Best Practices for Answering Third-Party Risk Questions

Security Leader Sawan Joshi on Updating and Tailoring Partner Risk Assessments
Sawan Joshi, director of information security and DPO, Cervest, and executive member of the CyberEd Board

Supply chain risk has become more critical in the post-pandemic world, and that means you need to ask "much more focused, targeted questions" about your partners, according to Sawan Joshi, director of information security at Cervest, a climate intelligence startup.

Joshi explained how he has put together his "own standard questionnaire" about the security controls of his organization. Organizations are continually asking for this information to ensure their partners and vendors are using good security practices, and Joshi said, "The more transparency you can create, the more trust you can build." These days, partners are asking for that information over a variety of SaaS tools, making the job more complex for security teams.

"What we don't want to do is continue to encourage SaaS-ification and have SaaS sprawl in our organizations. We just want to have a proportional and balanced way to efficiently move into business fast, carefully," Joshi cautioned. "So, in our case, we have a questionnaire that creates more questions depending on the answers, and it does go into: 'What do you use?' We get asked ourselves: 'What partners do we partner with? What software do we use?' In reality, it's a robust asset management transparency."

In this video interview with Information Security Media Group, Joshi discusses:

  • Changes to third-party risk management in a post-pandemic world;
  • Critical components of a third-party risk management program;
  • How independent validation helps assess supply chain risks.

Joshi is an IT risk management professional with over 15 years of experience at organizations that have grown by acquisitions and mergers. He helps these organizations create and deliver strategically aligned IT transformation programs while managing risk, improving scalability and agility, and providing new business enablement.


CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.

About the Author

Anna Delaney

Anna Delaney

Director, Productions, ISMG

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.