September 16, 2022

Supply chain risk management can prove to be a slippery slope—why should you take pains to conduct a proper risk assessment, and how do they impact IT and business continuity? 

From international restrictions to balancing generic and specific risk assessments, any guidance is welcome in the world of supply chain management.

I invited Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS, onto the show to provide insights into supply chain risk management. Including definitions, best practices, and where to turn for guidance.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

Speaker 1 (00:06):

You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:26):

Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you as always your host John Verry, and with me today Willy Fabritius, hey Willy.

Willy Fabritius (00:36):

Hey, how are you today?

John Verry (00:37):

Apparently I’m better than you, you were just telling me that you’re feeling a little bit under the weather. So Willie’s a trooper, he’s going to grind his way through this one for us. And that’s probably not a bad thing, because Willie is usually off the charts energetic, so he’ll probably just be a normal person today. So Willie, we always like to start easy. Tell us a little bit about who you are, and what is it that you do every day?

Willy Fabritius (01:01):

Well first of all, thank you very much, John, for having me on your show, much appreciated. Well, I’m living for 22 years now in Chicago, and originally I’m from Germany. So I’m spending the last 25 years or so in third-party assessments for all kinds of management systems, from quality management in the automotive industry, to information security and business continuity. I had the privilege to audit small companies, from literally one person company to multi billion dollar companies, spanning the globe and being one of the top three or four cloud service providers. At SGS I’m the global head for strategy and business development, so I’m responsible for identifying new and future trends, to make sure that we are able to provide adequate products and services to our customers.

John Verry (02:01):

I would add one more thing, Willy is one of the good guys in our industry, I’ve known Willy for 15-ish years, since we’ve been doing ISO 27001. Knew him a lot from his previous place of employ, and anytime there was ever a challenge, an issue, or something that needed to get done, a simple call to Willy always got it done. So I’m very appreciative of everything he’s done for us, and for me personally over the last 15 years. Thanks Willy.

Willy Fabritius (02:25):

Sure, you’re welcome.

John Verry (02:27):

So we have a tradition, what’s your drink of choice?

Willy Fabritius (02:30):

Oh, well that’s a difficult one. I’m seeing that you have your coffee latte with lots of ice, and I have my coffee here as well, but that’s because of the afternoon. Look, I’m the global head, so that means I need to be agnostic to all kinds of country specific expectations. Guess what, when I’m in Germany it’s obviously [foreign language 00:02:54], when I’m in Japan it’s obviously sake, and soju in Korea, and maybe whiskey in the states. So I’m open minded, as long as there is at least a certain percentage of something.

John Verry (03:08):

As long as the alcohol comes with good conversation, you’re fine, right?

Willy Fabritius (03:12):

Exactly, you got it.

John Verry (03:15):

All right, so for anyone who listens to the podcast regularly, over the last few months of episodes we’ve talked extensively on this idea of software eating the world. And the significant movement that we’ve seen across virtually every industry, to folks moving services and workloads to the cloud. One hidden element of that, that we haven’t really talked about that much yet, is how these interdependent trends… And these trends create risks that we haven’t really ever faced before. And that’s what Willy’s here to chat about, so let’s talk about that. So let’s start with just a simple definition, if you will, what is supply chain risk management, and why is it becoming so important?

Willy Fabritius (03:59):

It’s a pain in the neck.

John Verry (04:02):

That’s not a definition, Willy.

Willy Fabritius (04:02):

I wanted to say something different, but I’m pretty sure that in the public forum I’m not allowed to do so. No, the thing is that on the surface, it’s super, super easy, but when it then comes down to analyzing and executing it’s getting extremely difficult. So from my point of view supply chain risk management is the risk management associated with managing supply chain when it comes to software. But what does this actually mean? And that’s the problem. So it all starts from my point of view with an inventory, if you don’t know what you have, then you cannot manage it. And then I am discovering that more and more companies have really challenges, not just say problems, with really telling me an answer to this very simple question. What kind of software are you using? Everybody comes up with the top five, six, whatever. SAP, Salesforce, Microsoft Office 365.

And that’s great, that’s important. But what is with all those other pieces of software we are using, all the other sales providers we are using, all those other services we as a company use, but maybe not official suppliers. For example, you are buying for some kind of online service, and people in the company are just signing up, maybe it’s free, maybe they pay $50 per month, or whatever, it falls under the radar of the purchasing department. And therefore there’s no assessment done of the risk, but yet we are providing those service companies with a lot of confidential information that might be not necessarily the right place to share with. So from my point of view it really starts with user awareness and clear policies, so that everybody within the organization clearly understands their responsibilities, and the risk associated with onboarding and using software providers.

John Verry (06:10):

Yeah, so it’s interesting you should point out how this one risk intersects with other risks. So I think what you’re talking about is something we often refer to as shadow IT, so even if you believe that you’ve got a pretty good asset inventory, it’s virtually impossible these days to know every little application that folks are using within your company, that at some point might be critical to things getting done. And then you’ve got the intersection of risk. So when we see a large block of Amazon, or Microsoft, Azure go out, and all of these interrelated services also have outages, and those stack up the wrong way for your ability for your organization, you can think about it from a security risk where somebody’s going to lose information. But I think the scary risk is that business continuity availability risk, the ability to get things done as well, correct?

Willy Fabritius (07:02):

Absolutely. It comes back to InfoSec 101, CIA, confidentiality, integrity, availability. I know that your listeners have heard that 1,002 times, but at the end of the day it comes down to really analyzing every situation against those three parameters. And in some cases, the confidentiality might be the more important thing, in some cases it might be the availability, and that’s okay. But the question is, when and who is doing actually that risk assessment? With regards to service providers and software supply chain.

I’m coming back to that old example of that sharing platform, there is this marketing department that is working with an external service provider to work on some kind of a campaign. And well, it turns out that they are using some kind of shared service, and they are pushing confidential information about future products to that public forum, where theoretically everybody in the world has access to. And they didn’t think about, that’s actually talking about prototypes and future developments, because we are only sharing that information with our ad agency. Maybe that’s the intended audience, but the real audience maybe actually the worldwide and your competitors. And this is the kind of thing that is really mind boggling. And yes, you mentioned shadow IT, but I think this goes a little bit further, because it’s really about all kinds of services.

John Verry (08:53):

Yeah. And it’s funny that you use the prototype as an example, only because I don’t know if you’ve seen the same thing, but we’ve seen a steady increase in TSEC’s conversations. And one of the areas of TSECs, one of the quote unquote assessment objectives that somebody has to set for TSECs, is are they sharing critical information? Are they sharing prototypes? Are they sharing personally identifiable information? So that specific risk, the risk associated with prototypes actually is a significant risk that the TSECs, which is an overlay, or addendum if you will, ties to 27001, that’s well promulgated in the automotive community. It’s interesting that that particular risk is one that I’m talking about almost every day recently with folks.

Willy Fabritius (09:37):

Yeah, there seems to be some kind of a tightened awareness of TSECs here in the US market. And I’m very happy about that because it’s something that is coming over from the other side of the Atlantic Ocean, finally catching up here, and I can share with you and the audience that right now at this very moment in time, the very first time there are more TSEC’s assessments done outside Germany than within Germany, so that’s the very first time in the history of the program. That’s brand spanking new as of last week Thursday. And that is indicating and telling me that TSECs is picking up globally very, very fast.

John Verry (10:22):

Yeah, I’ve had more conversations on TSECs in the last five weeks than I probably had in the previous five years almost, it’s crazy. So anyone who’s listening to this, is probably thinking supply chain, well we already do third-party risk management. And maybe, or maybe not, they do a good job of considering what I’ll call fourth-party or fifth-party risk within their third-party risk management program. So how is SCRM different than third-party risk management? Is it looking at the impacts of critical vendors on each other? Maybe you can give us an example or two where SCRM would be different than TPRM?

Willy Fabritius (11:05):

I don’t know if it is different, but it’s definitely important to note that supply chain risk assessment is really talking about supply chain. So it’s not just talking about my suppliers, it’s also talking about the suppliers to my suppliers, to my suppliers. So third, fourth, fifth level. And that is very, very important in the software world, because we all have our web pages. On those web pages we are deploying all kinds of nice Java scripts, wonderful. Those Java scripts may call somebody else, and that may have implications. Just to show your small little case recently from Germany, Google is kind enough to give something free. And yes, Google does a lot of good stuff. For example, they have published and made available Google Fonts, the characters that you can use on your website, totally free off charge, without any obligation to pay any royalties.

It’s great stuff, it’s free. Well, there are two possible implementations of using those Google Fonts on your website. A, you can have them on your own server, and that will take up a couple of gigabytes, not really a problem, but that’s one solution. Another solution is, you just simply send an API call to a Google server. Well, that’s a problem according to the German legal community, and according to some law decisions and court decisions in Germany, because with that API call, you also would send PII, personally identifiable information, of your web page visitors to Google in the US. Which would be a clear violation of GDPR requirements, oopsie doopsie. So you developed this wonderful website, or you have it developed by a web developer. In good faith this person, or you, are using an API call that is sending PII across the Atlantic Ocean in violation of GDPR, you are in big trouble. And that is for me a wonderful example of risk assessment was not done, nobody really understood what it means to use something free from Google. And that could happen with any and all software providers.

John Verry (13:43):

And this is where to me I think there’s a challenge between defining SCRM and TPRM, because they’re very inexorably linked. But TPRM in my mind for most organizations is done in a very discreet manner. What is the risk associated with me using this particular vendor? But the types of risks that you’re talking about are not traditional just vendor risks. So as an example, geographic concentration. I was working with a very advanced third-party risk management group, and they had two outsource call centers. And through third-party risk management, they figured out that both of them happened to be located in the Philippines.

And if there was a catastrophic weather event, both of those facilities might not be available. So they literally had to terminate the relationship with one of their vendors, for no other reason other than… And then we see the same thing. What if you have two vendors that provide a clearinghouse type service, but they both happen to be hosted in the same region of AWS? You might have some type of a disruption. So it feels like SCRM doesn’t fit neatly or elegantly into what I consider to be the three risk pillars most organizations I work with talk about risk in. There’s that enterprise risk, there’s information security risk, and there’s third-party risk. So where does SCRM fit? I mean, is that the challenge? Is that it fits a little bit in all of those buckets, and we have to kind of re-look at the way we look at risk when we talk about SCRM, versus just those other verticals.

Willy Fabritius (15:26):

That is one possibility. But I think that might be also an artificial self-inflicted issue, because we have the tendency to assign certain risk mitigations, and certain risk assessments to certain groups of people within our companies. Enterprise risk, that’s definitely not the IT department, they have no idea. That needs to be done by enterprise risk team. Okay, great, wonderful. And what is with availability of resource? That’s definitely in the IT department. “Well, is our contact center in the Philippines?” “Well, that’s not IT, it’s operations.” And guys, at the end of the day, it doesn’t really matter which department is doing it, it needs to be done. And I think that the multidisciplinary approach that we know from other industries solving issues is the key, because in some cases it might be an availability issue, in some cases might be a confidentiality issue, it comes down to really understanding the integrate and connected relationships within our suppliers.

You mentioned in one bucket of AWS, yes, it’s quite possible that your AI that you’re utilizing for text to speech, speech to text on your website, is actually coming from the very, very same place from one of the providers, regardless which API you call. And people really do need to understand, that in case that API is not working, I just simply go to an alternative API. Well, that alternative API may also be down, because it relies upon the same fundamental service. So it’s really about trying to understand, for lack of a better word, what is the SBOM, the software bill of material of our services we are leveraging, we are using? There’s a lot of talk about SBOM in the software development world, which is cool, but I also think the very, very same principle should be applied to our service providers when it comes to software as a service.

John Verry (17:56):

Yeah. And if you think about it, it really becomes not just an SBOM, unless we change S to not mean just software, we mean service. Because you’d have to understand where something is being hosted, and what those redundancies are, and what those reliances are. Where the geographic location is, which would not be traditional of a software bill of materials, correct?

Willy Fabritius (18:21):

Correct. And please don’t tell me, it says safe, it must mean it’s in the cloud.

John Verry (18:30):

Yeah, isn’t just the cloud a magic redundancy tool. We no longer have to worry about redundancy or availability, right?

Willy Fabritius (18:38):

Exactly. And many years ago I had the privilege to audit one of those large cloud providers. And as I said earlier, I’m coming from the quality auditing field. So my first question is, “So tell me about your customer complaints?” And the guys say, “Oh, customer complaints, don’t get me started. 90% of the customers are complaining that we don’t have any backups.” So I’m like, “What?” “Well, backup is a service. You buy the service of storing, you buy the service of processing, you buy the service of storage. And by the way, you buy the service of backing up. There is no automatic backup. And then customers say, my data has gone. Why didn’t you back up? Well, because you didn’t buy the service. Then they buy the service, and they put the backup into the same geographic location, from Datacenter One in Chicago, to Datacenter Two in Chicago. Guess what, data is still lost. Now, the customer complains that they don’t understand that location Chicago is not redundant.”

And it comes down to the people who are using technology are not necessarily well versed and well educated in understanding how that technology actually works. And for many consumer-grade applications that might be okay, you and I don’t really need to understand how a TV works, or how Siri works, but when it comes to very sophisticated technical applications in a corporate environment, yes, the users should really understand how those things work, and what are the implications of using one technology over the other.

John Verry (20:25):

So we agree that supply chain risk management isn’t easy, so now let’s make sure we give some people some ideas on how to deal with it. So I know you and I are both big fans of ISO 27001, and I think like all information related risks, I think you could make a good argument that you can look to ISO 27001 for some answers to SCRM. So how would an ISO 27001 certified company use ISO guidance for supply chain risk management?

Willy Fabritius (20:56):

I like the question, because it’s one of those open-ended questions that I would be delighted to answer in the next couple of 24 hours or so. No, just kidding. I try to keep it short. Every ISO standard has this idea… Or should I say, every ISO management system standard has this idea of identifying the context of the organization in which they operate. So before an organization even starts embracing the journey of an ISO certification, they need to ask this very simple, but yet profound question, who are we, and what are we doing? In what legal environment do we operate? There is a difference between a contact center operating out of the Philippines, versus a space exploration company working out of California. So the company first needs to understand that, the organization first needs to understand that. And that has implications in terms of the kind of information they have, the kind of information they are processing, by whom the information is being processed, e.g. Which suppliers we are using, which suppliers can we use, and which suppliers must we not use?

If John and Willy Incorporated designing, I don’t know, containers for medication. If we are using a third-party CAT supplier in China to develop our molding tool, that’s fine. But if you happen to be a space exploration company, and decides to outsource your CAT design to a Chinese company, you might fall into some kind of legal challenges, in terms of export control. So we need to understand that. And that has implication, in terms of which suppliers we can use, which information we are sharing with our suppliers. And that’s the reason why 27 K is so important, or so powerful. And that leads then to that request to identify the risk associated with those information assets, so that we can have appropriate suitable controls implemented, which are documented in the so-called stigma of applicability, and so on. Which forms the fundamental base for the certification.

And controls can come from all kinds of sources, they could come from ISO itself, they could come from NIST, they could come from CIS, they could come from all kinds of sources that are suitable to address a particular risk the organization is facing. And John, I know you ask about 27 K, but I really would like to emphasize, this is not just a 27 K specific approach. This is also applicable to business continuity, like in ISO 22301, the same principle applies. The question is only different in terms of, are we more interested in protecting the information from a CIA perspective, or are we interested in ensuring business continuity in case of some kind of a disaster? It comes down to the same approach.

John Verry (24:11):

So it’s interesting to me, and I probably shouldn’t be surprised. It comes down to, are we capable of doing real realistic risk assessment. And I think one of the things that I see with risk assessment, is that we talk about a risk, so the risk that data might not be available, or the risk that a vendor might go out of business, or whatever that might be. But I don’t think sometimes we go that next level of, how can this risk be realized? And we don’t go through the scenarios under which a risk could be realized, which would get us not to getting to the point of, let’s say, recognizing geographic concentration as being a risk. So it really comes down to, not unsurprisingly, is better risk assessment, better risk realization efforts. And then with those better risk realizations, we’d have a higher likelihood of picking up on supply chain risks.

Willy Fabritius (25:15):

Yeah. On one hand, a risk assessment should be generic, because otherwise you will go into the famous rabbit hole, and get never out of it. On the other hand, a risk assessment should be specific. So yes, you should ask, what happens if supplier A is not available, supplier B is not available? Wonderful. But you also should ask, what could be the reasons why those suppliers are not available? Is it because of a tsunami, and earthquake, or social unrest, or financial reasons? And that then leads to other questions. If you have those two suppliers, they could be out of business because of a tsunami. Really both of them? Yeah, both of them are in the Philippines. And that is just an example.

John Verry (26:09):

Yeah, that’s what I was saying. That’s what I was trying to say with that term risk realization. And it’s actually not a phrase I’ve used before, but I think that’s really what we’re talking about, is how can this risk be realized? I think most risk assessments stops at the thinking of the risks, not necessarily thinking through all the permutations of how that particular risk might be realized. So interesting stuff. So ISO is an extensible framework, as we know, one of the wonderful things about it. And in April 2022, so this is new stuff, I don’t know if you’ve had a chance to look at it, NIST introduced 800-161. Curious if you’ve had a chance to look at it, and your thoughts on whether or not it might be integrated with 27001, to provide a little bit more prescriptive guidance with regards to this subject.

Willy Fabritius (27:06):

Yes, I had a chance to look at it. Did I have a chance to digest the multiple hundreds of pages? No, I didn’t. But at a first glance, I think it’s an excellent document. For many organizations, for many individuals, it might be super heavy stuff to read, let alone to comprehend and implement, but there is huge, huge benefits, and huge collection of wonderful ideas and concepts. And on one hand, I think that all of the listeners of your show have a day job to run, and making sure that their companies are safe and sound. But at the same time, they really need to broaden their perspective, and I’m not expecting that people read 600 pages documents. That is over, we once did that when we were at university. But in our today’s job, we are focused on the executive summary. And then we leave it to people in our teams to really dissect and digest the content.

But I think that 800-161 is indeed very well written, and I really would like to emphasize the concept of the CSCRM. And I actually need to look at it, because now we are already beyond the four letter acronyms, we now reach to five letter acronyms. So it’s the cybersecurity supply chain risk management. And that is a really important concept that we really need to instill into our organizations.

So circling back to where we started at the beginning of the podcast, it’s not just understanding who are our suppliers, but also the supply chain, and the implications from a cybersecurity perspective. It doesn’t really help me if my supplier is in the States, but all their suppliers are in some kind of questionable country. And I may only transfer a PII to a stateside supplier, but they are then submitting that information to everyone around the globe. That is not a cool approach. And we really need to understand the cybersecurity implications of our supply chain as well. And this is what this document is really talking about in great detail, and I really would like to encourage the audience to download it. You and I paid already for it with our tax dollars, so from that point of view it’s already freely available. It’s heavy stuff to read, heavy stuff to let alone implement, but definitely a great source of inspiration.

John Verry (30:10):

Yeah. What I thought was cool about it, and I had a chance to kind of dig into it fairly deeply, because I thought it was a pretty interesting subject matter. And the good news is it’s not 600 pages, it’s only 320. I mean, that’s light reading. But what I did think was interesting, and you spoke to this earlier, which made me wonder whether or not you had read it as well, because they actually outline the different areas of the organization, if you will, like the need to be thinking about this. And they talk about enterprise risk management, they talk about business process owners, mission and business process. They talk about operational, they talk about security. So I thought it was really interesting that the jive you got on before, about how you need to consider this risk across all of these functional areas within your organization, is something that they outlined within the document, and they recommend, and they have a plan for being able to do that. So I thought that was really interesting, that your thought process off the cuff before, kind of closely lined with what they were talking about.

Willy Fabritius (31:11):

It comes down to, we all have our own perspectives, we all have our own paradigms. And I’m telling you, John, you are right, and you’re wrong. It all depends upon from which angle you’re looking at it.

John Verry (31:28):

Willy, I’m never wrong. Come on.

Willy Fabritius (31:31):

And that’s the thing in terms of when you ask somebody, “Start prioritizing, which applications need to be up and running?” You ask five different people within your organization, you get at least six different answers. Some people will say, “Well, it’s definitely SAP.”

John Verry (31:48):

Everyone’s provincial, it’s always the system that they use every day. That’s the one that’s critical.

Willy Fabritius (31:54):

Yeah, exactly. Everybody says SAP, I don’t know, Salesforce, and blah, blah, blah. And then some smart guy says, “Excuse me, what is actually with our email system?” “Well, we forgot that one.” And that’s the power of getting this multidisciplinary team together, where everybody is contributing, everybody says what he or she sees as important as a risk, so that at the end it comes down to a solid risk assessment.

John Verry (32:23):

Yeah. So when you talk about it in that respect, you could make an argument that your business continuity plan, and your TTRs, time to recovery, and your recovery process objectives, those objectives are going to be something which would also be a good input into your supply chain risk management assessment, correct?

Willy Fabritius (32:52):

If you see it from an IT perspective, yes. If you see it from let’s say a modern organization, solely doing business based on computers, absolutely. But I would like to emphasize that BCM is not just for IT companies, BCM or BCMS is for every company. So it’s also applicable for the Starbucks around the corner, and they might be able to operate for 12 hours without internet connectivity. After that the people will leave because that’s the real reason they go to Starbucks. But they still will be able to make coffee, they still would be able to accept cash, they still would be able to do the credit card if need be. So yes, they would be able to operate for a limited amount of time, but a company like Amazon would be not able to operate without IT for even a second.

John Verry (34:01):

Yeah. And when people talk about disaster recovery and business continuity, I prefer the terms IT continuity and business continuity, where IT continuity is the recovery of the data, and the processes and systems necessary to operate the IT infrastructure, and the people for that matter. And then I like business continuity to be the rest of it, that’s recovering the business functions of the organization. But yeah, it does, but I think we’re saying the same thing. Ultimately from a supply chain risk management, we have to come up with those most critical risks to the organization, and the continuity of the organization, or the lack thereof is going to be one of the key ways to assess risk, correct?

Willy Fabritius (34:55):

Absolutely. Some two or three weeks ago, I had some internet connectivity issues here at my home. And frankly speaking, I think I was more productive in that week, because I needed to use my cell phone as an internet bridge, so therefore I was reluctant to even use it on a regular base. So I had really time to work on webinars, and training material, and all that good stuff that doesn’t require internet connectivity. And I was not disturbed by anybody calling me, emailing me, whatever. So there are benefits of not being connected occasionally, and I hear you are doing that when you’re on your yacht close to the Bahamas?

John Verry (35:41):

Yes, that’s exactly right, Willy. As long as I’m within the continental United States waters, I have good coverage. But when I get outside of that, which is fairly regularly, it becomes a problem. One last thing about the NIST 800-161 document that I liked about it, and it goes to that concept of risk realization, is they have a section in there where they talk about scenario development, and they actually give some sample scenarios. And one of the sample scenarios they give, which is really interesting, that would be one we probably wouldn’t logically think about ourselves as an example, is influencer controlled by foreign governments over suppliers by telecommunication counterfeiting. So I do think that to that point of getting us to break that pattern of just thinking about risks within a limited context, I think that was also a pretty cool part of the document.

Willy Fabritius (36:29):

And that mirrors a little bit of the saying we all have heard, cybersecurity is national security, national security is cybersecurity. And we cannot ignore the possibility of foreign adversaries implanting some kind of box on hard drives, motherboards, NIC cards, network interfacing cards, router, switches, wherever. So we need to think about that. And if that is in the physical world, as I said in the hardware domain, trust me in the software world, it is exactly the same risk. So if I have this free service, the question would be obviously, why in the world is it free? Why would Google provide something free, where they get the PII of my customers? Why would Google do that?

John Verry (37:30):

What was the name of that… The Social Dilemma, have you ever seen that movie. A documentary would be a better way to say it. So watch The Social Dilemma, I believe that’s what it’s called, I think it’s on Netflix. It’s a great special on how big business uses our data. And there’s a line in there that I absolutely love, where he says, “If you’re not paying for the product, you are the product.”

Willy Fabritius (37:58):

Yes, absolutely. If it’s free, you are the product, no question about that. And we need to really realize that. So why are you providing this podcast free of charge to your listeners? What is the product your listeners are…

John Verry (38:16):

Willy, you just realized you’re the product. I’m selling you out right here.

Willy Fabritius (38:21):

Okay. Well in that case, got it. I’m usually a little bit behind in terms of processes.

John Verry (38:29):

Yeah. Listen, no one ever accused you of being the sharpest knife in the drawer. I said you were nice, I didn’t say you were sharp.

Willy Fabritius (38:33):

Yeah, that’s correct.

John Verry (38:37):

All right, we beat this up pretty good. Anything we missed?

Willy Fabritius (38:40):

Yeah, I think very generically speaking organizations are… What’s the word I’m looking for? Hesitant to go for certification, because there is this auditor coming, and it disrupts and interrupts my business. Well, that is in a certain way one perspective. But I would like to really provide another perspective, as in this one time interruption that happens once per year, is still less than having to answer the very same questions to your customers 53 times a year.

Because you have questionnaires coming your way from your customers every single week, asking pretty much the same kind of thing. Do you have a password policy? Do you have this, do you have that? Do you prefer to answer it 53 times a year, or just once a year? And this external certification provides assurance, not just to you and your executive management, but also to your customers. That yes, indeed, you are fulfilling international best practice. So I know this is a selling thing, but at the same time I’m totally convinced, I’m in this business for the last 25, 30 years, and that is just simply what we see more and more companies realizing. Certification is definitely an investment, but it’s an investment that is worthwhile to entertain, because there’s a huge return of investment in a very, very short period of time.

John Verry (40:12):

Yeah. Listen, I definitely think that forward thinking organizations look at something like ISO 27001, or any other attestation as a sales enablement. So there’s a value creation component. And then of course it has the classic value preservation, because we’re reducing risk. And while I don’t have a formal quantification of that through our 200 plus organization ISO 27001 certified client base, if you look at traditional metrics, depending on whose you believe, somewhere between a third and two thirds of companies have some type of fairly significant security incident. I can count usually the number of security incidents from an ISO 27001 certified customer of ours, on less than a hand in any given year. So I mean, you can be disrupted once a year by the auditor, but that auditor is giving you assurance that the likelihood of you being interrupted by a malicious individual during that year, and that costing you hundreds of thousands to millions of dollars, that risk is significantly limited.

Willy Fabritius (41:23):

It’s not just the reduction in risk from that angle, it’s also the duration of the interruption. Part of being prepared is being prepared, and part of a 22301, or 27 K certification is that stupid question. So just in case something happens, what are you going to do? And the organization really needs to have an answer for that. And while that specific answer might be not the answer for a specific case that materializes, just the thinking process that was involved in creating that response is already invaluable, and will help the organization in case it actually does happen. We all have some kind of basic fundamental training of CPR, pushing the heart, counting, blah, blah, blah. Hopefully we never use that, because if we use it then there is an emergency. But just the fact that it’s in our brain, that we have been prepared for that, hopefully sooner or later will save a life. It will not prevent the accident, the injury, but may save a life.

I had a customer who greeted me with, “Willy. I can move it again.” And he showed me that his thumb was moving. “So what?” And he says, “Well, long story short, I cut it off with a table saw, put it into a plastic bag, ice, emergency room, stitched again, and moving.” And I said something like, “Why?”

And he says, “Well, that’s a different story. The important thing is I was mentally prepared for injuries, and because I was mentally prepared for injuries, I didn’t even need to think, what am I going to do? I just grabbed the thumb, cleaned it under water, put it into a plastic bag, yelled at my wife, and she drove me to the ER, and that’s the rest of the story.” And I said something like, “That is really being prepared mentally.” This is not analyzing at that moment in time, because at that moment in time you can’t think straight. The brain needs to be pre-programmed. And that’s the case for an incident that may happen because of a hacker attack. The moment you are under attack, you must not think, you must be on autopilot. Think about that pilot that landed that plane on the Hudson River, was he really thinking, or was he on autopilot? Most likely he was on autopilot.

John Verry (44:07):

Boom, boom. Were you trying to make a joke there? Give me a fictional character, or a real world person you think would make an amazing or horrible CISO, and why?

Willy Fabritius (44:24):

I only can envision Charlie Chaplin doing a CISO impersonation.

John Verry (44:30):

So is that good or bad?

Willy Fabritius (44:32):

It would be definitely funny. I’m not in a position to judge whether it’s good or bad, I just envisioned how that would work.

John Verry (44:42):

Does he have the little mustache? And is he wearing the hat too?

Willy Fabritius (44:45):

Yes.

John Verry (44:46):

Cane in hand as well?

Willy Fabritius (44:47):

Yes.

John Verry (44:50):

But Charlie Chaplin, he was a silent actor, wasn’t he?

Willy Fabritius (44:52):

Yes.

John Verry (44:54):

So could you be a good CISO if you were a silent actor?

Willy Fabritius (44:57):

Depends on the face.

John Verry (44:59):

Well, we’ll leave folks to ponder that. If somebody wants to get in touch with you, what’s the easiest way to do that?

Willy Fabritius (45:07):

Well, the easiest way is actually look me up on LinkedIn, Willy Fabritius. There’s only one of me. Or write me an email, [email protected], whatever you prefer.

John Verry (45:22):

Excellent. This has been fun, sir. Thanks for coming on.

Willy Fabritius (45:24):

Thank you for having me. Take care, and enjoy the rest of the day.

John Verry (45:28):

Yeah, you too.

Speaker 1 (45:29):

You’ve been listening to The Virtual CISO Podcast, as you probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected], and to ensure you never miss an episode subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.