Sign up to save your podcasts
Or
Share Episode 3: Third-party Risk Management – Beyond the Questionnaire
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 3: Third-party Risk Management – Beyond the Questionnaire
Resources:
- Find us at https://www.cisecurity.org/
- Third-party Risk Association: https://www.tprassociation.org/
- National Institute of Standards and Technology (NIST): https://www.nist.gov/
- CIS Controls: https://www.cisecurity.org/controls/
Can a risk assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee, and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.
Better use of the third-party risk assessment questionnaire
The go-to “third-party risk assessment questionnaire” being used as a one-and-done exercise is an all too common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected - not just collecting it.
There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may be applicable to all vendors. But to more accurately assess a third party’s risk it is important to customize the questions to match the vendor's use case and scope.
This episode shares how an organization can start drafting these inquiries.
Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.
Beyond the questionnaire – communication is key
The issue of third-party management rests in the hands of both the company and the vendor. Clear, accurate, and truthful communication between both parties makes both entities ultimately stronger.
Building a stronger security ecosystem
This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.
The Atkinson 9
In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security. Listen now to find out what our guest said!
View all episodes
By Center for Internet Security
5
1313 ratings
Resources:
- Find us at https://www.cisecurity.org/
- Third-party Risk Association: https://www.tprassociation.org/
- National Institute of Standards and Technology (NIST): https://www.nist.gov/
- CIS Controls: https://www.cisecurity.org/controls/
Can a risk assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee, and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.
Better use of the third-party risk assessment questionnaire
The go-to “third-party risk assessment questionnaire” being used as a one-and-done exercise is an all too common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected - not just collecting it.
There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may be applicable to all vendors. But to more accurately assess a third party’s risk it is important to customize the questions to match the vendor's use case and scope.
This episode shares how an organization can start drafting these inquiries.
Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.
Beyond the questionnaire – communication is key
The issue of third-party management rests in the hands of both the company and the vendor. Clear, accurate, and truthful communication between both parties makes both entities ultimately stronger.
Building a stronger security ecosystem
This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.
The Atkinson 9
In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security. Listen now to find out what our guest said!
More shows like Cybersecurity Where You Are (video)
View all
Security Now (Audio)
1,969 Listeners
Risky Business
361 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
626 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
363 Listeners
Hacked
183 Listeners
CyberWire Daily
1,004 Listeners
Smashing Security
311 Listeners
Click Here
398 Listeners
Darknet Diaries
7,883 Listeners
Cybersecurity Today
169 Listeners
CISO Series Podcast
187 Listeners
Hacking Humans
314 Listeners
Defense in Depth
77 Listeners
Cyber Security Headlines
129 Listeners
Hacker And The Fed
158 Listeners