3rd Party Risk Management , Governance & Risk Management , Video
Best Practices for Answering Third-Party Risk Questions
Security Leader Sawan Joshi on Updating and Tailoring Partner Risk AssessmentsSupply chain risk has become more critical in the post-pandemic world, and that means you need to ask "much more focused, targeted questions" about your partners, according to Sawan Joshi, director of information security at Cervest, a climate intelligence startup.
See Also: Cloud Security and Developers: Role of Zero Standing Privilege
Joshi explained how he has put together his "own standard questionnaire" about the security controls of his organization. Organizations are continually asking for this information to ensure their partners and vendors are using good security practices, and Joshi said, "The more transparency you can create, the more trust you can build." These days, partners are asking for that information over a variety of SaaS tools, making the job more complex for security teams.
"What we don't want to do is continue to encourage SaaS-ification and have SaaS sprawl in our organizations. We just want to have a proportional and balanced way to efficiently move into business fast, carefully," Joshi cautioned. "So, in our case, we have a questionnaire that creates more questions depending on the answers, and it does go into: 'What do you use?' We get asked ourselves: 'What partners do we partner with? What software do we use?' In reality, it's a robust asset management transparency."
In this video interview with Information Security Media Group, Joshi discusses:
- Changes to third-party risk management in a post-pandemic world;
- Critical components of a third-party risk management program;
- How independent validation helps assess supply chain risks.
Joshi is an IT risk management professional with over 15 years of experience at organizations that have grown by acquisitions and mergers. He helps these organizations create and deliver strategically aligned IT transformation programs while managing risk, improving scalability and agility, and providing new business enablement.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.