We interviewed Kelley Grogan, a Third-Party Risk Management (TPRM) Analyst at MindPoint Group. In this interview, you’ll learn what it is like to help MPG customers manage their third-party vendors and how Kelley helps make a positive impact on their overall cybersecurity posture.
What is the typical TPRM and vendor assessment process?
The first step is to get an understanding of the type and scope of assessment the customer wants. Every industry and every customer will have their own approach with their own goals. It’s important to know what the customer wants to accomplish.
The assessment process itself will generally get kicked off with an engagement call with the vendor. This is where we explain the assessment process, the scope of what will be covered, and some housekeeping items like scheduling. I like to get a feel for how familiar the vendor is with these assessments. Some folks are more seasoned and have been through many assessments, while to others, it’s completely new. Especially for those new to third-party assessments, the process can seem overwhelming, so I try and help them feel more at ease to make the process less daunting. Relationship building and preparation are the two biggest keys to this role. When you’re prepared and the vendors feel prepared, it makes the biggest difference.
The actual assessment process can involve a couple of days at the vendor’s location, data center walk-throughs, on-line meetings, screen shares, depending on the situation. With the COVID-19 situation, we’re doing everything remotely and must be a little more creative with our process. One of my co-workers even had a “datacenter walk-through” using the mobile video capability of the vendor’s phone.
Depending on the size and scope of the assessment, we will then spend several days reporting the results of the assessment and preparing the deliverables for the customer.
What are the biggest challenges you face in a day?
One of the biggest challenges is working with a vendor who feels inundated by the whole process. Some TPVAs are really extensive so it’s easy for folks to get overwhelmed. Again, fostering relationships is crucial, and we really want to help set up the vendor for success. It can help to break the process down into steps. I like to identify some of the less-daunting areas and get those done first. This can help build momentum for the rest of the process.
What is your favorite part of your job?
Working with people can be extremely rewarding. I also feel like there is an educational component of this work, where we get to help people understand that one of the main take-aways from these assessments is risk awareness. Knowing a risk is out there informs decisions relating to managing that risk.
How did you get started with working in technology/security?
I started doing quality assurance reviews for a federal client. Our team conducted about 144 assessments each year, and part of my job was to help proofread the deliverables for those assessments. I went on to become the QA lead, then a junior assessor. I found I liked the work, so I began pursuing security-related professional certifications. I have been performing various kinds of cybersecurity assessment work ever since.
Why do you love cybersecurity?
It is rewarding to work in a field that is such an integral part of everything we do in our personal and professional lives. There are lots of opportunities to make a positive impact.
What do you like to do outside of work?
My family of four boys, two dogs, a cat, a hedgehog, a snake, and some fish keep me busy! We also like to go on road trips to visit weird and interesting places.
What is your favorite part of MindPoint Group?
I love the company because I always feel like I am supported by my co-workers and boss. I also love the company’s focus on continuing education. Cybersecurity is continuing to evolve every day, so it’s great to work somewhere that understands that education is the key to success in the security space.
Check out our job openings to find the right fit for you!
