[01-04-24] -- Doing Third Party Risk Management Right

Defense in Depth
Doing Third Party Risk Management Right

If third-party risk management becomes too broad, it effectively becomes worthless. But too narrow and you'll miss critical risks. So how do you strike the right balance?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, Erik Decker, CISO, Intermountain Health.

Why are we doing this in the first place?

Intentions matter when it comes to third-party risk management. As Troy Fine of Drata asked, "Why are organizations going through the Third Party Risk Management/Supply Chain Risk Management process? Is it to reduce security risk, or is it to show the outside world that they did their proper ‘due diligence’ so that they don’t have to take responsibility for the breach?"

Once you have that answer, how can you make sure you're doing it right? Todd Hammond, CISO at TMJL Group, provides this rubric: "The right way should mitigate risk and also provide evidence of due diligence which, if an incident did happen, would steer the organization from negligence claims and ramifications."

Filling in the context gap

It's no secret that context is one of the harder aspects to quantify when it comes to managing risk. It's one thing to see a critical CVE number; it's another to see how that applies to the complexities of your own business, let alone a third party's. "The two keys are relevancy and probability. The relevancy part is determined by how this particular component changes the risk posture of the production system. For the probability part, it's about assessing the likelihood of exploit and impact," said Aldo Febro, PhD, CISO at Continuant.

Third-party risk comes down to process

Process provides a bulwark against the inevitable human bias that creeps into third-party risk decisions. Without it, we risk poisoning any decision analysis and creating more risk. "The key is to avoid 'security theater' and look at whether the actions you are taking are appropriately coupled to the goal you are trying to achieve," said Dustin Sachs of World Kinect Corporation. Walter Haydock of StackAware suggested some ways to actually implement this, saying, "A suite of tools that help to measure risk using SBOMs, the OSCAL format, and related standards will be the way to measure supply chain risk in an effective manner."

This comes down to vendor relationships

When it comes to third-party risk, it's easy to prioritize process and technology as the ways to mitigate it. These are the things you can most demonstrably control. But that doesn't mean we should ignore the people part of this issue. Duane Gran of Converge Technology Solutions Corp reminds us that engagement with a vendor is key: "I ask them what other clients like us are doing to be more secure using their platform. Often we are already doing the right things, but we can learn how to work better together. TPRM should really be about relationships, not questionnaires."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Praetorian

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Johna Till Johnson, CEO, Nemertes.

Thanks to our Cyber Security Headlines sponsor, NetSPI

Super Cyber Fridays!
Join us NEXT WEEK, Friday [01-12-24], for "Hacking the Data Privacy Paradox"

Join us Friday, January 12, 2024, for “Hacking the Data Privacy Paradox: An hour of critical thinking on where to find the balance between business operations and personal information.”

Super Cyber Friday begins at 1 PM ET/10 AM PT on Friday, January 12, 2024, with guests Kim Elias, senior compliance specialist, Vanta, and Davi Ottenheimer, VP of trust and digital ethics, Inrupt. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Vanta

Live!
PREVIEW: CISO Series Podcast LIVE in Clearwater, Florida 01-17-24

CISO Series Podcast is kicking off 2024 with a live recording at the Convene conference. Joining me on stage for the recording will be Brett Conlon, CISO, American Century Investments, and Mical Solomon, CISO, Port Authority of NY and NJ.

If you’re interested in attending, get your tickets here.

WHERE: Sheraton Sand Key (1160 Gulf Blvd, Clearwater Beach, FL 33767)

Huge thanks to our sponsors, Living Security & KnowBe4

Cyber chatter from around the web...
Jump in on these conversations

"What cybersecurity services do small companies need?" (More here)

"I can remember all my passwords, so I don't need a password manager. Or do you?" (More here)

"Are people enjoying studying for these certs?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [01-12-24] Hacking the Data Privacy Paradox

  • [01-19-24] Hacking Security Audits

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.