awareness of the fact that AI introduces issues with hallucination, looking at the data, for example. And from an audit perspective, we will always need that human element to, you know, essentially validate what they're seeing. But AI is certainly useful as a tool to enable that and get initial decision points that can be validated by a human, but there are certainly new clauses. There are new assessment templates. There are new AI frameworks out there now that help support AI controls specifically to make sure people own the data. It's not being hallucinated or used to train other models, etcetera. So it's certainly an evolving space.
Vince Spina:
Yeah. Just on the darker side of that, Alastair, I was just thinking while you were talking. So, we have kind of a saying around here that, you know, as it pertains to AI, you can't take the flour out of the cake. As a metaphor, once something goes in, it's in. And the idea is, when I think about compliance and third-party risk and all the regulatory stuff going on, you find, from an AI perspective, that, I guess my term is, garbage in, garbage will come out. And then, you know, the other one, when we talk to folks around AI, and there are so many positives, but on the flip side of that, bias is something that pops up as well. You see that? I mean, is garbage in, garbage out, bias, the affinity of that on the, you know, the AI side, as we're talking about, you know, compliance and regulatory and, you know, all of the things that you're steeped in, are those issues to be concerned about?
Alastair Parr:
Definitely. And I think some of the pitfalls that the space has fallen into is going into AI without some meaningful consideration as to how they're doing it. You know, the simplest way is to just plug into something like OpenAI and see what comes back, but you aren't really training it on your dataset, your data models. You do get that bias tied to that with the, you know, the black-box-esque perspective on what it's being trained on. Where we're seeing the industry making demands is that where AI is being used, it has to be locally trained in some shape or form. It has to have that consideration of the types of data that we're looking at, and there needs to be that validation of some of the outputs that are coming out. And it's a, you know, crawl, walk, run approach that the community is asking for. So where people are just simply plugging into a large language model and saying, hey.
Alastair Parr:
We have AI embedded. It's not as coherent a strategy as people may want. At least that's what I've been hearing.
Vince Spina:
So the takeaway there is preplanning is key. Right? You know, all the upfront, like, spend a lot of time on, I think it was crawl, like, you know, crawl, and make sure you're putting a lot of planning into that. Because, again, once the flour's in the cake, it's not coming out.
Alastair Parr:
It's a good yeah. Definitely. Yeah. And the fact is there are a lot of lawyers out there making sure that the flour is the right grain that they're looking for at the moment. There's a lot of language going around,
Vince Spina:
which is great. Yeah.
[18:41] Regulatory Compliance and Best Practices
Rachael Lyon:
Nice. So speaking about compliance, I mean, one of the things that I'm really fascinated about right now is all the regulations coming online, you know, be it for, you know, data security, privacy, even AI regulations. I know you wrote this great byline in Corporate Compliance Insights. Just a shameless plug for you: "Upgrade TPRM programs ahead of AI regulations." I thought that was a really, really useful article. You know, but when you're working with, you know, these third-party risks, and, you know, there's a global footprint, you know, kind of like, what regulatory frameworks do you adhere to? I mean, and how do you do that across every country based on all of these different regulations and fines, you know, more importantly, and repercussions, should you run afoul of these regulations?
Alastair Parr:
Yeah. It's an interesting topic, Rachael. Now, from my experience, around 2017, 2018 became a wake-up moment for a lot of people, just related to GDPR. You know, that privacy momentum associated with the EU being pretty strict, certainly from their initial discussions on fines and implications. You know, that woke up a lot of the international community on how do we start managing data effectively? In this case, obviously, focusing on personally identifiable information. Now that obviously cascaded into, you know, more localized regs elsewhere. You know, you're looking at CCPA, the California Consumer Privacy Act, and similar. Now those have evolved over time to start including more beyond privacy, on supply chain management as well.
Alastair Parr:
You know, HIPAA refers to it. Sarbanes-Oxley refers to it. PCI also refers to it. MAS, the Monetary Authority of Singapore, refers to it. NYDFS refers to it. So particularly in finance and insurance, and health care, you're seeing a lot of regulation. But as you rightly pointed out, I can just keep playing word Scrabble of acronyms all day long, and in some shape or form, you're gonna have part of your enterprise ecosystem exposed to it. So when people are asking me and asking us how do we make sense of that word soup into something actually meaningful if they haven't got a huge compliance team that's driving it, the reality is there are resources and support out there that call out the individual clauses and give you some insight into how you can essentially apply them at scale.
Alastair Parr:
You know? How can I apply a key control, for example, on being aware of who my third parties are and having a map associated with that? That might correlate to seven or eight different regulatory frameworks out there, and I know I've done what I need to do. So using the resources out there is key. I think if people go out and try and do it themselves from scratch, they're gonna struggle. It's gonna be a hard time. And one of the ways we do it ourselves is, you know, we will build up things like an assessment model. You know, we have something called the Prevalent Compliance Framework, which essentially cross-maps to all the different regs as they come out. And we have to essentially have teams that do that for us to save the client's time. But it's a challenge.
Alastair Parr:
Definitely a challenge.
Vince Spina:
Yeah. I mean, it seems a big challenge to me, Alastair. Like, when I think about it, I have the privilege of leading systems engineering for Forcepoint in a global capacity. So I get to meet with a lot of really interesting customers and have some pretty good chats. And when you think about, you know, at a multinational level, a global corporation with all these regulatory frameworks and standards in place, do you find that they align, or do they ever contradict each other?
Rachael Lyon:
Yeah.
Vince Spina:
And, you know, how do you kinda meander through that? I mean, I almost... it feels to me like an impossible task. Like, you brought up, you know, word soup, GDPR, and CCPA. Those are, like, different parts of the world.
Rachael Lyon:
Yeah.
Vince Spina:
Do those tend to line up? Like, are people talking, or, you know, is one saying, hey, you gotta do this, and the other one's over here, and you're like, yeah, those don't connect in any way. I mean, it's just fascinating. You know? The meander point I like. Yeah.
Alastair Parr:
It's definitely one you meander through, on that perspective. From my experience, I've seen the 80/20 rule tend to apply. So the principles, 80% of them are by and large applying the same sort of aspect, but it's some of the interpretation of the principles and obligations that becomes that 20% variance, which is a challenge. You know, you may not see a direct contradiction that often, but you're gonna have to expect to report in certain ways. For example, DORA is a great example recently. The amount of orgs that come to myself to discuss DORA and how to actually report on it effectively because they're sitting there scratching their heads, it is a significant amount. Now they might be doing a lot of that work already elsewhere, but they have to be able to present it in a very particular format in order to satiate, you know, the obligations placed upon them. And I think that's a real challenge for people as well as, you know, how do you actually report back this information? And then DORA, apologies, being the Digital Operational Resilience Act.
Vince Spina:
I don't know if this lands with you, but I, you know, I tend to tell myself jokes along the way. But, we have this cartoon in the States called Dora the Explorer.
Have you ever heard of that? Like, that's you. You're Dora the Explorer. You're the person. You're the oracle that everybody comes to talk to.
Alastair Parr:
If only I could entertain them to the same extent.
Rachael Lyon:
That's fantastic. You know, to kinda continue on the compliance theme, though. Like, do you have any kind of best practice recommendations, you know, as these new kind of compliance standards come online? You know, you have to update, right, existing cybersecurity systems and processes, which seems like it could be an incredibly daunting task.
Alastair Parr:
It really is. Yeah. And I think the biggest thing that people can do in order to stay on top of these things is ultimately having the data to hand. And you talked about, Vince, earlier on, which I paraphrase, bad data in, bad data out. Yeah. This applies to this as well. If you've created the foundational set of data that you need to be able to demonstrate some form of alignment here, that means having things like the contractual clauses in place to make sure that your third parties give you visibility. You know who's doing what, where what data is, but where data is ultimately going and flowing for the organization, it becomes far easier to be able to react to it.
Alastair Parr:
Right. And I'll touch on something there, because when people look at third-party risk, immediately their minds are looking externally. They're looking at what's going on out there in the world and dealing with third parties, but for that crawl, walk, run model, the crawl is very much let's start with the business internally.
Rachael Lyon:
Right.
Alastair Parr:
Who are the various department heads, the divisions, the sub codes who are interacting with third parties? How are they doing it? You need to understand your own business before you can effectively start looking outwardly as well, and getting buy-in, of course.
Vince Spina:
Interesting. Alright. Listen. Maybe we shift a little bit, knowing a little bit about you, Alastair, your background and that. You know, first of all, in your bio and when we were researching, you've got a pretty strong background in auditing, and I just want to kind of get a sense of, you know, how that experience has helped you in your cybersecurity role. And, you know, again, I'm talking to myself in my own head when I'm talking out loud, but when I met you and we spent some time together a while ago, man, this guy's a pretty cool guy. I could sit around and have a pint with Alastair. And I can tell you, when I was a customer, I was afraid.
Vince Spina:
Like, I ran networks, and I was afraid of the compliance team. And, you know, you had them in because you had to do it, and it was ask and answer. Whatever they ask, you answer, and you just try to get out of there. But, you know, you've got a great style to you, and I'm just going, my auditors didn't look like Alastair, didn't talk like Alastair, and I didn't wanna have any beer. You know, I didn't wanna have a beer with any of them. But, anyway, I digress. But, you know, a little bit about you. You've been an auditor for a lot of years.
Vince Spina:
You know, how's that helping you in your new capacity?
Alastair Parr:
Well, that's a sign of a good auditor, the one who's able to get you to slip and then reveal those control failures. So, yeah, for me, I think there are two things in my background that particularly lent themselves to third-party risk, auditing, of course, being one of them. So, originally, many moons ago, I used to do a lot of third-party risk assessments. Now, naturally, they would tend to be less in-depth than an internal audit of an organization, and you'd use a baseline like ISO 27001 as an international standard. Certainly more have come along since then that make it easier, looking at things like SOC 2 docs. But back then you really had to spend time understanding who they are, the genetic makeup of the business, how they function. And the first, most important skill I probably learned from that is pragmatism and proportionality. Now, I could sit there and write down on a piece of paper all the things that they don't do perfectly as a vendor, but does that actually present a meaningful amount of risk that we need to worry about? And I'm sure you both have the same experience there, which is real-world risk versus paper-based risk can be very different.
Alastair Parr:
And understanding the context, compensating controls, etcetera, is something that people very often overlook when it comes to third party risk but is so crucial. Otherwise, you're chasing your tail focusing on things that aren't necessarily, you know, the priority. From my auditing days, I'd say that's the the number one takeaway which I I really got value out of. But then a second part of this is worth noting is so I used to run global, data loss prevention programs for managed services, etcetera, for various orgs over time in enterprise, and the parallels I saw between that and third party risk were astonishing because the business knew and was paralyzed to say, when I flick this switch, I'm gonna find out everything that's wrong in my org that people are sending out data they shouldn't do, how we're sending it around in in bad ways. And they were paralyzed to fear of flicking that switch because as soon as they did it, they had to do something about it. And you see the same in 3rd party which is they don't want, in some cases, to talk to the entirety of the 3rd party estate because it's gonna create a whole load of work for people and they're under resourced and under start in order to be able to do it. So the way that makes these programs successful, data prevention and managed services for third party is being able to understand the volume of data that's coming in and make sense of it and apply some degree of proportionality and prioritization. So, you know, it goes goes back full circle to the auditing piece there, but for me, that was really, really, pertinent for my my history.
Alastair Parr:
That's fantastic.
Rachael Lyon:
Yeah. It's always interesting to hear kinda origin stories of how people found their way, right, you know, to the current role, to cybersecurity. And, we had a guest once. He got a PhD in medieval studies.
Alastair Parr:
I didn't know they did those.
Rachael Lyon:
Yeah. But I think he realized there's not a lot of money in that, so the cyber thing's looking pretty good. It's fantastic. So you've got this amazing bird's eye view, Alastair, into kind of the threat landscape out there, and I'd really be interested to know kind of, as we see cyberattacks evolve, particularly in the age of AI, are there any cyberattacks that have fascinated you or just horrified you recently? I would love to hear your perspective.
Alastair Parr:
I feel like in this space, and, Rachel, Vince, I'm sure you find the same, is fascination and horrifying are so often aligned. Synonymous.
Vince Spina:
Yeah. Many times. Absolutely.
Alastair Parr:
We just watch in dismay and shared interest at these things. But, the one, and I know it's going back a bit, and I think people have heard it a lot, but as much as the name gets bandied around too much, I don't think people should become too numb to it, being SolarWinds. SolarWinds has been discussed very in-depth over time, and I appreciate it's a good few years old now. Was it March, December 2020, depending on which, you know, discovery versus attack starting point? But the things that came out of that were very interesting to me, which is it suddenly introduced third party breaches as a board level discussion point. And some of the first things being asked is, of course, hey, are we impacted? And a lot of people shrug their shoulders and say, well, we don't really know. You know, we don't know who in our supply chain is dealing with it. And that suddenly became an unacceptable answer in a boardroom because it's gonna affect revenue and operations and, of course, reputation.
Alastair Parr:
So that really evolved some of this space, which is the investment started to be focused on third party. You started to see people understand that they needed meaningful incident response plans and processes and how to manage that, and it really just cascaded from there. So that was a very interesting reaction, I would say. So as much as the, you know, the attack itself is extremely interesting, it was the reaction of the industry to me that was really, really fascinating. And that prepped some companies in some respects for how they actually managed some bits of COVID-19 as well, where they started looking at their incident response plans over time. You know, swine flu was also a precursor to that as well, where all of a sudden they have these processes in place to focus on operational resilience, concentration risk of vendors. And it was, yeah, certainly an interesting time.
Vince Spina:
Yeah. It's funny, Alastair. I was trying to tie a couple of things that you said earlier. I don't remember exact words, but, to paraphrase, you know, when you work with your auditors and compliance, there's what somebody in the business every day, as a networking guy at data centers, what I would perceive to be real risk. And then there was that paper risk. And you had to deal with all of it. But the stuff on the paper, you're like, the chances of those things happening are, you know, slim to none. But, you know, recently over the last several years, some of those things that I remember seeing on paper that I just kind of didn't think about, and I'll tell you, the pandemic that we went through.
Vince Spina:
You know, that was something that was always on. You mentioned bird flu, and we talked about that all the time. But, you know, I was probably very skeptical going in about the chances of that happening and us, you know, having to worry about operational resilience and all that. But, boy, you know, it's good to kind of, you know, have a heads up display on that because, I mean, if it does happen, boy, that's when big brands can be in a lot of trouble financially, brand perception, and all that. You brought up SolarWinds. And we actually had the privilege of speaking with the CEO from that. Yeah. And, yeah, it was a, you know, fantastic conversation.
Vince Spina:
So, anyway, just great feedback and words that were in there.
Alastair Parr:
Yeah. It's like, the amount of tabletop testing exercises I used to go through, you know, back in the day. Thousands. And like you said, they treated these flu situations as if we were running zombie apocalypse tabletop testing. And, there were definitely some smiles in the room, but, yeah, certainly came full circle.
Vince Spina:
Exactly. Then the pandemic hits, and I tell you, everybody who, you know, had to worry about that just dusted off a couple papers. It might have said bird flu, but at the end of the day, all the activities that you needed to do to keep your brand safe and up and running, that was time well spent. And I learned something very much from that, to be honest. So
Rachael Lyon:
It's awesome. Well, I really wanna be mindful of time. So final question, and we do love to ask folks this, Alastair. Looking ahead, you know, kind of thinking about the security landscape and how it's evolving, is there anything that keeps you up at night or anything that you're super excited about seeing, kind of where it goes and the opportunity it presents?
Alastair Parr:
Yeah. No. Absolutely. So the thing that I find most interesting now, of course, I'm gonna be biased to third party risk here as a particular area, you know, close to my heart. But the thing I find interesting, I know we spoke a bit about AI, but it's more about the implications of that big data analysis. We're seeing more and more people now doing real meaningful comparative and predictive scorings across the supply chain.
Alastair Parr:
So if I'm a multinational with 200,000 vendors, being able to look at passive intelligence on them, I don't need to pick up the phone. I don't need them to complete anything, but just being able to look at predictive indicators that suggest that that third party is gonna have a ransomware attack just because of the nature of who they are and where they're based, or they're going to have an issue because of geography even nowadays. You know, all the unfortunate incidents over the last few years on, you know, localized sites. Getting all this passive, meaningful intelligence and being able to analyze it is really now just coming to the forefront of the space, to give you not garbage, but meaningful outputs and meaningful data. And that to me is very exciting. So that should make life a lot easier for the third party specialists out there.
Vince Spina:
Yeah. That's fantastic. Up my game in metaphors too. I should never have used that term. You gave me two much better ones. So I appreciate that. Sorry, Rachel. Cut you off there.
Rachael Lyon:
No. No. Not at all. Not at all. It's, you know, I love this idea. You know, AI can detect AI, but, you know, all the benefits. Right? I mean, because the ongoing trope, right, are we ever gonna get ahead of the threats, you know, because the attackers are using the new technologies just as fast as we're adopting them.
Rachael Lyon:
You know, but the whole predictive opportunity. Right? I mean, it makes me very hopeful on what the future can hold and, you know, kind of security efficacy for organizations. Right? Because, I mean, how many letters have you gotten about a breach? I've gotten so many. I have so many ID monitoring free services. I'll never have to pay for one.
Vince Spina:
That's a good thing and a bad thing all to itself.
Rachael Lyon:
Exactly. You know, it's like I have so many dark web notifications, and you know? So I'm just kinda waiting. But, anything that we could do to get ahead of threats and kinda turn them off before they turn on would be very much appreciated.
Alastair Parr:
I always feel like there's invariably, and I don't think it's gonna change, there's always gonna be so much for us all to deal with, but as long as we can be a bit more intelligent around where we're gonna spend our limited efforts and resources, we're in a better place.
Rachael Lyon:
100%. Well, Alastair, thank you so much for joining us today. This has been a really awesome conversation. I'm so glad we had a chance to dig into this topic because we just haven't done that before, and it's evolving, you know, and it's so critical today. Thank you.
Vince Spina:
Luckily, I'm in the UK. I'll look you up, Alastair, and we'll have that.
Rachael Lyon:
That's right. Have that pie.
Alastair Parr:
Look forward to it.
Vince Spina:
Yes. Absolutely.
Rachael Lyon:
Oh, to all of our listeners, thanks again for joining us this week. As always, we love to share with you great insights, and we would love to hear your feedback as well, you know, on this episode or our episodes and topics that you would like to hear more about. Always reach out to us. And, you can't forget, Vince, what do we need to do?
Vince Spina:
We need our listeners to smash that like button.
Rachael Lyon:
That's right.
Vince Spina:
Let us know we're hitting the mark, and, you know, we'll keep these going.
Rachael Lyon:
That's right. Smash it. Smash the like, smash the subscription, and you get a fresh episode every single Tuesday in your inbox. How awesome is that? So for everyone out there, until next time, stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.
About Our Guest
Alastair Parr, Senior Vice President of Global Products & Services at Prevalent Inc.
Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background; developing and driving solutions to the ever-complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.
Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.