Coca-Cola Bottlers’ Sales & Services

Transcript:

Jeff McCrae – Cybersecurity Analyst, CCBSS

My name is Jeff McCrae, and I work for CCBSS, which stands for Coca-Cola Bottling Sales and Services. I work in the IT Architecture department as a Cybersecurity Analyst. I wear many hats, but I’m primarily responsible for vendor risk management. I monitor and manage our overall security posture, ensuring it aligns with our internal standards.

We’re a small team currently, but we manage over 1,600 vendors across both procurement and internal departments. Our role involves overseeing vendor security assessments and addressing any potential risks they may pose.

We work closely with our SOC team on any incidents or events that could potentially lead to a breach. This collaboration extends throughout the entire incident cycle, ensuring we have support from both our internal and security teams.

I initiated the use of SecurityScorecard within our organization. Initially, we faced challenges with vendor relationships—many vendors were hesitant to receive feedback or be coached on vulnerabilities within their systems or networks. However, we emphasized the importance of fixing these issues to maintain a secure relationship that aligns with our agreed-upon risk management standards.

One of the standout features of SecurityScorecard for us has been the ability to conduct risk assessments during the vendor onboarding process. This allows us to evaluate a vendor’s security posture upfront and offer recommendations for improvement. These insights are particularly helpful in early engagement, especially since some vendors are initially skeptical about how we obtain our data. We explain that their digital footprint—like domain information—is publicly accessible, and we’re simply using that to identify potential issues.

The support we receive from SecurityScorecard has helped us strengthen our negotiations and demonstrate that our goal is collaboration, not criticism.

On a day-to-day basis, we receive alerts from SecurityScorecard when a vendor’s security posture score declines. We analyze these changes to understand the root cause and work with the vendor to remediate the issues.

We’re currently using two tiers of MAX with our top-tier vendors. MAX has been incredibly helpful in identifying and resolving issues proactively, especially as they relate to score drops.

From a cost-savings perspective, our vendors benefit significantly. Insurance costs and breach-related expenses can be high, and using SecurityScorecard and MAX helps us reduce that risk.

Our relationship with the MAX team has been superb. We hold regular conference calls to discuss concerns and ensure we’re making the most of our investment. The MAX team has been responsive, informative, and committed to helping us achieve our cybersecurity goals.

Overall, we see SecurityScorecard as a valuable tool, and we’re dedicated to maximizing its benefits for our organization.