Hershey
Transcript:
Phil Addison – Manager of Third-Party Cyber Risk Management
I’m Phil Addison. I am the Manager of Third-Party Cyber Risk Management, with some leadership in our Enterprise Third-Party Risk Management at The Hershey Company.
We are one of the U.S.’s—and the world’s—largest and most successful snacking manufacturers. We have lots of iconic brands: Reese’s, Hershey’s, Hershey’s Kisses, Dots Pretzels, Ice Breakers Gum, ONE Brands Protein, and a whole lot of other products that are fairly common on store shelves.
Our goals for the third-party team are the same as with any risk management function: to provide actionable risk intelligence and insights to our decision-makers. Our third-party risk program is centered around our third-party infrastructure and our pre-Scorecard environment.
We did not have cyber insights on all of the third parties that went through assessment. We don’t send an assessment to every single one of our third parties—it would just get too cumbersome. So, there was a subset of our vendor and third-party landscape that we simply didn’t have cyber insights for. And we realized that we need cyber insights—even if we’re not going to assess a vendor using our questionnaire process.
Our enterprise program is a fairly young program. So for metrics, we’re really looking at the percentage of our vendor landscape that we cover. We’re measuring time to assess, and reporting some basic risk metrics up into procurement.
From the cyber side, we are a little more mature than the enterprise program. But again, we’re looking at the same metrics: coverage, time to assess, and risk-related metrics like likelihood and impact. We also compare vendors—not competitively, but to understand the trends we’re seeing in our overall risk exposure.
We evaluated SecurityScorecard and a couple of its competitors. Ultimately, SecurityScorecard was the best fit for what we were trying to implement from a continuous monitoring perspective. Outside of the scoring and monitoring, the breach notifications were a huge part of the decision-making process. So was the internal self-monitoring.
One area where SecurityScorecard stood out was in vendor hierarchies. When we first looked at our vendor hierarchy in SecurityScorecard compared to competitors, SecurityScorecard wasn’t just the most accurate—it was almost perfect.
We’re using SecurityScorecard in a number of ways:
- Primarily for third-party risk—gaining cyber insights into our vendor ecosystem.
- We’ve also integrated it into other InfoSec processes, including incident response. Breach notifications from SecurityScorecard automatically trigger SOC activity and triage.
- It’s also used for tracking zero-day vulnerabilities. If we or one of our critical vendors is exposed, our SOC team reaches out to collaborate and reduce that risk.
- We’ve integrated it into vulnerability management to determine whether we or our vendors are publicly exposed.
More recently, we’ve started to integrate SecurityScorecard data into our threat management and exposure management programs. Some of the signals are valuable for helping the threat management team implement capabilities they’re targeting this year. And from an exposure standpoint, we now understand where we’re vulnerable—both as Hershey and across our third-party ecosystem.
SecurityScorecard has absolutely helped us mature our third-party risk management program. We now get some level of cyber insight for 100% of the third parties that come through our risk management process, regardless of whether we’re doing continuous monitoring or sending a survey.
I’m a one-man shop for third-party cyber risk management. It’s reduced the time I spend researching open-source intelligence and has enabled earlier, more cyber-informed decisions in the procurement and vendor selection processes.
The richness of the insights has enabled us to provide better risk intelligence to our business partners. Our data privacy team has found value in understanding how cybersecurity impacts data privacy, especially since every data privacy framework includes cybersecurity elements.
From a mergers and acquisitions perspective, we’ve made better-informed decisions on recent deals thanks to SecurityScorecard’s data.
The richness of the data and insights has been absolutely great—it’s 100% value-added. There are decisions we’ve been able to make from a cyber perspective that we would not have been able to make as efficiently without those insights.