Vice President, Third-Party Risk Management
As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.
Three "E"s of Modern Email Security for Phishing: #3 Enterprise Visibility
In response to the persistent threat from phishing attempts, a three-pronged approach focusing on the “Three 'E's of Modern Email Security for Phishing” can be highly effective in reducing your organization’s attack surface. The first two "E"s are Enhanced technology and Employee focus. The third and final "E" of modern email security for phishing is Enterprise visibility.
While the primary vulnerability exploited in a phishing attack is people, all sorts of factors within the enterprise can contribute to greater risk. Understanding and correcting your vulnerabilities is critical.
Know Your Entry Points It is important to map out your vulnerabilities, regularly conduct a gap analysis, and aggressively test your systems to understand the entry points attackers can exploit. These entry points are constantly changing and evolving. For example, I was working with a company that merged with another organization that turned out to be wide open, without many security controls in place. This became a new entry point that wasn't being monitored, and the new, combined organization was hit with a phishing attack.
Enable Incident Response Capabilities When a phishing attack is identified, it is critical that your organization has a process in place for proper notification and issue handling. Incident response plans should be mapped out for different attacks – from employee reports, to executive and public notification. You cannot wait until an attack has occurred, you must be ahead of the game with a plan. Being prepared makes a huge difference in how an attack impacts your organization.
Operationalize Data from Attacks Every failed and successful attack should serve as a learning experience to your organization, and provide useful metrics and statistics. Use the data from attacks and incidents that were prevented to deliver insight into the return on your security investment by measuring impact and results. Use the data from successful attacks to understand the changes you need to make and how to prevent the exploit in the future.
By using the “Three 'E's of Modern Email Security for Phishing” to address phishing, you can effectively reduce the chance that users will open the door to risk and prevent these attacks from doing significant damage to your organization.