The SIG Webinar will begin shortly.

Once the webinar begins, the sound will come from your computer

speakers.

In the meantime, please take a look at the upcoming SIG networking events listed on the right side of your screen

and plan to join us if you are in one of these cities this fall.

NETWORKING EVENTS

GLOBAL SUMMITSApril 19-21 – Orlando, FL

SYMPOSIUMSSept 15 – SF Bay Area, CA

Sept 22 – Toronto, CANREGIONAL ROUNDTABLES

May 5 – Chicago, ILMay 12 – Sydney, AUSMay 24 – Atlanta, GA

Sept 27 – Cincinnati, OH

For more information and to register for all SIG events:

www.sig.org

RECENT POSTINGS

The SIG Career Network is

bursting with opportunities.

New jobs are posted daily by some

of the best known global companies in the world for those

seeking careers in sourcing, outsourcing, procurement and

related functions.

For more information go to: www.sig.org/career-center.php

NEW to the Career Network!

• Guidewell/Florida Blue – posted April 11:

• Sourcing Manager – IT

• Sourcing Manager – Delivery

• Sourcing Manager – Professional Services

• Adobe – posted April 11:

• Sr. Sourcing Specialist – Contingent Labor

• PennyMac – posted April 7:

• Sr. Assoc., Commodities Mgt & Procurement

• J.Crew – posted April 1:

• Mgr – Central Procurement and Profit

• Hudson’s Bay Company – posted March 22:

• Vice President, Procurement

• FedEx – posted March 14:

• Associate Sourcing Specialist

• Chubb– posted March 7:

• Global Procurement Category Mgr

• Westfield Group – posted March 7:

• Procurement Operations Leader

• LINAK U.S., Inc. – posted March 1:

• Bi-Lingual Sourcing Specialist

• Unum Group – posted Feb 26:

• Category Manager

special member

benefits

• 6 months of free buy-side

access to the Vendor

Evaluation & Assessment Tool (NEAT)

• 2 free Market Intelligence

Reports

• 15% discount on direct

hire placement fees

For more information, go to: http://sig.org/member-discounts

• $20,000 discount on Enlighta

Govern or Risk pilot

• 5 relationship assessment

surveys

• 20% discount on assessment

or implementation services

• 20% discount on research

reports on Chinese cities,

technology parks, providers

and advisory services

• 50% discount off fees

associated with GSOS

Health Check

• Receive current market

labor rates for your top 5

job openings

• Join SkillsVillage, learn

more

bit.ly/SIGLinkedIn @SIGinsights bit.ly/SIGfacebookbit.ly/SIGYouTube

Join the discussion in SIG’s Peer2Peer Resource program too!

Stay connected with other SIG members through various social media channels

SOCIAL MEDIA

bit.ly/SIGBlog

New Topic Each Week

NEW TIME!!8:00 am PST

11:00 am EST

4:00 pm GMT

5:00 pm CET

Upcoming Free SIG Webinars:

April 26, 2016 The CPO’s Agenda for 2016: Tackling Procurement’s Key IssuesPresented by Zycus

April 28, 2016 Solution Deep Dive: Procurement & Sourcing Usability for AllPresented by Coupa Software

May 12, 2016 Solution Deep Dive: Avoid a Risk Knowledge Gap with Better Due DiligencePresented by LexisNexis

Register at www.sig.org

For more information and to register for all SIG events:

www.sig.org

Upcoming Town Hall Teleconference:

May 11th

From the Trenches to the Treetops: Supplier

Market Intelligence in the Real World

Presented by:

Kelly Barner

Buyers Meeting Point

SIG Town Hall Teleconferences

bring a small group of buy-side ONLY attendees together for a facilitated

discussion on top-of-mind issues in an open-mic, private conversation. Town Hall Teleconferences are NOT recorded.

Calendar of Town Hall Teleconferences

Taking place at 1:00 pm Eastern on the following dates:

February 10 August 10 March 9 September 14 May 11 October 12

June 8 November 9July 13 December 14

For more information and to register for all SIG events:

www.sig.org

SIG Symposiums and Regional Roundtables provide education and local networking for members and invited non-member corporate users

Symposiums 2016:

Silicon Valley, CA – Jan 14

Minneapolis, MN – Mar 24

Columbus, OH – Apr 7

San Francisco Bay Area – Sep 15Toronto, CAN – Sep 22

New York, NY – Sep 29

Regional Roundtables 2016:

Chicago, IL – May 5

Sydney, AUS – May 12

Atlanta, GA – May 24

Cincinnati, OH – Sep 27Pittsburgh, PA – Nov 3

London, UK – Nov 9

For more information and to register for all SIG events:

www.sig.org

SIG Global Summits are semi-

annual events with 350-450

decision-makers in attendance

• Non-commercialized

• Hundreds of industry thought

leaders

• 70% buy-side

• 4-5 keynote sessions

• Global brands

• 3 days of networking

• Executive Roundtables

• Over 50 breakout sessions

69% of delegates are director level or above, of which 43% are VP/C-level

Recent speakers include:

For more information go to: www.siguniversity.org

Online learning environment

Sourcing and Governance certifications with Professional and Executive level courses

Modules with lessons, formative assessments, summative testing and final proctored exam

Certification good for 5 years

Certified Sourcing Professional course starts June 27, 2016!

Certified Governance Professional course starts May 2, 2016!

For more information go to: sig.org/student-outreach.php

Partnering with Universities

Introducing students to seasoned supply chain executives

Sharing thought leadership with students in class, SIG University courses and at SIG events

Giving access to internship and job postings on the SIG Career Network

Allowing students to get real world insight into supply chain careers

Finding tomorrow's supply chain professionals today

Confidential

The Quality of Your Vendors’

Security Programs is no Secret

Control your third party risk

Today’s Speaker

Kelly White

RiskRecon Founder and CEO

kelly@riskrecon.net

Career Summary

- 8 years security consulting Fortune 500

- 10 years top-30 US Bank- CISO / Director of Information Security

- Manager of Security Architecture and Threat Intelligence

- Manager of Customer Fraud Protection

RiskRecon Fast Facts

RiskRecon enables dramatically better enterprise

vendor risk management through frequent, accurate,

actionable measurements of vendor information

security performance.

- Founded 2015

- $3 Million seed round led by General Catalyst

- Providing risk assessments at scale to Fortune 500

- Services accessible through customer online

portal

The New Security Team

Confidential

Vendor Management is the new

Information Security Team

Why?

Confidential

Why?

New Corporate IT World

Confidential

The IT Landscape

Changed

SaaS has exploded

….and it isn’t over

Corporation Circa 2000

Confidential

Corporation Circa 2015

Confidential

• Top 30 U.S. financial services company app portfolio – 10% SaaS in 2005, now 60% in 2015

• Top 30 U.S. financial company has > 300 SaaS providers

• Top 3 U.S. financial company has > 3500 SaaS providers

• SaaS = $67.3 Billion market by 2016 (IDC)

• SaaS spending in 2016 = 20% of all software spend (IDC)

Information Security Impact

Confidential

Info Security Landscape 2000 Info Security Landscape 2016

Information Security Risk

Confidential

Vendor Risk

Internal Risk

Information Security Objective

Confidential

Rapidly enable the business to safely pursue its

objectives.

The Big Vendor Question

Confidential

Will this vendor protect my assets with the same or

better care?

• How to I quickly select the right vendor?

• How do I ensure the vendor continues to

perform to security standards?

Information Security Objective

Confidential

Rapidly enable the business to safely pursue its

objectives.

Vendor Management

Select good

partners

Hold partners

accountable to

performance

Act on

performance

gaps

Standards

How?

Confidential

• Hundreds of vendors

• New vendors weekly

• Rapidly changing technology

• Rapidly changing threats

• Regulatory requirements

• Executive management

reporting

• The stakes are

REALLY HIGH!!!

Data

Confidential

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Did the vendor patch against the

DROWN vulnerability?

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Did the vendor patch against the

DROWN vulnerability?

Are they really hosting my data in

authorized countries?

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Did the vendor patch against the

DROWN vulnerability?

Are they really hosting my data in

authorized countries?

Are they really handling malware

threats well?

Common Vendor Risk Mgmt Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Did the vendor patch against the

DROWN vulnerability?

Are they really hosting my data in

authorized countries?

Are they really handling malware

threats well?

Are they really hardening the

security of their systems?

Data

Confidential

Surveys, Document Review,

and Vendor Attestations

3rd Party Auditors

Interviews and on-sites

• Infrequent

• Time consuming

• Attestation may not

match reality

Did the vendor patch against the

DROWN vulnerability?

Are they really hosting my data in

authorized countries?

Are they really handling malware

threats well?

Are they really hardening the

security of their systems?

Are they properly encrypting my

sensitive informaiton?

Uncommon Vendor Risk Mgmt Data

Confidential

Surveys, Document

Review, and Vendor

Attestations

3rd Party Auditors

Interviews and on-sites

Continuously measure the vendors security

posture and security program quality

Yeah…

Confidential

Call it “Vendor Voyerism”

• Observe their IT practices – hosting providers,

locations, systems, software

• Measure their security effectiveness

• Get actionable information

All helpful in better managing vendor security risk

When companies do things on the internet….

Confidential

…they reveal a lot of stuff

Confidential

What can harvest from one web server?

Confidential

Alot!

Confidential

Some of the data out there…

Software patching?

Web application security?

Encryption practices?

DNS security practices?

Email security practices?

Malware defense?

A view in to one company

Confidential

Big Vendor (name changed to protect the guilty)

What you can learn starting with just the company

name

- No inside information

- No hacking

- JUST LOOKING

Big Vendor Systems – Internet View

Confidential

Big Vendor Hosting Providers

Confidential

Big Vendor Hosting Countries

Confidential

Big Vendor Hosting Cities

Confidential

Big Vendor Software

Confidential

Big Vendor Email Providers

Confidential

Big Vendor Corporation IT Summary

Confidential

Big Vendor Overall Performance

Confidential

Big Vendor Software Patching

Confidential

Big Company Software Patching

Confidential

Big Company Encryption

Confidential

A View of 21 Financial Services Vendors

Confidential

What is the point again?

1. You can rapidly measure the security program quality of any vendor based on how they operate on the Internet

2. You can do this without breaking any laws, without obtaining any information from the vendor

3. You can enrich your current vendor risk management processes with accurate, actionable data

Confidential

Benefit

1. Faster procurement decisions for new vendors

2. Continuous vendor security performance monitoring

3. Hold vendors to high standard of accountability

4. Better allocation of vendor risk analyst time / resources to vendors that require attention most

Confidential

Keys to watching your vendors well

1. Automate – enable frequent, rapid measurement

2. Be accurate – false positive can destroy the operation

3. Be legal – no hacking, no scanning, no grey areas

Given these conditions…

4. Be really good at finding all assets

5. Harvest all information

6. Read the tea leaves – extract security measurements from everything you collect

7. Make it actionable....or it isn’t worth much

Confidential

Thank you

Every enterprise reveals the quality of its security program through what it does on the internet.

All you have to do is know where to look and how to read what you find.

(and don’t break any laws.. and automate it…and be accurate…and be actionable…)

Confidential