Livestreaming on 13 February 2024, #RISK Digital examines the changing risk landscape in a content rich, knowledge sharing environment. The one-day event sees over thirty expert speakers provide insight and guidance on how organisations can mitigate risk, reduce compliance breaches and improve business performance in the digital age. 

An esteemed expert in information security and risk management, Mike Boutwell’s career spans over 15 years in security and 10 years in risk management. Mike’s journey in this field has seen him make significant contributions to leading companies such as Cisco, AT&T, IBM, Kyndryl, First Data, and Euroclear.

Mike Boutwell will be at #RISK Digital to discuss the potential impact of AI on Third-Party Risk Management (TPRM) strategies.

Below, Mike answers questions on his professional journey and introduces the key issues of his #RISK Digital session.

Could you briefly outline your career pathway so far?

I started off as a security engineer working for Deutsche Telekom and later worked in a more senior engineering role in First Data. I then went on to be a lead security architect for three separate accounts at AT&T, working with IBM and overseeing the accounts of Dow Chemical, Citizens Financial Group, and WPP Plc.

I started a boutique consulting firm where I currently work. Here I advise clients on cyber risk of all kinds. I work mainly with financial institutions and provide oversight onto their governance processes, conduct risk assessments, business impact assessments, and propose security and control requirements. Most recently, I conducted an AI based risk assessment for a financial services firm with 5,000 employees.

I am certified in CISA, CGEIT, CISSP, ISO 27001 Senior Lead Implementer and Auditor. In addition to being a Certified Trainer, I am also a Certified Non-Executive Director. I assist in training and skill development in my security areas, but focus mainly on ISO 27001.

How are evolving technologies such as AI adding complexity to the data protection and privacy risks within Third Party Risk Management (TPRM)?

AI has a very different risk profile and very specific control and regulatory requirements. Given that it is still a software deployment, many software vendors can simply integrate AI features into an already existing product.

This means that if an organisation owns that product, simply turning on that feature might be done by the click of a button or it may be turned on by default. Some teams may not know or care about the impact this has and thus do not go through risk, legal, and other necessary reviews by the relevant stakeholders.

In addition, vendors have made some claims which are hard to believe, but also impossible to prove or disprove. For example, environment segregation.

In what ways are TPRM strategies changing so that organisations can stay innovative while optimising privacy and security?

• Enhancing security awareness training and keeping it up to date to include AI and other next-gen technologies.
• Integrate AI vendors and a centre of excellence with representation from internal AI experts, legal, risk, etc. into a governance process to assure regulations and other requirements are assessed and met.
• Be sure to train teams not to fully rely on AI, but to use it to assist them in their work, while scrutinizing the information it outputs.