CRO Wisdom Episode 4: Philip L Bennett, Manager – Information Security, NFCU

Atul:

Hello, everyone. Welcome to the next episode of CRO Wisdom – the voice of risk leaders. I’m delighted to have Phil Bennett today. Phil comes with a deep background in third party and cyber risk from companies such as Capital One and Navy Federal Credit Union. Phil, welcome.

Phil:

Thanks, Atul. Good to be here. Thank you for inviting me.

Atul:

Absolutely. So, Phil, a question that I always start with is, I’m always curious about how people’s journeys started in their specific area of expertise. So how did your career start in the risk management space?

Phil:

Oh, thank you. That’s a great question. I was fortunate, not having an educational background in risk or technology, to grow organically with a younger company that was just starting out in risk management. And my focus area was the growing information security focus, in both project management and then especially in third-party risk management, which is where I’ve spent most of my career time, establishing the processes and best practices. And also, just because of the time when I came through, which is way too long ago, we sort of, together with yourself and others, you know, colleagues across the financial sector, which is where I’ve spent most of my time with risk management, learned what the examiners and the regulators and others were expecting, and what internal audit practices were, with respect to broadening the risk management focus from credit models only to cybersecurity controls and third-party oversight. So, we all, as an industry, sort of grew up together and defined it. Now there are practitioners out there who’ve come through university programs on these topics. And so it’s kind of a different landscape now. But that’s how I came through.

Atul:

The hard-knocks style, right? Learning on the job, for sure.

Phil:

Absolutely. Which has a lot of benefit because you learn from the ground up in a very practical way. And you’ve heard me say very frequently, it is the practical implementation that is important to me because I’ve been seeing where you have the theory, you have the best practices, the aspirational practices, but then there’s the reality of getting the risk budgets. There’s the reality of training resources. There’s the reality of finding the right model and framework with which to practice what makes sense within not just your industry sector, but also within your organization culturally. And so, I think, to consider all of those aspects is vital to success in risk management.

Atul:

Right. So, Phil, let’s bring that to today. When you think about 2021 and risk programs for 2021, what are some of your priorities in this new risk environment?

Phil:

Yeah, when I think about where the industry is going and where the needs are in an ever-evolving threat landscape, I think where the focus really is, from a risk management point of view, is being able to incorporate some of the nuances that are coming to bear and coming to the forefront. Maybe they should always have been there, but we’re giving them more focus, either because of our own organizational culture or because of a greater, heightened focus in the world. You know, we think about ESG matters as becoming very important, and considering those ESG matters not just for the organization but also for third parties in your supply chain ecosystem. We think about areas of which we’ve always known – social unrest, climate – as having a very specific impact on many industry sectors, and that impact will continue to grow. And so, I think that in my area of cybersecurity, but especially in supply chain risk management, the focus is to creatively start incorporating those matters into your oversight procedures and risk management procedures in very practical and measured ways. How do you measure success? How do you measure what you’re doing? You know, even if you are able to find the baseline. And so I think that that’s an area in 2021 that will really come to the forefront, and it has for us.

Atul:

So Phil, you make a great point in terms of widening the risk aperture. And as you said, looking at these other risk categories like ESG, social unrest, geopolitical and others, one of the other things we’ve been seeing, particularly because COVID made it very live, was moving beyond point-in-time risk management to a continuous monitoring and continuous intelligence approach. Phil, first of all, what are you seeing in that change? And secondly, how do you think companies ought to be adopting it? How do they move into a model like that?

Phil:

Yeah. It’s fascinating, over the last 10 years, being a CEO of a company that works in this space, and as I’ve seen these capabilities develop, I’m seeing the industry come to grips with, well, what does it mean? Initially there was the sort of bracing from the targets of the continuous monitoring tools: oh, well, this is not substantiated information; these are false positives; that sort of pushback that we get. Well, then, as the tools became more mature and there was a little bit more understanding of how the tools should be used and how the data coming out of the tools should be considered, it has become a great best practice to really consider this as another intelligence feed, one that is more focused on the supply chain and that can really enhance your point-in-time assessments. So, the way that I’ve worked through it, as the best practice in the organizations I’ve worked in, was really to consider: it’s not a replacement for point-in-time assessments. Ongoing monitoring, similar to the old annual health check – the financial check for an organization – has become part and parcel of the assessment process. So now, as I walk out of the door after having done a third-party assessment, let’s say a cybersecurity or compliance assessment, I have these other tools. So, it’s my point-in-time assessment, plus my ability to get indications of potential areas that I might want to inquire about with my third party on the aspect that’s being indicated. So, I like to think about the output of the continuous and ongoing monitoring solutions as giving me indications of areas where I may want to inspect a little bit further. And then a second area – it really does help come back to inform the point-in-time assessment, so there may not be an escalated matter that I might want to take immediately to a third party. But also, when I do go on site, maybe I take, in my test scripts, a little more informed information to talk about patch management, to talk about cycles of change, and how I have secured my environment or how the third party has secured their environment.

Atul:

I think, Phil, that’s a really good way to make your whole life cycle a lot more efficient and effective: by actually thinking of these two, assessment and continuous monitoring, as a cycle and not just as separate ways of doing it.

Phil:

Yes, absolutely. And there’s another principle that comes into play: I can’t boil the ocean. I am setting thresholds appropriately, but also, as a practitioner in this space, you have to have a solid inherent risk model that informs where you’re going to apply your continuous monitoring. You know, and it can be twofold. One is I can evidence – in my sector – I can evidence that I am paying for and using today’s tools and technologies to apply appropriate deeper oversight for my top 10 or 20 third parties. Also, maybe because I’m paying for that additional service from a budget point of view, I may move some money over into that deeper inspection with a broader lens, a critical lens, if you will, while at the same time, because I am monitoring at a higher level the back end, the long tail of the supply chain, if you will, I’m able to lessen my frequency of on-site visits, which saves me a bunch of money as I don’t pay for airline tickets and all of that. And so, I can back off visiting third parties again and still get the comfort that I’m monitoring the back end appropriately through these additional capabilities that ongoing continuous monitoring provides to me. And so, it really can become a budget play as well, so that I’m not going to the tail for more money. I can adjust my money in an intelligent way by leveraging continuous monitoring tools, and I’ve found that very effective.

Atul:

Yeah. Phil, you just answered a question that I often get, which is, how do I deal with assessments if I cannot go on site? So you’ve just described a great way of being able to use continuous monitoring to lessen the load and reliance on them; they, of course, still form a part of your program, but you can be more effective this way.

Phil:

It is. And it also solves for a side issue that we in the financial sector, and our key vendors, have been focused on for the last 15 years: and that is having a little bit more in the way of Shared Assessments or collaborative assessments that we share. Well, in a way, it achieves that goal of lessening the impact on the vendors, if I’m doing my part to find some other creative ways to monitor their cyber health, and especially other aspects of their legal environment and financial health, independently.

Atul:

Yeah. Yeah. So Phil, one of the things in risk management companies realized over COVID was this whole aspect of cascading risk, right? Where something may start as a financial risk and end up impacting people and cyber risk. But in a lot of companies, these portions of risk management – the financial risk of their third party, the cyber risk of their third parties, compliance – are often coming from disparate systems and being handled and seen by different parts of the organization. And so the realization has been that we need an integrated view of my third parties. Any thoughts on how to do that and the importance of it? Any ideas appreciated.

Phil:

Yeah, there are a couple of things that I have observed and, I think, are important in this space. One is, depending upon who you are as a practitioner in this space, to think about your organization, its size, its maturity and its complexity. We all have worked in, Atul, you and me and others in this practice, various sized organizations. And the answer to this question is different for different organizations. I may be a single performer across procurement and cybersecurity and third-party management and compliance. So, understand the organization in which you work as a practitioner in this space. I think that, you know, with the intelligence that we’re getting, if I am a mature organization that has a procurement department distinct from a cybersecurity function that may input assessment tests into oversight for vendors, together with a separate legal department, and a separate cybersecurity department that includes a SOC, right, and threat intelligence, then my focus is to make sure that I am building relationships with each of those functions and communicating with them two ways. So, take a continuous monitoring solution as an example. Typically, it might be considered a cybersecurity operations center function to monitor using these kinds of tools. Well, often that’s not the case right now; it is often the third-party risk management role that is leveraging the supply chain continuous monitoring tools for indications. Are you sharing back and forth? So, if I’m a larger organization, I’m going to make sure that I’m setting up that relationship and staying in touch with my cyber threat intelligence team and counterintelligence team to gather information and to get feedback from them. Hey, I’m seeing this indication, can you confirm that this is what’s going on? And then, the other way, they can help feed information to me that I might then look at in the continuous monitoring tool to say, hey, there’s a heightened awareness of this supplier. I’m going to check my continuous monitoring intelligence to then incorporate that. For smaller organizations, you have a little more flexibility to unilaterally leverage the intelligence and work with the vendor to address the intelligence indications that you’re getting.

Atul:

Right. At the same time, I think what you’re saying also is to find a mechanism to make sure that you do get an integrated view of that third party, so that you’re not just addressing one area but understand the overall picture.

Phil:

Yeah, yeah. A big deal these days, Atul, as you know, is breaking down silos across the organization for effectiveness, and that definitely comes into play here.

Atul:

Right. So, Phil, I just wrote an article for Forbes. It got published today, on automating risk management. When you think about automation, artificial intelligence, machine learning, and others, what are you seeing, or what’s your desired state of application of some of these technologies and best management?

Phil:

I think the ability to set a meaningful threshold based upon my risk appetite model is a big deal. I can’t boil the ocean. We are just now coming into an understanding of what skill set is required to be able to analyze the intelligence that we are gathering. And so, I think that integrated view, that single pane of glass, is really what I need to understand. With the various intelligence feeds coming in, being able to synthesize that information is going to become even more important. I have a continuous monitoring tool that has fantastic models for giving me the likelihood, the asset value, the importance, so that I can think about where I want to focus my risk management activities, where it matters, the biggest bang for the buck, if you will, the areas of higher concern and focus. But now to take that intelligence about my extended network, if you will, my supply chain ecosystem, and integrate that with internal dashboards, that’s going to be very, very important.

Atul:

Risk management is a very, very exciting space, Phil, and you may have noticed recently that Bloomberg called Risk Manager a hot job. What do you think about that?

Phil:

I think it’s appropriate. I’ve enjoyed it even in the narrower space that I’ve worked in, supply chain risk management, as well as cybersecurity risk management, and I think that resonates with me – the obligation and responsibility of the C-suite is becoming very important. And so, I can imagine that organizations that do not currently have Chief Risk Officers, even mid-sized companies, will be establishing that role. Yeah, it definitely resonates with me.

Atul:

Wonderful. Two more questions: what do you rely on to make yourself a better risk leader? What resources do you rely on?

Phil:

You know, Atul, I rely a lot on reading the industry papers, staying informed, and especially through groups such as your risk board, the Shared Assessments, the Santa Fe Group. I participate in many of those panels and boards to stay informed, as well as outside reading. Then, internally of course, staying in touch with the various practitioners, because you have a wealth of knowledge in folks who are really smart, who have been in this practice. Probably folks who are listening to this have, in their organization, really smart people who have either grown up organically as I did, or have just come from a company, and you can pick their brains and really learn a lot of current best practices. So, I think that discussion with your peers and colleagues is really important.

Atul:

Phil, I think that’s really good advice, because too often I see leaders, as they’re moving up in an organization, become more insular and not give their time to activities like that. So that’s really good advice. My final question: what advice would you give to future risk leaders?

Phil:

To really start with two things. One is to get a baseline in some area, whether it’s supply chain risk management, whether it’s consulting on security projects. If you’re just starting out in your career, I think you should find an area where you can dig in and learn the process end to end, that practice, and find a good mentor to help guide you; hopefully, in the right organization, you’ll find somebody who’s a good mentor. I think that’s really important. I think the second thing is really to establish and identify a framework that you can learn, a baseline out there, because it’s really important to contextualize the practice of risk management within a framework, and there are a lot of them out there. If your organization doesn’t have one, then with just a quick Google you’ll probably be able to find enough reading material to help you understand the fundamentals of risk management.

Atul:

Good advice, Phil. Thank you so much for sharing your experience and your thoughts on risk management and how to be a better risk leader. Thank you again.

Phil:

Thank you, Atul. I appreciate the opportunity.


Speakers

Philip L Bennett


Manager - Information Security

Navy Federal Credit Union

Phil Bennett is Manager, Information Security Governance Horizontal Services at Navy Federal Credit Union, Vienna, Virginia. Phil has led cybersecurity advisory and assurance teams in the financial sector since 2002. In March 2020, he joined Navy Federal Credit Union to lead cybersecurity horizontal governance functions including metrics and reporting, phishing and communications. Phil holds the Certified Information Systems Security Professional (CISSP), Shared Assessments Certified Third Party Risk Professional (CTPRP) and Certified Information Security Manager (CISM) certifications, and the M&A @ Columbia Business School certificate.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.