Archived: Third-party Risk and the Supply Chain

On-Demand Event

Earn 6.5 CPE credits by attending this virtual event

2021 was a real eye opener for businesses and government agencies reliant on third-party technology and services. Before SolarWinds sent out infected Orion updates, most businesses never thought about their ‘protected’ vendor updates being a vector. Nor did they think that their Microsoft Exchange platforms could cause them harm. These two events alone have brought third-party vendor risk to the top of the list of IT leaders’ concerns. 

On January 26-27, SC Media hosted the Third-party Risk and the Supply Chain eSummit where experts discussed and presented topics including: 

  • Results from our Third-party Risk Research survey
  • The high cost of supply chain risk
  • Streamline vendor selection and third-party risk

Register to access this on-demand content now to reduce your company’s risk.

Featured Speakers



10:45 AM ET 
Program Opens 

11:00 AM ET 
KEYNOTE | The best questions and metrics for evaluating third-party risk 
Angela Davis Dogan, Senior Director of Information Security GRC, Option Care Health 

It’s important to know that your current and prospective business partners are in alignment with your own company’s cyber risk tolerance. This session will examine what questions and metrics are best when assessing third-party risk – and then reveal ways companies can supplement basic questionnaires with site visits, pentesting, in-person interviews and other methods of evaluation both before and after the contract is signed. It will also look at how businesses can update these evaluation procedures on the fly in the event of a major security development like Log4Shell. 

11:30 AM ET 
Geographic risks within the supply chain – A CISO perspective   
Stuart Phillips, Product Marketing Director for Cyber, Interos 

CISOs typically focus on cyber-risk scoring when looking at their suppliers and partners. Other risk factors can also cause problems for the organization. Geographic risks are common but not well understood or addressed by most CISOs. Join this session to review the multiple aspects of geographic risk and how a CISO should manage them, including:   

  • Sanctions and restrictions, including the expanded definition in the recent Biden administration rules on China and forced labor 
  • The different data privacy rules by country and how to address them 
  • The problems with data sharing and foreign governments 
  • How can a CISO leverage this information in board-level conversations   

12:00 PM ET 
10 essential steps to streamline vendor risk assessments  
Sam Parket, Third-Party Risk & InfoSec Solutions Engineer, OneTrust 

You spend countless hours assessing your vendors, stuck in spreadsheets, trying to sift through last year’s emails to find the right vendor contact and the most up-to-date questionnaire. And when assessments are finally completed (which can take months), you still need to review and validate the answers, as well as mitigate any identified risks.  

As your program evolves, the need to simplify the vendor risk assessment process becomes unavoidable. So, what can you do to streamline assessment completion and simplify vendor risk reviews? In this session, we’ll outline the latest vendor risk assessment tips and tactics that you can implement to build a more efficient third-party risk management practice. Register to learn:   

  • How you can save hours on vendor risk assessments 
  • How you can leverage inherent risks and tiered assessments 
  • How Cyber Risk Exchanges are reinventing the assessment process 

12:30 PM ET 
Beyond paper-based risk assessments: How attack surface management tools can help manage third-party risk 
Rickard Carlsson, Co-Founder & CEO, Detectify 

The number of entry points through which an attacker can infiltrate a company’s web environment is nearly endless today, and it’s no longer enough to “contract away” the security of vendors. To keep third-party risks at bay, companies need to move beyond paper-based vendor assessments and continuously test their suppliers’ attack surfaces for exploitable weaknesses. 

Join this session to learn about: 

  • The different levels of vendor risk assessment, their pros and cons 
  • Why you should move beyond paper-based risk assessments  
  • The benefits of using attack surface management tools when assessing and managing third-party software 

1:00 PM ET  
Break: Visit Solutions Center 

1:15 PM ET
Third-party risk research session: Threat priority is high, but visibility is low

Spooked by the SolarWinds and Kaseya attacks, and troubled by their own overreliance on external partners, organizations are increasingly designating third-party risk as a top security priority. Unfortunately, visibility into third-party dependencies often remains frustratingly incomplete. This past fall, CyberRisk Alliance polled hundreds of security professionals and discovered that over the last two years, roughly three out of five respondents experienced an IT security incident that can be attributed to a third-party partner.

This session will look at some of the other key findings from CRA’s research, including how companies plan to allocate their budgets toward third-party risk, the biggest challenges impeding third-party risk management, and which frameworks companies are using to assess their partners’ risk. 

2:00 PM ET 
Third-party risk deep dive: How to calculate inherent risk  
Ed Thomas, SVP Marketing & Sales Operations, Process Unity 

When building an efficient vendor risk management program, it is critical to prioritize which vendors present the most risk. Knowledge of your third parties’ inherent risks can help increase security and performance and change the way you run your vendor risk management program. In addition, by understanding where to prioritize your time, you can invest resources in assessing and monitoring the third parties that matter most to your business.  

In this session, you’ll learn how to:  

  • Develop inherent risk calculations and a scoring methodology 
  • Tier your third parties by criticality and high risk 
  • Scope and schedule vendor assessments based on inherent risk scores  

2:30 PM ET 
How to apply intelligence across your third-party suppliers  
Jason Steer, Principal Security Strategist, Recorded Future 

Attend this session to understand the challenges that vendor managers must deal with today and learn how threat intelligence can be applied to improve the security of not only your organization, but the security of your third-party suppliers.  

Key talking points include: 

  • What challenges we face with third-party suppliers today
  • What insights threat intelligence can provide to improve your decision making
  • When you can use threat intelligence in the supplier lifecycle
  • What questions you could, or should, be adding to your third-party supplier questionnaire

3:00 PM ET
Reduce your attack surface before your third-party risks become your problem  
Abhishek “Abhi” Anbazhagan, Product Marketing, Cortex Xpanse, Palo Alto Networks 

Onboarding partners or acquiring a company shouldn’t mean inheriting security risks. Centralize the oversight of your organization’s attack surface by monitoring vulnerabilities and routing risky asset management to the responsible stakeholders, whether in your organization or a third-party. 

Many strategic suppliers hold your sensitive intellectual property or customer data. Xpanse alerts you about exposed services like database servers or remote access points, and monitors network traffic to detect risky network activity on your suppliers’ networks. With Cortex Xpanse, you can discover risks on the internet that no one else can find. 

In this session, you will learn: 

  • Why traditional asset inventory is incomplete and error-prone 
  • How to gain visibility into all risks to your organization from your third-party partners 
  • How to control those risks and find the right stakeholders to quickly mitigate issues 

3:30 PM ET 
KEYNOTE | Vetting 4th and 5th parties: How far up the chain must you go?  
Julie Gaiaschi, CEO and Co-Founder, Third Party Risk Association 

Your third-party vendors have their own vendor partners. And those partners have their own partners too. And so on down the line. If one of those fourth- or fifth-party partners suffers a major security crisis, that crisis can potentially find its way down the supply chain into your organization. Which leads to the question: just how far out in your ecosystem must your cyber risk team investigate? At what point does due diligence become a fool’s errand? This session will explore this complex conundrum. 


10:45 AM ET 
Program Opens 

11:00 AM ET  
THOUGHT LEADERSHIP PANEL | Log4Shell: Managing third-party risk while in crisis mode 
Rocco Grillo, Managing Director – Global Cyber Risk & Incident Response Investigation Services, Alvarez & Marsal 
Kostas Georgakopoulos, Global CTO & CISO, Mondelēz International

The critical zero-day exploit that was discovered in Log4J late last year shows how a major security crisis can completely upend security/risk executives’ priorities and rewrite their agendas. Making matters more difficult, such crises must be addressed not only internally but also externally with a myriad of third-party partners. This session will look at how organizations have had to pivot their third-party risk strategies on the fly in the face of Log4Shell and similarly challenging incidents – and offer tips on how to be more prepared, nimble and resilient when the next one inevitably surfaces. 

11:45 AM ET  
Secure and insure: The future of comprehensive cyber risk management  
Jim Goldman, Co-Founder and CEO, Trava 

“A random collection of cybersecurity tools does not equate to a comprehensive cybersecurity program.” That’s how Jim Goldman, former Task Force Officer on National Security and Criminal Cyber Squads for the FBI, begins his session. 

What does he mean? Join this session to learn: 

  • How to think about cybersecurity holistically
  • What the average business owner should consider when choosing the best cyber risk management tools for their company
  • Why SMBs need to fully understand the particular problems they face before seeking a solution
  • How cyber insurance is evolving, and will continue to evolve, into a critical component of a comprehensive cyber risk management program

12:15 PM ET 
Log4Shell deep dive: Live debugging Log4J
Micah Silverman, Director of Developer Education, Snyk 

In this session, we start with an overview of the recent vulnerability in the Log4J library that impacted the global developer community. We’ll then conduct a deep dive into vulnerable code, traversing the network layers involved in real-time. Finally, we remediate the vulnerability and demonstrate how the exploit no longer works. 

12:45 PM ET 
Learning to handle supply chain dependency strategies like a CISO  
Richard Archdeacon, Advisory CISO, Duo Security 

No organization is an island. Even traditional environments centered on locally hosted services can’t do everything in-house. In order to function at scale in a connected world, organizations must depend on vendor- and partner-supplied services. However, a successful attack aimed at a third-party supplier can quickly spread to other resources or partners and can introduce new attack surfaces. How do CISOs tackle these risks in 2022 and beyond? As the volume and burden of required third-party assessments steadily grows, how can security leaders keep up? Join this session with Duo Security Advisory CISO Richard Archdeacon for answers to these questions and more, and an executive perspective on drafting your supply chain security strategy. 

1:15 PM ET
Break: Visit Solutions Center

1:30 PM ET 
Analyst hour: False sense of security — shadow code remains a supply chain risk  
Michael Osterman, President, Osterman Research, Inc. 
Kim DeCarlis, Chief Marketing Officer, PerimeterX 

More than 90% of websites use third-party scripts and open-source libraries for common functions such as payments, customer reviews, tag management and social media integration. But website owners lack visibility into this Shadow Code – scripts added without approvals or ongoing security validation – to know for certain that their site is safe from cyberattacks, introducing hidden risks into an organization. As the risk of supply chain attacks increases, how does your security posture prevent the severe consequences of a client-side data breach? 

Join us for a discussion in which Michael Osterman, President, Osterman Research Inc., and Kim DeCarlis, CMO, PerimeterX, examine the hidden risk of using third-party scripts. Learn how to secure your modern web applications from supply-side attacks to avoid the risk of a data breach, ensure data privacy and comply with regulations.

This session will cover: 

  • Vulnerabilities introduced by third-party scripts in your web applications 
  • Attack detection methods and challenges 
  • Visibility into code changes using third-party scripts 

2:00 PM ET 
How to shift security left with a remediation-first approach  
Shiri Ivtsan, Director of Product, WhiteSource 

Join our session to hear about the barriers to integrating AppSec into development and how organizations can provide developers with the processes and tools that they need to ensure that AppSec is shifting left, and that security is addressed from the earliest stages of development.

2:30 PM ET 
Ransomware incident response: Zero to full domain admin  
Joseph Carson, Chief Security Scientist & Advisory CISO, ThycoticCentrify 

Join ThycoticCentrify’s Chief Security Scientist and Ethical Hacker, Joseph Carson, as he explains how a ransomware attack progresses from initial credential compromise to escalated privileges, exfiltrated data, and ultimately the ransomware deployment and ransom demand. 

Watch a step-by-step example of how to: 

  • Effectively respond when an attack is detected 
  • Gather evidence to craft a contextual response that remediates the attack 
  • Better secure your environment against future attacks 

3:00 PM ET 
KEYNOTE | Viewing risk from your third-party partner’s perspective  
Ryan Spelman, Vice President, Kroll 
Shay Colson, Associate Managing Director – Cyber Risk, Kroll 

Third-party risk is a two-way street. Companies often have stringent demands for their vendor/supplier partners to help identify and reduce risk, report and address points of weakness, and perhaps provide a software bill of materials. But security/risk departments must also be prepared for some resistance and be willing to see things from their partners’ POV so they can convey reasonable expectations and make risk assessment a truly collaborative process. This session will tackle questions such as: 

  • At what point do assessment requests become unreasonable or invasive? 
  • How does one respond if vendors/suppliers charge fees for highly complex assessments? 
  • What kinds of assistance should the assessing company be providing their partners to facilitate the ongoing risk evaluation process? 


Detectify, Duo Security, Interos, OneTrust, Palo Alto, PerimeterX, Prevalent, ProcessUnity, Recorded Future, Snyk, ThycoticCentrify, Trava, Whitesource