Episode 9

Why organizations must address their vendor risk | Aaron Spiteri, UpGuard

Your organization’s risk is also influenced by every vendor you use, so how do you reduce the chances of a third-party data breach?

Director of Third-Party Risk Management at UpGuard Aaron Spiteri discusses the challenges organizations face managing their third-party risk and offers suggestions for organizations to ensure vendors are maintaining a high level of security.  

They also discuss:

  • The landscape of supply-chain risk  
  • What a third-party risk assessment involves  
  • The common mistakes third parties are making  
  • The evolution in attitudes toward security and risk, especially among those in leadership positions  
  • Advice for organizations that want to control their vendor risk

Resources

🎧 FILED S02:E4: Companies must focus on reducing risk, not just improving compliance | Dr Miles Ashcroft, RecordPoint

📨 FILED Newsletter: You’re only as secure as your supply chain.

Transcript

Anthony Woodward

Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulations, records, and governance. I'm Anthony, the CEO of RecordPoint. And with me today is my cohost, Kris Brown, RecordPoint’s VP of Product. Hey, Kris, how are you?

Kris Brown

I'm very good mate. And as it just would be perfect timing, we've got everybody here today ready to go, but we've got some neighbors who have decided that chainsaws are things that they want to play with right this second.

Kris Brown

So, if you do hear that during the podcast today, no, Anthony and I aren't fighting in the background with chainsaws. It's just my wonderful neighbors. How's things?  

Anthony Woodward

Yeah, good, good, good. Although that chainsaw fighting sounds like fun. We should organize that at some point.  

Kris Brown

Maybe we should introduce our guests and see whether they would like to be in there as well.

Anthony Woodward

So today, everybody, we have Aaron Spiteri from UpGuard. Hey, how are you, Aaron?

Aaron Spiteri

Yeah, good. Thanks. Thanks so much for having me here today.

Anthony Woodward

I know it's really great to have you along. And part of what we do on this podcast is try and get a lot of different views from different parts of the industry. Like we said at the intro, we really see the industry as a whole bunch of convergence occurring across a bunch of different problem sectors.

Anthony Woodward

And it's great to have someone from UpGuard on it. Would you mind giving us a little bit of background on UpGuard, the problems you solve and the things you do every day?  

Aaron Spiteri

Yeah, awesome. No worries. So UpGuard itself is an all-in-one third-party risk and attack surface management software that our customers are consuming within that piece of software that we have.

Aaron Spiteri

You can essentially use the UpGuard Vendor Risk area of the product, which does allow you to continuously monitor your vendors, automate security questionnaires, and reduce your third- and fourth-party risk. We do also have an area of the product called BreachSight, which does also allow you to monitor your attack surface, prevent data breaches, discover leaked credentials, and protect your customer data.

Aaron Spiteri

The final piece that we do have is our Managed Service, which is the area that I'm working in. So I'll sort of just give the leeway into that, but the managed services piece is where we essentially work with customers who want to do assessments on their vendors and third parties. Customers would essentially request from our team of analysts to go and do that work for them, whereby we would communicate with our vendors on their behalf, send out security questionnaires, and obtain information back on those vendors to give those customers information on those vendors and how risky they are.

Aaron Spiteri

Thank you. So, to give you a bit of an intro there on UpGuard itself. So, yeah, I've worked in IT for several years across multiple different roles, so I've worn quite a few different hats. And I suppose that's given me a lot of good experience and exposure in different areas. I got really interested in cyber a few years ago when I worked as an IT manager for a financial planning company. And that's where it really became evident to me that yes, security was a really important, you know, piece of the puzzle, especially in making sure that customer data was safe. Fast forward a little bit. I've now been working at UpGuard for just over four years now, starting in their customer success team as a technical account manager.

Aaron Spiteri

So, I was the first technical account manager here in Australia, in the company, and then helped grow out that team of staff in customer success and worked my way up to Director of Customer Success, from which, not that long ago, I moved on to another position, which was the Director of Third-Party Risk Management, which is what we're going to be talking a bit more about today.

Aaron Spiteri

But yeah, that's how you find me today.  

Anthony Woodward

No, that's really cool. I know Kris is the same, you know, but particularly as we've worked in records and data management for a long time, your stuff sounds really exciting. And also, records and data management are exciting. It's exciting too, but we certainly get excited around all that sort of upstream management elements.

Anthony Woodward

And I guess that brings us to the, you know, a few questions. One of the things that we've been writing about and talking to our customers about, you know, the regulations coming from APRA as a regulator here in Australia, or obviously the regulator in Canada or the SEC, is really that third-party supply chain risk and managing the supply chain elements. How do you see that world today around supply chain risk? You know, after the MOVEit hacks and after the hacks that we've seen in a number of vendors out there, what's that landscape look like for you?

Aaron Spiteri

Yeah. So, for us, you know, we see it all the time because we're working with customers that are essentially going and, and essentially using our product to manage and monitor their third parties.

Aaron Spiteri

Right. So, it is really big and it's really important. Customers are getting audited on this all the time. And customers have a lot of interest in this now as well, given that there's been so much media around, you know, things leaking or breaching. You know, there's a lot of reputation on the line now, and our customers are putting a lot of trust in their third parties.

Aaron Spiteri

So as soon as you do put that trust in a third party and you're giving them some of your data, essentially any of the risks that they might have now become some of the risks that you might have, because you're working with them. So that's why this has grown so large, because there are so many vendors and customers that are all working together now.

Aaron Spiteri

And there's data all over the place. People are sharing all different types of data, depending upon what service they've got for you. So if anything does get leaked out, if there is a security issue, anything like that with one particular company, if you can imagine, they've got multiple customers now, all those customers then become affected as well, which is why this is becoming such a big thing, because there's so much reputational damage, irreversible damage as well.

Aaron Spiteri

Once the data is actually available, it's next to impossible to get rid of that data once it does leak on the dark web, for example, and we just see it continuously getting copied and duplicated all over the place. So, it is quite a big deal.

Kris Brown

You, once you see that genie come out of the bottle, right? Like it's, it's out there.

Kris Brown

It's very, very difficult to stuff it back in. You can try. I've watched the Disney movies. They do try very hard. Interesting for me, and maybe something for the audience too, Aaron, to explain a little bit more about that third-party risk. So, in the managed services thing, we've sort of spoken previously, but what are the things that you're doing?

Kris Brown

You know, how does that provide value to your customers? So maybe some examples where we could be a little more specific for the customers.  

Aaron Spiteri

Yeah, for sure. So, one of the things that we do for our customers is a customer would let us know that they want to do a third-party assessment, and essentially what we would help them do is work out what tier that vendor is. So, it might be critical, high risk, medium, low risk. All vendors have got essentially different tiers, depending upon what they're doing for the customer, and that's if they're holding a lot of data or a little bit of data, what type of data it is. It all just depends, but we help the customer through that piece.

Aaron Spiteri

We then have a look at whatever the tier is for that particular vendor to then determine what type of security questionnaire we need to send them. So, you know, if they've got a customer that's trying to adhere to, you know, APRA CPS 234, or also work with ISO 27001 with their vendors, we can essentially, from the UpGuard product, send a questionnaire that's tailored to ISO 27001, for example, and we can send that out to a vendor.

Aaron Spiteri

So, a vendor would receive that. They then log into the UpGuard product. They then complete that security questionnaire in our product and provide it back to us to then provide that back to our customer. My team specifically would go a little bit further. And what we do for customers is we get the questionnaire back and then we liaise with the vendor to go and get some additional evidence.

Aaron Spiteri

So, if you can imagine, I asked you to just complete a questionnaire. You could put in whatever you want. But when we get that back, we need to then validate it. So, by validating it, we need to go and get some additional information such as pen tests or SOC 2 reports, things like that, that can help us validate and confirm all the things that that vendor put in a questionnaire.

Aaron Spiteri

Is that valid? Is there anything else that we need to look for? And have we got any compensating controls, essentially, that they might have come up with, so that we can have a look at that and provide that back to that customer. So, there's a bit of added work we do. And then we piece together a whole risk assessment, where we write up a risk assessment report and give that back to any of our customers that are essentially using that managed service.

Kris Brown

And what are some of the common mistakes? I think we were talking about the pen test stuff earlier as well. But what are some of the common mistakes that the third party, you know, does, while they might attest to a certain level of things? It's like, I think you were mentioning things like, you know, the pen test might be old, or, you know, what are the common mistakes organizations are making in answering these?

Aaron Spiteri

Yeah, definitely. So that, yeah, what you were talking about just before with the pen test, we see that often where, yeah, it costs quite a bit of money to get a pen test. We see that sometimes it might be a small company. They can't afford to do it every single year. So, they might do one pen test every few years.

Aaron Spiteri

We have to mark them against that because the pen test is obsolete, essentially. So, they should be done every year, but if we get one that's over a year old, we've got to flag that with our customers to let them know that we found one, you know, that's exceeded that year period of time. And we see a lot of other things, like vulnerable, unpatched technology.

Aaron Spiteri

So specifically with software, open ports, you know, is one that you might not think about. You know, you're working at a company and, you know, staff are doing what they're doing, opening ports. They might not think anyone else can see it, but there are people out there that can see all those open ports, that are constantly scanning.

Aaron Spiteri

So, we see that all the time. We also see HTTPS and HTTP. So, a lot of websites still might be available using HTTP instead of having HTTPS. So, we flag that as well. That's another common one. A lot of untrusted web certificates as well that we see. User behavior is actually a really big one as well. So human error is a really big cause of a lot of loopholes that we do see as well.

Aaron Spiteri

When we're doing some of these assessments, things that people have done and, you know, failure with their IT policies is really big as well. And then your compromised systems: they might not know that they've actually got something that's compromised, that's sitting there just waiting. Those are quite a few of the things that we do come across.

Anthony Woodward

Yeah. Beautiful. Super interesting space. What do you see, you know, something that we certainly say, as we talk to the industry, is the realization of boards and the realization of people in more executive roles of trying to better manage these risks. You know, I think with UpGuard, we share a number of large customers, and the reality in our space is the boards have seen this as something that you do to the side, as opposed to something that's core to the operation of their business.

Anthony Woodward

And as a result, they’ve not treated it that way, but there's a real transition going on of how do you manage risk, data risk, be it cyber risk, be it other risks in the business. And then what are the controls around that? Is that consistent with what you're seeing in UpGuard in your roles?  

Aaron Spiteri

Yeah, I, look, I feel like in the past there was a lot of ignorance towards IT and security specifically from leadership and management.

Aaron Spiteri

That's not to say everyone was doing that, but I would say that there was a big piece of that. And I know that cost was probably another big thing that influenced that as well. And just not knowing what was going on there. I do feel like that has changed significantly. I know that a lot of the people that we work with, a lot of the vendors that we work with, they've actually got staff members there that know exactly what they're doing.

Aaron Spiteri

They're focusing on accreditation. The business is putting money into it. And the business is also putting money in from a leadership point of view to then make sure that they educate all their staff as well on what they need to be doing for cyber as well. So, you know, again, thinking about it back in the day, I feel like it was always IT's problem and IT is going to protect you against any of your cyber risks.

Aaron Spiteri

Whereas now, you know, you would see it and hear it that a lot of businesses now are putting so much time and energy into also educating their staff so that the staff know exactly what to do, what to look for. And they're essentially living and breathing the values of the company to make sure they're all collectively helping to protect themselves.

Aaron Spiteri

I think that is really positive and I do see a lot more of this, which is really good. As I said, I didn't feel like that was such a big thing years ago, whereas I feel like now it is really at the forefront.  

Kris Brown

So, you were sort of saying, you know, very much, you can see it changing inside the organizations, but is the who changing?

Kris Brown

So, you sort of mentioned that it was very much IT's problem, and now there's others in the organization. Who's the who in this scenario? Who are we really talking to? Who are we really seeing as responsible? Who is really engaging? Like, you know, roles, obviously don't want names of individuals, but yeah, roles, and what's being created in organizations that drives them to say, I need to buy an UpGuard, or I need to do that security class.

Kris Brown

These are the parts of what we're doing.  

Aaron Spiteri

Yeah. Look, we speak to a lot of different people, you know, from chief information security officers, chief technology officers, cyber risk teams, that's definitely growing. IT managers, security and governance personnel and procurement teams getting involved as well.

Aaron Spiteri

So really where I see it with the cyber risk teams, that's definitely growing a lot more. There's a lot more businesses I work with now where there is actually a team that is looking after cyber risk. Years and years ago, I felt like it was more just risk and compliance, and they kind of had a bit of overarching, you know, gray areas into it, but it wasn't really their bread and butter. Whereas now there's like a full cyber risk team looking into that, that then essentially reports into the chief information security officers, which then provide that straight back into the business. Right. And procurement as well is now getting a lot more involved, especially with those cyber risk teams where they're doing a procurement piece.

Aaron Spiteri

They're trying to come on board with a new vendor, and now there's all these assessments that have got to be run to actually confirm that particular vendor, as opposed to just bringing them on board and then telling IT, hey, yep, we've got this new vendor, you've got to set it up. That to me is what it used to be like, whereas I feel like now there's a lot more hoops that you've got to go through to make sure that cyber risk team is happy.

Aaron Spiteri

And they are working very closely with procurement from what I can see to make sure that they're reporting that back to the business with these reports that they've got to provide. So like a risk assessment that I'm talking about, so a full assessment that explains any risks involved in working with any of those particular vendors, is something that now needs to be provided, not just, you know, the cost of how much it's going to cost to come on board with that vendor and what they're specifically providing as well.

Aaron Spiteri

So that's definitely changed a lot.  

Kris Brown

Yeah, and look, I think it's interesting. I'm sure for what would be maybe the core listeners who normally listen to us from a records or an information governance world, there would have been the act of, I will supply the information that's regularly gathered. It's available here.

Kris Brown

A good vendor will have that information regularly managed. I'd even suggest that, you know, maybe UpGuard should be looking at how they’re managing those documents, even just the reports, the assessments, and the other things. I'm sure there are lots of processes related to that. But if I'm an organization listening to the podcast, and you think that there might be more that can be done other than run off and invest in your product, UpGuard, what's some advice? What's the first step that, you know, organizations can do, that you see regularly, that would help with making sure that they've got good control of their risk? And maybe if I add to that the other side: like, as a vendor, if you're a supplier, what are the things that you can be doing to make these processes more streamlined for your potential customers?

Aaron Spiteri

Yeah, awesome. I'll try and just rattle off a few in no particular order that come to mind. So, encrypting data and definitely creating backups is important. Obviously making sure that you do protect any of your data. I see a lot of data that still is not encrypted. So that's a really big one to make sure you're keeping your data safe.

Aaron Spiteri

Making sure that you are conducting that employee training. I spoke a little bit about that today and how it's really important to make sure that you've got the whole business involved. So, making sure you actually have employee training is important, because you need to make sure those employees know what to look for.

Aaron Spiteri

Otherwise, if you don't help them, they could potentially click on anything, download things and do the wrong thing, right? So, you need them on board, which is really important. Keep your systems and software updated. I still come across some companies where they didn't know a piece of software was installed and it's obsolete.

Aaron Spiteri

You can't get updates for it anymore, but it is sitting there, and it is risky. So, make sure that you understand what software is installed where, and make sure it is updated as well. Enforce the use of strong passwords. So still people can use passwords that are not super strong. Really important to make sure that you're using strong passwords, complex passwords. Even making sure that you do have multi-factor authentication with those is a must.

Aaron Spiteri

So, I'd really focus on that. Discourage any staff members from sharing passwords. They shouldn't be doing that anymore. I still do see that sometimes with legacy applications, they just share passwords and should not be doing that. You should definitely assess and monitor your vendors. We spoke a bit about that as well already.

Aaron Spiteri

Have a look at how you can reduce your attack surface yourself as a business. So what are the different, you know, like, entry points that you could have? It's anything. So, if you've got IoT devices, software, web applications, systems, anything that's really facing the internet could be an attack surface for you.

Aaron Spiteri

So making sure you do a bit of an assessment to understand what are all the things that are available for your company on the internet, because you want to make sure that all those different areas are reviewed for any risks that you do have. Also your physical security too. I know we're talking a lot about cyber security, but your physical security in an office.

Aaron Spiteri

If someone did walk in there and, you know, they took a computer, how easy would that be for them to do that? And is there data on the computer or is there, or are you still storing data on external drives that someone could just take off your desk? You know, you need to make sure all of this is protected as well.

Aaron Spiteri

Making sure you've got firewalls set up. And probably the last thing I'd say is really making sure you've got a clear cybersecurity policy for your staff members. So, I spoke about training. But making sure you've got a policy in place so they understand what they need to follow and what they should do in case of anything that pops up in relation to that.

Aaron Spiteri

So that's probably what I'd suggest for anyone that was wanting to try and do some things themselves. As for vendors specifically, for you to make it easier as well: anyone that you want to work with and do business with, they're going to essentially want to do an assessment. They're going to want to understand, you know, how you adhere to things.

Aaron Spiteri

What are your different types of certifications that you might have or policies and procedures? Because you're going to receive that in the form of a questionnaire. One benefit of the UpGuard product as well is we've got a shared profile, so any vendor could essentially log into the UpGuard product, create a shared profile, and they could answer any of those questionnaires and save them.

Aaron Spiteri

So once they've answered them once, they can then just get them ready and provide them to any customer that wants any of their security information. I do also see a lot of vendors put security packs together, which is awesome. So that's where they've got, like, their SOC report, pen tests. They might have all their attestations.

Aaron Spiteri

Everything's in a pack so that when you want to do an assessment, it's already ready to go. You can obtain it and then review all the information at ease. So that is also another thing that you can do. Just get it all pre-prepared, ready to go, so that then, when you might have a prospect that wants to work with you, you can provide that type of information to them.

Anthony Woodward

No, cool. It is a super interesting space and I think we could talk for hours on it. I'm super, I'd really like to understand more around, you know, the way that you can benchmark different vendors within the supply chain then. Because it's, you know, not everything is equal.

Anthony Woodward

And so when you look at, you know, I think some of the things you talked about, you know, which are quite legacy overhangs in terms of not having some of the basic kind of password through to more advanced kind of cloud services, how do your customers, or how do you see people going and benchmarking?

Anthony Woodward

So those different types of risk and how they then make those decisions about it, because ultimately, we've still got to do business. We've still got to go and do the work and risk is just part of that process. So how does that mix in?  

Aaron Spiteri

So, one thing we've built into our product that we use specifically when we send a questionnaire to any of our vendors, right? Or if you use our product to do an assessment on any of your vendors to have a look at anything that's facing on the internet, right? If we're going to have a look at any of the risks there, like open ports or vulnerable software, we essentially have a rating that we've got. So, a risk rating out of 950, and we categorize all the different risks from informational all the way to critical.

Aaron Spiteri

So, we've pre-done that for our customers so that our customers don't, for example, receive a questionnaire back and look at a response, and if it might say, you know, do you back up your data? And then the vendor says no. For example, is that a high risk? Is it a critical risk? Is it a low risk? A lot of customers we work with might not have the time to go through all of these as well to work that out.

Aaron Spiteri

So, we tried to make that very easy for them by pre-putting in risks according to what vendors select, and we've done the same thing in the product according to any risks that we find when we scan vendors as well. So, we've got a team of staff that have then gone through industry standards and best practices according to what's available right now and how risky things look, and we've tried to make it as easy as possible for our customers so that they then can have a look at that and they've got a bit of a, I suppose, standard of what they look for, because it's the same risk that's categorized across multiple vendors, as opposed to them having to manually come up with how risky is that particular risk that we've seen.

Anthony Woodward

No, that makes perfect sense and sounds very logical.

Anthony Woodward

In light of what we've seen happen across the globe in the privacy area and, you know, the extension of the key risks associated with, you know, me as an individual sharing my data with other suppliers, how do I as a customer know, on the other side of all of that process, what these processes are? And I know that's not necessarily part of the UpGuard story, but I'm really interested in Aaron's view on that extension.

Anthony Woodward

You know, I know a lot of your customers are using the services you've been working with for a while to understand and know what the risk is in their supply chain. How do I understand that as a customer and make sure my data is safe with insert bank telco company here?

Aaron Spiteri

Yeah. Look, Anthony, I think something that doesn't exist, which I think would be really awesome in relation to, you know, consumers specifically, when you go to the supermarket and you purchase certain types of food, you get like a health star rating, right?

Aaron Spiteri

And it's usually five stars. I feel like that's not something that applies at all when you're working with specific companies in relation to the security that they have, and I don't think it is easy for consumers to understand that information. For someone that knows what they're looking for, they could go on that particular website and they could have a look for, you know, different types of security documentation that that particular vendor that you might be working with has, and you could make your own assumptions based on that.

Aaron Spiteri

But it would be really good as well for consumers specifically that might not even have that knowledge and understanding if there was some sort of, yeah, universal practice where you could go and have a look and understand, you know, what was that particular vendor rated, you know, like the health star rating that I'm talking about.

Aaron Spiteri

I'm very familiar with that, but it'd be great if, you know, that was something that was available to consumers, where they could understand, yeah, how risky is this if I'm going to go and start working with that particular vendor. What do my risks look like? What have they got?

Kris Brown

And look, you're welcome now that UpGuard can go and build that product and productize it and, you know, you're going to be doing shaving ads shortly.

Kris Brown

You're welcome. I think it's a great idea. And certainly, I think it's an interesting space because…

Anthony Woodward

It's always the product guy that claims the CEO's idea as his own, right? Sorry, Aaron, that you had to see that happen out loud, but look, I mean, if we're not having that argument.  

Kris Brown

Here, Anthony, at least I've got some proof that I was there and involved. I want my 10 cents. That's all I'm looking for. I don't need much more than that. But I mean, Aaron, for me, I think the, the, yeah, it's, look, it's interesting. Right. There's one of the key things about talking to, you know, again, people like yourselves and these is to hear. Now there's, there is another side, and while companies are able to do this, you know, it would be very, I would expect it would be very, very difficult for me as a, you know, a bank customer, a telco customer to sort of ring up and go, hey, I'd really love to understand your attestation around SOC and my data and where it's going on.

Kris Brown

However, and I think this is probably a little bit where Anthony was going, soon in Australia there are going to be much more interesting policies and legislation around it. Certainly globally, if you look at GDPR, I have the right effectively to ask those questions, not necessarily, hey, what are you doing around SOC 2 or all those other things?

Kris Brown

What are your vulnerabilities? You know, obviously I can jump on and scan the ports myself, but, you know, GDPR allows me to say, well, what have you got on me? What do you know? And what, and more importantly, that if I'm so inclined, I can check that against what I've sent. So, I can be in a position to say, well, no, I sent you this and this in this regards to these products.

Kris Brown

I don't see that. So now. How are you, you know, and this is probably where we play more, is it helping organizations to sort of say, well, not only did I have it, I collected it, I managed it, I maintained it, and then I got rid of it according to this legislation. That's why I don't have it now. Yeah, that's almost the flip side of privacy in this instance, where it's like, I asked that of GDPR.

Kris Brown

A right to understand the information that you've got on me and having the organization be able to say, well, I had it, but I got rid of it and here's the reason why. And that builds trust, right? So, but yeah, that next level of how are you operating, which is effectively what you're asking these suppliers isn't something that's there right now.

Kris Brown

But if I tie into that crystal ball, you've got your magic wand. You're able to change one thing about, you know, what's happening in that space. What's the one thing that you'd change that would make either a difference to UpGuard, a difference to your customers, a difference to consumers? What's the one big thing that if you could wave a wand, ignoring how hard it might be, what would you change?

Aaron Spiteri

Yeah, I'd probably change, or I'd probably implement some sort of way for you to understand where your data is. I feel like that is something that you just can't get right now. You know, I might have a register myself of any website that I've ever registered for, and, you know, understanding what I might've put on those websites, which is great. You know, if I ordered something.  

Kris Brown

Just so we're clear, if you're that guy, you're the only one, right?  

Aaron Spiteri

Yeah, so yeah, I have been pretty stringent in terms of if I have registered for certain websites and, you know, what was on those websites, but yeah, making it clear to consumers as well to understand that because, you know, like, yeah, you go to all these different websites, you use it for a certain reason, if it's learning something, purchasing something, anything along those lines, but then, when you're finished with that website or what you've already done there or what you've learned or what information they've got and you move on, do people just forget about that completely?

Aaron Spiteri

And then what happens to the data that was there? You know, you going back and actually canceling that and more or less like unsubscribing, saying, I don't need it anymore. Cancel the records that you've got, that you had with me, and move on. I'd love to make that a lot easier for people, because I do feel like people just sign up for anything and everything.

Aaron Spiteri

And then they might not understand how those websites were either tracking something that they had or what permissions you gave if, for example, you used a Google account or an Apple account. You just did the auto sign-up and then it had access to your Google account, for example, and it was getting your address book, contacts, et cetera.

Aaron Spiteri

How often do people actually understand that it's got that information and how many websites have they got? And do they know if any of them have been breached? We'd love to make that easier for people. I feel like that's a confusing thing.

Kris Brown

I think that last piece to that is the real, the real gotcha, right?

Kris Brown

Like, I think we all want the first one, the first part of that. But I think I still want to be able to sign up, but I want the information to understand my level of risk if I want to take it back to where you are. Like, it would be really cool if there was a universal way to calculate the risk of me giving you the data.

Kris Brown

Because, you know, that creates behavior. If I'm a business that has high risk, I should reduce those risks to bring that down. Or, reverse, I can always make it cheaper. As a vendor, I can always go, well, you know what? Yes, I might be risky. But I'm also very well-priced. So, you're now Mr. Customer. You can make a more informed decision about things. I think that tie.  

Anthony Woodward

Isn't there a Black Mirror episode with this, with the number above? That's it, my number?

Kris Brown

Yeah, I was, I was about to go there, right? Like again, if you pop culture it for a moment, Black Mirror sometimes is a little bit too prophetic, but it's, we are in that place where, had I known that Telco X had certain practices, would I have bought a device from them, or a phone from them, or a plan from them?

Kris Brown

Had I signed up for Music Plan X on, you know, Service Y, do I really know what that means? And I kind of think that's where you're going there, which is, yeah, I think that's super interesting. And again, the convergence element of this, the privacy legislation is going to be driving some of that behavior.

Kris Brown

UpGuard, and I said that, that product process of I have to understand my vendors at a commercial level is starting to drive that behavior. Information governance, and making sure that you have the proof of those things and you can control that data and you understand how long you're keeping it for, is driving that behavior, and as always, we'll see things dribble down through commercial down to consumer.

Kris Brown

But I think that convergence of all those is really where we all and again, you did it. You just waved the magic wand, and you went there too well. Thank you. This is who makes that product and what do we pay for that, or what's the value that we see in that, or is it something that should be legislated?

Kris Brown

I think those are really interesting conversations.  

Anthony Woodward

Yeah, cool. Look, Aaron, it's been a fantastic conversation. I know we've taken you to some darker places and different places than I think you expected, and I really appreciate you coming on the journey with us and making some time. Extremely interesting and I suspect we could sit here and talk again for another set of hours.

Anthony Woodward

There are so many societal issues and drivers behind, you know, what the regulators are doing in APRA and ASIC for the banking sector, but that doesn't actually apply to what's happening in the telcos the same way. There is this equilibrium of how our data is being treated differently in different institutions that needs to be resolved.

Anthony Woodward

And then that comes back to the standards that are being applied in processes that you're auditing. So, I really thank you for the time. And it's been a great conversation.  

Aaron Spiteri

Yeah, no worries. Thanks so much for having me. I really appreciate it. Was really fun having a chat with you both.

Anthony Woodward

No, thank you. And thank you to all the audience for listening.

Anthony Woodward

I'm Anthony Woodward.  

Kris Brown

And I'm Kris Brown. And we'll see you next time on FILED.  

Anthony Woodward

Thanks everybody for listening. Don't forget to follow us on LinkedIn, Twitter, and you can catch us on Facebook. Catch you next time. Thank you.
