Host: Welcome to DSCI Insights in Action. Today we are fortunate to have with us Kevin Tierney, Chief Security Officer for General Motors, and Karen Evans, Managing Director of the Cyber Readiness Institute, to discuss a vital area of supply chain operations: third-party risk management. Thank you, Kevin, and thank you, Karen, for being with us. This is a timely discussion because not only is supply chain resilience top of mind for global business leaders, but October is also Cybersecurity Awareness Month, when organizations in the US, as well as around the world, are focusing on educating the public and private sectors on the importance of maintaining good cybersecurity readiness practices. That is an action CRI tackles all year long, and Karen will tell us more about it, focusing also on providing tools to the small and medium-sized businesses that make up the majority of participants in the global supply chain. Understanding and knowing that global organizations have their internal teams, but also caring about those small and medium-sized enterprises who don't, CRI is their partner going forward. Kevin, in addition to his role at GM, is a member of the RSA Conference Executive Security Action Forum (ESAF), an organization of Fortune 1000 chief information security officers that has been helping companies improve cyber risk management for the past 20 years. Now, last month ESAF published a report on the state of third-party risk management: how top CISOs are transforming third-party risk management. That report cites a survey of 100 CISOs of Fortune 1000 companies in the second quarter of this year that found 87% of the companies were affected by a significant cyber incident at a third party in the past 12 months. So this is an alarming number, but what is important is what actions are actually being taken to mitigate it.
So thank you both for joining us for what really seems to be a promising discussion, with insights which can be actionable for all people who are interested in the topic. So let's start, maybe as we always do, with a bold statement. Knowing what the report has shown, we can start with the notion that traditional cybersecurity approaches are ineffective today. So how do we find ourselves in this situation, where the traditional approach to risk management is no longer effective? Kevin, can you please start?

Kevin: Yeah, thanks for having me. Good morning, everyone. So I think this is a great report that ESAF published just recently, because it really pulls together a conversation that's been happening with top security leaders for several years. And if you go back several years and think about how security programs have evolved across companies, it really started out focused on the company and the IT systems itself. There wasn't as much of a focus on the third-party business partners and other ancillary parts of the business. And so a lot of the resources and the primary efforts of the program were around protecting your own company's infrastructure. Well, I think the big companies like General Motors and others along that sort of scale, I think we've made the right investments over many years to get to an okay spot. I mean, we're never perfect in security, as you know, but I feel like we're in a relatively good spot. And I think the hackers have realized that as well. And they've realized that going after the big Fortune 100 type companies isn't netting the results that they once had. And so they've turned their targets on smaller and medium-sized companies, which are largely a lot of the companies that we depend on for supply chain activity, whether it's parts or other services that go into our vehicles. It's generally these smaller and medium-sized businesses that are now taking on the brunt of a lot of the cyber activity.
And at the same time, these are very cost-pressured organizations. They don't have all the resources that a large company has. And so it's a bit of a perfect storm that we're seeing, where these companies are really facing the front lines of a lot of these attacks. And so when I say the traditional measures aren't really working, really what we created was a contractual sort of obligation on behalf of all of the companies that do business with us to do the right thing for security. And what we're seeing is that that's really not having enough effect, because these companies are continuing to face issues or continuing to have cyber attacks. And so where we were doing risk assessments, where we were doing questionnaires, we were working with vendors and third parties, there's a whole host of new things that are coming out that try to assess the security score of a company. And what we've seen is that it's not moving the needle, and we're seeing more and more attacks. It's not going down; it's going up in a lot of cases. And so that's given us pause to step back and reflect and say, hey, there's got to be a different way. Brute-forcing this all independently as separate companies isn't probably the most efficient path either. So what's working out there? Let's find a new way. Let's try to understand collectively how we can all get better together. So I'd say that's kind of how we got to where we are today. And I think that's why this sort of conversation and this sort of report is so timely.

Host: Thank you very much, Kevin. Just trying to extend what we have started with this question, Karen, I think the view from CRI, in the sense of: is the alarm bell going off for small and medium-sized enterprises, like small organizations, or not? I think it's very interesting to hear that side of the story.

Karen: First of all, thank you so much.
And I always like listening to Kevin speak, because it always makes me think a little bit about what CRI is doing and kind of flipping it in the opposite direction. And that's probably, primarily, Marco, one of the reasons why I joined CRI. I have held large positions, policy positions, operational positions for close to 25 years, managing large enterprises within the federal government that depend on private industry, but also recognizing that it's small businesses. And when I was working on all that, I saw what we were pushing wasn't working. We drove a lot of the policies that people are implementing. We developed the frameworks, we developed the standards. A lot of those things, the intentions are great. The implementation is really hard. And so the outcome that everybody wants to achieve is the right outcome, but things get lost in the details of implementation. So to answer your question, are the alarm bells going off in small and medium businesses? I think Kevin hit it by saying they are resource constrained. So when they're looking at these things, they look at the problem differently. I want to be a good trading partner to GM, but I'm not necessarily thinking about all the outside risks associated with the technology I'm using. I'm thinking about: GM has requirements on me, and I want to be that good trading partner in that supply chain. What I think Kevin also has highlighted is that a lot of our adversaries, or hackers, or whatever we want to call them, look at the large companies, and then small companies become targets of opportunity in order to fund the long-term plan that they have against a larger company, or our nation as a whole here in the United States, or any nation where a small business is in a supply chain with a large company. And so it's a really complex landscape, when they're very focused on, I want to grow my business.
So that's a long answer to the question, but it's really building off of Kevin's point about the resource constraints of small and medium businesses.

Host: Thank you very much, Karen. And I think you, let's say, linked things very well, in the sense that on both ends of the spectrum, the global enterprise and the small and medium-sized businesses, both parties are looking into how the synergies can work in order to improve overall security. And this brings me also to the next question. Kevin, the report offers seven new types of approaches, from setting priorities to verifying security controls to even providing security services. So can you discuss the new recommendations and why they appear to be more successful at reducing risk?

Kevin: Yeah, no, absolutely. And I'll try not to make this a test. You'll see if I've been able to memorize all these seven priorities. But like I mentioned earlier, a lot of this really started out of contractual obligations. So what the security team did in the past was look at what they were doing internally, write it down on a piece of paper, and talk to purchasing and say, hey, make sure that the companies we're contracting with are doing these same sorts of things. Then that evolved into active questionnaires, or a lot of that's self-reported, but: here, answer all these sorts of questions, and if we have issues, we'll contact you and we'll talk about it. And that's evolved a little bit more into active auditing and actually being on site in some circumstances. And then ultimately, now we're in a space where there's a lot of third-party companies who are doing assessments and doing scoring. And I mentioned some of that earlier. But that's kind of the boundary of a standard third-party security program today. What you see reflected in the report is really: where do you go from there?
And are those things truly effective, or are they really having the effect? The hypothesis is no, because we're still having more and more cyber attacks in these sorts of areas. And so if you go through it, a lot of this came from active discussions that we've had as security leaders. So we've been in the room and we've said, hey, this isn't working, that's working. Hey, we're really frustrated with this whole thing. We feel like we're not making progress. I mean, there's been a lot of, I'd say, stewing over the problem. And I think that's why we really said, hey, this is a really good topic to pull together, organize our thoughts, see what everyone's doing, and then that can hopefully serve as a kind of mechanism for others to learn. And then ultimately, hopefully, get to our end goal. I don't know that we're there yet, but I think this is definitely a great step. So some of the key aspects that are in the report: first of all, prioritizing the requirements. I mentioned earlier, a lot of times it's, here's all the stuff, here's the reams of requirements. Well, as Karen indicated, these companies are resource constrained. So if I as General Motors give them a stack of 10,000 pages, it's not gonna happen. So how do I help prioritize what are the most effective security controls that a company can implement? And then go deep on those. So instead of just saying, here's what we want you to do, and walking away, having a bit deeper conversation, getting evidence that those controls are being implemented appropriately, having a bit more of a two-way dialogue. So building that relationship becomes really important. In addition to that, looking at the problem more from a resiliency perspective. So instead of just saying, let's put everything against stopping this, let's also think about: if it does happen, how do we recover fast? How do we eliminate the downtime, even if cyber events are occurring? And I think that's a really important area.
And it's one that the security team and other cross-functional parts of the business really have to work together on and understand: how do you keep the business as resilient as possible in the face of lots of different risks and threats out there? Whether it's a cyber attack or a tsunami or labor outages, there's all kinds of these sorts of risks out there that we have to think about in terms of how you run the business. And so I think bringing cybersecurity issues up in that conversation, and making sure that we are thinking about our supply chain or our supply base, how we're transporting goods, and how we recover very quickly in those sorts of circumstances, becomes very, very important. Another piece of it is help and resources. And I think CRI is a great partner in this, which is helping to bring education to these companies that are resource constrained and giving them kind of a leg in the door. Here's information: people could be taking these courses, and they never thought about cybersecurity, and they're having to kind of come in on the ground level. I think it's extremely important. It's a resource that we leverage and we share with our supply base. And I think it's programs like that, as well as maybe engaging in your ISAC, ISACs or Information Sharing and Analysis Centers, that are kind of organized by sector. There's many resources in those if you can get engaged, and just ourselves as an OEM, or original equipment manufacturer, we work with over 15,000 different suppliers, and we try to offer resources ourselves, things that we can do to help these companies become more effective. So all those things, I think, taken together, are really helping to create a lot of resources to help, but there's probably still more that we can do there. And then finally, it's really about incentivizing. I don't like saying enforce, because I feel like we started from a place of enforcement, and I don't know that was as effective. How do you incentivize these companies?
So if they are resource constrained, what can make it easier for them to implement it from a cost perspective? So some of the things that industries are doing, and honestly we're looking at this in automotive currently, is how do we kind of pool resources as the OEMs together? How do we commonize on that priority set of requirements and then make it easy for a company to certify, where they can sell to any company and be achieving some level of security that's been certified? And I think that creates an environment where they only have to do something once; it's cheaper, it's more effective, and then we're not all wasting all of our time doing the same thing over and over again. So I think there's something there, and there's some great case studies that talk about that. Bringing the business along, I think, is another very important aspect, because this started really from a security team perspective, trying to provide requirements. But more and more often, it's a two-way dialogue between us as the security team, the business, and the third party, because the business is the one that's in the primary liaison seat with those companies. They understand what they're providing for the company, they understand how to interact with them, and so we're there to help, but making sure that everyone understands that this could affect any part of the business any day. And then finally, I know that's a long list, I'm sorry, but the final thing that we talked about was actually providing services ourselves out of the companies. Some companies are in a position to do that. Again, I think all of these depend on what kind of industry you're in, what kind of company you are, what size and resources you have, what your relationship with your suppliers is like, but that's another scenario that could help, where maybe your industry is underserved by security services providers and you see a role that you can play. So there's been several case studies along those lines.
So I don't think those are exhaustive, but I think it's a great list of, here's the next steps. Some things work better in other industries. There's probably a lot of people, and we'll talk about this in a minute, who are probably doing pieces of them and maybe not everything, but a lot of different aspects of all the seven different areas. But again, taken together, this is representing what I think a lot of leading companies across all industries are thinking about and trying to execute when it comes to third-party security. So I think it's kind of state of the art. I think it's where the boundary condition is, and we're still learning. Every day is still a learning activity.

Host: Thank you very much, Kevin. And what resonates from what you shared is that it's a living document, right? It didn't start with several points that were then carved in stone; you learn as you go, because the market conditions are continuously changing. And I think you gave a great segue with sharing that, for instance, resilience is a very big thing, because it's not if the cyber attack will happen, it's really when. And then the key thing is how we react to it in that sense. And also you mentioned people and raising awareness and then building a muscle in that sense. And then you mentioned certification, and that brings me to you, Karen, and to the experience of the Cyber Readiness Institute, and basically your view of what are the best tools and actions for small and medium-sized enterprises to build up the muscle Kevin has shared.

Karen: Well, and it was great. Again, like I said, I always love listening to Kevin speak. And it hit on a couple of things, where he talked about resilience. So I really like to start there and kind of build backward, right? And when you look at the foundational types of activities, you have to have a good solid foundation in order to build upon several of these other alternatives that are mentioned within the ESAF report.
And that's really what the Cyber Readiness Institute is focused on for small and mid-sized businesses. It's building a strong foundation. So we're not focused on the technology, because we know they use technology. You can't go into a small business that's not using Apple Pay or Google Pay or the little iPad to do the receipts and send you stuff. They're all using technology, but they may not necessarily realize the risks associated with that. Or they don't really, and I think this is one good thing that came out of COVID, is that small and medium businesses really got to understand how the supply chain worked, where their weaknesses were, what they needed to do in order to be able to stay in business, and who was up and down that chain that they had to interact with. Again, they were using technology. So CRI focuses on four foundational activities, not on technology. And when you hear them, you're gonna be like, yeah, okay, that's a no-brainer, because it's passwords, multi-factor authentication, automatic updates, phishing, and removable media, which deals with storage. And phishing is the human behavior. And really what we're very focused on is building a culture of cyber readiness. So as they continue to grow and they have more and more partners and they participate in more and more of the global supply chain, they're gonna be cognizant of the risk. They're gonna be thinking about all the questions that Kevin brought up, all of where those interactions are, how do I become resilient? One of the key things that we put in the program with our new release that came out in March was the business continuity plan. So it's not just the incident response plan, but it's a business continuity plan. And it's based on an ISO standard, but we don't tell them, hey, here's the ISO standard number, here's all the set. It has a worksheet that makes them ask key questions about how would you do accounts payable?
How would you do accounts receivable if you lost the power, if you lost this? It asks a series of questions where you're like, oh, you know, I really do need to plan on this. And then there's a prioritization work plan. So then what we do is we also give them policies. We tell them they have to train their people, and we even break out all our videos so that they can use our videos to then train in these four core areas. So when they're done and we walk through the playbook with them, we verify the playbook, they do get what we call a certificate of being certified cyber ready. They can go through our program now on the website and just complete it and still have all this. But this is the part, Kevin, that I think links into what you're talking about: we are working jointly right now with, for example, the Cyberspace Solarium 2.0 group about the foundation, about the certificate that CRI issues, right, that a company would earn. Is that foundational product, is that foundational playbook with those artifacts, can that then be recognized as that foundation that you build upon when you then go into a different vertical, and then you just need to do the delta, you know, and do the change and something that is specific? So we are running a pilot right now in water utilities, specifically focused on small and medium water utilities, because they're under the, they don't have to do a risk assessment as required by the government. But they are critical in their geographical area to major companies, to defense bases, to local communities. And so it's focused on water and waste. And so we're going to study that, we're going to implement it. We're going to do up to 200 utilities, gather the data, and then really analyze, like, hey, does that really improve, to your point, Kevin, reduce the risk for everybody upstream and then downstream, and then be able to show those artifacts to all their partners?

Host: So actually, thank you, Karen, for sharing.
You know, you hold the hand of those companies who are willing to embark on the journey to satisfy the cyber readiness requirements of the large enterprises. And I think that also brings me to the next question, Kevin, which will be directly for you. And it can help our followers also to understand and see how a successful large enterprise like General Motors is addressing the findings in the report, and what changes you are instituting.

Kevin: Yeah, it's a great question. And I foreshadowed it a little bit in my last response. We're doing a little bit of everything to some degree, and we're looking at all options, of course. But let me talk a little bit specifically about kind of where we are in that journey, and what things will probably fit better in the automotive industry versus maybe a different sort of setup. The thing that we started off with was prioritizing our requirements. So we've been on a journey; I think we're on the third or fourth version of our third-party information security requirements. And every one of those iterations has been about clarifying, simplifying, prioritizing, and making sure that if we're giving requirements to a supplier, they're appropriate. Again, I don't want to send 10,000 pages. I want to send just what you need as a supplier. And we go through a pretty rigorous process of understanding the risk of each one of those third parties. Are they handling sensitive or private information? Are they creating software for us? Are they part of our safety program? There's many different things that we look at, and based on what they're doing for the company and what their risk level to the company is, they'll get a customized, prioritized set of requirements.
We've also been going deep, especially with our critical value suppliers, which are kind of the highest tier, having more bi-directional conversation, more auditing, more conversation around those core security controls that we keep going back to. And I think that's been improving, but I think it's only one piece of it, right? That only goes so far. Resiliency is something, of course, that's a very broad effort across the entire company, to ensure we have resiliency across our supply chain. And so we have been bringing cybersecurity into that conversation, understanding: do we have single-source components, single-source services? Are things in geographic locations that are risky? If we're dependent on an organization and they go down, what's our backup plan? There's a whole host of things that we consider. And I think it's really good that we're doing that. But again, that's another thing; I don't think you can ever be 100% resilient. There's no company in the world that can just have multiple sources for everything and everything's always perfect. So I think it's another area where it's eating away at the pie, but it's not gonna get us 100% there. But it is a mindset, it's a culture shift of, hey, here's the sort of things that we need to be ready for. And honestly, I think we've had a lot of it built in for many years. When we do have cyber events in our supply chain, I always hear from the team: you have the teams on manual operating procedures, they're still able to process material, they're still shipping things, but they're running a maybe less efficient process, or they're having to do things by hand, or whatever. But in every one of those circumstances we've been able to circumvent the issue.
We've been able to mitigate the issue for enough time to allow the company to bring itself back up and get back on its feet. And we've lost very few units of production as it relates to a cyber event. So we've got it built in, but again, as attacks get worse and companies maybe aren't following along fast enough, I still have a lot of fear of kind of the worst-case scenario there. And then I mentioned just briefly what we're trying to do as an industry, which I look at as incentivization: how do we commonize requirements? How do we get simplified and really get prioritized on what are the core things that every company needs to do? And I think if they do it really well, it reduces all of our risks together. And at the same time, we get efficiency and we save money for everyone, because they're not responding to me and Ford and Stellantis and Toyota; we can maybe get to some sort of common set of requirements that really helps raise the bar as well as reduce the cost. And I think the more that we can get to the win-win situations, that's when we're going to really see progress being made. Because until we get there, until the incentive model is kind of flipped, I think Karen said it right: these are resource-constrained companies and they're going to struggle. They're going to struggle with trying to set those priorities. And they may just say, hey, this is something that's below the line and we'll deal with it when we deal with it. And that's not what we want to hear. So I think the model has to evolve. So that's a little bit of what we're doing. We're continuing to try all those different things and listen to others, learn from others, and measure our own program and see, hey, is this having the effect? It can take a little bit of time for these things to pull through and really see the measurable results.
But I'm hopeful. I mean, I think we have to be doing something different. We're doing that. We're learning. And I think it'll have an effect.

Host: Thank you very much, Kevin. You know, I'll jump into your camp on completely being hopeful after seeing what you are doing as a true partner to the whole ecosystem GM is operating with. And I think this can be a leading example of how partnership structures the way to cyber readiness for everyone in the value chain. So usually we close the conversations we have with an input from our speakers, in the sense of a message you want businesses and supply chain leaders to take. And this time I would like to hear what you would like them to take from the report we have been talking about. So if you can do it in a sentence, first Kevin and then Karen, we can round up the conversation.

Kevin: Yeah, it's hard to do in a sentence, but I guess what I would summarize is: whether you sit in a business or you're in the supply chain, cyber's got to be a part of what you're looking at. You have to understand its implications on your business. And, again, how do we get to the partnership? How do we get the incentive model right? So we're always looking for feedback. A part of our program has always been, hey, how can we make this easier on you? We go and have those conversations. And so I think that two-way dialogue, and just realizing that cyber has to be a part of the risk model moving forward. I think if people understand that, we'll make a lot of progress.

Host: Thank you very much, Kevin. Karen?

Karen: Well, I think the insights in the report, if I was a mid-sized company out there reading the report, it would give me hope to realize I'm not in it alone. That these large companies have the same issues that I do as a medium company, and that there's a lot of insight into how I can tackle this. And there's a lot of partners that are willing to help me.
So that, to me, again, I'm in the camp of let's work together and be hopeful and raise the bar.

Host: Thank you very much, Kevin, and thank you very much, Karen. This rounds up our discussion on cyber readiness and cybersecurity within supply chains. We will close with a sentence which I really like, Karen: you are not alone. Companies such as General Motors can be a partner, and organizations like the Cyber Readiness Institute can be the partner as well in your cyber readiness journey. So you have listened to another DSCI Insights in Action, and we look forward to welcoming you again soon.