Six tips for better data risk negotiations from Chief Risk Officer Michelle Griffey

Choosing a collaborative approach rather than box-ticking and backside covering will be a win-win, says Communisis CRO

Michelle Griffey, Chief Risk Officer at Communisis, has led data risk and compliance negotiations with partners at both service providers and their clients. Here she offers some words of advice for creating a healthy working relationship that prioritises security.

Almost every organisation has partners. Sometimes the organisation is a client, purchasing services from a third-party supplier, and sometimes the relationship is reversed.

With data protection an increasingly hot topic, and with breaches potentially ruinous to both finances and reputations, companies that farm out personal and sensitive data for processing and storage need to calculate how far they should trust their suppliers to look after it securely. Thanks to GDPR and other data protection legislation, it's no longer possible to simply pass liability for a breach down the supply chain.

Meanwhile, from the supplier's point of view there's a need to demonstrate process, tools, experience and a culture of data protection to assure clients' their data will be safe while its in their care - without having to do the same thing over and over again for each new potential customer.

The job of risk management teams - on both the client and supplier sides - is to ensure that the main threats are identified and strategies put in place to mitigate them - including procedures that must be followed should the worst happen, be that data theft, DDoS attack, system failure, fire, flood or ransomware.

Ideally the two risk teams should work together to reach a mutually beneficial agreement, but it doesn't always work out that way. Too often this process is characterised by endless form filling, box ticking and backside covering - and fails to properly address the risk at all.

Michelle Griffey is Chief Risk Officer at Communisis, a third party supplier of marketing and advertising services with a critical transactional communications arm that delivers cheque books, bank statements, insurance certificates and cheques which have helped support people during the pandemic. Prior to joining Communisis, Griffey worked as a risk manager at Lloyds Banking Group which hired the services of third party suppliers like Communisis.

As, such she has sat on both sides of the table when it comes to risk negotiations between client and supplier, and in an interview with Computing she offered six key pieces of advice for risk managers dealing with data protection issues across partnerships.

1. Don't let your risk team become a silo

The risk team constitutes a pool of expertise to be drawn on when identifying risks, drawing up strategies to mitigate them, and creating plans for how to act should the worst occur. Ideally the team should be a forward-looking, proactive unit that's actively engaged in all aspects of business, but all too often it's sidelined, only consulted at the last minute.

The opposite problem can also occur, with the risk team expected to do the job of procurement or client management. So, there's a balance to be struck.

"Knowledge is only power when it's shared", said Griffey. "The risk team needs to be available and approachable - but don't drown them in things that they don't need to be involved in."

On the supplier side, the risk team's job is to translate the client's needs into processes that are practical within their operation. They need to be prepared to push back at times, Griffey said.

"Many clients try to impose their own processes and policies on their suppliers seemingly not realising that suppliers can't have different processes for each client as this would not only be cost prohibitive but also create complexity which increases risk - especially in relation to cyber security."

2. Assurance trumps compliance

In the face of the complexity of data protection regulations, particularly in highly regulated sectors like finance, there is an understandable tendency to seek the simplest way of complying with the letter of the law in order to keep the watchdogs at bay. Their prime concern is being able to prove to a regulator that they've gone through the required motions with the third-party supplier (for example, a fulfilment provider entrusted to send out sensitive documents to the customer base which therefore requires access to personal information), so that should anything go wrong their liability will be reduced.

Computing's Cybersecurity Festival is coming up in June - Register now for free

However, this static, form-filling approach ignores the true nature of cyber risk where the landscape is constantly shifting and will inevitably lead companies to underestimate the chances of something bad happening to them.

A far better approach is for the risk teams to keep evolving their plans in the light of new information as it comes in, but this is a tough nut to crack with management, Griffey explained, saying it's a classic example of how regulations can sometimes drive bad practice.

"I was recently asked to speak to a group of insurers and I spent 15 minutes explaining why assurance would be better than compliance, and they said ‘Yeah we totally agree but that doesn't meet our need. We need to prove to the regulator that we've asked you the right questions. That's why we need you to fill out this questionnaire'."

Compliance culture is ingrained, then. It's also oddly defeatist when a more proactive approach would also be better for all involved.

"Ticking a box to be able to show a regulator you asked a question misses the point. However, it is also almost subconsciously accepting that there will be a problem at some point which will require this evidence, which further highlights that the better course would be to be able to show the regulator how well you had worked jointly to reduce the risk level and create response plans."

3. Clients - keep DD questionnaires brief and to the point

You'll gain more knowledge with open questions than closed ones. Focus on how suppliers cover the risks that matter to you and get a feel for their overall risk culture, rather obsessing about what systems they might or might not deploy.

The bane of the supplier risk manager's life is the due diligence (DD) questionnaire, through which a client seeks to understand the systems and practices in place at their company. While DD questionnaires may be manageable enough at the start, they have an unfortunate habit of growing organically as companies add more and more bespoke requirements.

In one example of tick-boxery gone mad, Griffey says she's seen a DD questionnaire 360 questions long, requiring several hours to complete. Worst of all, she says, the questions are often irrelevant, seeking specific information on a particular firewall or monitoring system, whereas they would elicit far more valuable information by asking open questions such as ‘how would you protect our data in this circumstance?'.

Griffey asserts that clients should deploy a minimal DD form for to find out the basics, then just get on a Zoom call with their opposite numbers and work on solutions to the most pressing concerns.

"I am a massive advocate of a collaborative approach between customer and supplier," she siad. "Surely it is better to be able to evidence how supplier or client have worked to understand and mitigate risk then have a joint, tested response plan than to pull out a big questionnaire as your business is floundering following a cyber attack?"

4. Clients - when negotiating with a supplier make sure you are talking to operatives at the right level who really understand the issues. This will likely be more than one person

If you are really interested in understanding how a potential supplier manages risk, you'll need your subject matter experts (SMEs) to speak to theirs. Speaking to the right people provides assurance in a way that long DD questionnaires do not.

"We have had some good sessions when we have worked infosec-to-infosec, which mean you can overcome hurdles if a product or service isn't perfect at the outset - agreeing interim controls and dates for full remediation," Griffey said, by way of example.

However, depending on who's leading the negotiations, this approach may not always be the preferred one and departmental politics can get in the way, she added.

"Clients often want to keep procurement or relationship management in the middle: Chinese Whispers then ensues."

5. Suppliers - make your SMEs available to answer questions, but don't let potential clients monopolise them. An hour at a time should be plenty

Taking a collaborative approach that involves subject matter experts makes it possible to focus on the main risks that the client runs by using you as a supplier. This can save a lot of time and effort discussing issues that do not really matter.

But a strong caveat to uinvolving SMEs in the risk discussions is that helping auditors is not their primary role; time spent on this task can detract from their day jobs. Once again, supplier risk teams need to be prepared to push back, Griffey said.

"At Communisis we not only have clients that employ companies to audit us and who want to monopolise specialists for days - ten days was one ask! - we then have the same auditor being used by multiple clients, for many days each. Clearly, the auditing companies love this as they get fees from each client. But by working together, in the event of a big incident we all lose not just one company, we can reduce cost, share knowledge and allow specialists to focus on managing the risk rather than keeping auditors happy."

6. Test your plans

It's vital to 'kick the tyres' of your plans to make sure they are fit for purpose. For example, you don't want to store plans for recovering from a system outage on that system itself. Inevitably, there are many details that only become obvious in hindsight, but thorough and systematic testing will root many of the flaws.

"Incident management processes are critical and if teams trust they will work they use them to good effect," Griffey said. "Pre-emptive incidents are ‘a thing' in Communisis where we might see an emerging issue more broadly and get an incident team in place to manage comms and investigations to ensure we are not impacted. This is good risk management, and a test of the response plan. We did this for WannaCry and more recent issues like Microsoft Exchange.