Case Study May 28, 2024

Cleveland Clinic



My name is Rakesh Sharma. I’m the senior director over cybersecurity governance, risk and compliance. I work for Cleveland Clinic. Cleveland Clinic is a multi-specialty academic medical center. We manage all IT and cyber risks to the enterprise, and ensure that we’re appropriately communicating those risks to senior leadership and the board, so that we can make data-driven, risk-based decisions on allocating resources to mitigate the risks that are most important to us. So I think, you know, success in cybersecurity is sometimes difficult to measure, but the way that I look at it is to ensure that senior leadership and the board are speaking the same language. You know, I would say in addition, it’s keeping up with all the new challenges coming in from AI.

There we’ve seen a lot more sophisticated attacks coming in, for example from phishing, that are now AI-enabled.

So keeping up with all that and enabling the business to move at the pace that they need to. So we use SecurityScorecard in, I would say, four distinct areas. One is any RFx-type activity that we execute.

One of the first things we do is we pull the SecurityScorecard scores for all of those vendors that are involved. We describe it as almost a credit rating for companies for cyber. The second area is, as we’re onboarding new vendors, bringing them into our system, we risk-tier. We risk-stratify all of our vendors to understand which ones are the riskiest ones.

That’s where we spend more time on deeper-dive assessments. Part of that risk stratification formula is a SecurityScorecard score. The third area is the continuous monitoring of those third parties, so the ones that are the higher-risk third parties. We keep an eye on their score.

If those scores deviate from what we’re comfortable with, then we follow up with those third parties to ensure those risks are mitigated. And then the fourth area is for ourselves. So we monitor our own score actively, and ensure that we’re keeping it as high as possible. That obviously helps from a cyber insurance perspective, as well as when we’re the third party to others.

So most recently we implemented the ServiceNow vendor risk management module as well as integrated risk management. And we were pleasantly surprised by the integration capabilities; it’s just very seamless with SecurityScorecard. And now it’s a one-stop shop where we’re able to see all of the risks associated with our third parties in a very clear way.

And we’re now leveraging the platform, giving access to some of those teams outside of cyber so that they can take a look and see what the risk is of a third party. Where I see SecurityScorecard really helping us out is streamlining that vendor risk management process. So as I mentioned, scale is a big challenge for us, and being able to keep up with all the new requests. With this ServiceNow integration, we’re able to reduce the amount of time it takes us to get through assessments. If you want someone that’s really going to be a partner with you and really cares about you, and not just cares about you but the bigger picture: what I’ve noticed is it’s not just, hey, we can help you manage your third parties, or we can help you manage the risk that they’re bringing to your enterprise, or we can help the health care industry. But it’s more this global view of how can we all manage the risk of the entire ecosystem.

And that’s really the partner that you want, is someone that has that big picture view.

Innovation’s at our core, and so we look for those partners who have that as well, and we can certainly see SecurityScorecard has innovation at its core.