Partner Interviews: DatumSec, Third Party Risk Assessments

Introduction. At Gate 15, our team focuses on risk management and organizational security and resilience, with unique expertise in threat analysis, operations and preparedness (planning, training, exercise and continuity) support. Recognizing that clients and partners require additional technology, services and capabilities to effectively manage their complete risk profile, our team partners with organizations that can enhance our competencies and which offer additional risk management resources that complement our capabilities. On the "About Us" page of this website, you'll see some of our outstanding partners. In a five-part series, we'll be posting interviews with these partners to share more about what they do and how they can help organizations reduce their risk and enhance preparedness, security and resilience.

DatumSec: Interview with Michael Schell, Vice President of Business Development and Strategy

Third-party risk is something organizations are increasingly understanding must be a part of their broader organizational risk assessment. As evidenced in numerous data breaches, third parties and supply chains can be the links that adversaries use to access bigger or related targets. In relation to cyber risk, can you briefly explain what third-party risk is and provide some notable examples of how things went badly?

Unfortunately, there is a tremendous lack of communication between procurement, risk management and cyber security teams. 3rd and 4th parties are being granted access to extremely sensitive intellectual property and customer information with only a subjective questionnaire being the gatekeeper. The desire to select a vendor and begin/finish a specific project is much higher than the desire to understand the cyber risk a selected vendor may introduce. It has become much easier for attackers to hit the supply chain and see what the relationship might have in terms of value. DatumSec data proves our hypothesis: a questionnaire for small and medium vendors is neither adequate nor sufficient to address cyber risk in 2016.

In a few sentences, can you describe generally how the DatumSec Vendor Assessment Program works and how it allows clients to better understand and decrease their risk environment?

Cybersecurity has been focused on selling products and services to large enterprise, often overlooking small and medium businesses. The DatumSec Vendor Assessment Program is designed to reduce audit costs by automating the process with software and services. We provide a very cost effective solution to help SMB vendors ensure best practices are implemented properly (NIST/SANS). We instruct our clients to transfer cyber risk to their supply chain and, if possible, their cyber insurance coverage. External scoring is great for an external view, but can be misleading or inaccurate.

If I'm a risk manager or security leader, I might say that I conduct risk assessments and update those regularly. Why would an actively engaged leader want to consider DatumSec on top of their existing assessment process?

Risk managers and security leaders are understaffed and overworked, sometimes underfunded. I would recommend automation as much as possible. Most security leaders know the burnout that comes with evaluating log data or performing routine penetration tests, thus leading to attrition and fatigue. Find creative ways to allow your team to use their skills and experience on challenging projects. Security professionals hate "check box" strategies and prefer objective results. Let DatumSec perform the routine security controls audits on your SMB vendors, have your supply chain remediate their own cyber problems, and get back to working on challenging security problems.

On your website you promote that DatumSec is "ideal for small and medium vendors." Being one of those, I know we're constantly trying to manage tight budgets, limited time and critical needs. In a world of so many competing needs, how does DatumSec help add value to a small or medium-sized business?

We provide extremely cost effective pricing to support organizations with little or no budget. Our pricing is under $1,000 a year for unlimited scanning and unlimited audit submissions to their clients. We have kicked around the idea (thanks to client feedback) of providing a version of our software for free. If we look at the numbers, over 95% of all businesses in the United States are considered small or medium businesses (US Small Business Administration). Download our software, run the lightweight agents, and begin the remediation efforts. Our model will help SMB vendors reduce cyber risk, show due diligence, help build trust, and provide a competitive advantage over the laggards in the industry who refuse to take cyber risk seriously.

We work with a few collaborative communities focused on enhancing the security and resilience of their members, such as Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs). Is there a way for such groups to employ DatumSec?

Absolutely. We are more than happy to share our data. We feel we better serve the community by helping to educate organizations on addressing an often overlooked element, the small and medium sized vendors. We like to challenge organizations by asking a few simple questions:

  1. How many critical vendors do you rely upon?
  2. How many of those critical vendors are SMBs?

If someone reading this post is curious for more information about your products and services, what's the best way to get more information?

If anyone at any time has any questions or wishes to test, please feel free to reach out to us via email at websubmit@datumsec.com or email me directly at mschell@datumsec.com. We have some pretty compelling data that can help organizations quickly identify low hanging fruit within their supply chain and design a proper risk mitigation strategy.

Thank you, Michael! There is a lot of great info above and DatumSec offers an awesome solution to small and medium businesses that are always trying to balance limited time and resources while meeting compliance requirements and ensuring security for their greatest business risks. In today’s environment, so much of our security posture is contingent on our neighbors, supply chains and vendors’ security and risk management. I love that DatumSec can help organizations wrap their arms around the cybersecurity component of that challenge to minimize third-party cyber risk! And, thank you for your military service!
