Redefining CyberSecurity

RSA Conference ESAF Report 2023: How Top CISOs Are Transforming Third-Party Risk Management | A Conversation with Laura Robinson | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity Podcast, host Sean Martin discusses the evolving landscape of third-party risk management with guest Laura Robinson, highlighting the need for a shift in approach and sharing success stories from case studies.

Episode Notes

Guest: Laura Robinson, ESAF Program Director at RSA Conference [@RSAConference]

On LinkedIn | https://www.linkedin.com/in/laurarobinsoninsight/

At RSA | https://www.rsaconference.com/experts/laura-robinson

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of Redefining CyberSecurity Podcast, host Sean Martin engages in a conversation with Laura Robinson, the ESAF Program Director at RSA Conference, about the changing landscape of third-party risk management. They explore the need for organizations to shift their approach in assessing third-party risk and the limitations of relying solely on questionnaires. Laura emphasizes the importance of more detailed assessments and manageable requirements for suppliers.

The conversation touches on the significance of fostering a culture of security and collaboration between organizations and their third-party partners. They discuss the challenges faced by small businesses in meeting complex regulatory requirements and the difficulties in finding the right cybersecurity services and talent. The episode showcases case studies that highlight successful third-party risk management programs and their positive impact, including significant reductions in incidents and quantifiable risk reduction.

The discussion also delves into the potential benefits of standardization in the industry, such as shared assessments, resources, and frameworks such as NIST CSF and HITRUST. Sean and Laura underscore the importance of collaboration, community, and a change in mindset to effectively address third-party risk in the evolving cybersecurity landscape. Throughout the conversation, practical insights and success stories are shared, providing listeners with a deeper understanding of the progress being made in third-party risk management while acknowledging that there is still work to be done.

The episode offers a thoughtful exploration of the topic, focusing on the need for collaboration, cultural shifts, and the development of more effective assessment approaches in order to mitigate third-party risk effectively.

____________________________

Resources

CISO Perspectives on Transforming Third-Party Risk Management: https://www.rsaconference.com/library/webcast/158-ciso-persp-transfer-third-party?utm_source=x&utm_medium=social&utm_content=158-ciso-persp-transfer-third-party-webcast&utm_campaign=september-2023-rsac365&postID=11353906220

____________________________

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here on ITSPmagazine podcast network. This is Sean Martin, your host. And as you know, listening to the show, I do my best to get people to think about how to operationalize all this security stuff we talk about. How do we change our business processes, our teams, our tech stack to, uh, not just protect the business from, from threats and attacks, but actually help them safely grow and then protect the revenue that they generate?

So, uh, a lot to do in there. And, uh, sometimes, as my guest, Laura Robinson, will attest to, given the report that she just pulled together, it's not always just on our shoulders. It's the people we do business with that, uh, that have a role to play in all of this as well. And, uh, so we're going to talk about, you guessed it, third party risk, something that I've been looking at for a long, long time, and I'm excited to hear what, what some of the findings are from the research you did, but before we do that, Laura, um, yeah, it's a pleasure to meet you. Happy to have you on the show. Share a few things with the audience about your role with RSA Conference and the program that you direct and head up. Yeah,
 

[00:01:19] Laura Robinson: thank you. Thank you so much. It's great to be here, Sean. So I'm Laura Robinson, the ESAF Program Director. I'm an industry analyst and I've been in information security for over 20 years, so obviously love it as I'm sure many of you feel the same way about this really exciting space.

I focus on working with CISOs to help them solve their biggest challenges and of course you guys can guess what sort of those challenges are and like Sean was talking about third party risk management being a huge one right now. So ESAF is an RSA Conference community of Fortune 1000 CISOs. We have our annual meeting at RSA Conference itself. We have digital sessions throughout the year and we do research reports like the one we're going to talk to, we're going to, we're talking about today. So the types of people who are leading this research, the program committee, are from companies, large enterprises like Walmart, McKesson, Liberty Mutual, Cisco, J&J, Procter & Gamble, Leidos.

So lots of companies you would be familiar with, maybe even you have some business relationship with. So they drove this research, and typically our sessions over the years have been confidential sessions where the CISOs share information peer to peer. I mean, Sean, I know you can appreciate the CISO
 

[00:02:50] Sean Martin: rules. 
 

I never get invited to those. I don't know.  
 

[00:02:53] Laura Robinson: Exactly. Right. And because they need a place where they can discuss things really confidentially, sensitive information, that sort of thing. But they decided that they really wanted to get out information about third party risk management to the larger community and some of the other things that they, um, tackle as well.

Like, our previous report was on board, how to report to the board. So there's some things that they felt like, you know what, it's really key that we not only share the information internally, but we get the information out to the larger community. And so we, we anonymized everything, but we are able to bring you really leading practices from some of the largest companies in the world through these reports.
 

[00:03:40] Sean Martin: And leading, I was reading through some of the findings and leading doesn't necessarily mean. Not proven, which is  
 

[00:03:49] Laura Robinson: cool, right? Yeah, no, that's right. They were willing to share really early initiatives. Like some of these companies, actually, all of the initiatives that are presented in the research, there are six case studies. 
 

And then the first part of the research kind of summarizes the findings. But all of the case studies are very... I mean, they're multi year projects, but like, yeah, like you say, Sean, it's not necessarily proven, but they want to share these ideas to get things moving. Let's change what we do in this area. 
 

[00:04:19] Sean Martin: Exactly. Exactly. Now this is the, the second report. Was it also a third party risk the first
 

[00:04:26] Laura Robinson: time? No, as I was mentioning, the first topic we did was on how to report to the board. Sorry, I did miss that. Okay. Yeah. Yeah. Sorry. Maybe I was talking too fast. But anyway, so the, um, how to report to the board was the first. This is third party risk management, and we'll see what other topics they feel really makes sense to kind of share their knowledge.
 

[00:04:49] Sean Martin: Apologies. I, I heard that in the connection with the, the sessions at the conference and I didn't put together the first report.  
 

[00:04:56] Laura Robinson: I've given you too much information at once. 
 

[00:04:59] Sean Martin: That's good. So hopefully the audience is listening far better than I as the host. Um, anyway, the, this is a topic that I think, well, it's near and dear to my heart. I've been, I've been working, have worked in this space for, for quite a while. And there are a lot of, there are a lot of companies trying or grappling with how do we get this large group of entities that we do business with, not necessarily under our umbrella, but how do we understand the exposure that they bring to our data and our systems and ultimately to our business.

And so in markets popped up, technologies came out, some stuff was homegrown, standards and frameworks evolved. Um, yeah, working groups. And so I'm interested what you've heard and what the research says with respect to how things have kind of progressed over the last few years.

Do we, are we starting to get a handle on it widespread or is it still pretty much the majority of the large organizations that are really kind of copped on to a way to make this work?
 

[00:06:14] Laura Robinson: I think, um, it's the state that we're at, the stage that we're at right now is, I think it is mostly these leading large enterprises that are kind of pushing the envelope and really changing things.

Now, let me tell you why. Why are they doing this? Because, like you say, third party risk management has been a problem forever. I mean, it's not really a problem, but it's been a challenge that organizations have had to deal with forever. So why are we suddenly needing to change all of this now? So what's been happening is, in the last few years, they have noticed, the CISOs in our community have noticed that it's the third parties that are getting hit with incidents and really affecting, I mean, the large enterprises themselves.

So if your supplier is taken out by a ransomware attack, now you don't have your manufacturing lines operating. If, um, your business partner has a data leak, now your intellectual property is out there. So these sorts of incidents are increasing and there's a really interesting chart in the research.

It's, it's internal research from the defense industry that they were willing to share with us that showed this perfect trend. I mean, perfect. Scary. But how the, the, um, attackers are specifically targeting third parties, or in this case, they were looking at specifically suppliers. So they were originally, like many years ago, they were basically attacking the large enterprises, what's called the DIB primes, the prime contractors.

But then, if you look at the graph, basically that disappears. They're not attacking the DIB primes as much anymore. They're going after the suppliers. Now the reason why they're doing that is because suppliers tend to have less mature security programs, and often suppliers in every industry are going to be small to mid sized businesses who can't afford the level of cyber security that a large enterprise has.

So the reason why this has become so urgent for so many enterprises is because their third parties are just getting pummeled with cyber attacks, and they just can't defend themselves. The large enterprises have gotten pretty good at it, but not the majority of third parties. Right.
 

[00:08:37] Sean Martin: Yeah. There's one of the stats I read is that 80 percent of the, of the Fortune 1000 have experienced an attack or an incident, I should say, uh, due to a third party, or maybe I guess at a third party, not themselves due to a third party, which is not, not shocking, but still surprising.
 

[00:08:56] Laura Robinson: Yeah. Yeah. They've had at least one significant incident that was caused because it was a third party that was attacked. So this is affecting their operations. And so they, they, they decided, look, we... we just had to do something, we had to do something completely different. And they're taking really different approaches. Like in some cases, they actually are providing their supply chain with security services. They just figured that their third parties were in, um, just didn't have what it took to defend themselves and they literally extended their security program to help protect them as well.
 

So that's how, um, how much risk these companies are facing. They're willing to do something like that.  
 

[00:09:47] Sean Martin: So what's, um, what are some of the, uh, clearly an incident is, is a reason to think differently about how you... you're tackling or ignoring. Yes. Yes. Yes. Um, do you have any insights into what other changes? I can obviously point to regulation. Um, is it, is it often driver?
 

[00:10:07] Laura Robinson: Yeah, that's a good point. That's another reason I think that has kind of pushed this change. It's also because regulators are looking at not only your own security practices, but they're asking you, okay, you share really sensitive information with third parties. Let's talk about how those companies are able to handle their, um, uh, are able to protect that information. So it's, it's also that, and I think, I don't, it's just across the board, really, it's all of the CISOs within the ESAF community consider third party risk management to be a top concern. It's these six companies within the community that kind of started doing things really differently and decided to share with their colleagues what they were doing.

And I think you can take away some great learnings. The way that companies do things traditionally, and I'm sure you're familiar with this, Sean, I'm sure you've maybe even been given one of these really long questionnaires to fill out. They can be hundreds of questions long and they ask you to attest to the controls that you have in place.

And then another thing that companies do is they go out to these cyber security rating services. And they, they get you, they get a score for what your security posture is like, how secure your company is. And then also SOC 2 reports. Again, talking about compliance, something that companies will ask for is how you align to that particular compliance framework.

So, it's really focused on assessment, but the new way that things are moving is to still do assessment, but not just take the self attestations, actually get evidence. So they're going to start asking their suppliers and their business partners, show me your phish, the results of your phish testing, phishing testing, show them results of your penetration testing, um, your incident response plans.

They want to see evidence of the controls rather than just having you fill out a questionnaire. So that's one change. Um, and then the other thing that they're doing is actually putting more specifics in the contract. Previously, companies had very general requirements. You have to meet particular standards or you have to have a security program in place, but they didn't get very specific.

Now they're getting really specific. And they're putting in some incentives and enforcements to kind of hold you to those requirements. So I think it gives ideas, this report gives ideas not only for large enterprises that are hoping to change their third party risk management programs, but also for the third parties.

Because these companies are going to start being assessed differently. They're going to be held more accountable, but in many cases, they're going to get some help. The enterprises are going to help them build their security program.
 

[00:13:20] Sean Martin: Yeah. And I know the, uh, the healthcare space has been regulated to tackle this problem. And then some of the more mature sectors like financial services and. Oh, absolutely. Yeah. Critical infrastructure. I mean, we see a lot of work in federal government with the SBOMs and the whole supply chain. Oh, that's a good point. Playing a role there.
 

[00:13:43] Laura Robinson: Yeah. Right. So definitely regulation is driving this as well. 
 

Some things like SBOM. So the government agencies are holding companies more accountable for how they're sharing information and working with their third parties. So definitely, um, not only threats, but regulation.  
 

[00:14:04] Sean Martin: Absolutely. So what's, um, I think you alluded to a few things that are starting to shift. Yeah. Are there any, any... points from the, from the, uh, the report that you want to share that really highlights where change is taking place, these strategies. Yeah,
 

[00:14:25] Laura Robinson: sure. So, I talked about the fact that companies are changing the way they assess. So, in many cases, they're still doing that questionnaire. It's not like the questionnaire goes away. They still send you a questionnaire and have you fill it out. They're just not going to focus their third party risk management on just following up that questionnaire. Because, as you probably... can guess or maybe even have experienced, a lot of companies, it's kind of like just a checklist, right?

Like, they just check everything. And so they're not really giving you very deep or substantial information on their security controls. A company that might check the box. Yes, we have a security training program, but that might be sending an email to all the employees once or twice a year just to remind them about security.

Like, you know, it's, that's not really what the enterprise would expect. So, they're getting more detailed about what the controls are, and then the actual requirements that they want companies to focus on, it's getting more manageable. So, rather than having 200, 400 questionnaires, sorry, questions to think about, they're boiling it down for you.

Some company in some, some of the companies in our, um, case studies have boiled it down to like, order of magnitude, 10, 20, like literally, we want you to do these things and do them really well. So that's, that's another kind of big shift is actually getting companies to focus on a set of requirements.
 

[00:16:15] Sean Martin: Yeah. Then another thing I saw in there and, and. My co founder, Marco, and I talk about this, it seems very often, um, the, the idea of a culture. So it's a mindset, it's, it's not tech ticking the box. It's actually living and breathing the reason why you're doing something. And in the report you mentioned, or it's listed that, that they're offering in helping with training and awareness and, and which to me, isn't just about the training and awareness. 
 

It's about that connection. Yeah. The relationship and the culture between the entities. Uh, I don't know how well that scales, but, but the point is that a sense of, a sense of camaraderie and we're in this together, all ships rise with the same tide. Definitely. If we raise the tide, we're all doing better. 
 

Um, is a key point, I think.  
 

[00:17:09] Laura Robinson: Yep. The, that is another kind of part of the shift is rather than saying, okay, we are going to be assessing you. It's, we're going to work with you to not only evaluate your controls, but help you with things like training and that sort of thing. So, one of the companies in the report has been working with the CRI. 
 

And I'm sure you're familiar with the Cyber Readiness Institute, which provides free resources for small businesses. So they actually developed a training program that their suppliers can go through, get certified, and then they get certain perks, certain benefits as a supplier for actually getting certified through that training program. 
 

[00:17:57] Sean Martin: Interesting, because I think one of the things that I've experienced over the years is um, I mean, it was a big problem. You talk about the spreadsheets and it could be, I mean, think about the, the third party, right? They're a supplier to hundreds of companies. Yeah. They have to fill this out a hundred different times.

Right. And, and to your point earlier, it, it's probably not accurate, certainly not very meaningful. And chances are the, the customers, that third party probably don't even read it or evaluate what's in it. Anyway. Um, I've even heard stories of, of this is the salesperson trying to close the deal, the Lancelot at any way possible just to get the deal done, which has no, uh, no real bearing on any, any, uh, upleveling of security posture when that happens.

So the point is it's been a tough problem. There've been solutions that have come out and yeah. And I think you bring regulation in which, which forces companies to do certain things in a certain way so they can report that they're doing them that way and not defined. And then you have the, the, the vendors that there are, the customers, the providers are working with that they have to answer to as well in one of many different ways.

And the solution to those two problems can't be bigger problem itself.
 

[00:19:25] Laura Robinson: Right? Oh, yes, exactly. And so, that comes up in the report. The fact that, I mean, as you mentioned, all of these third parties have, they could potentially have hundreds of customers. And so they have hundreds and hundreds of questionnaires they have to fill out.

Some of their customers are wanting them to have audits done constantly. So, ideally, and now, you know, this is not gonna happen overnight or anything, but ideally it would be nice if there were more standards. Like, if an industry could set a standard that these are the requirements for the suppliers in this industry, and then this is, um, how you will be assessed, and they could be assessed once, and then all of the large enterprises could just use that assessment.
 

In two of our case studies, things like that are starting to happen. Um, the defense industry has actually moved to a set of 10 requirements that they want all their suppliers to focus on. And then also through regulation, like you mentioned, things like the CMMC. Um, which will be a way of the, not just the prime companies, so the large enterprises to be assessed, but also their suppliers. 
 

And the idea being that they're going to be able to prove that they meet a certain level of, um, security, and then they're able to bid on certain types of contracts. So this kind of standardization is starting to happen. In the healthcare industry, which you mentioned, one of the other healthcare, sorry, one of the other case studies. 
 

The healthcare company case study in the report actually talks about they're trying to drive an industry effort, which would do just that as well. So the assessments would all be on one platform that all of the various enterprises could access. So it's starting, and it would sure help the third parties themselves. 
 

Yep. Because they're just faced with all these questionnaires constantly.  
 

[00:21:39] Sean Martin: And, um, yeah, I know, uh, the healthcare, given the HIPAA HITECH stuff, has been under the, under the gun for this for a long time. Yep. I know, uh, the HITRUST framework is doing a lot to help kind of Mm hmm. bring a cons, a consistent manner with which all of this can be managed.
 

I don't know if the, the healthcare company is using that or not, but, um.  
 

[00:22:04] Laura Robinson: Yeah, they mentioned HITRUST. Absolutely. Yeah. As part of their
 

[00:22:07] Sean Martin: standard. And I, I think the other, the other interesting thing is, and especially as we start talking about third parties and parties and organizations that, that use all this supply chain to do their stuff.

We're talking cloud services here. I'm not just talking about a widget that gets created and sent, right, as part of it, that's part of a manufacturing process. This is cloud services, mail services, right, retails online server, whatever it is that helps, helps the company. I mean, think of health care.

They're not just HIPAA. They have to be PCI compliant if they take a credit card for services provided. They have to, um, be SOX, uh, Sarbanes-Oxley. I think if, if, uh, they're doing loans or something, I don't know. But any, my point is they have to adhere to a number of things. And then you have the SOC 2 that some companies want.
 

And there's a lot of, this is where my point is, there are a lot of requests and requirements that just overload on top of these small companies.  
 

[00:23:08] Laura Robinson: They just want to deliver their service. Exactly, and the problem with the way things are the traditional way is that the third parties get so bogged down in trying to figure out how to comply with all these regulations, figure out how to, to meet all of these standards and fill out all these questionnaires. 
 

They don't have time to actually do security. So the companies in the research, they, in realizing, wow, our third parties are getting hit. They, they really don't seem to have very good security programs. Why not? So they actually did research. They did focus groups. They surveyed their supply chain, that sort of thing.
 

And they found out why they're struggling. And it's like what you're saying, like, they're told to comply with some very complex regulation and they can't make a security strategy out of that. It's just too complex for many of them. So it's interesting that so many of the things that these companies have been told to do, they just, they don't have the level of expertise in cybersecurity to do them. 
 

Running a cybersecurity program takes a lot of expertise. And a small business isn't going to have that.  
 

[00:24:34] Sean Martin: Exactly. Yeah. That it's not, and it's not necessarily that they don't want to want to do the  
 

[00:24:41] Laura Robinson: right thing. Exactly. They do want to do the right thing. They just, they may  
 

[00:24:45] Sean Martin: even have a budget to allocate. 
 

They just don't know where to start and how to do  
 

[00:24:48] Laura Robinson: it. Exactly. In some cases, it's just not even necessarily affordability. I mean, in many cases it is, but even if they do, even if they've set aside pretty significant budget. They can't find the right services. They can't find the right talent. I mean, talent is hard for large enterprises.
 

So there's a lot of issues that third parties are struggling with. And you're totally right. It's not like they don't want to be secure. Of course they do. Everybody does.  
 

[00:25:16] Sean Martin: Yeah. So there, there's a, in the summer I'm reading a quote from Cecil Leidos, um, saying that for years this seemed intractable, but it seems like based on the conversations we're starting to move the needle and some folks have begun to, I'm paraphrasing now, uh, crack the nut. 
 

Yeah! We will. Um, do you have any... Are there any case study success stories in, in the final report that, that kind of say we reduced X amount of time, or we've lowered the number of successful incidents that are across our third parties, or, or, we don't upset our third party providers anymore. Any anecdotal or, or tangible items there to share? 
 

[00:26:02] Laura Robinson: So definitely there are, there are some results that are provided through the report. All the CISOs really wanted to provide that caveat of, you know, these are early days, so we don't have, you know, really a lot of results to share yet, but they're all really confident that they're on the right track with what they're doing.

They, we do have, we do have some numbers. Like one company had over a hundred third party incidents. So a third party would have an incident. And, um, in the past they might've been affected by those incidents, but now that they've changed the way that they're doing their security, or sorry, their third party risk management, they weren't affected in any significant way by any of those incidents. So that company in particular is really focused on building resiliency against 3rd party incidents. They figure they're going to happen. We're going to put in place our own controls and our own sort of, um, risk management in order to make sure that doesn't happen, um, make sure it doesn't affect us.
 

So that's one. Um, and then another company, the healthcare provider, actually figures that they're able to quantify their risk reduction. So they are seeing a noticeable, quantifiable reduction in the risk. I think they said like 15%. They're pretty confident by the end of 2023, after many years of this program, that they're able to reduce their risk by 15%. 
 

So they're definitely on their way to better results with this sort of new approach.  
 

[00:27:49] Sean Martin: Yep, I love it. I love it. Um, it's easy to get mired in the we're not there yet, uh, things are still challenging, but it's nice to see that, uh, as was noted in the quote, that we are moving the needle. Finally. And I think what, what I find interesting and valuable, and uh, again, Marco and I talk about this all the time, not just the culture, but the community. 
 

And this is where, um, this is where I think the, the value of conversations, open and candid conversations, even if they are behind closed doors and, and sharing insights with each other and best practices and lessons learned and all that stuff, the, the value of CISOs coming together, um, to share. Oh, absolutely. 
 

It's super, super important.  
 

[00:28:37] Laura Robinson: Yes. Yeah. And so ESAF is a great place for Fortune 1000 CISOs and we definitely, you know, would, would welcome any new members, any CISOs that have responsibility for a large enterprise. But I mean, RSA Conference itself has all sorts of other information sharing for security executives and security professionals.

So, just don't forget that the submission, the submission is open for, um, uh, if you want to have a session at RSA Conference to share information with your peers, then get it in before October 6th.
 

[00:29:18] Sean Martin: You know, that's, that's a great point because I think, yeah, I mean, there's so many different tracks at, at, uh, RSA Conference. 
 

So many things. There's so many different people. I would love to see more around the business and around the CISO and best practices as well. Yeah. Yeah. So, so any,  
 

[00:29:37] Laura Robinson: uh. Well, they have, um, besides ESAF, uh, which is a closed door community. There are other, um, communities of CISOs who, that meet at RSA Conference.
 

So definitely go to their website and figure out where you could plug into all  
 

[00:29:52] Sean Martin: that. Exactly. Exactly. Don't, don't sit on the sideline, sidelines, get plugged in. Yeah. Yeah. So I'm, I'm gonna note, uh, I mean, we're obviously, uh, ITSPmagazine, huge fans of, of what RSA Conference does, uh, with and for, uh, the community at large.

And, uh, Marco and I appreciate being, being part of that community and, and participating and getting to share stories like this, a thousand CISOs at once. That's a lot of, a lot of story in one sitting. And I would encourage everybody to participate in the conference. If you have a story to share, as Laura mentioned, submit a talk.

Share that story. Help, help folks understand what you're doing. If you have a story to share with us, um, even if it's, we don't know what we're doing and we want to talk about what we don't know, so we get people to think, I'm happy to have that conversation too, so the point is: talk, share, learn, collaborate, be part, participate, and, uh, Laura, I think, uh, what you've done with this research is great.
 

I'm going to have to look back on last year's for the boardroom talk. Yeah. Yeah. That's, uh, another important one. That was fun too. So we'll, we'll, uh, we'll include a link to this report in the ESAF website so folks can find the other one as well. Yeah, that sounds great. Yeah, I don't know, any, any final words in, in  
 

[00:31:19] Laura Robinson: parting? 
 

Well, just the quote that you, uh, brought up, I think probably most people who are listening, if they are involved with third party risk management, you probably have been feeling like this is an intractable problem for so many years. We've been talking about it at ESAF, well, since I've been part of ESAF, so almost 20 years.

And it is kind of interesting that it just always seemed like, Oh, we're just not getting a handle on this. We're not totally understanding where our third parties are, etc. So it's just cool. I'm excited that, um, I didn't know if I would see this kind of movement in this space because, you know, it's not a sexy part of information security.

It's not like threat hunting. Right. But it's so important and the fact that people are being really innovative, it's exciting. It's really exciting.
 

[00:32:11] Sean Martin: Definitely innovation, uh, taking place and it's, I'm glad to see that the, the needle is moving. Yeah. And, uh, the needle's moving. It was a pleasure to meet you, Laura. 
 

Hopefully you too, not, not our last chat. I hope to have you, hope, have you on the show again. See you at RSA Conference. When is it? May 6th through 9th. That's
 

[00:32:30] Laura Robinson: right. See you there.  
 

[00:32:32] Sean Martin: My advice to everybody, book your hotel room now.  
 

[00:32:36] Laura Robinson: Right. Register early and book your hotel room.  
 

[00:32:40] Sean Martin: Of course. Yeah. Register and book. 
 

So, um, and thanks to, uh, the RSA Conference team for, uh, including Marco and I and ITSPmagazine family and everything that's going on there. And stay tuned for more and, uh, thanks everybody for listening. Thanks Laura for joining me. We'll see you all on the next one. Thank you.