[03-02-23] Defense In Depth talks about Third Party Risk vs. Third Party Trust (No SCF On 03/03/23)
Defense in Depth
Third Party Risk vs. Third Party Trust
Businesses grow based on trust, but they have to operate in a world of risk. Even cybersecurity operates this way, but when it comes to third party analysis, what if we leaned on trust more than trying to calculate risk?
Check out
for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, producer of CISO Series, and our guest co-host, Yaron Levi, CISO, Dolby. Yaron and I welcome Dan Walsh, CISO, VillageMD, to discuss:
Choose trust over fear.
Anthony Cusano of Quest Diagnostics loves this philosophy. He said, “The more controls a third party has in place, the higher our trust. Similarly, the more risk/vulnerabilities, the higher our fear.” It’s the direction third parties want you to go, noted Jamil Farshchi, CISO, Equifax: “The key question is how you gain it… and maintain it... the answer lies somewhere at the intersection of transparency and validation.”
The Holy Grail is continually proving trust, rather than a single point in time.
Everyone is frustrated by the questionnaires and the checkbox mentality towards compliance and third-party approval process. No one on either side thinks this is a good formula for building a trusted and secure relationship. But, not all trusted relationships are necessarily equal in form. The relationship a financial institution wants with a supplier is going to be drastically different than the one a hospital wants versus what a retail chain wants. All parties need to match on a “common risk culture,” noted Matthew Davies of SureCloud.
Trusting people doesn’t translate into trusting technology.
People can have good intentions and you can trust them implicitly, noted Paul Stefanski of The Bi-State Development Agency, “But that does not mean the company has their backend systems in order.” One way to get there is to work through problems together. Rich Friedberg, CISO at Live Oak Bank, mentioned triaging the Log4j crisis. If you have open communications, especially during difficult times, that will go a long way toward building that trust. You want your vendors to have the same concerns and objectives as you do.
As you build trust, also know what happens to your business when a third party fails.
Do you know what happens to your business when a third party vendor gets compromised or fails to deliver their service? What business continuity plans do you have in place to handle such a situation? Both Phillip Miller, CISO, NetApp, and Gene Melendez of MUFG noted the need for resiliency when a third party fails or ceases to exist as a business. What data do they have access to, and are your values aligned with theirs?
Please listen to the full episode on your favorite podcast app, or over
where you can read the full transcript. If you’re not already
, please go ahead and subscribe now.
Thanks to our podcast sponsor, TrustCloud
Super Cyber Fridays!
Join us NEXT WEEK, Friday [03-10-23], for "Hacking RSA"
Join us Friday, March 10, 2023, for “Hacking RSA: An hour of critical thinking about how to get the most from attending RSA, or any security conference.”
It all begins at 1 PM ET/10 AM PT on Friday, March 10, 2023, with guests Adrian Sanabria, host, Enterprise Security Weekly, and Allan Alford, host, The Cyber Ranch Podcast. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you
to join the LIVE "Week In Review" this Friday for
Cyber Security Headlines
with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Vigier, CISO, Talend.
Thanks to this week's headlines sponsor, Conveyor
Cyber chatter from around the web...
Jump in on these conversations
"When is it okay to take a vacation after starting a new position?"
"Be more like the person who hired you"
"Cybersecurity is not an entry-level job."
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.