author photo
By Bruce Sussman
Thu | May 9, 2019 | 10:53 AM PDT

A bowl of Campbell's chicken noodle soup somehow seems good for the soul.

And it may also be that Campbell's approach to third-party risk is good for security.

We interviewed Bernie McGuinness, IT Risk Lead at Campbell Soup Company, before his session at SecureWorld Philadelphia.

Listen to how he approaches third-party risk, or read excerpts below:


[SecureWorld] When it comes to third-party risk, how do you approach different parts of the organization on this topic?

[Bernie McGuinness] "There’s the IT side of it, and IT wants to know where all their assets are. You know, whether those assets are virtualized machines, whether they’re Oracle databases, whether it's SAP data, PII data, PCI data.

And then there's the non-IT people. They just think it's on their computer because they're just typing on the keyboard. And they don't understand that a vendor that's not, if you will, inside the ‘invisible fence line’ of the company has that data."

[SW] What is the approach, then, with those who are outside of IT?

[McGuinness] "One of the things is education is a big part. I always tell the non-IT people that want to contract with these service providers, our third-party partners, is can this vendor protect the data as good or better than we protect the data?

And that leads to a conversation. The conversation being, what data are you providing them? What is your expectation of privacy on that data or confidentiality?

And sometimes they don't get it, but I always leave them with this question, the non-IT people. I say okay, if the vendor were to lose, compromise, destroy, or otherwise mishandle your data, how bad a day is it going to be for you? How bad a day is it going to be for the company? And a lot of times that wakes them up. ’Oh, this this could be a bad day’ if the vendor mishandles it."

[SW] When it comes to vendor assessments around third-party risk, what is your approach?

[McGuinness] "I try to do my assessments with the vendor partners in a similar way. I get as intrusive as I need to be, and a lot of that has to do with what has the vendor already done for their other clients? These vendors get these requests all the time; I want to leverage what they've already done.

They’re in the business to provide a service to their clients. I would be one of their clients, one of their many clients. So what have they done, how does that align with the methodology that we use at the Campbell Soup Company? What can I use and what's still missing?

And then ask them to provide evidence and artifacts on what's missing."

[SW]  So that's how you handle vendors. What about the people within your organization? Why do you believe creating awareness around this security topic is so crucial?

[McGuinness] "It goes back to—the IT people get it. Even the IT people that aren't necessarily security by trade. But again, it's the non-IT people, getting them educated to understand that it is a big deal and it does need to be protected. And it's not just the IT people's responsibility to protect the data; it's everybody's responsibility."

A responsibility that is growing as organizations rely more heavily on third-party vendors and their applications and services.