From the Rambo Architecture to Sherlock Holmes’ Mind Palace
I finished reading a recent LinkedIn blog by Jason Chan about third party risk management and business resilience, where he drew “first blood” in a spot-on critique of how many enterprises today handle third party security risk management: the dreaded vendor risk assessment questionnaire. Looking deeper, I found his proposed alternative to the questionnaire to be a little less Rambo and a little more Sherlock Holmes.
In his blog, Jason proposed a well-proven approach over the current vendor risk assessment questionnaires: aggregating and operationalizing distributed context. Now, I know that’s a mouthful, but the basic premise here is that the knowledge your security and compliance teams need in order to properly assess and manage third party risks is already in-house, distributed amongst your procurement, finance, IT, legal, and business teams. The key is to gather it together (aggregate) and make it available and usable (operationalize) to the security, compliance, and other teams that need it. This reminds me of the mind palace, a technique Sherlock used to recall and correlate various memories in order to fuel his deductive reasoning. Enterprises need their own “mind palace” to aggregate and operationalize distributed context.
An emphasis on assets and users
Getting back to Jason’s blog, if you replace “vendors and partners” in the following passage with “assets and users,” it reads (almost) perfectly:
“The nice thing is that the answers to these questions are inside your organization. When you’ve gathered this context and operationalized it, you know your key vendors and partners, who to contact when issues arise, where your systems, applications, and data are exposed, and whether you’re covered legally if and when something happens. And you don't want these answers buried in spreadsheets. To operationalize this data, it needs to be online and available to other systems (e.g. asset inventory, incident response). And - like anything inventory-related, it’s an ongoing process that you’ll need to enrich and improve over time.”
Okay, so maybe the “covered legally” part isn’t a great match, but the part where teams are running around, manually pulling together information about their cyber assets (like a security questionnaire) and then trying to manage it on a spreadsheet for use in the annual compliance audit or posture check is real. Too real. All the data a security team needs to perform an internal security risk assessment is already in your environment; they just need a platform to aggregate and operationalize it in a continuous and automated way. Like JupiterOne.
We can apply the same approach of unifying context to manage security risk for internal environments as well, taking an inside-out view. This is what the JupiterOne platform does, helping organizations to assess and manage cybersecurity risk by aggregating and operationalizing data from all your assets, users, technology tools, and security controls together. It’s the reason I set out to build JupiterOne; as a former CISO, I remember all too well trying to get answers across multiple systems and attempting to make tools work for problems they were never built to solve.
Asking the right questions
Jason’s blog also had a number of questions that security teams need the answers to in order to manage third party risk. His questions mirror the list of five questions my security teams would have to answer in order to better understand what and who they are trying to protect and how vulnerable they are. Proper asset management is key to getting the answers to these questions. If you’re interested, you can dive into it deeper in my recent blog post about the 12 cyber resilience questions leaders should consider.
Jason concludes his blog by asking a question that would challenge even the great Sherlock Holmes:
“Can you confidently predict when and where security issues are going to occur in your own environment?”
I am optimistic that the state of our industry is at a place where we can feel increasingly confident in our ability to predict what’s next by investing in deeper inside-out, unified contextual awareness. We may not be Sherlock Holmes, but having an “enterprise mind palace” would sure bring us pretty close.
Comment from: Cyber Security Product Manager | Program Manager | 0->$300M in 4 years | Force Multiplier, Get to Yes Catalyst, & Unconventional Thinker (1 year ago)
Great read, as usual, Erkang Zheng! You do realize that you may need to give your logo a well deserved cape soon, though, right?