Archived: Third-Party Risk: Overcoming supply chain and other outsourcing threats

On-Demand Event

(Aired on May 4, 2021)
Earn up to 3 CPE credits by viewing this virtual conference.

Today’s supply chains are as much about the flow of information as they are about goods and services. Managing their associated security risk is a complex and critical task that touches on multiple functions within and outside the enterprise.

Cybersecurity in the supply chain spans the full breadth of your organization’s ecosystem: sourcing, vendor management, business continuity and quality control, physical security and more. To help organizations get their arms around this challenge, SC Media hosted a one-day virtual conference focusing on assessing exposures and charting a path forward. Discussions and presentations include:

  • Establishing an enterprise risk assessment process
  • Verifying supplier practices and procedures
  • Integrating threat intelligence approaches

A secure organization is only as strong as its weakest link. Learn about the scalable and repeatable processes that keep your counterparties and suppliers in line with your risk management vision. Register now.


10:45 AM ET
Conference opens 

11:00 AM ET
Keynote: Assess and protect from upstream threats 
Speaker(s): Dawn Cappelli, VP of Global Security and CISO of Rockwell Automation

Operational technology presents two kinds of supply chain risk – the risks from the wide assortment of industrial machinery in use and the risks to the products the industrial machinery makes. SC Media will talk to Dawn Cappelli, vice president of global security and CISO at Rockwell Automation, about how to: 

  • Ensure customer confidence in downstream security
  • Evaluate and protect from upstream threats
  • Do all of that after a year that dramatically increased OT connectivity

12:00 PM ET
Webcast: TPCRM best practices that reduce supply chain risk 
Speaker(s): Alexa Rosalsky, Third-Party Risk Consultant, CyberGRX

While SolarWinds captured the media’s attention, supply chain risk and third-party breaches are nothing new. Organizations are rapidly adopting digital transformation – and as a result increasing their reliance on third parties – faster than they can scale their third-party cyber risk management (TPCRM) programs. This transition creates a gap that attackers are actively exploiting, as evidenced by the fact that over 50% of all breaches are linked to a third party. The good news is we’ve gotten much smarter about third-party risk management, and there are many best practices and tools that can help you optimize your program today.
This session will cover the foundational principles of building a third-party risk management program that will help you identify and prioritize your most vulnerable vendors and reduce your risk.
Join this session to learn:

  1. The foundational components of an effective TPCRM program
  2. How to use data to understand and manage third-party risk
  3. Common TPCRM misconceptions that can lead you astray

12:40 PM ET
Keynote: The case for a software bill of materials 
Speaker(s): Chris Blask, Global Director, Industrial Control Systems Security, Unisys 

The public and private sectors are still reeling from the SolarWinds and Microsoft Exchange Server hacks, grappling with an approach to better secure the supply chain. Among the proposals gaining traction is wider use of a so-called software bill of materials (SBOM), which provides a detailed inventory of the components present in a codebase, the licenses that govern use of those components, and their patch status – all in an effort to better track the origin and security state of software. But how realistic is such an approach in terms of implementation? We speak to Chris Blask of Unisys about the company’s own experience developing a standard to enable SBOMs and other attestations tied to hardware, software, risk, threats, and custody.

1:20 PM ET
Webcast: Ransomware in the supply chain
Speaker(s): Allan Liska, Threat Intelligence Analyst, Recorded Future

Supply chain attacks used to be considered the stuff of nation state actors, but that has changed dramatically over the last few years, notably with the rise of ransomware attacks. Our networks are more interconnected than ever and a ransomware attack on one organization is often an attack on all of its partners and clients. This talk will look at how ransomware attacks are changing the nature of third-party risk and increasing awareness of supply chain attacks.

2:00 PM ET
Webcast: Five third-party risk management recommendations to prepare for what’s next 
Speaker(s): Brenda Ferraro, Global Governance Risk and Compliance Executive, Prevalent

Disruptions caused by the current pandemic have tested many organizations’ supply chain resilience plans. But what lessons have been learned, and how can we adapt plans to address future disruptions? This webinar, presented by former CISO and third-party risk management program leader Brenda Ferraro, delivers new recommendations on what supply chain security should look like after we emerge, including how to:

  • Expand supply chain transparency to better forecast future disruptions
  • Leverage crowdsourced threat intelligence to better understand potential weak points in the supply chain
  • Adjust risk scores, tiering and assessment content to be more adaptable based on current circumstances
  • Remove the clutter of inconsequential controls to better focus on what’s most important
  • Use automation and workflow to accelerate risk identification and reporting

Regardless of the type of disruption – pandemic, natural disaster or political instability – take advantage of these recommendations before the next challenge to drive better business outcomes for your organization.

2:40 PM ET
Keynote: Keep your friends close…but not too close: Mitigating third-party risk 
Speaker(s): Linda Tuck Chapman, Chief Executive Officer at Third Party Risk Institute Ltd. 

Virtually every organization’s cybersecurity is tied in part to the constellation of third-party vendors, partners and sponsors it relies on, each one offering determined attackers a potential pathway into other networks. In this keynote discussion, Linda Tuck Chapman, CEO of Third Party Risk Institute Ltd., will discuss what companies need to consider when it comes to vetting these relationships and mitigating risk. Attend this session and learn:

  • how to map out and categorize the different relationships between your organization and its third parties, and how they affect your risk posture;
  • the difference between third party risk and supply chain risk, and why it matters; and 
  • about using good third parties to suss out bad ones: identifying trusted, independent evaluators in different industries and sectors.


Sponsors: CyberGRX, Prevalent, Recorded Future