Doubling Down on Critical Third-Party Risk Vulnerabilities

Session Preview

Kelly White

Co-Founder & CEO

RiskRecon, a MasterCard Company

MAY 2024

The complete entanglement of cyber risk with business risk is becoming increasingly visible. CISOs now have an opportunity to better pinpoint third parties that present a threat to the organization. Yet the increasing complexities of third-party, and even fourth-party, risk management, prompted by a wide range of evolving threats, demand heightened attention. How can CISOs ensure they have a clear understanding of their vulnerabilities across ecosystems and supply chains?

At the upcoming San Francisco CISO Executive Summit on June 25, Kelly White, Co-Founder and CEO of RiskRecon, a MasterCard Company, will lead a boardroom discussion on these vulnerabilities, “Doubling Down on Critical Third-Party Risk Vulnerabilities.” 

The discussion will focus on the identification of vulnerabilities across the vendor landscape to prioritize response efforts, third-party risk management strategies to safeguard your digital ecosystem, and overcoming resource challenges to prioritize extended supply chain risk. Ahead of the session, Kelly is sharing insights on the topic and why CISOs need to prioritize mitigating these risks. 

Kelly is the co-founder and CEO of RiskRecon, a cybersecurity risk ratings company that enables dramatically better third-party security risk management. Prior to founding RiskRecon, Kelly held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also practice manager and senior security consultant for CyberTrust and Ernst & Young. 

Tell us a little bit more about your session, “Doubling Down on Critical Third-Party Risk Vulnerabilities.”

The rise of ransomware has led to a 5x increase in breach events, with criminals increasingly making enterprise software and services vendors their target of choice. In fact, according to RiskRecon research, 32% of breach events reported in 2023 were due to compromise of a third party, an increase from 11% of all breach events in 2022. 

Managing risk well requires good, timely information upon which the enterprise can understand and act. This is particularly challenging in the realm of third-party risk management, where the enterprise is at an information and ability-to-act disadvantage. In many ways, the enterprise is at the mercy of its vendors. Or is it?

In this session, we will discuss the challenges organizations are facing in managing third-party risks and share approaches they have implemented to better understand and act on their third-party risks.

What are some of the challenges CISOs face in this area?

Properly managing the safety and soundness across a highly distributed ecosystem is difficult. A breach of sensitive data, whether it be from your own environment or from a vendor’s, is still a breach of your sensitive data. 

A few of the many challenges of managing third-party risk include ensuring the business engages with trustworthy partners, ensuring that vendors operate a control program sufficient to protect your assets, and efficiently engaging your vendors to ensure they meet your requirements. 

In addition to these, fast-moving threats, such as the MOVEit exploit, require rapid response across the entire vendor portfolio. Adding to the complexity is the reality that this has to be done with limited resources and an information disadvantage.

Why is it critical for the Evanta CISO Community members to have this conversation now?

The risk realities of being operationally dependent on organizations that we don’t control have come to a head, highlighted by recent events such as Change Healthcare and MOVEit, which resulted in large-scale operational impacts and breaches of sensitive data for hundreds of organizations.

These third-party incidents are becoming more common. In fact, RiskRecon research shows that the 32% of breach events due to compromise of a third-party provider exceeds the share of breach events due to malicious or accidental insider activity. Add to all of this the increasing regulatory pressure to manage risk better, one example being the recent SEC cyber rules.

What are you most looking forward to about the session?

  1. I am looking forward to hearing from fellow CISOs about their frontline experience in managing third-party risk. How common are third-party breach events, and what do they observe as being the most impactful components of their programs for managing third-party risk?
  2. I am keen to learn how CISOs are managing critical vulnerabilities across their supply chain. What vulnerabilities are significant enough to motivate a survey of third-party exposure? How do they gather third-party exposure information? How do they engage their vendors to triage the issues, if at all? Is it effective?
  3. Last, I would like to know how CISOs monitor their supply chain for breach events, and what is their related incident response program?

You can join this conversation with Kelly White of RiskRecon at the San Francisco CISO Executive Summit on June 25. 

If you are not yet an Evanta community member, apply to join a CISO community near you to connect with other CISOs on mission critical topics like third-party risk management.

Special thanks to RiskRecon, a MasterCard Company.
