Third-party risk management (TPRM) tools take varying approaches to automated vs. manual operations.
The company SAFE addressed automation in a July 15 press release. It uses the trendy term “agentic AI” so it must shift paradigms and optimize outcomes.
After stripping out the PR fluff, here’s some of what’s left.
“[SAFE] announced the expansion of its Agentic AI strategy with the release of 12+ new autonomous agents, over the next 3 months, purpose-built for third-party risk. The next two AI agents are SnapShot and BreachWatch which help organizations proactively organize AI summaries and identify third-party breaches respectively….
“‘Legacy solutions weren’t built for risk landscape,’ said Saket Modi, CEO and co-founder of SAFE. ‘SAFE is transforming TPRM….’”
But if I could offer a marketing word of advice to TPRM firms, the “we are better than legacy TPRM firms” message has jumped the shark. EVERYONE is better than legacy TPRM firms these days; you are nothing new. No one is completely manual any more. It’s like comparing a Tesla to a bicycle. Or any basketball team to the Washington Generals.
The real question is HOW you use your automation, and how accurate your automation is. Speed alone is not enough.
Continuing my self-promotion, as opposed to promotion of my Bredemarket marketing and writing consultancy, how do I promote myself to companies outside of identity and biometrics?
For example, cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric)?
By emphasizing that I ask, then I act.
Resonating with both the Simon Sinek devotees, and the bias to action adherents.
Short in duration, heavy on symbolism, and daring to mention “B2G” before “B2B.” That will start a conversation.
And then if someone fixates on the biometric modalities…
The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.
Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:
“Cross device authentication allows a user to sign in with their device using a QR code.
“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.
“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”
“After entering their username and password on the phishing site, the user was presented with a QR code….
“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”
Presumably the FIDO Alliance will address this soon.
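The flow quoted above, worked through in a small Python model. This is an added example and is not FIDO Alliance code or code from this blog; the message formats and key derivations are simplified stand-ins for the CTAP hybrid transport, and the names (Airspace, TunnelServer, ClientPlatform, run_scenario) are mine. It follows the division of labour the FIDO quote gives (the Relying Party only issues a challenge and checks the assertion; the client platform and the phone do the CTAP work) and models two channels: the Internet relay that carries messages between phone and client, and Bluetooth LE range, which a web page cannot forward. The CTAP hybrid transport ties the relay to a BLE advertisement from the phone so that the client showing the QR code must be physically near it; with that proximity binding switched off, as in the attacked flow, the relayed QR code logs the attacker in, and with it on the relay fails.

```python
"""Toy model of FIDO cross-device sign-in and of a QR-code relay.
Added example; not FIDO Alliance code. Derivations and messages are stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def derive(secret: bytes, *parts: bytes) -> bytes:
    """Toy key derivation (HMAC-SHA256 over labelled parts); not CTAP's real KDF."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class Airspace:
    """BLE range: an advertisement is only audible at the location it was sent from."""
    def __init__(self) -> None:
        self._adverts: dict[str, list[bytes]] = {}

    def broadcast(self, location: str, nonce: bytes) -> None:
        self._adverts.setdefault(location, []).append(nonce)

    def listen(self, location: str) -> list[bytes]:
        return list(self._adverts.get(location, []))


class TunnelServer:
    """Internet relay between phone and client, addressed by a derived tunnel id."""
    def __init__(self) -> None:
        self._boxes: dict[bytes, bytes] = {}

    def put(self, tunnel_id: bytes, msg: bytes) -> None:
        self._boxes[tunnel_id] = msg

    def get(self, tunnel_id: bytes) -> Optional[bytes]:
        return self._boxes.get(tunnel_id)


class LoginPortal:
    """The Relying Party: issues challenges and verifies assertions, nothing else."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._sessions: dict[str, tuple[str, bytes]] = {}

    def register(self, username: str, phone: "Phone") -> None:
        self._keys[username] = phone.passkey  # stands in for the stored public key

    def challenge(self, username: str) -> tuple[str, bytes]:
        sid, chal = os.urandom(8).hex(), os.urandom(32)
        self._sessions[sid] = (username, chal)
        return sid, chal

    def finish(self, sid: str, assertion: Optional[bytes]) -> bool:
        username, chal = self._sessions[sid]
        if assertion is None:
            return False
        return hmac.compare_digest(derive(self._keys[username], b"assert", chal), assertion)


@dataclass
class Phone:
    """The FIDO authenticator holding the passkey."""
    location: str
    passkey: bytes = field(default_factory=lambda: os.urandom(32))  # private-key stand-in

    def scan_qr(self, qr: dict, airspace: Airspace, tunnel: TunnelServer) -> None:
        assertion = derive(self.passkey, b"assert", qr["challenge"])
        if qr["proximity_bound"]:
            # Hybrid transport: the phone advertises over BLE and the tunnel id depends
            # on that advertisement, so only a client in radio range can find the reply.
            nonce = os.urandom(16)
            airspace.broadcast(self.location, nonce)
            tunnel_id = derive(qr["qr_secret"], b"tunnel", nonce)
        else:
            tunnel_id = derive(qr["qr_secret"], b"tunnel")  # QR secret alone addresses it
        tunnel.put(tunnel_id, assertion)


@dataclass
class ClientPlatform:
    """The browser/OS that shows the QR code and talks to the portal."""
    location: str
    proximity_bound: bool

    def start_cross_device(self, portal: LoginPortal, username: str) -> dict:
        sid, chal = portal.challenge(username)
        return {"session_id": sid, "challenge": chal,
                "qr_secret": os.urandom(32), "proximity_bound": self.proximity_bound}

    def collect_assertion(self, qr: dict, airspace: Airspace, tunnel: TunnelServer) -> Optional[bytes]:
        if not qr["proximity_bound"]:
            return tunnel.get(derive(qr["qr_secret"], b"tunnel"))
        for nonce in airspace.listen(self.location):  # only adverts heard at *my* location
            msg = tunnel.get(derive(qr["qr_secret"], b"tunnel", nonce))
            if msg is not None:
                return msg
        return None


def run_scenario(proximity_bound: bool, relayed: bool) -> bool:
    """True if the login completes. relayed=True is the phishing-page relay quoted above."""
    airspace, tunnel, portal = Airspace(), TunnelServer(), LoginPortal()
    phone = Phone(location="victim-desk")
    portal.register("john", phone)
    # Legitimate: the victim's own laptop shows the QR. Relayed: the attacker's client
    # platform shows it and the phishing page merely forwards the image to the victim.
    client = ClientPlatform("attacker-site" if relayed else "victim-desk", proximity_bound)
    qr = client.start_cross_device(portal, "john")
    phone.scan_qr(qr, airspace, tunnel)  # the victim scans whatever QR is on screen
    return portal.finish(qr["session_id"], client.collect_assertion(qr, airspace, tunnel))


if __name__ == "__main__":
    for bound in (False, True):
        for relayed in (False, True):
            outcome = "login ok" if run_scenario(bound, relayed) else "login fails"
            print(f"proximity_bound={bound!s:5} relayed={relayed!s:5} -> {outcome}")
```

Running it prints four lines: without the proximity binding both the legitimate and the relayed sign-in succeed, which is the outcome the quoted incident describes; with it, the legitimate sign-in still works and the relayed one fails because the attacker's client platform never hears the phone's advertisement. The defensive point for a Relying Party or identity provider is that a cross-device option which skips that proximity step is the piece worth checking in your own deployment.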
Tech CMOs want to move their prospects to act and buy world-changing offerings (products or services) from their firms…and I want to move my tech CMO prospects to act and buy marketing and writing services from Bredemarket. So tech CMOs, I definitely feel your pain. But how can you move your prospects…and how can I move you?
Because my client had a specific problem. The client needed its prospects to understand how its offering could solve nagging prospect problems. Riots. Car thefts. Robberies.
And my client had a specific solution. I can’t reveal the solution without giving the client away, but let’s just say the solution simultaneously addressed the end customers’ dual needs of speed and accuracy, as well as other end customer concerns.
As for specific results, I confess I don’t know. In this case my client never got back to me and said, “John, case study 3 attracted a prospect that ended up buying an annual contract.” And my primary contact at the client subsequently moved to another firm. But the fact that the client stuck with me for a dozen case studies and some subsequent NIST FRTE analysis work indicates that I did something right.
You see what I did there. Well, as much as I could while preserving my ghostwriter status and my client’s anonymity.
What is your specific problem?
This section of the blog post is specifically addressed to tech CMOs and other marketers. The rest of you can skip this part and watch this entertaining video instead.
Bredemarket has specific solutions depending on whether your needs are short, medium, long, or ongoing. As part of my solution, I begin by asking questions and then iterate the deliverable with you.
The specific results you need? Let’s talk about them.
Now I know I’ve loaded this post with links to previous Bredemarket content that addresses the…um…specific topics in much more detail. Maybe you clicked on the links, or maybe you didn’t. I will find out.
But if you are ready to move forward, this is the one link you need to click. (“Now you tell me, John!”) It lets you set up a meeting with Bredemarket to discuss your specific needs.
Some of you may have seen a similar reel targeted to Bredemarket consulting clients (identity/biometric marketing leaders). Actually there are two Bredemarket reel versions because of a landing page change. The existence of three reels shows my dedication to repurposing.
But none of the three versions is meaningful to cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric).
Both identity/biometric industry professionals and the general public have an intense interest in the U.S. Department of Homeland Security (DHS). This isn’t a new interest, but has persisted since the Department was created.
But it’s important to remember that DHS has a bunch of different components, ranging from U.S. Immigration and Customs Enforcement (ICE) to the Federal Emergency Management Agency (FEMA) to the U.S. Coast Guard.
And you don’t want to get them confused. You really don’t.
If you go to the DHS website and visit the Organizational Chart page, you can download a PDF of the organizational chart. As of November 8, 2023. (We’ll return to that.) As a help, here’s an image showing the organizational chart.
DHS organizational chart as of November 8, 2023.
The chart is mostly filled with a myriad of offices that don’t interest most people. I don’t think political activists really care about the Office of Public Affairs.
The sexy stuff can be found in the 8 boxes at the bottom of the organizational chart. These include:
U.S. Immigration and Customs Enforcement (ICE).
U.S. Customs and Border Protection (CBP).
U.S. Citizenship and Immigration Services (USCIS).
Federal Emergency Management Agency (FEMA).
U.S. Secret Service.
Cybersecurity and Infrastructure Security Agency (CISA).
Transportation Security Administration (TSA).
U.S. Coast Guard.
Remember remember remember that these are separate agencies, and each one has its own mission that is separate from the missions of the other agencies. So don’t try to complain to the Coast Guard about what ICE does or doesn’t do; the Coast Guard doesn’t care. In fact it’s highly likely that the people in the Coast Guard think that the people in ICE are a bunch of bozos. And vice versa. Even for the agencies that supposedly work together, such as ICE, CBP, USCIS, and TSA.
During my years with IDEMIA and its corporate predecessors, and during my time as a consultant at Bredemarket, I have dealt with many of these agencies and helped them achieve their missions.
But there’s one part of DHS that is of prime concern to me…and you can’t see it on the org chart, right above the Chief Financial Officer and Chief Information Officer.
What about OBIM?
As a biometric product marketing expert, I obviously have an intense interest in the Office of Biometric Identity Management, or OBIM. This office self-identifies as follows:
The Office of Biometric Identity Management (OBIM) leads the U.S. Department of Homeland Security (DHS) in the advancement of identity for a safer world and improved quality of life through the development and refinement of solutions to improve how identities are verified and managed. In this role, OBIM delivers biometric compare, store, share, and analyze services to DHS and mission partners. The need for biometrics continues to grow among DHS Components; interagency stakeholders (e.g., the Departments of State, Justice, and Defense); state, local, tribal and territorial entities; the Intelligence Community; and international mission partners. Biometric and identity services support critical national security priorities, including counterterrorism and immigration. OBIM is focused on delivering capabilities, services, and expertise that provide identity assurance for decision making. OBIM’s overall goals and priorities include continuing to design and deliver biometric and identity services, strengthening collaboration and coordination with all DHS partners, and pursuing advancements in biometric technology and identity solutions to enable DHS operational missions.
So both because of its role within DHS and its role with other federal, state, local, and international government agencies, OBIM is key to biometric use. If you’ve heard of IDENT, OBIM is involved in that. If you’ve heard of HART, OBIM is involved in that.
The reason that OBIM is not on the displayed org chart is because it’s a component of another entity, the Management Directorate. It’s on the left side of the org chart,
And by the way, OBIM may go away
As I mentioned earlier in this post, the displayed org chart is dated November 8, 2023. Since that day we have transitioned to a new President who is keenly interested in the work of DHS, and who may alter the displayed organizational chart.
One potential change is already public knowledge. Biometric Update:
“As the U.S. federal government expands its use of biometric technologies to manage everything from border security to federal benefits, an internal debate over the future of the Department of Homeland Security’s (DHS) Office of Biometric Identity Management (OBIM) has emerged as a flashpoint. Conversations inside the Trump administration, believed to be led by influential White House adviser Stephen Miller, have fueled concerns about the potential consolidation of OBIM under the direct control of U.S. Customs and Border Protection (CBP).”
As you can imagine, the consequences could be dramatic.
“‘There is a good chance that OBIM will be forced into CBP, which will mean that the 40-plus stakeholders that OBIM currently has could well be treated secondarily to the CBP-centric border mission,’ one source told Biometric Update on condition of anonymity, adding, ‘That would not be a great outcome.'”
You have to wonder whether the anonymous source was from an international agency, worried that CBP wouldn’t care about its homeland security needs.
Or maybe a tribal agency with the same concern.
Or maybe the FBI, who could fear that CBP wouldn’t care about law enforcement.
Or maybe ICE, who could worry that CBP would prioritize tariffs and border protection over immigration enforcement. Because border protection and immigration enforcement are two separate tasks, which is why there are two separate agencies in the first place.
In summary, don’t just talk about a monolithic DHS. Know the players. And which players may strike out in the future.
(Author’s preface: I was originally going to schedule this post for the middle of next week. But by the time I wrote it, the end of the post referenced a current event of astronomical proportions. Since said current event may be forgotten by the middle of next week, I am publishing it now.)
You get a message on a platform from someone you don’t know. The message may look something like this:
“John,
“I hope this message finds you well. I came across your profile and was truly impressed by your background. While I’m not a recruiter, I’m assisting in connecting talented professionals with a startup that is working on a unique initiative.
“Given your experience, I believe you could be a fantastic fit for their senior consultant role. If you’re open to exploring this opportunity, I’d be happy to share more details and introduce you to the team directly. Please let me know if you’re interested!”
Let’s count the red flags in this message, which is one I actually received on May 30 from someone named David Joseph:
The author was truly impressed by my background, but didn’t cite any specifics about my background that impressed them. This exact same message could be sent to a biometric product marketing expert, a nuclear physicist, or a store cashier.
The author is not a recruiter, but a connector who will presumably pass me on to someone else. Why doesn’t the “someone else” contact me directly?
The whole unidentified startup working on a unique initiative story. Yes, some companies operate as stealth firms before revealing their corporate identity. Amway. Primerica. Countless MLMs with bad reputations. Trust me, these initiatives are not unique.
That senior consultant title. Not junior consultant. Senior consultant. To make that envelope stuffing role even more prestigious.
I got the note and the note is even clearer
But I wasn’t really concerned with the message. I get these messages all the time.
So what concerned me?
The note attached to the message by the platform that hosted the message.
“Don’t know David? Ask David to verify their profile information before responding for added security.”
The platform, if you haven’t already guessed, is LinkedIn, the message a LinkedIn InMail.
Let’s follow the trail.
LinkedIn let “David” use the platform without verifying his identity or verifying that Randstad is truly his employer as his profile states.
LinkedIn sold “David” a bunch of InMail credits so that he could privately share this unique opportunity.
Now LinkedIn wants me to do its dirty work and say, “Hey David, why don’t you verify your profile?”
Now the one thing in LinkedIn’s favor is that LinkedIn—unlike Meta—lets its users verify their profiles for free. Meta charges you for this.
But again, why should I do LinkedIn’s dirty work?
Why doesn’t LinkedIn prevent users from sending InMails unless their profiles are verified?
The answer: LinkedIn makes a ton of money selling InMails to people without verified profiles. And thus makes money off questionable businesspeople and outright scammers.
Instead of locking down the platform and preventing scammers from joining the platform in the first place.