Risk to the Nth-Party Degree

Third-party risk management is consistently a top priority for CISOs across Evanta communities in our annual Leadership Perspective Survey. Third party relationships are closest and may prove to be the most tangible risks to a business, yet the whole supply chain of business partners still pose a substantial threat. Most organizations’ vendor relationships extend to the 8th party. CISOs need to understand this web of connectedness to better manage and communicate enterprise risk.

At the Vancouver CISO Executive Summit on October 8, Peter Ling, Vice President, Global Cybersecurity Partnerships and Cyber Resilience Programs at Mastercard, led a boardroom discussion on managing third party risks, “Risk to the Nth-Party Degree.” Mastercard Cybersecurity will also host this conversation at the upcoming New York CISO Executive Summit on December 4 and at the Toronto CISO Executive Summit on December 11. 

The discussion focuses on how to gain visibility into risk across the whole supply chain, strategies for effective risk management and monitoring business partners, and overcoming resource challenges to prioritize third-party and extended supply chain risk. Here, Peter is sharing insights on the topic and what CISOs might be thinking about based on where their organization is in monitoring and managing these risks.

Peter Ling of Mastercard has more than 25 years of cybersecurity experience. He has held various senior roles leading distributed technical and business teams, constantly championing creative strategies, and unlocking significant new business growth through channels and alliance partnerships. Peter has an excellent track record of building and scaling security practices and achieving or exceeding objectives. He has successfully brought dozens of innovative cybersecurity and compliance products and services to market internationally. 
 

Tell us more about your session, “Risk to the Nth-Party Degree.”

We plan to build the roundtable discussion based on where the security leaders are collectively at when it comes to third party risk. We start the conversation with third party risk as those relationships are the closest and may prove to be the most tangible risks to a business – yet, the whole supply chain of business partners still pose a substantial threat. 

We will explore how security leaders notify their third-party partners in a constructive way and how they may be exposed based on their partners’ exposure. There is a connective tissue between organizations, and they have similar objectives in trying to remain secure.

But security keeps extending farther and farther through the supply chain, and we will explore the state of their supply chain visibility and how to improve it. Organizations are at varying levels of maturity when it comes to securing the supply chain, but it’s important to explore it and learn what their peers are doing. 
 

What are some of the challenges CISOs face in this area?

CISOs all face the same or similar challenges in the area of third-party risk management. Some have broader or deeper risks, some are deeper into supply chain risk – but everybody has third parties. 

Along with organizations being at different stages of maturity, they are using different technologies or even manual approaches to managing third parties. From a technology perspective, there is nothing worse for a CISO than dealing with disparate technologies coming in from different vendors. How do you manage that? How do you reconcile the information if they are using different platforms or questionnaires? It’s a big lift for security leaders if you don’t have the right tools in place.

We encourage automation, and our discussion will dive into their platforms of choice. We will talk about cyber risk scoring providers and the data they provide – some of which must be reconciled. We will share how to achieve a low level of false positives from these providers. 
 

Why is it critical for Evanta CISO Community members to have this conversation now?

This is a great opportunity for security peers from across segments and sectors to collaborate on creating more visibility into third party risk. CISOs have to wear multiple hats, and they touch many pieces of the business. This discussion will enable them to bounce ideas off like-minded peers with the same challenges and pressures. Third-party risk management is a common issue regardless of industry, and it’s critical to share with peers on this topic. 
 

What are you most looking forward to about the session?

It’s great to be able to help CISOs plan for their next step. We sit down at a table, talk about where they are now, and where they can take their security programs. It’s so engaging to be able to help people find solutions toward their next layer of security protection and visibility. I’m also looking forward to this discussion being a dynamic session driven by the CISOs themselves.

Security leaders can join this conversation on third party risk management with Peter Ling of Mastercard at the New York CISO Executive Summit on December 4 and at the Toronto CISO Executive Summit on December 11. 

If you are not yet an Evanta community member, apply to join a CISO community near you to connect with other CISOs on critical topics like third-party and supply chain risk management.
 

Special thanks to Mastercard Cybersecurity.

by CISOs, for CISOs
 

Join the conversation with peers in your local CISO community.