Episode Transcript
WEBVTT
1
00:00:02.399 --> 00:00:05.960
All right, we're live from the
global podcast studios here in Atlanta. Rich
2
00:00:06.000 --> 00:00:09.519
Castanova here alongside Dwayne Hart. Dwayne
Hart is the guest of the hour.
3
00:00:09.679 --> 00:00:15.400
He's our subject matter expert on
everything cybersecurity. He hosts his own podcast,
4
00:00:15.480 --> 00:00:18.600
he's written a book on the subject
matter. He is the if you
5
00:00:18.839 --> 00:00:21.320
need to know or want to know, this is the guy you gotta talk
6
00:00:21.359 --> 00:00:23.640
to. Man, we're gonna talk
to him right now. Welcome to the
7
00:00:23.640 --> 00:00:28.839
show, Dwayne. Hey, I'm
back again. Here right here be Rich
8
00:00:28.920 --> 00:00:34.079
Castanova. We all be coming
brand maybe one day on our heart.
9
00:00:34.359 --> 00:00:38.880
Yeah, talking about cybersecurity. Yeah, we'll maybe taking on the road show,
10
00:00:39.399 --> 00:00:42.320
the keynote speakers, all that good
stuff, but I'll just introduce you
11
00:00:42.359 --> 00:00:45.119
on the stage. You take it
from there. Yeah, so, UM,
12
00:00:45.159 --> 00:00:49.560
so we're talking cybersecurity once again,
and we mentioned he has the Cybersecurity
13
00:00:49.679 --> 00:00:53.399
Uh podcast as well as his book, and you can check everything out at
14
00:00:53.439 --> 00:00:57.039
DWAYNE HEART DOT com. But today's
topic is kind of interest. Is very
15
00:00:57.079 --> 00:01:00.439
interesting actually, because we've talked about, you know, obviously cybersecurity in terms
16
00:01:00.600 --> 00:01:03.799
of B two B, you know, business to business, if you want
17
00:01:03.799 --> 00:01:07.959
to uh, whether it's a startup
or a billion dollar brand. It's got
18
00:01:07.959 --> 00:01:11.319
to be on your mind. It
should be on your checklist of things to
19
00:01:11.359 --> 00:01:15.480
do and not do, and one
of those should be cybersecurity. We've talked
20
00:01:15.519 --> 00:01:19.959
about the internal implications of that right
within your own organization. We've talked about
21
00:01:19.000 --> 00:01:23.319
employee. Today we're gonna be talking
about the third party vendor. So before
22
00:01:23.319 --> 00:01:27.120
we jump into that, what are
some examples of some vendors that businesses typically
23
00:01:27.120 --> 00:01:34.000
work with? Okay, vendors businesses. Think about? Think about the vendors
24
00:01:34.079 --> 00:01:42.040
that have to collect data? Okay, maybe a cloud, cloud service providers.
25
00:01:42.640 --> 00:01:49.000
Think about the vendors, vendors that
have to come onto your site into
26
00:01:49.079 --> 00:01:56.200
install equipment. Okay, right,
those are your third party sources. Even
27
00:01:56.239 --> 00:02:00.680
if you want to take it deeper, think about think about organizations like Walmart,
28
00:02:01.000 --> 00:02:05.480
right, and think about the merchants, right, uh, you know,
29
00:02:05.560 --> 00:02:09.439
the credit card companies. Yeah,
the processing. Yeah, and it
30
00:02:09.479 --> 00:02:14.039
could be at your office or your
business. It could be we think in
31
00:02:14.120 --> 00:02:16.680
terms of maybe just the Wi-Fi or
the Internet connection, but these days most
32
00:02:16.759 --> 00:02:22.080
all of technology is somehow connected to
the web. I mean even your copy
33
00:02:22.159 --> 00:02:27.199
machine, right. Your security cameras
Um, the way you if you're hosting
34
00:02:27.199 --> 00:02:30.000
an event where you're registering people on
vent, you're using a third party vendor.
35
00:02:30.439 --> 00:02:35.599
Right. Third party vendor can be, uh, so, social media,
36
00:02:35.639 --> 00:02:38.360
we've talked about in the past,
but it can be your telephone provider,
37
00:02:38.439 --> 00:02:44.840
your systems, right. And and
the concern there is that in order
38
00:02:44.879 --> 00:02:47.680
to interact with the third party,
you have to share data. So what's
39
00:02:47.719 --> 00:02:53.840
the upside and what's the challenges and
what are some things you should look out
40
00:02:53.840 --> 00:02:58.120
for when you're sharing data like that
across those platforms? Rich, I could,
41
00:02:58.960 --> 00:03:01.199
I could take three hours to talk
about that, but but I'm gonna
42
00:03:01.280 --> 00:03:06.319
sit here for a couple of minutes
to talk about it. It's about information
43
00:03:06.360 --> 00:03:12.840
sharing and trying to establish a trusted
relationship, because before anyone begins to share
44
00:03:12.879 --> 00:03:17.039
information with an outside source, you
always have to have a trusted relationship,
45
00:03:17.560 --> 00:03:24.120
and that trust relationship is built upon
agreements, whereas there are certain things such
46
00:03:24.159 --> 00:03:30.199
that is, such as a service
level agreement, operational level agreement and also
47
00:03:30.280 --> 00:03:36.240
a privacy level agreements. Those are
really three of the basis type of agreements
48
00:03:36.240 --> 00:03:40.719
that you have to have in place, because, let's just imagine, imagine
49
00:03:40.759 --> 00:03:46.080
that one of us was to give
information to a third a, a third
50
00:03:46.080 --> 00:03:52.520
party source. Right, we need
to make sure that they protect that data
51
00:03:52.560 --> 00:03:59.439
with the same interest as we would
now now to make sure that that,
52
00:03:59.599 --> 00:04:01.719
you know, all the controls in
place in the standards are being practice.
53
00:04:02.479 --> 00:04:08.759
We would have to put agreements in
place. Okay, because the risk behind
54
00:04:08.919 --> 00:04:14.520
that is that is that I would
have customers and I have a third party
55
00:04:14.599 --> 00:04:18.399
source that needs to have access to
that information. Now, now, if
56
00:04:18.439 --> 00:04:24.519
something goes wrong, I can't sit
here and say I gave it to the company.
57
00:04:24.160 --> 00:04:29.680
Right, no, I am ultimately
held responsible, because this is one
58
00:04:29.720 --> 00:04:34.160
of the problems that I think a
lot of organization face is that they give
59
00:04:34.199 --> 00:04:41.120
their environment away to their vendors.
Okay, but you still have to maintain
60
00:04:41.600 --> 00:04:46.680
a vision look and you have to
have that three hundred sixty, three hundred
61
00:04:46.720 --> 00:04:51.279
and sixty degrees of security visibility,
because the end the day it's on you.
62
00:04:51.439 --> 00:04:55.600
There is a president that said the
buck stops here. Right. So
63
00:04:55.839 --> 00:05:01.240
it's I'm thinking about some you know, applications as a consumer that you
64
00:05:01.319 --> 00:05:05.000
might experience. Right, you check
into a hotel, they can't release you
65
00:05:05.040 --> 00:05:09.720
know your uh, when somebody walks
in, they can't say, well,
66
00:05:09.800 --> 00:05:14.279
Dwayne Hart is in room three fourteen, right, that's protected information. And
67
00:05:14.360 --> 00:05:18.759
you think about your security cameras also, not just cybersecurity, but the security
68
00:05:18.759 --> 00:05:24.240
that's monitoring your premises, your equipment, your employees. That's you know,
69
00:05:24.519 --> 00:05:27.680
uh, that's a third party vendor, right. So you've got to do
70
00:05:27.759 --> 00:05:30.319
your research and your due diligence to
make sure that it's almost like they are
71
00:05:30.360 --> 00:05:35.240
another employee. You're trusting your employee
with the information, you're also trusting these
72
00:05:35.319 --> 00:05:40.800
vendors with the same information.
Right. See, see, now here's
73
00:05:40.920 --> 00:05:49.839
the disconnection. I call it the
Trans Transitional Knowledge. All right, the
74
00:05:49.920 --> 00:05:54.720
same way that we practice the protection
of our homes, cars and keys,
75
00:05:55.399 --> 00:06:00.000
all we have to do is to
transition that knowledge into cybersecurity. You know,
76
00:06:00.600 --> 00:06:08.160
back about five or six years ago, Target had a data breach and
77
00:06:08.160 --> 00:06:13.600
and upon research, was found out
that the vendor just came through the door
78
00:06:14.639 --> 00:06:18.199
and stated I need to work on
your network equipment, and someone says,
79
00:06:18.240 --> 00:06:23.680
Oh, yes, it goes to the
network closet. Person goes back there and
80
00:06:23.759 --> 00:06:30.879
start to work and what happened was
that the person released data through their computers
81
00:06:30.959 --> 00:06:34.319
or something. Right. So,
you know, let's just step back for
82
00:06:34.360 --> 00:06:42.920
a minute. Here's the control process
before that person came to Target should have
83
00:06:42.959 --> 00:06:46.959
been a list with the name.
ID okay, should have been someone
84
00:06:46.040 --> 00:06:50.639
that works at Target that follows them
around monitoring them. See, now,
85
00:06:50.680 --> 00:06:55.279
when someone comes in your house,
you just don't let them wander around.
86
00:06:56.839 --> 00:06:59.839
Okay, if you can have them
to sit out in the backyard, then
87
00:06:59.879 --> 00:07:04.800
you'll go make it work. Now
back to the topic. You think about
88
00:07:04.959 --> 00:07:11.519
just something as simple as somebody walking
into a building, right and starting to
89
00:07:11.639 --> 00:07:15.560
work, because you have to have
those agreements in place to say that if
90
00:07:15.600 --> 00:07:18.920
you're gonna come into my building,
you are going to be escorted by my
91
00:07:19.079 --> 00:07:24.199
employee. You're gonna have to send
me the name of your employee that is
92
00:07:24.240 --> 00:07:28.240
coming over and give me a full
scope of work that needs to be accomplished
93
00:07:29.040 --> 00:07:31.600
and verify that their background has been
checked and so forth. Right. You
94
00:07:31.639 --> 00:07:36.519
know what? That's your cybersecurity mindset
kicking in. Yeah, it's kicking in
95
00:07:36.959 --> 00:07:42.639
exactly. Yeah, Um, yeah, because also, you just think about
96
00:07:43.160 --> 00:07:46.680
now. You mentioned these contracts are
agreements, right. So, Um,
97
00:07:46.839 --> 00:07:50.240
how you know? Is that something
that? What's the update cycle on those?
98
00:07:50.560 --> 00:07:55.240
I mean it is those typically a
one year, you know term kind
99
00:07:55.240 --> 00:07:58.839
of situation, or you review them
as needed. Um, you know,
100
00:07:58.879 --> 00:08:05.800
what every and every organization is different. Most organizations will go review them once
101
00:08:05.839 --> 00:08:11.959
a year and most organizations only build
them upon a business type of relationship.
102
00:08:11.040 --> 00:08:16.040
Let's say, if the business relationship
is only for three months, well,
103
00:08:16.279 --> 00:08:20.439
that is the life term for that
service level agreement that you have in place.
104
00:08:20.079 --> 00:08:24.240
Now. It depends on the company
and it depends on the type of
105
00:08:24.279 --> 00:08:30.399
business relationship that you have in place. But but it makes great sense to
106
00:08:30.560 --> 00:08:35.919
do a review if you are pretty
much Um, you know, have a
107
00:08:37.039 --> 00:08:41.519
business engagement for one year, because
what you want to do is that you
108
00:08:41.559 --> 00:08:43.559
want to do your own homework,
because, see, you want to put
109
00:08:43.600 --> 00:08:48.080
in a service level agreement that every
two months, you're gonna have to see
110
00:08:48.120 --> 00:08:52.559
me your audit reports.
You're gonna have to show me signs that
111
00:08:52.559 --> 00:08:56.840
that you have, uh, this
level of security in your data centers.
112
00:08:58.320 --> 00:09:03.919
But as a company, you need
to review that service level agreement by actually
113
00:09:03.120 --> 00:09:09.559
making sure that one, that is
that is being followed and two is that
114
00:09:09.600 --> 00:09:11.600
if you need to make any changes, then well, you need to make
115
00:09:11.600 --> 00:09:15.480
no changeing, because you don't want
to wait until the end of the contract
116
00:09:15.480 --> 00:09:18.200
period and try to make a change
to it and said, well, you
117
00:09:18.240 --> 00:09:20.039
did not follow this end up policy
here. Well, you should have told
118
00:09:20.039 --> 00:09:26.120
me this about six months ago.
Okay, so that makes it makes common
119
00:09:26.919 --> 00:09:31.679
and common and, you know,
like common sense. Even a privacy level
120
00:09:31.720 --> 00:09:35.720
agreement. Okay, privacy is about
data and information. And See, you
121
00:09:35.759 --> 00:09:39.600
have to have a privacy level agreement
in place because if you don't, you
122
00:09:39.639 --> 00:09:45.279
know, you could uh find yourself
in the courtroom. Now we're referencing an
123
00:09:45.320 --> 00:09:48.919
article a little bit earlier for the
show and one of the topics was managing
124
00:09:48.960 --> 00:09:52.519
procurement risk and I thought there was
an interesting statement here. It says the
125
00:09:52.600 --> 00:09:56.679
rule of thumb for managing supply chain
Cypersey, uh, cybersecurity, is that
126
00:09:56.720 --> 00:10:00.399
if it touches the network, it's
in, it's in the scope of risk
127
00:10:00.440 --> 00:10:05.360
management. Right, it is.
It's you, once you, once you
128
00:10:05.360 --> 00:10:09.919
step into the fire, right,
yeah, yeah, all bets are off
129
00:10:11.000 --> 00:10:15.840
and it's like and what about,
you know, if we uh flip this
130
00:10:15.919 --> 00:10:20.639
around and talk about the mitigating the
vendor from the vendor standpoint, is there
131
00:10:20.679 --> 00:10:24.480
anything a vendor should be concerned about? Is there any red flags of like,
132
00:10:24.200 --> 00:10:28.919
Um, you know, because you're
you're cross pollinating this data, right,
133
00:10:28.320 --> 00:10:31.759
so is the company kind of tapping
into your network as a vendor,
134
00:10:33.120 --> 00:10:37.159
and is there anything that like this
is a company that maybe that is uh,
135
00:10:37.240 --> 00:10:43.960
gonna they're not doing it their due
diligence as the company and it could
136
00:10:43.000 --> 00:10:50.879
risk our reputation as a vendor?
Well, number one is this. When
137
00:10:50.960 --> 00:10:54.759
you have a type of agreement in
place, if you agree to it,
138
00:10:54.360 --> 00:10:58.840
okay, so you have to follow
it. All right. So that's so,
139
00:10:58.919 --> 00:11:03.440
that's fun to top. Now now
so much as a vendor. Um,
140
00:11:03.480 --> 00:11:05.360
what you need to be concerned about
is that, can you go do
141
00:11:05.440 --> 00:11:13.399
the work right? Yeah, can
you? Can you adhere to the policies?
142
00:11:13.720 --> 00:11:18.320
Okay, because because as a vendor, you you're gonna be required to
143
00:11:18.000 --> 00:11:22.879
protect information. So so, if
you don't have those, if you don't
144
00:11:24.000 --> 00:11:30.879
have types of controls in place like
like Um, like like some isolation where
145
00:11:30.919 --> 00:11:35.159
you can isolate traffic, where you
have database servers that are protected and only
146
00:11:35.279 --> 00:11:41.039
authorized people can go have access to
the data, databases. If it's public,
147
00:11:41.519 --> 00:11:48.840
public facing information, Um, you
know, you need to find out the
148
00:11:48.919 --> 00:11:54.039
sensitivity of that data before you put
it out there, because if it's sensitive
149
00:11:54.080 --> 00:11:58.679
and critical, then and if in
the and if in the SLA
150
00:11:58.080 --> 00:12:01.399
somewhere, you know, states that
that you would not support to put the
151
00:12:01.480 --> 00:12:05.919
data to the public, then you
can find yourself in the courtroom. Yeah,
152
00:12:05.000 --> 00:12:09.320
kind of. What's what's the boundaries
here? Right, and a lot
153
00:12:09.320 --> 00:12:11.799
of times we look at an agreement
and it looks, you know, it's
154
00:12:11.840 --> 00:12:15.120
it's drawn up by lawyers and it
seems like a standard, you know document.
155
00:12:15.320 --> 00:12:18.720
But I think from the vendor standpoint, Um, you might be cognizant
156
00:12:18.799 --> 00:12:22.600
of, you know, repercussions.
Other words, if there is a data
157
00:12:22.600 --> 00:12:26.519
breach, uh, what's you know, what's the implication to the vendors?
158
00:12:26.519 --> 00:12:30.840
That can put the vendor out of
business because, like you mentioned the Target
159
00:12:30.879 --> 00:12:35.399
situation. Uh, that costs them
multiples and multiples and millions of dollars,
160
00:12:35.480 --> 00:12:37.440
right, to rectify that, get
that and then build the trust back with
161
00:12:37.440 --> 00:12:43.000
the customer as well. Right.
And but back to that vendor question.
162
00:12:43.240 --> 00:12:46.720
Is that on both parties. So
if there is a data breach, what's
163
00:12:46.759 --> 00:12:50.799
the financial impact of that? And
if you don't maybe read the contract,
164
00:12:50.360 --> 00:12:54.279
it might put you out of business. That's why you go ahead and buy
165
00:12:54.360 --> 00:12:58.440
insurance, right. Yeah, okay, you can. Organization now can buy
166
00:12:58.559 --> 00:13:05.799
insurance just for those security,
just for those fortal situation just to protect
167
00:13:05.799 --> 00:13:13.879
you now, because because you never, never have knowledge of the unknown.
168
00:13:15.000 --> 00:13:18.519
So, but, but, but, it's safe to have the insurance,
169
00:13:18.879 --> 00:13:24.480
especially with data and UH. And
I can say for sure that the federal
170
00:13:24.519 --> 00:13:30.600
government now has a supply chain risk
management program that is definitely growing. Uh,
171
00:13:30.639 --> 00:13:33.559
if you're a government contracting company,
you know there are certain types of
172
00:13:33.600 --> 00:13:39.039
parameters and rules and regulations that you have
to follow as well. Um, and
173
00:13:39.200 --> 00:13:45.039
uh, you know the only way
to make it operate is just, make sure
174
00:13:45.080 --> 00:13:50.200
that each side has a standard and
make sure those standards are being followed.
175
00:13:50.440 --> 00:13:54.559
Okay, that's that's that kind of
shapes it. You know where you can
176
00:13:56.039 --> 00:14:01.799
put certain type of security controls in
place and you commit get issues because,
177
00:14:01.399 --> 00:14:07.399
Um, if you're a vendor,
as you said before, like your reputation
178
00:14:07.240 --> 00:14:13.960
is on the line. and Um, I was also thinking the implications of
179
00:14:13.480 --> 00:14:18.320
if there is that data breach,
of you know, not only the fines with
180
00:14:18.360 --> 00:14:20.480
the insurance, but I think the
insurance, most like any other insurance,
181
00:14:20.840 --> 00:14:26.320
is gonna still come back at you
and say, did you do? Uh,
182
00:14:26.720 --> 00:14:30.759
did you have all the checks and
balances in place that was possible to
183
00:14:30.799 --> 00:14:33.759
prevent this? Right, because if
you're asleep at the wheel, and you
184
00:14:33.919 --> 00:14:41.159
really didn't update your agreement. You
didn't anticipate things they could potentially say.
185
00:14:41.200 --> 00:14:43.600
Well, you know what, there's
a clause in here that says, uh,
186
00:14:43.679 --> 00:14:48.639
some of this is on you.
Right, it goes back to protocols.
187
00:14:48.519 --> 00:14:52.679
Are you following the correct protocol?
Here's I mean, like that example
188
00:14:52.679 --> 00:14:56.559
of the person that you let
into the, into your back office in
189
00:14:56.600 --> 00:15:00.480
your store. Right, the insurance, you know, it's not a blanket
190
00:15:00.519 --> 00:15:03.159
insurance. Like insurance, is great
to protect you, but like here at
191
00:15:03.159 --> 00:15:05.960
the podcast studio, if
we leave our doors unlocked in the building
192
00:15:07.000 --> 00:15:09.360
and the door wide open and company
steals all the equipment, it's probably not
193
00:15:09.399 --> 00:15:15.039
going to be covered by insurance because
you didn't take a reasonable amount of onus
194
00:15:15.080 --> 00:15:18.480
on your end. Right, right, right, see, see. See,
195
00:15:18.519 --> 00:15:22.879
now, this is the this is
the mindset that that actually has to
196
00:15:22.919 --> 00:15:31.759
be in place. All right,
take care of others' possessions as you as
197
00:15:31.799 --> 00:15:35.480
you would your own. See,
that's simple. Right. Okay, so
198
00:15:35.600 --> 00:15:41.879
that means that if you employ a
cybersecurity mindset where you uh, what you're
199
00:15:41.960 --> 00:15:48.919
thinking holistically, what you look at
the entire picture of cybersecurity and if you
200
00:15:50.759 --> 00:15:54.679
and if you have that risk based
thinking in place, okay, and you
201
00:15:54.799 --> 00:16:00.320
understand that that risk means that you
need to look at the entire picture,
202
00:16:00.360 --> 00:16:06.519
because it's not about you, because
it's about the customer as well. So
203
00:16:06.519 --> 00:16:10.279
so, as the third party vendor,
in, you're going to be concerned about
204
00:16:10.360 --> 00:16:15.759
making sure that you maintain the great
relationships because when you do, that's why
205
00:16:15.799 --> 00:16:21.840
that value proposition mentality comes to surface
and you become a high value asset and
206
00:16:21.879 --> 00:16:26.720
no one really wants you to go
because you're such a great client to work
207
00:16:26.759 --> 00:16:33.720
with. But but, as I
said before, protocols, follow the protocols,
208
00:16:33.679 --> 00:16:37.399
follow the rules and regulations, policies. Yeah, some of those points
209
00:16:37.399 --> 00:16:41.799
you just hit on kind of dovetails
into your recorded you had another live episode
210
00:16:41.799 --> 00:16:47.639
on your live stream earlier today right
on YouTube, and a lot of that
211
00:16:47.679 --> 00:16:52.519
was about certification, a job opportunity
to the industry really growing leaps and bounds,
212
00:16:52.600 --> 00:16:56.480
and that kind of begs the question
within a certain organization, I imagine
213
00:16:56.480 --> 00:17:02.000
there's almost a new title or position at
have to be a decent sized company,
214
00:17:02.039 --> 00:17:06.039
but within that organization there's correct me
if I'm wrong, there's probably a dedicated
215
00:17:06.079 --> 00:17:11.440
officer or role just to oversee vendor
agreements in terms of cybersecurity, not just
216
00:17:11.680 --> 00:17:15.920
negotiating. You know the terms of
the agreement. But is there a level
217
00:17:15.000 --> 00:17:21.640
where this person oversees Um, all
those checks and balances and reviews, maybe
218
00:17:21.680 --> 00:17:23.960
on a daily or weekly basis,
just monitors, you know, to prevent
219
00:17:25.039 --> 00:17:27.880
those, but more of a proactive
approach to data breaches? Right? Yes,
220
00:17:29.000 --> 00:17:33.480
yes, yes, large, large
organization. Have have privacy officers and
221
00:17:33.519 --> 00:17:41.519
some information security risk managers that are
that are so concerned about Um, making
222
00:17:41.519 --> 00:17:44.599
sure that standards are in place. But
but you can think out of it as
223
00:17:44.680 --> 00:17:49.680
audit into yeah, the audited.
Now now, speaking of certifications, some
224
00:17:49.799 --> 00:17:56.480
of the vendors will go require your
system to be certified. So so vice
225
00:17:56.599 --> 00:18:03.799
versa? Yes, yeah, yes, because because, Um, well,
226
00:18:03.720 --> 00:18:08.359
well, you know, because when
you're certified, see, that means that
227
00:18:08.440 --> 00:18:14.680
everybody meets the same level of compliance. Because if a vendor wants to do
228
00:18:14.759 --> 00:18:18.880
business with company A and company A
wants to do business with with like company,
229
00:18:19.000 --> 00:18:23.000
uh, you know, in vendor
A, both of them must and
230
00:18:23.119 --> 00:18:30.200
must have the same level of certifications
in place because in order to meet the
231
00:18:30.240 --> 00:18:37.039
requirements of the of the customer,
then the vendor has to have the same
232
00:18:37.079 --> 00:18:40.119
type of requirements in place. You
know, it's a match for match.
233
00:18:40.920 --> 00:18:48.440
So so if both companies needs are
practicing practice in the same standards and carries
234
00:18:48.480 --> 00:18:51.880
the same level of certification, then
it then it kind of makes the job
235
00:18:51.960 --> 00:18:56.759
easy. All right, it's all
about expectations, right, and and and
236
00:18:56.880 --> 00:19:00.400
matching those right. So and then, as a a business, you know,
237
00:19:00.480 --> 00:19:06.200
you've got a shop. What's reasonable
budget wise and, uh, can
238
00:19:06.279 --> 00:19:08.200
they meet those demands and also kind
of grow with you as a business?
239
00:19:08.240 --> 00:19:12.200
We talked about, you know,
Um, reviewing those contracts or those agreements,
240
00:19:12.359 --> 00:19:17.599
because technology changes, you know,
in light and warp speed these days.
241
00:19:17.680 --> 00:19:21.119
Right. So what was in place, you know, last year or
242
00:19:21.160 --> 00:19:25.240
six months ago? I mean probably
it's reasonable every six months to review or
243
00:19:26.400 --> 00:19:30.279
you know, you know, I
cannot sit here and say when it's multi
244
00:19:30.359 --> 00:19:34.319
review, but I would say that
as frequent as possible. You know,
245
00:19:34.400 --> 00:19:40.200
that's some organization that are very are
stringent because because they have so many
246
00:19:40.559 --> 00:19:45.079
suppliers, and I guarantee you that
they are probably watching SLAs on
247
00:19:45.119 --> 00:19:48.119
a monthly basis and on a weekly
basis, because you may have over three
248
00:19:48.160 --> 00:19:53.799
to five hundred suppliers. So so
you have to keep a vision look on
249
00:19:55.160 --> 00:19:59.440
those suppliers. See now, see
now. This is where the adapted mindset
250
00:19:59.519 --> 00:20:03.079
comes to her. You know that
last chapter in the cybersecurity mindset talks about
251
00:20:03.160 --> 00:20:10.359
having a constant engagement into cyber security, Um, so you can maintain your
252
00:20:10.440 --> 00:20:18.160
availability and your resilience. This is
where chapter twenty is surfacing now, because
253
00:20:18.279 --> 00:20:22.759
once you figure out everything you need
to do to to to actually get the
254
00:20:22.799 --> 00:20:29.440
cybersecurity mindset to work, you
know, the last chapter is sustainability,
255
00:20:29.680 --> 00:20:34.079
is to making sure that the train
is still moving. Okay, but in
256
00:20:34.160 --> 00:20:37.680
order for that train to still moving, then you're gonna have to be vigilant
257
00:20:37.759 --> 00:20:42.240
and you have to keep your eyes
open and have that three and sixty degrees
258
00:20:42.279 --> 00:20:48.359
of security visibility in place, because
you just can't become lax because someone else
259
00:20:48.480 --> 00:20:52.559
has taken over the work. And
also, too, you can't become lax
260
00:20:52.599 --> 00:20:57.519
because it's somebody else's data. Okay, because you have to treat that data
261
00:20:57.640 --> 00:21:03.440
as you would your own penny so
that you can stay protected. Yeah,
262
00:21:03.480 --> 00:21:07.079
almost as if they're not in the
mix, because to the consumer, to
263
00:21:07.119 --> 00:21:10.519
your customer, you know, they
don't care about that third party. Right.
264
00:21:10.559 --> 00:21:14.359
It's Um, I, I I'm
doing business with you, not with
265
00:21:14.400 --> 00:21:18.359
the vendor. Right. It's your
responsibility to make sure that, you know,
266
00:21:18.400 --> 00:21:23.319
my data is protected or that transaction
is secure, right. You know,
267
00:21:23.799 --> 00:21:27.400
I think that in so many ways
rich I think over the past couple
268
00:21:27.400 --> 00:21:32.880
of years, I think that I
think the cybersecurity industry has gotten better with
269
00:21:32.920 --> 00:21:37.720
this, because the more people talk, the more people listen. Okay,
270
00:21:38.079 --> 00:21:45.960
so having a conversation about vendor and
supplier management has been at the surface a
271
00:21:47.039 --> 00:21:49.440
lot for like the past five years, I would say. Okay, when
272
00:21:49.519 --> 00:21:53.279
I first started IT and
coming on through maybe seven years ago,
273
00:21:53.319 --> 00:21:59.559
it wasn't even a hot topic.
Right now it's a hot topic because in
274
00:21:59.680 --> 00:22:03.759
formation shared and then two,
you know you have customers. You know
275
00:22:03.920 --> 00:22:07.200
you do not want to lose your
customer base. So you have to maintain
276
00:22:07.720 --> 00:22:12.960
a certain type of compliance because your
reputation is on the line. Yeah,
277
00:22:14.480 --> 00:22:15.880
you took the words right out of
my mouth because we talked about the vendor
278
00:22:15.920 --> 00:22:21.720
reputation. Right exactly, but it's
that business. You know as a consumer,
279
00:22:22.319 --> 00:22:26.880
if word gets out that you know
things are not on the up and
280
00:22:26.960 --> 00:22:30.160
up with that business, it's it's
a long haul to build that trust back.
281
00:22:30.759 --> 00:22:34.960
Right it's just one mistake can cause
a ripple effect that can really implement
282
00:22:36.000 --> 00:22:37.480
your business. Um, Dwayne,
we're almost out of time. Unless there's
283
00:22:37.519 --> 00:22:40.519
any other, you know, points
you want to hit on, I think
284
00:22:40.519 --> 00:22:44.480
this is a good point to kind
of potentially wrap it up and any closing
285
00:22:44.480 --> 00:22:48.440
comments and we'll mention a call to
action for our listeners as well. But,
286
00:22:48.680 --> 00:22:51.359
UM, in terms of the next
steps, uh, this is a
287
00:22:52.359 --> 00:22:56.720
quote I read from an article that
Uh sums up an angle we talked about.
288
00:22:56.759 --> 00:23:00.039
But it says no amount of technology
and best practice will be sufficient
289
00:23:00.079 --> 00:23:04.079
if employees are not committed to
the program right. It goes back to
290
00:23:04.160 --> 00:23:08.000
that, uh, that mindset and
that hacker's hat. So, you know,
291
00:23:08.039 --> 00:23:12.640
we talked about maybe an organization you
have a dedicated officer just overseeing vendor
292
00:23:12.759 --> 00:23:18.799
security. But, like you open
the show with that illustration that we can
293
00:23:18.880 --> 00:23:23.160
visualize, Um, this person walks
into the business and say I need to,
294
00:23:23.160 --> 00:23:27.640
you know, check into the network. Right, the employee needs to
295
00:23:27.680 --> 00:23:30.119
have that mindset of like wait is
hold on, buddy, hold on,
296
00:23:30.400 --> 00:23:33.559
I have to get my manager,
you know, just instead of just giving
297
00:23:33.599 --> 00:23:38.640
them a carte blanche to do what
they want order of mindset. Chapter one,
298
00:23:40.240 --> 00:23:44.680
exactly right, literally and figuratively,
Chapter One in the book and chapter
299
00:23:44.759 --> 00:23:48.839
one in real life practice. It's
called the inclusive culture. Yeah, okay,
300
00:23:49.039 --> 00:23:53.039
when you go and build a culture
that is very inclusive, people would
301
00:23:53.119 --> 00:24:00.279
have a defensive mindset. Okay,
they they will become a human firewall.
302
00:24:00.680 --> 00:24:04.759
Okay, now, a human firewall
is not a person that's standing up
303
00:24:04.839 --> 00:24:11.039
with a fire stick. It's just a
mythology that says that people are thinking defensively.
304
00:24:11.880 --> 00:24:18.039
Okay, that's that's how you start
things off, is to have that
305
00:24:18.200 --> 00:24:23.960
culture and your people on board where
where they can think defensively. You know,
306
00:24:23.960 --> 00:24:29.119
when you be all that, that's
when everything else happens. As far
307
00:24:29.200 --> 00:24:33.200
as the situational awareness is, you
know, that risk based thinking, and
308
00:24:33.319 --> 00:24:40.240
also that hackers mindset, which is
your favorite. Exactly. One day we're
309
00:24:40.240 --> 00:24:45.079
gonna literally have the hat or whatever
in the studio, get some merch that
310
00:24:45.119 --> 00:24:49.319
has hacker's hat on there. So
Um, uh. So, a lot
311
00:24:49.400 --> 00:24:52.559
lots more to talk about, but
I think we're out of time here.
312
00:24:52.720 --> 00:24:56.680
So Um, unless there's any uh
you know, final thoughts, we want
313
00:24:56.720 --> 00:24:59.119
to do a call to action here
in a second. I mean, how
314
00:24:59.160 --> 00:25:03.200
would you summarize uh, this for
you know that business and that vendor.
315
00:25:04.279 --> 00:25:10.000
All Right, make sure that you
agree to the terms. Okay, make
316
00:25:10.039 --> 00:25:15.119
sure that you know what you need
done of your vendors and if you have
317
00:25:15.079 --> 00:25:18.720
a vendor, make sure that you
can do the work exactly. You can
318
00:25:18.759 --> 00:25:21.000
deliver that. Yeah, yeah,
yeah, yeah, make sure you can
319
00:25:21.000 --> 00:25:25.319
do it. It's all it's all
fairness to to light both sides, because
320
00:25:25.359 --> 00:25:27.319
at the end of the day,
we are only the safest of all.
321
00:25:27.400 --> 00:25:32.240
Mindset. Well said, Um,
and you can quote the guy on that
322
00:25:32.279 --> 00:25:33.799
one there. So, Dwayne Hart, pleasure having you once again
323
00:25:33.839 --> 00:25:37.880
in the studio here on the Global
Podcast Studio Network and UH, here in
324
00:25:37.920 --> 00:25:44.079
Atlanta, and again check out for
everything, uh, for Dwayne's book,
325
00:25:44.359 --> 00:25:48.759
for his podcast, for his live
stream, Um, for his home address.
326
00:25:48.880 --> 00:25:56.759
No, that's a little cyber security
humor there. Yeah, but now
327
00:25:56.839 --> 00:26:00.599
for everything to follow up and for
more information, it's just DWAYNE HEART DOT
328
00:26:00.640 --> 00:26:03.960
com. Again, DWAYNE HEART DOT
com, and we'll see you on the
329
00:26:03.960 --> 00:26:08.559
next episode and tune into this podcast.