
CRO Wisdom Episode 6: Bob Maley, Chief Security Officer, Black Kite

Atul:

I’m delighted to welcome Bob Maley of Black Kite to this episode of CRO Wisdom. Bob, welcome to this episode.

Bob:

Glad to be here. It’s a pleasure.

Atul:

So, Bob, let’s first talk about your background. I think the audience would really appreciate, because you don’t have a typical risk background. So tell us a little bit more about how you got here.

Bob:

That’s a long story, but I’ll try to make it short. I think my introduction to risk was a long time ago in a physical sense when I was a police officer. You know, we looked at instantaneous life and death risk situations and I loved it. It was a great thing. But, I went down into the computer line, not really as a risk professional. You know, I got involved in a technical fashion: software development, forensics, but as I kept getting exposed to different things and moving through different organizations for instance, I think my first touch on risk was when I was the coordinator for information technology at the Pennsylvania healthcare costs name and council that we started to have to look at the data that we collected. And we had to analyze a lot around privacy, the risk base of, because essentially, we sold the data as well that we collected and evaluating the risk of selling it to certain organizations. So that’s kind of how I, I dovetailed into it, which led to my big exposure to risk management was when I became the CISO of the Commonwealth of Pennsylvania. You know, I was responsible for all the governance risk and compliance efforts for the entire Commonwealth, all 47 state agencies and commissions and boards. So that that’s really where I cut my teeth on it, learned about it. After that I kind of formalized it in a consulting way. That’s my introduction to the financial world doing consulting with Wells Fargo and, I was already a member of ISACA – a certified information security manager. I certified there which then brought me into PayPal into third party risks. You know, I built their global third party risk management program. And that’s kind of how I got here. It’s a long story, but it took a long time.

Atul:

Right now. So, Bob, I remember I met you when you were at PayPal. Talk a little bit about the role you serve today.

Bob:

The role I serve today – I am the chief security officer for Black Kite and it’s a small tech startup, so I have quite a large department. There’s three of us, so there’s me, myself and I. I am the Chief Privacy Officer, the Chief Risk Officer, the Chief Security Officer, all those things combined. So, it’s a very different view of risk. At PayPal, I got involved with the mergers and acquisition programs and it was some significant things, but now it’s still just as fun but it’s in a different scale. Yeah.

Atul:

Right. Bob, talk to us about in this in business environment, kind of in this risk environment, what are your key priorities? What are you focused on?

Bob:

Ransomware. It’s not just from what I read, it’s what we see in our platform where we do a lot of threat intel collection and understanding the bad actor point of view. What we do is, we think like the bad actors and, I learned this back in law enforcement. It was a long time ago and we had bad actors then; they were looking to do criminal activity to get money. And nothing’s really changed since law enforcement days, other than the tools and the methodologies that they do. You know, they always looked at what was the easiest. Most bad actors typically are risk averse getting arrested. So, they looked at how they could do the, the least risky ways of getting the biggest returns and it’s that way today. And I see, that I think ransomware is one of those things. And I think there’s, there’s something that’s changing. We’ve seen it with SolarWinds, is that going after third parties is not new. Relatively – it really started getting people’s attention, with the Target breach that it was an attack of scale that, that I call it. It was the bad actors. I don’t believe started out looking at the Target company as their primary victim. They happened to compromise a small HVAC company in Pennsylvania, and they found some credentials that they thought, Oh, well, what will these credentials get us into? And they saw what they could see, and they go, Oh, well, can we see more? And they, they kind of leveraged that until they realized they could get into the development systems. And that’s where they, they really leverage their attack by installing their malware into their update for the card readers at all their stores all over. So, they scaled it and SolarWinds, while it’s a little different, it’s not really. They saw a way that they could compromise a third party that had that would give them avenues into thousands of other organizations. So, it’s, it’s those types of things. Those are, for me, that’s the biggest thing on my mind.

Atul:

Yeah. Bob, very clearly, if we think about kind of the set or the old risk management practices regarding third parties, they’ve been so focused on point in time assessments you and I have had many conversations about this and with John Bree, and COVID kind of made it even more clear how these assessments done a month ago, six months ago, 12 months ago, were not so relevant as, as things change and things continue to do that. Talk to us about your views on this, first of all, how can one be more continuous in their risk management approach? And what do you see as kind of pros and cons of that? What, what is it solving? What challenges it might be creating?


Bob:

Well yeah, point-in-time, that’s obviously six, seven, eight, nine years ago. That was pretty much how we did third party risk. We sent out the questionnaires, we collected the artefacts, we looked at their SOC-2, other audit certifications and the big issue with – and I remember with some of the regulators that, well, what’s your program for reassessing? And so, we had our vendors classified. We had the critical vendors and we reassessed them once a year, the medium vendors twice a year. And in the program, those low risk vendors were every three years, which essentially never really happened.

Atul:

Unless there was a bad incident.

Bob:

Yeah, if there’s an incident there’s always a change. But I look at that and the move towards continuous monitoring and obviously the bad actors are very quick, they’re very agile. You’ve heard me talk about the OODA loop before the strategic principles of Observe, Orient, Decide and Act. And if you’re executing your OODA loop faster than your competition, you’re winning. And in this case, I think the bad actors, they execute that loop extremely fast. They are very agile. They don’t have to go and get someone’s approval to try something. They just do it. If they see something that’s of value, the networks that they’ve created today, they don’t have to learn new technologies. They go out to another branch of Crime, Inc. And they hire some other bad actors who have an expertise to be able to get through and turn and monetize what they’ve discovered. So, they’re doing it. They are constantly iterating and getting better. And that’s where continuous monitoring – and especially not just in an enterprise view, but in third parties is critical, but that also introduces a lot of challenges as well. And, I’m going to talk a little bit specifically about cyber, but, very clearly from my view as a Chief Risk Officer, cyber is not the only thing. There are multiple other types of third-party risk. But, for me in the world I live in today with Black Kite, cyber is our focus. And I just released a new report on threat intel. And, one of the things that I saw about that is that everybody believes threat intel is extremely important, and it is, we all agreed on that. But the volume of data that you get: open source intelligence, it’s intelligence that you collect yourself, being able to do something with that volume of data. That’s the challenge today that’s in, continuous monitoring, I think that’s the biggest challenge.

Atul:

Yeah. And Bob, I think that’s the beauty of today’s tools that are available. I was talking to Jim Routh, formerly at Aetna and Mass Mutual, and the ability to use data science and automation to actually take all these feeds. And you can automate a significant amount of risk actions. I know when you think about cyber, you guys are doing that, right. That’s an approach that I know you kind of think about and you take.

Bob:

Well, exactly. That’s one of the first things that we do. And one of the things that brought me to Black Kite was the introduction of something called FAIR, the Factor Analysis of Information Risk. I was trained to talk about risk and qualitative methods. We’re technical; we understand high risk. We know if it’s red, it’s bad. But, in reality, that really isolates the technical, the CISO that thinks that way from the Chief Risk Officer, because there’s different languages of risk. Outside of cyber, it is in business impact and the ability to be able to communicate cyber in dollars and cents. You know, that was the game changer that I got excited about to be able to scale that I know I, I’m a, I’m a certified in FAIR. I’ve done a lot of research on that. We actually were awarded a patent last week about the process that we do, of collecting all those, that intel, all that data and how we scale that and turn that into realistic probable financial impact that, that just lets you make better business decisions. And that’s why I’m excited about the industry, in adding that AI. And now there’s other things that we’re doing around that because I’ve been a practitioner.

I’ve managed 1400 assessments a year with 80 on-sites and I know the volume of information you just collect in an assessment process. You know, I’m going to get your information security policies. I want to get your SOC-2. I want to get your ISO certifications. I’ve collected all that information and there’s so much good intel in those artefacts, but what do I do with it? When we had 294 assessments, we actually analyzed that information. But when you scale the number of assessments that you have to do, but your team doesn’t scale and then it starts to become essentially a checklist process that well, we’re, going to trust that their SOC-2 auditor did a good job, but their SOC-2 report doesn’t mean that they’re a hundred percent perfect in their controls. You have to understand where they’re lacking in that SOC-2, to make it valuable and being able to automate those types of things. I think, for a Chief Risk Officer or a CISO, I think that’s what’s really valuable.

Atul:

Bob, one of the things that’s always stood out for me about you is you don’t think of the risk management role as a Chief Security Officer, as a Compliance Officer. You think of that as an Operations Risk and Resilience Leader, right?

Bob:

Absolutely. And, if you don’t, you’re very narrowing, and at some point, it’s going to come back on you. I know that because of past situations where, going to a business unit and telling them that, Oh, well, you really can’t use this vendor because they’re high risk. What does that mean, coming from a technical perspective, it totally goes over their head and you lose the battle because there is a business value, an operational value to use that vendor. And unless I can talk in that language and help them bring them to the same understanding that I have, that’s the challenge. So yes, absolutely.

Atul:

Yeah. You can be the Chief Resistance Officer.

Bob:

That’s good. Yeah. You can’t be the Information Security Office of No.

Atul:

Yeah, exactly. Bob, very clearly cyber risk is high priority. COVID also opened companies’ eyes about thinking about supply chain perspective, location risk, talk about some of the other risks categories that you are seeing, that you feel Chief Risk Officers ought to be paying attention to.

Bob:

Well, and I think COVID brought this one up too. It’s the financial stability of companies, having the ability to understand the changes, because you can look at their annual report and that’s a snapshot. And as, as you’re a businessman, how quickly things can change and these are all indicators that, cyber may be good, but then if that financial stability or ability of that company starts to degrade, that’s naturally going to cascade cyber will become a victim of that at some point, simply because of, programs being cut. You know, I remember in 2008 award-winning program, cyber security program that I got approached and I was advised that, well, your budget needs to be cut. And I know that you have a really capable multi-layered security approach, but you’re going to have to cut one of those layers because we don’t have the budget. And being able to see that ahead of time. So that’s why the cascading – financial, I think is that, solvency that’s, critical. And depending upon the nature of the companies location risk as well where are your suppliers located? You know, I got exposed to that back in PayPal that, one of the things that I learned about resiliency for call centers, for instance. The way that PayPal helped they built resiliency around that, for economies of scale there, certain parts of the world where call centers are easier to run. They’re less expensive, the second level call center. But some of those parts of the world are subject to different types of risk, a political risk, political unrest or, if it’s not in the Pacific, it’s not a hurricane, what is it?

Atul:

Typhoon.

Bob:

Typhoon comes through Manila and, the ability to be able to rapidly move from one region to another part that’s not subject to that same weather risks. So being able to understand all those types of things, and again, we may not think that our business has that kind of geolocation risk. But, unless we understand our critical vendors, what they’re supplying for us, and where they’re located, we may be totally central to North America, but we may have a supplier that isn’t, and if something happens to them in another part of the world, that’s important as well.


Atul:

One of the other challenges that I see in the profession is that if you think about intelligence inputs regarding risk intelligence inputs into a company, compliance has their own provider, procurement has their own financial kind of health provider, cyber CISO office might have their cyber susceptibility. And then you might have another area now with ESG coming on board ESG, somebody else is looking at it. And so all of a sudden, when you’re looking at your third party, you’re not getting an integrated view. What are your thoughts on that kind of both pros and cons of that?

Bob:

Well, it’s tough to get that integrated view simply because, especially in larger organizations, a lot of times there’s those silos, the territories that, resiliency may look at things in one particular way, cyber looks at it in another, procurement in another and, they don’t sometimes don’t play or work well together. It’s one of the initiatives I got a chance to work on at PayPal. It was a multifunctional third-party working, or risk working group that included all of those stakeholders. And through that process, it was the brainstorming, understanding what those challenges were and why those different groups had different reasons for wanting to do things, but then working through that. So, it’s extremely valuable once you do that, because then you get that bigger holistic picture. But, learning how to do that, understanding why, but it comes back to, well understanding what the business goal is of using third parties. And, ultimately everybody’s going to have the same goal. You know, resiliency obviously is that my critical vendors, if I lose one, I need to know which ones are resilient, but cyber, on the other hand, they’re more interested in, while we don’t want our data being, exfiltrated from a vendor and, procurement – they’re concerned about the contracts, do we have the right contracts in place? Do we have, are we spreading out to too many vendors? Should we concentrate vendors or are they too concentrated? But the ultimate goal is the bottom line for the business. And when we can understand that, I think it’s a little bit easier path to bring those disparate folks into this, into the same program, so to speak.

Atul:

Right? An exciting field. In fact, Bob, Bloomberg in a recent article said Risk Manager is a hot job, what do you think?

Bob:

I gotta tell you a Risk Manager in a cyber tech startup – I don’t know if it’s a hot job or not, but it’s exciting. You know, I’ve always been one of those folks that love building things. I love building programs and when the program’s built, it’s time to operationalize and run it. I love handing that off to someone else. But we have to look at the way the world is today. And we’ve talked about it in the cyber world. You know, it’s all started out, well, we have to have that hard, crunchy exterior. We can’t let them inside. And then we started realizing, well, yeah, they’re going to get inside. So what we have to have multilayers of defense. And then we started realizing that, well, our ecosystem is bigger than just us. It’s all the third parties, so those things change. And, and if we can look at that in, in a risk perspective in being able to understand what are the real risks, what are the real impacts to our business? And that’s why I think it makes the CRO such a valuable role – if we can speak in those languages, that the business understands, that the board understands, not only are we helping our career, but we’re helping the business that we work for. And it’s the combination of all those things that, yeah, I think it’s exciting.

Atul:

Yeah, hot, hot job, and maybe also a hot seat.

Bob:

Well, it’s always a hot seat. I’ve been a CISO. I know CISO, that’s a hot seat. And I imagine the Chief Risk Officer will be too, simply because sometimes people like to, to speak in absolutes that they want us to be prognosticators that we can actually predict what’s going to happen. Well, we can’t predict, but we can, as a Chief Risk Officer, we can understand what the likely or what the probabilities of risk are and help our business folks make better business decisions. And if we take that approach, I think maybe if we’re doing it right, maybe the seat’s not quite so hot. If we claim that we can, we can predict risk, it might get hot.

Atul:

Right? So Bob, very clearly you have a growth mindset excited to continue to learn. So what resources do you rely on to make yourself a better risk leader?

Bob:

Well, one of the biggest resources is Shared Assessments and it’s not just the tools, it’s the learning they have, but what I find really valuable is the intellectual sharing that happens in the working groups, in the meetings that, I know that our views can become rather narrow when we’re only focused on our own little world. And at PayPal, I had the luxury of seeing a global view. You know, I worked with business units from all the different countries and Australia. They look at things very differently in Australia than we do here and in Asia Pacific and in Germany. And I had those things then, but now with Shared Assessments, that’s one of those biggest things that I look at obviously, I, there’s a lot of leaders that I follow that thought leaders, Phil Venables, I love reading what he has to say about what’s going on in the world and, and others. And it’s just trying to keep up that way. It’s tough because you have your day to day, but you have to make sure that you are constantly exposing yourself to other frames of reference, other thought processes and other views because if we lock ourselves into our preconceived notions about what risk is that, and I, it’s interesting, I still run across folks that the risk matrices, and, and the qualitative view, that’s the only way to do it. And I’ve been there. So, I understand why, but locking yourself into that, not looking further at better ways to communicate to the business it’s extremely important to keep that, keep your mind open.

Atul:

Right. No, Bob, I think I totally agree. You know, even for myself, for the last decade, Shared Assessments has been a great resource for me and serving on the board for those years, meeting people like you, that bring all those views together and share so openly in these working groups has been, I think it has been a gift for leaders like me. Bob, the final question for you, and thank you so much for making time for us, the final question for you, what advice would you give to future risk leaders, as somebody who’s interested in risk wants to build a career? How should you think about their career and especially as they want to keep moving up?

Bob:

Well, it’s, it’s embraced change. I really think that’s probably the number one thing is that if you, if you get into a static process that you’re really not going to advance because, I talk about it. I look at the career advancing the same way as the OODA loop – Observe, Orient, Decide and Act – and things change so quickly in the risk industry. How we look at risks, what different risks are 13 months ago our, our view of third-party risk was very different than it is today, but having the willingness to embrace change, I think that’s probably the biggest thing for somebody that wants to be a CRO or they, they should if they’re, if they’re dead set against change, it, in my view may not be the best career to get into.

Atul:

Well, Bob Maley, Chief Security and Risk Officer of Black Kite, thank you so much for making time for us. Really appreciate it. Talking to you.

Bob:

My pleasure.


Speakers

Bob Maley


Chief Security Officer

Black Kite

Bob is the Chief Security Officer at Black Kite, a technology company that specializes in cybersecurity intelligence gathering and analysis used in assessing potential impact of cyber events at third parties. Bob has been involved in security for most of his career, initially in physical security as a law enforcement officer. He has acquired a broad range of experience and expertise in all areas of security. This includes third-party security, risk assessment, architecture, design, policy development, deployment, incident response and investigation and enterprise solution deployments in areas including intrusion detection, data protection, compliance, and incident reporting and response. Prior to assuming the Chief Security Officer role at Black Kite Bob was the head of PayPal’s Global Third-Party Security & Inspections team, developing the program from the ground up into a state-of-the-art risk management program.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.
