Ranadeep Sarkar is Schoeller Allibert’s (part of Brookfield) Information Security Officer (ISO), responsible for IT and OT security globally. He works together with Nick DeFreitas, information security specialist, who is responsible for managing all vendor due diligence activities and 3rd party risk assessments. They explain the challenges they face, how 3rdRisk helps them resolve these challenges, and why they chose 3rdRisk.
“Schoeller Allibert began its information security journey in 2019, focusing on creating robust protection mechanisms. This involved not only securing the 'front doors' but also enabling comprehensive information security practices.
Despite our proactive measures, we faced challenges in managing third-party relationships. The 2019/2020 supply chain attack involving SolarWinds serves as a significant example. We were one of the affected customers using SolarWinds, and while we were able to respond effectively by patching the system quickly, the incident underscored our vulnerabilities. When the zero-day exploits for Microsoft Exchange were uncovered in 2021, it became evident that supply chain risks should be elevated to the top 10 risks for every CISO.
Although it wasn’t a struggle to manage the risks posed by the major vendors like Microsoft and SolarWinds, the smaller vendors that were 3rd and in many cases 4th party entities remained a potential risk for us.
The complexity of our relationships with multiple vendors raised an important question: How can we establish genuine control over these associations, particularly when engaging with unfamiliar entities? The assurance of secure collaboration with such vendors remains a primary focal point for our organization, a point emphasized in the annual audit from our external auditor.
The challenge we faced was a lack of capacity to implement a third-party risk management policy. While downloading a policy might be a straightforward task, its implementation is an entirely different and much more complex endeavour within a global company like Schoeller Allibert. For the number of vendors we had, it would have required the full-time commitment of multiple employees to manage effectively.
With limited manpower, allocating existing team members to this task was not a feasible option. This constraint emphasized the importance of finding a solution that could help us navigate this complex landscape without overtaxing our resources. We immediately recognized the need for a tool that could assist us in this process.
To address the challenge, we set the selection process and criteria using the principles that would satisfy all requirements of ISO 27001 to remediate the third-party risk management and help us with a clear view of supplier risk management.
The 3rdRisk platform emerged as an essential asset in this context. 3rdRisk offered a comprehensive tool that had all the essential elements of such a platform. The tool blended quite well with our supplier risk management process. The built-in questionnaires are set up with a lot of experience and were appropriate to use without altering them too much. We would never have been able to do these activities, let alone with so little effort on our part.
The onboarding process unfolded with remarkable efficiency and speed. Within a matter of weeks, we gained oversight of our most critical third-party relationships and were able to send out the first assessment. The platform's capability to track adverse news further helped us to gain control over emerging third-party related threats which we otherwise would have missed.
Nick and I are looking ahead to an efficient year, expecting to perform due diligence activities for over 50 vendors. Thanks to 3rdRisk this substantial task will only require a few hours of our time each week, allowing us to maintain this high level of oversight with minimal investment of resources. The 3rdRisk platform automates third party risk management in such a way that it minimises our workload while maximising results. The tool is exceptionally user-friendly, easy to understand and its implementation is straightforward. It is designed to provide the best possible outcome with the least amount of effort.
We explored several tools, but what set you apart from the competition was the level of customization you provided to meet our specific needs. The 3rdRisk platform truly aligns with our purpose: it offers a comprehensive view of our third-party ecosystem, facilitates vendor evaluations, and significantly automates many tasks.
From a financial standpoint, 3rdRisk can’t be categorized as either cheap or expensive. However, the value it brings far exceeds the price. I particularly appreciate the innovative features you're developing, such as the AI-driven automatic evaluation of SOC-2 reports. For those of us working in this environment, this innovation will be a tremendous asset. Obtaining in-house security expertise can be challenging, so a tool that can assist in analyzing SOC-2 reports enables us to accomplish more.
The implementation was another highlight of our experience with 3rdRisk. Not only was it seamless and smooth, but it felt like a true partnership. It seemed as if we extended our team to include you, and you took on the majority of the work, guiding us every step of the way. Your support was invaluable in helping us succeed.”