You are only as strong as your weakest link.
At no time has that maxim borne more truth than in this age, when cybercrime and cyberterrorists are one click away for just about all large and small business communications carried out on the vulnerable internet.
These glitches are better known as data breaches, which routinely surface in the news.
This also is the age of outsourcing. Businesses not only have to worry about in-house cybersecurity, they also have to wonder about the third-party vendors that carry out all sorts of tasks for businesses of any size.
That is a niche that Catherine A. Allen has carved out for her Eldorado-based Santa Fe Group since 1996. Recently, Santa Fe Group has focused on strengthening the third-party risk management processes of Fortune 500 companies and certifying third-party vendors that serve those businesses.
Allen has built an entity within Santa Fe Group called Shared Assessments with about 350 members. They share best practices under the guidance of Santa Fe Group. About half are in financial services, banks and the like, and the other members include global titans, including Microsoft, Google, the International Monetary Fund, Aetna and Campbell Soup Co., she said.
Santa Fe Group started third-party certifications three years ago, and so far has trained and certified in risk assessment 2,000 individuals who provide services to other companies.
Santa Fe Group has 32 employees and annual revenue of $6 million. Allen sees much greater potential — especially as she transitions to a new role.
“Our projection is to reach $10 million in a couple years, $20 million in five years,” said Allen, who has been the company’s CEO for 24 years. “We are at 350 members. We should be at 10,000 members.”
Allen stepped aside as CEO on Jan. 1 after bringing in David J. Perez as CEO. Perez had founded Seamless Medical Systems in Santa Fe in 2012 and sold the company in 2017 to GetWellNetwork.
He had been a strategic consultant since then and was brought in last year by Allen to look over Santa Fe Group. In reality, Allen was looking Perez over to offer him her CEO job.
Perez found the idea of leading a mature company with boundless potential a refreshing change from his life in the startup business world. He also founded the Hispanic consumer digital marketing agency Latin Force in 2003 that he merged into Geoscape International in 2007.
“I’ve always been a startup guy: employee zero,” Perez said. “The life of a startup is the day when you run out of money. It’s exhausting.”
Allen has become chairman of Santa Fe Group. She brought in two other board members to carry out a specific new mission: expand the third-party risk management program to train corporate board members.
“Boards have three responsibilities: fiduciary, strategy and talent management,” Allen said. “Risk management is now the fourth one. In today’s world with the velocity of change, you have to keep up. We have a body of best practices [for companies and third-party contractors]. I want to translate that into board-speak.”
She is teaming up with her new board members, Joe Prochaska, a former MetLife executive vice president, and Charlotte Whitmore, the 32-year-old co-founder of Analytics Pros, along with Perez and Santa Fe Group Chief Operating Officer Robin Slade. Allen said Prochaska will serve as a financial adviser with capital expertise and Whitmore will oversee “marketing and culture,” which she defines, in part, as personnel and ethics matters.
Allen started Santa Fe Group as an emerging technology advisory company. After the Sept. 11, 2001, terror attacks, she shifted focus to anti-money laundering, anti-terrorism, cybersecurity and risk management in regard to establishing regulations and best practices for emerging technologies.
Third-party risk management emerged as the primary focus with the establishment of Shared Assessments in 2007. Shared Assessment started with financial sector companies as risk management and would soon become front and center with the Dodd–Frank Wall Street Reform and Consumer Protection Act.
Shared Assessments initially included health care and electric companies that were also required to assess third-party vendors. With Shared Assessments, Santa Fe Group helps member companies identify risks, mediate them through best practices and do assessments through tools the company developed.
“Our members have matured,” she said. “They are managing their outsourcing. They have much more sophisticated programs and monitoring to assess who they are working with. But I will tell you, nothing is foolproof. The bad guys are so far ahead of us.”
Santa Fe Group has built its reputation across the country and around the world, but Allen and Perez acknowledge the company is not that well-known in Santa Fe.
“It should be mentioned in the same breath as Meow Wolf and Descartes Labs — as a successful, homegrown business that has broad exposure and impact outside New Mexico,” Perez said.
Allen has led Santa Fe Group in an old-school manner for the first 24 years.
“I’ve grown it organically,” she said. “I have not gone for outside investment.”
She brought in Perez to chart a future. Should the company go public? Seek investors? How about employee count? Santa Fe Group more than doubled in employees in the last two years from 15 to 32, but Allen is hesitant to grow beyond 50.
Perez this year plans to hire a national salesperson and project managers for international expansion. Only about 15 percent of Shared Assessments members are international.
Perez noted only 1 in 10 cybersecurity jobs and only 1 in 20 third-party risk management jobs across the country are filled. Allen believes Santa Fe Group is leaving money on the table.
“Three things are driving the escalation of risk,” Allen said. “One, technology and the internet; two, the velocity of change; and three, globalization. We are all global companies.”