Third-Party Risk Management (TPRM) has historically been a tedious, 200-page paper exercise that felt like being catapulted back to 1979. But AI is changing that. In this episode, Ashish sits down with Igor Andriushchenko (CISO at Lovable) and Jasper Mills (CEO of Ethira) to discuss the collision of TPRM and AI. We dive into the hidden risks of Shadow AI, exploring the chaos that ensues when non-technical teams spin up unauthorized AI tools without security oversight. Jasper and Igor explain why the future of vendor risk involves treating AI agents like a contracted workforce, managing their lifecycles, and preparing for the 2027 era of "agent-to-agent" negotiations where humans are entirely removed from the loop. We also cover the impact of DORA (Digital Operational Resilience Act) regulations, the Build vs. Buy debate for AI security tooling, and how to use autonomous agents to finally automate tedious vendor questionnaires.
Questions asked:
00:00 Introduction
02:00 Jasper and Igor's Backgrounds (Ethira and Lovable)
04:00 Why Traditional Third-Party Risk Management is Abysmal
06:20 DORA Regulations and the Collision of AI and Compliance
11:30 Using AI to Automate Vendor Assessments and Questionnaires
16:30 The Build vs. Buy Debate for AI TPRM Tools
22:30 Shadow AI: "Giving a Kindergarten a Nuclear Bomb"
25:30 Using AI Agents for Automated Vendor Discovery and Inventory
28:30 2027: The Future of Agent-to-Agent Negotiations
30:40 Treating AI Agents Like a Contracted Workforce
34:10 Enforcing Contractual Accountability through AI Guardrails
Ashish Rajan: [00:00:00] Third-party risk management, not the sexiest topic.
Igor Andriushchenko: Abysmal.
Igor Andriushchenko: It becomes a paper exercise where you, you do something for the sake of doing it.
Jasper Mills: The process of, like, using the tools on the market felt like I'd been, like, catapulted, like, to 1979. It was, like, the worst experience of my professional career. A CISO called me and he said, like, "We have just given a kindergarten a nuclear bomb."
Igor Andriushchenko: People just create a personal workspace, and they just enable that feature. Everything feels solvable, just, like, one toggle away.
Jasper Mills: Or maybe John built it themselves, and then he found an MCP that he has spun up and now it's going to Salesforce and, like, fetching whatever it wants.
Igor Andriushchenko: I've heard it many times, 2027 is the year of agent to agent.
Igor Andriushchenko: There is no place for humans in that loop.
Ashish Rajan: Third-party risk management is not something that I thought I would be excited to talk about, but somehow the AI era seems to have even made that feel interesting. I had a great conversation with Igor, who is the head of information security and CISO at Lovable, and with Jasper Mills.
Ashish Rajan: She is the CEO of a company called Ethira. Now, [00:01:00] third-party risk management as a whole has been the bane of many people, including myself when I was a CISO, and it is something which is very manual, very tedious. But in this particular conversation with Igor and Jasper, we kind of unfolded what does it mean to do that in an AI world, what parts of it can be fully AI augmented, and how far can you go with doing third-party risk management in the new AI native way?
Ashish Rajan: If you are someone who works in third-party risk management and have been thinking about how AI can be augmenting this, this is definitely the conversation for you in understanding what are some of the moving parts and what you can do with it. And if you know someone who is working in this, definitely share this episode with them as well.
Ashish Rajan: As always, if you are here for a second or third time and have been enjoying the episodes of the podcast, I really appreciate if you take a quick second to drop a follow or subscribe, whichever podcast platform you're listening or watching this on. We are on Apple, Spotify, YouTube, and LinkedIn, and I hope you enjoy this conversation between myself, Igor, and Jasper.
Ashish Rajan: I'll talk to you soon. Peace. Hello, and welcome to another episode of Cloud Security Podcast. I've got [00:02:00] Jasper and Igor with me. Thank you for coming on the show.
Jasper Mills: Thanks for having us.
Ashish Rajan: Uh, maybe Jasper, if you wanna set some context for your professional background, uh, just to t- get the audience to know a bit about yourself.
Jasper Mills: Yeah, sure. So I actually came to security in a bit of like a, from a business perspective. So I worked in executive management for like high-growth startups. Um, and I actually saw the security problem as a business problem, and that's how I actually got into security, which I guess is like a bit of a, a topsy-turvy way to get here.
Jasper Mills: But I think it's actually a really, like, important way to like go into a discipline, which gives a real sort of validation to the, to the, the space, which I think it really like needs to be viewed as a business problem rather than just as a technical problem. So, uh, I led basically, um, engineering enablement teams for a very long time which basically meant that I got like a smorgasbord of, of like things that, uh, you'd...
Jasper Mills: no one else really wanted to take responsibility for, which ended up being things like incident responses and like, I had a satellite team for a while and like, um, I did a lot of like change management, regulatory [00:03:00] like things but mostly also like helping like business to understand like what...
Jasper Mills: how incidents impacted businesses and, and looking at those kind of metrics and AI adoption and things like that.
Ashish Rajan: Awesome. Uh, Igor, just a brief intro of yourself. Thanks.
Igor Andriushchenko: I'm Igor Andriushchenko. I'm, uh, head of security and CISO at Lovable, that AI, built with AI product for 99%. I've been a CISO four times before.
Igor Andriushchenko: I worked at, uh, digital telco companies, worked at AI companies, worked at medical device companies. So I've seen quite a lot of spread of like different security approaches, uh, from the most, uh, risk-averse to the most risk-taking ones, and trying to find a balance, uh, in it. And of course, like recently with AI changing, throwing all the bal- everything off the balance, it's very interesting, like where do we end up?
Igor Andriushchenko: And I think for this conversation, uh, I have, I have so many, so many ideas and like, you know, like I, I'm thinking of how would we work if we had what we have today like 10 years ago, that would be such a [00:04:00] different world. I always would say maybe we'll be in a b- better state of security already.
Igor Andriushchenko: Uh, but yeah, let's, uh-
Ashish Rajan: Maybe let's start there then, 'cause the topic we have is third-party risk management, not the sexiest topic, I must agree on this. I'm sure any, any people who are tuning in right now are like, "Oh my God, he's gonna talk about third-party risk management." Like at least security people, I would think they would be like, "Oh my God, that's the most laborious thing in- cybersecurity."
Ashish Rajan: And to your point what was the pre-AI state of third-party risk management?
Igor Andriushchenko: Abysmal. Yeah. It's like, it's the, it- if you take a, a security program, right? There is a, the whole bunch of security program dedicated, any security program dedicated to third-party risk management. You can fail a lot of audits on it.
Igor Andriushchenko: Uh, it requires a lot of documentation, a lot of ri- a lot of rigor. And the more the bigger company becomes, the more impossible it becomes to control your vendors the way, you know, if you, you actually bring value, right? Yeah. During it becomes, uh, this kind of paper exercise where you, you do something for the sake of doing it.
Igor Andriushchenko: Well, like a lot [00:05:00] of companies, it feels like their vendor management processes are like that. Uh, it involves, uh, 200-, uh, page, uh, checklists. Yeah. I've spent long nights filling out vendor checklists when we were trying to get business. So it's, it was a pain for both sides. Yeah. And the question is, what value did that bring to actually either of the sides, right?
Igor Andriushchenko: I want like, as a, as a, uh, as a CISO, I want to have a good understanding what are my riskiest vendors? Are they doing good enough job? Uh, are there any things that they're falling, uh, falling behind on, and how can I force them to... Like how c- can I keep control over the risk- Yeah ... that this, each individual vendor presents?
Igor Andriushchenko: That's all. Yeah. And from the vendor perspective, I want to offer the best service to my, uh, to my customers, right? Yeah. So I want also to grow with them. I want to keep the requirements coming in and be like, "Oh, here is a new regulation that probably I should be complying with." So there is also a positive side in that.
Igor Andriushchenko: But as, uh, as we say, like, you know, 10 years ago, it was not positive for everyone, for, for anyone- Mm-hmm ... in this, uh, [00:06:00] equation. So yeah.
Ashish Rajan: Is, is, uh, and I'm, I'm curious to hear you, Jas- Jasper. Obviously, such an ex- attractive field. What got you, uh, working on this particular problem space?
Jasper Mills: Yeah. So actually, when I first started, uh, my last job, I was given two board initiatives, and the first one was that I had to implement DORA, which is a digital operational resilience act. It's a financial regulation across the EU. And my, like, task was third-party risk. And I, like, started to look into what the options were, like, for, okay, how are we gonna manage this?
Jasper Mills: Um, and at the same time, I was getting this- this like ChatGPT and all of these, like, AI tools were starting to come into play. And so the, like, other sort of side of this was people were saying, "Okay, now we have to, like, transition to all of this productivity tooling." And the problem is, is like they're very similar in terms of, like, how do we actually, like, safely adopt tools, but then actually how do we monitor tools?
Jasper Mills: And so the regulation was actually looking at this from [00:07:00] more of an accountability perspective.
Ashish Rajan: Yep.
Jasper Mills: And how do you, like, maintain continuous accountability over, like, what's happening to things that are so critical to your business that actually can cause severe damage? And then at the same time, like, businesses were a bit at a standstill of, like, how do we actually adopt AI tooling?
Jasper Mills: And so I was basically looking for something that would give me both, or like, and, like, the process of, like, using the tools on the market felt like I'd been, like, catapulted, like, to 1979, and it was awful. It was, like, the worst experience of my professional career. Mm. And it was. It was just, like, hundreds of vendors and, like, Slack messages on Slack messages.
Jasper Mills: And, like, terrible manual reports. And, like, nothing of actual value, even if, like, the original intent- Yeah ... was really good. Yeah. And so I realized that, like, this actually is a problem is you look, like we had hundreds of vendors. All of those vendors were adding AI tooling. And what I realized is, like, we needed a way to both have [00:08:00] autonomous reviews if that was what the audits were going to demand, but also be able to look at this from a technical depth perspective to be able to actually integrate, okay, how do the vendors interact with the systems that you have?
Jasper Mills: Yeah. And then when actual things arise, like for example, as AI is added, how are you able to track that? How are you able to tie shadow AI back to approved vendors in a way that's autonomous and actually useful, rather than being just, like, tedious and manual and like a checkbox? And yeah. So that's basically how I came into it is it was pro- it was just like one of the worst experiences of my career.
Ashish Rajan: So wait, 'cause I, I love what you said about the accountability part, because I, I'm sure Igor would agree as this, 'cause the entire... It was a process-driven activity rather than a automated activity that all of us perhaps have been scarred with and accept it as normal. I, I'm curious, 'cause like, Igor, you mentioned, like, now you're excited about what is possible with AI.
Ashish Rajan: So I'm curious, how do you see this change? And we'd love to hear what you [00:09:00] have the story of later as well. In terms of how do you see as what's possible now?
Igor Andriushchenko: It's interesting because we cannot take this discussion out of the context of a more general change that AI is driving, right? So on one hand, we're solving some problems with AI.
Igor Andriushchenko: Yeah. But then for cybersecurity practitioners, it creates a lot, a lot of other type of problems, right? So for instance, now we have many more vendors. We have vendors sometimes that are very- Very good, very innovative, but it's like five people companies. Yeah. How do we measure the risk of the product that is bu- created by five people company?
Igor Andriushchenko: It's solving one problem, but introducing another. So then we have the whole thing around people building things within the organization with AI. Yeah. Should we treat each of these people or their departments as mini vendors? Because essentially we need to apply to those, uh, whatever they produce- Yeah
Igor Andriushchenko: uh, some, some kind of rules, some kind of governance. And that governance is very similar in its nature to third-party risk. Yeah, yeah. It just... [00:10:00] You're, like, it's almost like it's a second-party risk. Yeah. It's your employees, it's your builders. Yeah. On the other hand, of course, now we can take a, uh, old-school sh- uh, spreadsheet with questions, put it into AI, connect our database of knowledge to it, or like, like, the docs file with knowledge, and then we get pretty accurate results back, right?
Igor Andriushchenko: Yeah. That's great. That saves some time. So, but I feel like, like, the middle layer between the horrible state and, like, the good state are more like, kind of the challenges that were created and the opportunities that we got. Like, there is something there that should kind of route them, you know, route the good solutions to relevant problems, right?
Igor Andriushchenko: So we pick a solution that is uncovered by AI, and we solve some old problem, forever problem with it. Yeah. But also we need to be on the lookout for, but what are the new, uh, areas and surfaces we got introduced by AI and, like, its presence everywhere, uh, in the organization.
Ashish Rajan: So I kind of agree also because, to what you said, [00:11:00] even every vibe-coded app, especially if it integrates to data sources which are internal, quote-unquote, you technically become a vendor now.
Ashish Rajan: Even though you're technically the employee of the company, you've introduced a, a vendor w- unknowingly. Uh, I, I'm curious, Jasper is everyone on that journey that you talk to, or?
Jasper Mills: Yeah, so it's really interesting for us because basically we see something very similar to what Igor is talking about, is that, like- It goes back to the fact that, like, you need a really up-to-date inventory and understand, like, when your, like, inventory is changing in a way that that changes, right?
Jasper Mills: Yeah. So, like, a lot of these things are start of some of these problems are starting to collide in a way that they have, like, previously not. What we see actually is, like, we have really interestingly, like, some of the fastest growing companies and, like, some of the slowest companies, like really highly regulated.
Jasper Mills: And so I- we had a customer recently who did, who told us that this was the first AI tool that they had ever used, um, like, i- in the [00:12:00] organization. I'm sure they had used, like, ChatGPT. And it was, like, the first thing to see, like, okay, we can have real productivity gains within- Yeah ... sort of our area.
Jasper Mills: Yeah. Um, but what we see is, like, a really big gap in terms of uh, trust. And so there's a high barrier to get people to understand, like, how AI can be used when they're sort of naturally skeptical of it. Oh, right. Um, and so we've actually had to, like, solve for this. We have a toggle that basically is, like, fully autonomous and, like, in the loop, right?
Jasper Mills: Because, like, you want to give people a sense of control, and people who are very comfortable with AI are fine with our AI negotiating with the vendor to go back and forth on the questions- Yeah ... or, like, the pen tests they haven't sent. That is, like, a very uncomfortable, like, reality for someone who isn't as comfortable with AI.
Jasper Mills: So we've had to solve for both of those problems, which has been really interesting to be- Yeah ... in this world. Yeah.
Igor Andriushchenko: Yeah, it seems like how [00:13:00] coding tools solve it nowadays, right? You can choose different permission levels: full access, full, uh, or, like, full, uh, uh, full autonomy, medium autonomy, like it decides when to ask you for things, or fully manual, like ask for every tool approval.
Igor Andriushchenko: Of course, you can, with coding you can also, like, specify in settings of JSON or something which commands to run without their approval. Yeah. I think it's pretty similar, kind of the threat model is similar, right? Yeah, yeah. What we are, like, I'm always talking about this toggle- Yeah ... right? We are turning about, like, security, full security or full speed.
Igor Andriushchenko: Yeah. And it's never, like, it's never binary. It's never like you, you, you sometimes tune it and it's never, like, only the security or only speed. Right? Yeah. You, you find your own balance. Yeah. And I think, uh, we will get even more granular at these things, and probably it's interesting that, like, with with the, uh, uh, very known, like, code assi- coding assistant agents, they put AI in charge of how autonomous AI should be.
Igor Andriushchenko: Isn't it interesting, right? Yeah, yeah. Like AI assesses with this level of risk that customer accepted, should I ask them about, uh, well should I [00:14:00] ask for permission or forgiveness essentially? Yeah. And, uh, that's, uh, that's where things are moving.
Ashish Rajan: Did you find, uh... 'Cause I, I love what you said about, uh, the first AI tool and having skeptics in the org.
Ashish Rajan: I'm sure people who watch this would also be, some of them would be skeptic on this idea as well. I'm curious about what parts of third party risk management, which is in my mind is completely process driven. I'm actually literally calling Jasper, "Hey, Jasper, is your, uh, SOC 2 compliant? Are you..." Like almost either I'm doing a phone call, a form, or trying to...
Ashish Rajan: And then there is the whole regular maintenance of this as well. There's so many moving parts to this. Right. I'm curious what parts of these that are, uh, open to AI applicability, I guess, or you can use AI assisted or full, hey, autonomy. Like are what parts of these are and what parts of these are still very human driven?
Jasper Mills: Yeah. So we basically see the judgment. So what we try and do essentially is use the agents to do like the full sort of initial assessment. And, and from my perspective, like that is like just [00:15:00] like sort of the beginning of third party risk because then you have to fit, once you've approved that vendor, you have to monitor how it works and how it's being used within your system.
Jasper Mills: So like do they add AI coding agents? Can you detect that? And so what you end up having is not just like third party vendor risk, but then you also have like the third party agents, uh, registry, and those life cycles, and who actually has access to those, and what data sources do those have, um, access to as well.
Jasper Mills: Yeah. So it becomes like a third party plus agents plus MCPs. Like, so all of these things which are sort of like new, like new third party artifacts are starting to become something that you also need a very similar process. But what I would say back to your question so we see the sort of ability to do all of the data gathering all of the sort of like checks from, uh, like, uh, historical news, like financial, like everything that sort of like you might wanna see.
Jasper Mills: We can like check GitHub, we can see how many like people are like ha- or like have... If it's an open source, um, tool, like we [00:16:00] can look at like how many people are maintaining the project, when was it last maintained. Yeah. We can do... So like all of that can be done autonomously. Where we actually, uh, sort of like pull the humans in is at the end.
Jasper Mills: So we basically aggregate everything that we cannot get, or we'll give an analysis of basically based on like your risk sort of tolerance, which can be varied depending on, um, this is sort of what we would recommend, and like these are the mitigating factors, uh, if you want to like accept it, like onboard or not.
Jasper Mills: But then we basically try and do all of the tedious work up until someone has to accept the risk. Yeah.
Ashish Rajan: Uh, I'm sure you as an AI-forward company, 'cause I think one of the conversations I come across quite often when you meet people who have been very AI-forward, let's just say- How they feel.
Ashish Rajan: There's a whole always a build versus buy conversation. This... 'Cause a lot of people already have a predefined process. At what point, and may- maybe I'll ask the build part first, 'cause I'm just curious. Uh, is it practical to build this or is it more... And obviously you have a whole company [00:17:00] around it. I'm cur- curious to hear, you know, your opinion on this as well, 'cause I, I...
Ashish Rajan: What do you say to when people ask about the fact that, "Hey, can I just build this?" And where do they come across the challenge that actually at this point in time, this, it's insane to continue maintaining this? Like, where do you see that to- toggle change, for lack of a better word?
Jasper Mills: I mean, I think it all, I think it depends on the company, right?
Jasper Mills: Like, so like it depends on like the risk fa- like, the risk tolerance. Like, so like we have really high quality data sources and like a lot of them. Yeah. Right? And so like that means that we have like databases and things like that, so if it really matters to your company, so like if you're med tech or like, like finance or, or like you serve high trust industries, like a lot of B2B, like they really need to like sort of maintain a high level of trust because their customers are trusting them that they have sort of, you know, this on lock, right?
Jasper Mills: But if... I think there is a case to be made that like if this is, if you have a really high risk tolerance, like you can sort of like run the gamut and like use Claude and like, you know. Like, I, I don't really see... [00:18:00] I think that it's like important, don't get me wrong, but like consumer facing products, for example, higher risk threshold, like, you know, l- more forgiving, things like that.
Igor Andriushchenko: Yeah. Well, I have a whole take on it probably, is that like it's probably not one of the areas I would like to build ourselves, right? There are a few reasons for that. Because, uh, imagine you have to build like your third party risk management from scratch. You start with, okay, let's do automated follow ups.
Igor Andriushchenko: Like let's, let's do like far crawl of their website, right? Yeah. Then we add capabilities, we add capabilities, we store the data somewhere. Uh, we have it automatically gathered and I decide, okay, now let, let it message customers and let it request something. But like how many people are working on that really?
Igor Andriushchenko: Like, is there one engineer who's like vibe coding it? Good. But then what happens next? And as we, um, we talked about the governance of each application. What happens next to the application after it's done or reaches some sort of operational form? Yeah. Right? It needs to be maintained. Somebody needs to take a look at, uh, logs, at alerts, [00:19:00] at telemetry.
Igor Andriushchenko: Uh, check that, you know, far crawl key is not expired. And like all those things, they just adapt, and you ended up, you end up with somebody like full-time job whose full-time job is just maintaining that app. Yeah. And how is that different from like buying it from someone, right? Yeah. Essentially, you just outsource that all that and you already get it like tomorrow, right?
Igor Andriushchenko: Yeah. Yeah. And it's already working, it's already enhancing your, uh, like reducing your risk posture, enhancing your security posture, so like everyone wins, right? And another area is that like if you are having an audit, and if you, let's say, you build something yourself, you put one engineer in charge of it, uh, let's say something goes wrong, uh, in the audit, in the security audit, I think it will be much less tolerable if it's, like, your own fault, right?
Igor Andriushchenko: Because essentially if your, like, third-party risk management tool didn't cover for something, you're like, "Yes, that's a mi- minor non-conforming." But if it was, like, uh, your own fault, you decided to take that risk and build it yourself, uh, then it could be a more serious issue. Yeah. So essentially it's about, like, [00:20:00] balancing that residual risk- Yeah
Igor Andriushchenko: uh, of what, what, what you get after, like, implementing ei- either way. And of course you can build it. Uh, but also I think, uh, this is a good space for the specialized tooling with, uh, unique data sets, with unique unique automations, unique approaches, um, like, of, um, uh, removing hallucinations from AI, for instance.
Igor Andriushchenko: It's not also, like, always hallucination-free, right? Like sometimes it can, like, imagine answers. Like, and it's a very hard problem, and these people, like, they work day and night solving it. Yeah. And most likely your company does not, right? So again, you can do it, but the quality, like, quality will be probably at the beginning lower.
Igor Andriushchenko: Of course, if you want to invest it and if it's, like, in your main path somehow, if your company is doing some kind of other somewhat related to this area- Yeah ... if you can, like, put it then later into your product or sell it somehow, make it your own product, then maybe it makes more sense.
Ashish Rajan: Yeah. Yeah. The only reas- reason I ask is because, I don't know if you guys know this, you know Rippling as a company, which is like a financial bank before, they've come out with a compliance tool as well, and you're almost like, "Wait, this is a financial institute coming out with [00:21:00] a compliance tool," which is kind of interesting.
Ashish Rajan: At that point in time, you realize, oh wait, you made a... To, to what you said, somehow it became their main path. Exactly. Because it's like, oh, we have a product which we were... I know we were a bank, but now we are, or payment company, whatever you do, I guess. We're doing compliance. You're like, "Oh."
Igor Andriushchenko: Payment compliance, I think it's just same type of people solving those type of problems.
Igor Andriushchenko: Yeah. And then they were like, "Oh, there is a more interesting, uh, or a space where we can have more impact." Yeah. Right? And then it became a main quest for them. For instance, Lovable will not pivot into third-party risk management anytime soon.
Jasper Mills: Really?
Ashish Rajan: You never know. Uh-
Jasper Mills: Well, well- No, I mean, I think it's also, I mean, like, just, like, the cost alone, it is...
Jasper Mills: you have to un- Like, we have a really, really specialized team. Like, our entire team has built these products at scale for like- Yeah ... their entire career. So, like, while I come from it from the business side we have 10 security engineers, you know- Mm ... who have built, like, mathematical models on, like, how to assess risk, how you actually are able to, like, s- [00:22:00] Someone has to do that, right, and understand how to maintain it, and it's, like, not cheap-
Ashish Rajan: Yeah.
Jasper Mills: ... to, like, actually do well, you know? Yeah. And so I think that, like, if you're gonna do that, it's a- The- It's an investment, right?
Ashish Rajan: Yeah, to your point, I guess it's, if it's your, becomes your main, main, I guess main gig after a while, they're putting it as a product. I'm also curious for people who already have- an existing, uh, third-party risk management.
Ashish Rajan: Perhaps someone who's watching this is someone who's in that field, or probably sitting there behind their desk going, "Is there a better way to solve this?" I'm curious, what are some of the building blocks required for people who already have a program that's running to even enable themselves to do this?
Ashish Rajan: 'Cause I think at the moment everything's manual, Excel sheet, document, like a Dropbox folder somewhere or a Google Drive folder somewhere collecting the pen test reports. Mm. What are some of the building blocks required to even build this?
Jasper Mills: I mean, I think it really depends on, like, what you're trying to optimize for.
Ashish Rajan: Yeah.
Jasper Mills: So, like, um, if you're optimizing for, like, operational efficiency, like what we see, like, as [00:23:00] really important is, like, to embed into the tools that people already use. Like, that is a significant reduction of time. Yeah. Um, or to have products that do that, right? Because, like, one of the main problems with third-party risks specifically is that it's so uncontained to, like, one area, and actually, like, the biggest area that we see problems, and especially with AI adoption, is, like, the non-technical teams.
Jasper Mills: And so you're having to, like, constantly try and figure out, like, okay, is this, like, a new vendor? Like, who is, you know, John in sales, and, like, what is this, like, new thing he found on the internet? You know, if you're doing, like, if you've integrated Shadow AIs or Shadow IT as part of your, like, third-party program.
Jasper Mills: Yeah.
Igor Andriushchenko: Or maybe John built it themselves.
Jasper Mills: Right, or maybe John built it themselves. It's- Downwards, right? Yeah. Exactly, and then he found an MCP that he has spun up, and now it's going to Salesforce and, like, fetching whatever it wants, right? And I think you just see all of these things. Yeah. And this is actually something I had someone tell me recently, because we're also h- we help, uh, with a number of sort of like third party, but [00:24:00] third-party agents, and then also we're moving s- somewhat into first-party agents.
Jasper Mills: But another story. But this guy told me, I had a CISO call me and he said "We feel like we have just given," they had enabled it for sales and, like, all of their non-technical teams, and it, they, he basically said like, "I feel like we have just given a kindergarten a nuclear bomb."
Ashish Rajan: Ah.
Jasper Mills: And, uh, just because they had so little visibility, they had so little, like, insight into these teams.
Jasper Mills: And so, like, that cross-functional work was just not there. So I think first is, like, being able to reduce the amount of work that it takes your team to, like, work within the, the, like, tools that they use. But then if you're trying to optimize for, like, other areas like document analysis and things like that, then I would look at, like where are the sort of like biggest pain points you have?
Jasper Mills: Is it like the, you know, vendor questionnaires? Is it like the, um, NDAs is weirdly a, a really challenging one, so, like, that, like, bridge between legal. So, like, there are ways to reduce that sort of operational overhead. Um, but I would optimize for like the biggest pain points that, like, your security team has, right?
Jasper Mills: And [00:25:00] then the other ones would be obviously, like, the continuous monitoring. Yeah. And from that I would say, like- Really try and get technical depth and, like, have a system that automates and sends things to your SIEM and, and those kinds of, like, integrations, right? So, like, try and pull as much as you can to integrate into the systems that you have so that it's like a full loop rather than just like a standalone system.
Ashish Rajan: Oh, fair. I mean, uh, from your, uh, 10 years ago or the previous third party risk management manual part, uh, rebuilding that from an AI first approach, uh, what were some of the building blocks that you see as well? I'm curious.
Igor Andriushchenko: Yeah, I think doing an... I think I'm very excited about AI doing inventory of everything that's going on in the company, 'cause we already have some solutions.
Igor Andriushchenko: They just look into telemetry from the device. Let's say they take like CrowdStrike telemetry, they take any other agent kind of running on your computer telemetry, and then they analyze it, and it was like, "Oh, I found these 75 vendors here." So you don't even need to like, you know, like ask someone, go with a spreadsheet and inventory all [00:26:00] the software.
Igor Andriushchenko: It will not be e- uh, explicit, right? Yeah. But if you run an agent... Uh, it's l- it's not even that. They use the agent a- that already exists for gathering telemetry, right? Yeah. And then they run AI on top of it, and then they find all the vendors. And then for every vendor they compute a risk profile, and then you already have this kind of inventory.
Igor Andriushchenko: You know what you're dealing with, then you can start treating each vendor separately. Yeah. You can go through them and be like, "These are the, the companies or, like, the vendors, the tools I have. Uh, they, they have no place in our, our workplace," right? Yeah. We immediately, like, disallow them. Yeah.
Igor Andriushchenko: Immediately. Remove so much risk by that. And then you start, like, proactively working with that, uh, vendor list. Yeah. And you're like, "Okay, let's look at how, what's our relationship?" Uh, the tools that can provide you with understanding, are you running the enterprise agreement with them? Are you running, like, enterprise level account with them?
Igor Andriushchenko: What's the plan we are on? Yeah. Or i- are people connecting to a personal, let's say, cloud instance? Yeah. Because I've seen that the... And h- I've heard a lot from, uh, like CISOs, uh, uh, who work, uh, you know, with AI tools as [00:27:00] well, that often people just try to bypass the company cloud workspace restrictions, for instance- Yeah
Igor Andriushchenko: or Lovable or something, some other tool restrictions. They go and they create a personal workspace, and they just enable that feature, and they, they use it. Uh, and it also speaks to, like, I feel like AI is creating more agency in people. Hmm. If everything feels solvable, just like one toggle away- Yeah ... and then people think less about what security implications will have because, "Hey, my job can be 10 times more productive by just enabling that small thing," whether it's true or not.
Igor Andriushchenko: Yeah. Uh, and I feel like we are dealing in the, uh, from a CISO perspective when working with my users, my company, sometimes I'm dealing with people just, like, asking this question, "But why cannot I be more productive?" Because that will introduce... that will just blow up the entire risk program and, like, everything will be very bad if we enable a thing, right?
Igor Andriushchenko: That's essentially the answer. So we need to know about what is, what are we dealing with- Yeah ... what state it is in, and then we could start working proactively and just introducing, [00:28:00] uh, like, I don't know, running, running the, the third party risk management agent that automatically follows up with all these vendors, requests NDAs from them where they're missing.
Igor Andriushchenko: Yeah. Request, like, updates, maybe negotiate- Mm-hmm ... on the, on our behalf or start, like, conversations early. Okay. And it all should be happening, you know, autonomously because we are in that... Like, what, because why not? Right? Yeah. Mm-hmm. We're already there. And then think about this, like, I've heard it many times, 2027 is the year of agent to agent, right?
Igor Andriushchenko: We, we're looking at third party management agent, uh, risk management agents talking to company agents, like vendor agents- Yeah ... that are just there listening for, you know, anyone coming in, asking about pen test results or NDA or something like that. They verify credentials. They start conversation, right?
Igor Andriushchenko: Like, there is... It may sound bad, but there is no place for humans in that loop. Yeah. Mm-hmm. And maybe it will offer humans to do, to let humans do something more meaningful with their lives, right? Because everyone hated, like 10 years ago, everyone hated risk management. Most did it poorly. Those who did it well hated [00:29:00] their, their lives because, like, it's a very, very mundane job.
Igor Andriushchenko: Mm-hmm. Now we have a chance to, like, literally, like, lift the entire block-
Ashish Rajan: Yeah ...
Igor Andriushchenko: and replace it with something better. Yeah. And this we are freeing up resources. I listened to your podcast with box.com CEO, uh, CISO. Yeah. C- CISO, CISO, and she was talking about the SOC- Yeah ... like building a SOC. Yeah.
Igor Andriushchenko: Mm-hmm. And it was about, like, where do we, like, like, now we have this, like, people don't have to do it anymore. Yeah. Now they can be, do something more meaningful- Yeah ... in their, uh, line of work. Yeah. So I think that's, uh, that's beautiful. Yeah.
Ashish Rajan: Yeah. And I, I think it goes back to what you were saying earlier as well about the whole what you're optimizing for, but I love the hygiene analogy before.
Ashish Rajan: You almost wanna know what your vibe-coded apps, your MCPs, or how many agents are running in your organization so you can enable third party risk management on top of that. Because a lot of people may approach this, we are definitely walking into a territory where it's easy to create an agent. Yeah. I don't even have to, like, be technical to do that.
Ashish Rajan: And the goal that non-technical people have is, is a fair [00:30:00] goal, that I just wanna solve a problem. I wanna do my task. All the peripherals of security and everything is just like a, eh, it's kinda like, you know, it's like, my... it's, like, hard to explain to people when, hey, I, I don't, that's not my, my job.
Ashish Rajan: I, why am I thinking about all that? Right. So I love where this, uh, kind of went. I'm just curious also from a perspective of now that you laid out the foundation for people who are starting fresh versus people who already have this defined, and what can we do in terms of automation, where do you see this go in, I guess, I...
Ashish Rajan: And then, and we were talking about agent to agent 2027. Do you guys, at least I'm k- sure from, from a product company perspective, do you, where do you see this gonna go as the adoption increases for this?
Jasper Mills: Yeah. All right. This is gonna sound like- Really dystopic, okay guys? So, like, bear with me for a second.
Jasper Mills: But I think IT will end up being like HR, in like the fact that it will be like your contracted workforce. So you'll have a lot of- Mm ... contracted agents, you'll have a life cycle, you'll have a [00:31:00] cost within that, right? Like, you'll have an association, it will have their own credentials. But I think you'll manage it very similarly to third party risk, and the vendors will eventually have their own agents that are working in your systems.
Jasper Mills: And so this idea of having, like you said, like this continuous inventory, understanding where your third parties are, in the same way that we have contractors that come into, like, our offices, right? They still have a contract, they have, like, bounds in which they have to. Yeah. I think that's where it will go, and that there will be, like, life cycle management.
Jasper Mills: And I think on the process side of things, I think you will see... Like, and that's w- look, what we're building towards is, like, this agent-to-agent world, because we see this already. Like, there's a company called Pactum that's doing this for procurement, so they're going and negotiating contracts for, uh, pricing, right?
Jasper Mills: And- and their agents have, like, certain boundaries and guardrails in which they're able to work within. I don't really see why that work couldn't be done today as long as it, you had, a- as long as the, like, company was comfortable with the results, right? Yeah. Like, [00:32:00] ultimately it comes back to, like, how comfortable they are if they review those results and those kinds of things.
Jasper Mills: But I don't see why any agent today, if you have the right tools and the guardrails, that it couldn't be doing those things like requesting, uh, pen test results, that it couldn't be asking for SOCs and then reviewing them against, like, what the standards are that maybe your company, um, uh, accepts, and then, uh, sending that back to the vendor to say, "I need these things in order to, like, approve it."
Jasper Mills: Like, I just don't think it's that far off, and I, and I see other industries doing it. Yeah. Yeah. So, um- Yeah ... it's definitely feasible, and I think that's where it's going.
Igor Andriushchenko: Yeah. I think it's such a, such a strong metaphor of treating, uh, agents more like, uh, personnel, right? Because it's in the name, right?
Igor Andriushchenko: And what defines a pers- a per- person is the agency, right? Yeah. We have free will. We decide what to do next. Yeah. The agents have that too. Yeah. And, like, not to the same extent, of course. There is a program where there is, like, intention we give them- Yeah ... but still, sometimes they do things we do not expect.
Igor Andriushchenko: But most of the time, they do things, like they decide what [00:33:00] next step to take. Yeah. And then we cannot treat them as programs, because the moment we start thinking, "Hey, this thing will behave deterministically"- Yeah ... we've failed as security people, right? Yeah, yeah. Because we know there is some, some degree of non-determinism, but same with people, right?
Igor Andriushchenko: When we bring in a new person into the organization, we know they could be, like, the... We, we don't know how they will behave, right? Yeah. We have expectation, we have... We know their background, we know what, who they are, we know what impression we got during the interviews, and then we assess, and then we see if we need to take any corrective actions and so on.
Ashish Rajan: Yeah.
Igor Andriushchenko: It's similar. It's even, like, it's dystopian-ly, it's kind of- awkwardly similar. And I don't know what to do with that knowledge- ... but at least I n- I don't know what to do with that feeling that I have now about it. But of course, it gives me an important knowledge to how to secure a company in 2027 and past, like- Yeah
Igor Andriushchenko: you know, 2028 and so on and so on, where we will see just more agents, uh, and where would be the human place, where would be the agent place, [00:34:00] or we will be... Will we be all in the same HR s- system calendar? It's like, "This is human. This is agent. Bob, meet Bob. Did you say hi to Bob?" Maybe. Yeah.
Jasper Mills: I mean, I think so, maybe.
Jasper Mills: Like, I know it's kind of crazy, but I also think if you look at, like, what's happening, and this actually... Okay, we're gonna go full back to DORA, right? So we- Okay.
Igor Andriushchenko: Yeah, right. We've made a circle.
Jasper Mills: We're making a circle back to DORA. So DORA, one of, like, the key, like, sort of foundations is, uh, contractual accountability.
Jasper Mills: Yeah. And one of the things that we've thought about is if you think about people, if you think about agents, if you think about vendors, like historically what you've been able to do, if you look at when something goes wrong, you go back to the contract, you call a person up. But actually what you're able to do with vendors, with third-party agents, even with first-party agents, and I guess now, like, second-party applications even, like you can then actually take the contract that you have and create guardrails.
Jasper Mills: You can actually sort of pull an, a policy that's much more likely to be adhered to, and that's actually much more likely to be able to be followed, and proof that you were [00:35:00] able... That you did what you could- Yeah ... as opposed to, like, where you have problems with, with people. And, and I think what we're seeing, like, there are a number of things happening in the US in terms of, like, some of the bigger data breaches, where people are trying to understand, how do we take these AI attacks, which many are starting to come through third parties is it's being litigated in court.
Jasper Mills: And so if you look at third party as more than just, like, a process, but actually, like, something that helps you to stay contractually above board- Yeah ... right? Like, it actually becomes a real sort of, like, risk management and, like, reduction for your organization if you can apply what you have for your contracts to those agents that then go and do that autonomous work, right?
Jasper Mills: Yeah. A- and I think that, like, if you have a system that can then prove that, then you are much better positioned if someone were to come with a lawsuit or an auditor from a regulator to say, like, "Look- Here's what we had, here's what we did, here's the process we had, and, like, here's the trail. Mm. [00:36:00] Um, and so I really think it's, like, an interesting...
Jasper Mills: I know it starts off being really boring, but I really think third party has, like, a real future here.
Ashish Rajan: I mean, uh, you- you've- you're fully invested into it, so I guess it better have a future now. Uh, but, I mean, that's most of the questions I had, so thank you so much for sharing all that. Where can people find out about the work you're doing- Yes
Ashish Rajan: the company, what, uh, everything else?
Jasper Mills: Uh, sorry, I did not mention. I am, uh, Jasper. I'm the co-founder and CEO of a company called Athira. You can find us at athira.dev.
Ashish Rajan: Awesome. Uh, Igor, where can people connect to you and talk to you more about how to make third-party risk management exciting?
Igor Andriushchenko: Yes. Uh, you can talk to me about anything security related.
Igor Andriushchenko: Uh, you can try our product lovable.dev. Uh, it's a builder building digital, anything digital- Yeah ... for 99%, right? From the most technical to people who, like, never, never built anything. Yeah. And in between. And you can try building third-party risk management if you want. Yeah.
Ashish Rajan: And you can- And we can compare.
Ashish Rajan: Yeah.
Jasper Mills: Yeah.
Ashish Rajan: We can do a- And, and you're hiring as well. Is that right?
Igor Andriushchenko: Always hiring.
Ashish Rajan: Always hiring.
Igor Andriushchenko: We're, like, 30-plus people,
Ashish Rajan: so if people wanna find a role as well. But thank you so much for coming on the [00:37:00] show. Thank you everyone for tuning in as well.
Jasper Mills: Great. Thanks.
Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast.
Ashish Rajan: This was brought to you by techriot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on cloudsecuritypodcast.tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify. In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security.
Ashish Rajan: Finally, if you are after a newsletter that just gives you top news and insight from all the experts we talk to at Cloud Security Podcast, you can check that out on cloudsecuritynewsletter.com. I'll see you next episode.
Peace.