Podcasts about third party risk management

  • 112 podcasts
  • 340 episodes
  • 24m average duration
  • 1 new episode per month
  • Jun 18, 2026 latest episode

Popularity by year (chart, 2019–2026)


Best podcasts about third party risk management


Latest podcast episodes about third party risk management

GREY Journal Daily News Podcast
Will a Senate Study Recast Bank Fintech Partnerships?

GREY Journal Daily News Podcast

Jun 18, 2026 · 1:33


Senators introduced a bill directing the Government Accountability Office to study bank fintech partnerships and their oversight across the OCC, FDIC, Federal Reserve, and CFPB. The review would assess charter renting concerns, dispute resolution in multi party arrangements, and the clarity of consumer disclosures about where funds are held. Regulators have already raised expectations through the June 2023 Interagency Guidance on Third Party Risk Management. Recent shocks, including Synapse's 2024 bankruptcy that disrupted access to funds at several fintech apps, have highlighted operational risks. Enforcement actions at Cross River Bank in 2023 and at Blue Ridge Bank in 2022 and 2023 show supervisors' focus on third party oversight. Founders should prepare for tighter controls, longer onboarding, and greater demands for audits, contingency plans, and transparent disclosures. Learn more on this news by visiting us at: https://greyjournal.net/news/

ChannelBuzz.ca
Third-party risk management: The recurring revenue opportunity hiding in your clients’ vendor stack

ChannelBuzz.ca

May 6, 2026 · 35:53


Tim Coach, chief evangelist at Cynomi

For most managed service providers, the security services story has followed a familiar arc: endpoint protection, email security, security awareness training. Each category added value, then became table stakes. Third-party risk management – TPRM – is what comes next, and according to Cynomi Chief Evangelist Tim Coach, it may be the stickiest revenue category yet.

The case is straightforward. Every business relies on a web of vendors, software providers, and service partners. Each one is a potential vulnerability. And most SMBs have no formal process for knowing how well those third parties are managing their own security – or what happens to them downstream if one of those vendors gets breached. Research from Cynomi suggests 45 percent of organizations will face supply chain attacks, and 30 percent of data breaches already involve a third party. The attack surface has shifted to the things organizations trust most.

For Canadian MSPs, the regulatory pressure is specific and near-term. OSFI’s Guideline E-21, with a September 2026 compliance deadline for federally regulated financial institutions, puts third-party oversight explicitly on the agenda. The cascade effect on their vendors – and the MSPs serving those vendors – is already in motion.

Perhaps the sharpest signal in this conversation: cyber underwriters are now denying SMB coverage not because of anything the SMB did, but because they are connected to an MSP. The managed service provider, long positioned as the path to better insurance outcomes, has become a risk factor in its own right.

Coach’s recommended first move for any MSP building into TPRM isn’t a vendor questionnaire – it’s a Business Impact Analysis. Understand how the client actually makes money, which vendors are critical to those revenue processes, and what an hour of downtime costs. That reframes the conversation from technical widgets to revenue, cost, and risk – the language every business owner speaks.

Full transcript:

Robert Dutt: Hello and welcome to In The Channel from ChannelBuzz.ca, bringing news and information to the Canadian IT channel for the last 16 years. I’m Robert Dutt, editor of ChannelBuzz.ca, your host for the show. My guest today is Tim Coach, Chief Evangelist at Cynomi, a vCISO platform purpose-built for MSPs and MSSPs. Tim brings an unusually grounded perspective to the space. He’s an engineer by training who spent nearly two decades building, running, and consulting on managed service practices before landing at Cynomi after seeing the platform first-hand and recognizing it could have solved one of his biggest operational headaches as an MSP owner – the CISO bottleneck, the point at which growth stalls because the security function can’t scale without adding expensive headcount. That personal history shapes everything he thinks about TPRM, third-party risk management, which is increasingly being talked about as the next major revenue category for MSPs after human cyber risk. Today we’re talking about what building a TPRM practice actually looks like, why cyber insurance has quietly flipped the MSP value equation, and why the right starting point isn’t a vendor questionnaire at all. Let’s get right into it, my chat with Tim Coach. Tim, thanks for taking the time. I appreciate it.

Tim Coach: I absolutely love to be on. Thanks so much for having me, and for having Cynomi on your webinars. We’re always happy to do these things and educate the community.

Robert Dutt: You’ve spent a long time in and around the MSP community. How did you end up at Cynomi specifically, and what was it about the opportunity around TPRM that pulled you in?

Tim Coach: TPRM was eventually in the process – let me back up. What got me into the community was my engineering background. I went to college for what was called network communications back in those days. Basically I’m a network guy – I always point at the front-end programming guy and say, “It’s your fault,” and the programming guy says, “No, no, it’s the network’s fault.” So I did that for a large-scale nationwide company for many years, and then I fired my MSP. The owner was like, “Well, if you’re so good, why don’t you come over here and run this?” And I said okay. It took me about 24 hours to realize I didn’t have a clue what was going on – the place was chaos. But through process and procedure, and a military background, I knew I could get it under control. I ended up with a business partner from that experience, and we spent about 20 years rebuilding and consulting with MSPs. About five years ago, I just needed something different. The kids were a little older. I started looking at what else was out there, talked to a couple of mentors in the space – I’m sure if I mentioned their names everyone would know them – and they said, “You should come over and do this.” So I jumped. I went to work for a Canadian company, grew them quite a bit in the first year, then moved to an Australian company, grew them, and then went back to consulting for a short time. David from Cynomi was recommended to me as a consulting connection. We were going back and forth and he said, “Why don’t you come on board?” And I said, “I’m not really interested in selling a widget” – and it’s a security widget, right? There are so many great widgets and great personalities in the security space already. Probably not my jam. But he said, “No, no – let’s look at it.” And he showed me what Cynomi did, and I was blown away. The reason I was blown away is that at my most successful MSP, we hit a stopping point in our growth. The reason was our CISO – and this was before CISO was even a cool term. He was our bottleneck. Not because he was inefficient as a person, but because of the way he had to work: 80 pages of Excel spreadsheets and hours and hours of questionnaires. When I first saw Cynomi, I thought, “Here’s a way I could have doubled the size of my company with the same staff, the same CISO.” That’s what really inspired me to come on board – seeing that dashboard and connecting it to the personal pain I’d experienced around the security bottleneck. Now with the addition of TPRM, that excites me even more, because back in my MSP days I had a lot of bank clients, and banks are SOC 2 all over the place. Part of SOC 2 is that you have to have TPRM – you have to be responsible for everybody in the chain. So now we’ve built out a platform that lets the MSP, MSSP, ITSP, or whatever SP you want to put in front of those letters, easily manage vendor relationships and understand where clients are in their security posture.

Robert Dutt: You may not feel it’s cool, but it’s certainly foundational security.

Tim Coach: And that’s the problem, right? That’s why we’re still talking about security – because nobody knows how to talk business. They all talk widgets, bits and bobs: here’s this cool firewall, MDR, XDR. But you know what your clients don’t care about? The widgets. They care about being secure. Until we can bridge that gap – until Cynomi brings something that says, here’s an easy way to get to the data and details you need, here’s CISO-level intelligence so the MSP can translate it into business terms for the doctor’s office, the manufacturing company, whatever vertical you want – we’re going to keep having this same conversation.

Robert Dutt: Let’s do a little bit of that with TPRM itself. Let’s take a step back and look at it from the viewpoint of an MSP who’s heard the acronym but hasn’t really dug in yet. Third-party risk management – what are we actually talking about, and what problem does it solve?

Tim Coach: What a lot of people need to understand – and I try to say this in a way that’s easy to grasp – is: manage security first, and compliance becomes a default. What I mean is that you need a baseline, whether it’s CIS Controls, Cyber Essentials Plus, CMMC 2.0, one of the financial frameworks, HIPAA, whatever applies. You need a baseline you’re actively managing your security against. In the process of meeting that baseline, compliance follows. What we’re increasingly seeing is that certification bodies, auditors, and insurance underwriters all want to see that your solutions and partners are just as secure as you are. I was at Canalys Barcelona last year and someone made a statement that blew me away: for the first time ever, we’re seeing insurance underwriters deny coverage to an SMB because they’re connected to an MSP – and the MSP is what they consider the risk. We went from being the most important people in the room, essential workers, to being the risk factor. And on top of that, helping clients with their insurance has been one of our foot-in-the-door conversations for the last decade. That’s where TPRM comes in. The frameworks and insurance underwriters now want to see not just that you’re secure, but that everyone you’re working with is secure. The problem has always been how you manage that. Back in my day, you had to call the vendor, find the right person, ask for evidence of their SOC 2 compliance, get bounced around, end up with legal, sign an NDA, and eventually get the report. Now people share that information a bit more freely, but you still need a central place to manage it – so when an auditor or insurance broker asks, you can point to it and say, “Here it is.” We do a community call every Wednesday at noon Eastern, and we’ve had a gentleman on a couple of times who has written books specifically on TPRM. He’s sounding the alarms – not bad alarms, just “it’s coming.” But like a lot of SMBs, MSPs are having to drag their clients toward where they need to be. Once you make it easy for the MSP, you make it easy for the SMB, and you finally have a way to prove you’re taking those measures.

Robert Dutt: Supply chain attacks have certainly been a theme in the channel for a while – Kaseya, SolarWinds, MOVEit. But TPRM as a formal managed service element feels newer. The insurance side sounds like a big driver. What else changed to make it go from a theoretical concern to something MSPs can actually build a practice around?

Tim Coach: I firmly believe you cannot be a business partner without knowing how your partner makes money and how you need to protect them. I can’t protect them if I don’t know what they’re using. It’s the old adage: if two people are managing something, nobody’s managing it. TPRM is really the next step for the ITSP to move from a transactional relationship to a true business partnership – ensuring that everyone your clients are using is also protected. Because what happens is what always happens: it doesn’t matter what you have hard-coded in the contract about not being responsible for X. When something goes wrong, the SMB comes back and says, “But I thought you were managing this.” We go over it in the contract reviews, sure, but the conversation still happens. When you’re genuinely talking business – saying, “I’m going to protect how you operate quarter after quarter, year after year” – you’re protecting their entire environment, not just your piece of it. That’s when you move to a real business relationship instead of a sales relationship where every conversation is an upsell or a cross-sell. We’ve done it to ourselves a little bit, honestly. It’s like an insurance agent in Oklahoma trying to sell hurricane insurance. That’s not what we should be doing as business partners. TPRM allows us to have a full understanding of the client’s environment and make sure everything is protected – or at minimum, that the gaps are known by everyone.

Robert Dutt: Cynomi has described TPRM as the next major revenue category after human cyber risk. Can you walk me through what the recurring revenue model actually looks like, and what makes it sticky?

Tim Coach: Everything leads to MRR – that’s business. But you have to start with a project. You need to understand where the client is in their security journey before you can manage them ongoing. SMBs don’t do things for free, and neither do our partners. This is a revenue generator. But it’s a revenue generator because it actively has to be managed. I always say: I can’t throw a server at security. I can’t throw a firewall at it and declare myself secure. The best analogy I’ve heard for security is a block of Swiss cheese. There are holes, and you can stick a fork through those holes quite a way. But if you slice that block and turn every slice 90 degrees, the holes are still there – they’re just not as deep or vulnerable. That’s TPRM. There is no set-it-and-forget-it. It has to be actively managed, and that active management is where the recurring revenue lives.

Robert Dutt: What does a typical engagement look like early on, for an MSP starting from zero with a client? Where does the work begin, and what surprises people about the scope as they go deeper?

Tim Coach: Everything begins with an assessment. With Cynomi’s tools, we can use Cyber Essentials Plus or CIS Controls as a self-regulating baseline and add a couple of hours to the initial assessment to incorporate the security piece. We all do assessments upfront to understand what we’re getting into – or what needs to be fixed before we really dig in. Once you’re in the security layer, the next step is TPRM. And TPRM brings with it something I think is critically important: the Business Impact Analysis. It’s not enough to ask, “What does your client do?” They make dog food – do they? Or is that just the end product? When I was an MSP, I had a metal manufacturer that cut and stamped metal. But if you asked their CFO what the business was, he’d say, “Making pallets – I make more on pallets than on the stamping work.” I used this example in a presentation just yesterday. Years ago I was walking through a manufacturer’s facility and asked about a machine: “What does that one do?” “That runs the software that completes our product.” “Why isn’t it plugged into the network?” “It’s a Windows 98 machine.” “Why are you still running that?” “Because it runs decade-old German software that costs ten million dollars to replace. And we only have that one machine.” If you’re not walking through and genuinely understanding how they make money, you don’t know where the risks are. And that’s what TPRM forces you to do. Ideally, I’d love to sell a project that includes a full security assessment, a BIA, TPRM, BCP, IR planning, all of it from day one. But it doesn’t happen that way. You have to phase it. Once you understand the BIA and what they’re actually doing, you understand where the software and systems that carry real business risk are, and you can start building that into their security posture. It’s the same principle: why hack an individual when you can hack the software that manages all the individuals? Why try to crack one account when you can compromise an MSP’s RMM tool and get access to everybody? If you go into a business without understanding their software environment and vendor posture, you at minimum need to be able to tell them where the risks are. Because the language they speak is revenue, cost, and risk. TPRM is a risk if it’s not being managed – and that’s why we’re seeing so much attention on it lately, even though some of us have been doing this for decades. We just used to call it vendor management.

Robert Dutt: We’ve talked a lot on the show about MSP tools as an attack surface – RMM agents, remote access tools, backup platforms. The MSP is supposed to be managing the client’s vendor risk, but the MSP’s own toolchain is also someone else’s third-party risk. How should MSPs be thinking about that?

Tim Coach: It comes back to the BIA again. What are they using? What’s creating the security gaps, and how do you build better overall management around it? There’s a project in there, but every project should lead to MRR – period. It still has to be managed. Remember when Exchange servers went away and everyone panicked about where the revenue was going to go? There was still an entire environment to manage. We always made some revenue on hardware, though that’s gotten harder – the real money is in managing the ongoing environment. TPRM is the same thing: it’s a significant security gap in the overall posture of your clients, and that gap has to be actively managed.

Robert Dutt: Pushing on that a little further – TPRM platforms are pulling in a pretty comprehensive map of an organization’s vendor ecosystem: the gaps, what’s been remediated, basically a full picture of the landscape. If one of those platforms gets compromised, that’s not just a breach – that’s a pretty rich target list for an attacker. How do you think about that?

Tim Coach: Think about a CNC factory. Their job is building molds to produce a specific part, and the software on their server has all the schematics fully built out. What happens if that software gets hacked? You lose all the schematics for the CNC machine – so suddenly you can’t produce anything. And if the attacker gets in early enough in the process, the downstream supply chain impact goes way beyond that one facility. That’s the risk. If you’ve got $200,000 five-axis CNC machines – and I may have a little experience with this – and you’re not protecting the software running them, and you don’t understand from a TPRM perspective what the vulnerabilities look like, that’s an ongoing, persistent risk. You always have to be managing it.

Robert Dutt: Sitting where Cynomi is, how do you think about the security side of running a TPRM solution, and what should MSPs be asking vendors in this space about that?

Tim Coach: Efficiency. How efficient can you make it? I’ll probably get in trouble for saying this, but we’ve essentially stupid-proofed the first few levels. We’ve built it out for you. And look – I know AI is a word we’ve managed to avoid for about the last half hour, but AI is meant to enhance the human. It’s a tool. What we’ve done at Cynomi is build AI agents and intelligence into the platform to make this work manageable at a lower labor level. If I can take work that previously required a CISO – an expensive asset – and bring it down to a tier-two technician, my margins go up because my labor costs go down. That said, we’re not replacing the CISO. I used to work with a company that built a component for Apache helicopters – no public-facing anything. If a tier-two tech runs a report showing no web security for that client and flags it as a critical gap, the CISO might be the only person who knows that client has no public-facing presence by design. That context matters. The CISO still needs to be the final approval layer. What Cynomi has done is open up bandwidth for other people to do the groundwork, so you can grow your company without adding another six-figure salary. When your staff becomes more efficient, the CISO is less of a bottleneck – which was the original problem we started with.

Robert Dutt: For the Canadians listening, there are some very specific regulatory drivers on the table right now. OSFI’s Guideline E-21 has a September 2026 compliance deadline for federally regulated financial institutions. Can you talk about the role you see TPRM playing in responding to that kind of regulation?

Tim Coach: What we’re seeing is that the insurance underwriters, auditors, and regulators are the ones setting the standard, and the industry has to meet it – but the industry isn’t yet at a point where it can easily meet a TPRM standard. So what will probably happen, whether it’s Canada, the US, the UK, or EMEA, is a pattern we’ve seen before: they’ll release a guideline, there’ll be a period of voluntary adoption, and then they’ll give it teeth. Like HIPAA – they threw it out there, and eventually it got enforcement. The thing I’ve always loved is watching the auditors, because they’re typically running a couple of years ahead of the regulation. If you stop treating auditors like your mortal enemy – “they’re here to expose everything I’m doing wrong” – and start paying attention to what they’re flagging, you can get ahead of the game. Auditors are a leading indicator. It’ll always come down to government forcing the policy, and then insurance trying to find a way out of paying claims when it’s not followed. But if you’re watching the auditors and TPRM is showing up in their reviews, you already know what’s coming.

Robert Dutt: For an MSP listening to this and thinking, “I should be doing this” – what’s the realistic first move? Not the ideal end state, but the practical starting point?

Tim Coach: Start with the BIA – the Business Impact Analysis. Research suggests every SMB has three to five critical processes that drive about 80% of their revenue. Do they actually know what those are? Probably not. They make dog food. They take care of kids. Whatever it is – they don’t actually know how they make money. I have an old client who’s also a friend – he works in retirement planning. If you asked how he makes money, you’d assume it’s from managing portfolios. It’s not. He makes money by selling the policy, and the insurance company pays him a commission on that. If you don’t start by understanding the BIA, you don’t really know what solutions your clients are dependent on. Start with: who is your critical software outside of us? Who maintains it? Do we have a relationship with them? Does it connect directly to how you make money? And tie it to cost of downtime. If a doctor’s office goes down for four hours – and in a medical practice you call them providers, not doctors, right? Speaking their language, not ours – what does that cost? If the pallet machine on an assembly line goes down, and that pallet machine is the only thing holding product so the rest of the line can keep moving, what’s the cost per hour? If you don’t know that, you don’t actually understand how to service your client. You’re still talking bits and bobs instead of revenue, cost, and risk.

Robert Dutt: Future-looking question to wrap up: where do you see this category going over the next couple of years? Is TPRM a standalone practice, or does it fold into a broader vCISO or governance offering?

Tim Coach: I think it’s going to be both. For more mature MSPs, it’ll be baked right into their silver, gold, and platinum packages – TPRM is just part of what you get at a certain tier. For others, especially those that aren’t at a full vCISO-as-a-service level yet, it’ll be available as a standalone – a meaningful piece of the security posture they can deliver to clients without committing to the full stack. Growth and maturity, right? As people build their practices, the more advanced will have it embedded. But there’s also a real path for someone starting out to say, “I need to at least get this piece right, because it’s critical to the overall security posture of my clients.”

Robert Dutt: Fascinating. It’s an interesting area of technology and – to your greater point – business. I appreciate you taking the time to share some thoughts on how service providers can get involved.

Tim Coach: Thanks for having me on. I always appreciate it.

Robert Dutt: There you have it – Tim Coach from Cynomi. I’d like to thank Tim for taking the time today. He’s been around the MSP space long enough that when he points at something and says it’s the next thing, it’s worth listening. A few things I want to make sure land from this conversation. The first is the Business Impact Analysis as the true starting point. Before you think about vendor questionnaires or risk scoring tools, you need to understand how your client actually generates revenue – which processes drive the majority of the business, and which vendors are load-bearing in that equation. That’s not a security conversation. That’s a business conversation. And that’s the shift that moves an MSP from tool vendor to genuine business partner. The second is the insurance signal. When underwriters start denying SMB coverage not because of something the SMB did, but because they’re connected to an MSP – that’s a warning and an opportunity in the same breath. MSPs who can demonstrate they’re actively managing their clients’ third-party risk have a new and better story to tell. And the frame to carry with you: security first, compliance becomes a default. Build the practice to the right security baseline and the compliance checkboxes largely take care of themselves. In The Channel is available on Apple Podcasts, Spotify, YouTube, and most major podcast directories. If you’re finding value here, ratings and reviews are always appreciated – they help other people in the Canadian IT channel find the show. Until next time, I’m Robert Dutt for ChannelBuzz.ca, and I’ll see you in the channel.

From the Editor's Desk
Aaron Nicodemus Reflections on March and April in Compliance Week

From the Editor's Desk

Apr 3, 2026 · 25:30


In this episode of From the Editor's Desk, Tom Fox sits down with Aaron Nicodemus for a lively and insightful look back at the biggest compliance stories from March, while also previewing the trends, enforcement issues, and events set to shape April. They also begin the countdown to the 2026 Compliance Week National Conference in May. Tom and Aaron break down the fast-moving, policy-driven shifts in U.S. sanctions on Venezuela, Iran, and Russia, and explore how companies are balancing business opportunities with escalating geopolitical and compliance risks amid a volatile oil market. They spotlight Compliance Week's feature on illegal mining, unpacking its deep connections to financial crime, corruption, and supply chain exposure. The conversation also examines a notable March FCPA declination under the DOJ's new Corporate Enforcement Policy, focusing on what it signals about voluntary self-disclosure, remediation, cooperation credit, and the Department's continued emphasis on prosecuting individuals. Along the way, they consider possible aggravating factors, including payments tied to designated criminal or terrorist groups, and what these developments may mean for the future of cross-border enforcement cooperation. Looking ahead, Tom and Aaron preview the 2026 Compliance Week National Conference, taking place May 6–8 in Washington, DC, including awards finalists, anticipated remarks from DOJ and SEC officials, and timely sessions on AI, whistleblowers, and emerging compliance challenges. They also highlight the conference's expanded commitment to new voices and share an early look at the Third Party Risk Management & Supply Chain Summit, coming October 26–28 in Chicago.

Resources:
  • Aaron Nicodemus on LinkedIn
  • Compliance Week

The Other Side Of The Firewall
AI Vulnerability Scanning, FBI Surveillance, and America's New Cyber Strategy

The Other Side Of The Firewall

Mar 12, 2026 · 57:52


This episode covers the latest in cybersecurity, AI vulnerabilities, government system security, and the importance of human validation in AI-driven security tools. Ryan, Shannon, and Chris discuss recent breaches, AI safety, and strategic government initiatives.

Articles discussed:
  • OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues: https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html
  • FBI investigating ‘suspicious' cyber activity on system holding sensitive surveillance information: https://federalnewsnetwork.com/cybersecurity/2026/03/fbi-investigating-suspicious-cyber-activity-on-system-holding-sensitive-surveillance-information/
  • President Trump's CYBER STRATEGY for America: https://www.whitehouse.gov/wp-content/uploads/2026/03/president-trumps-cyber-strategy-for-america.pdf

Buy the guide: https://www.theothersideofthefirewall.com/

CISO-Security Vendor Relationship Podcast
Managing Risk Has Been a Priority Ever Since You Asked About It (LIVE in NYC)

CISO-Security Vendor Relationship Podcast

Jan 13, 2026 · 40:37


All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series, and Matthew Southworth, CSO, Priceline. Joining them is sponsored guest Saket Modi, CEO, Safe Security. This episode was recorded live at FAIRCON25 in NYC.

In this episode:
  • AI won't stay broken
  • Identity before intelligence
  • People decide risk appetite
  • Automate with oversight

Huge thanks to our sponsor, Safe Security. SAFE is the leader in Cyber Risk Quantification and the first company to deliver 100% autonomous Third-Party Risk Management. Powered by Agentic AI and built on FAIR™, SAFE empowers CISOs, cybersecurity, and TPRM leaders to continuously quantify, prioritize, and mitigate cyber risks across their entire attack surface – enabling digital growth and organizational resilience. Learn more at testdrive.safe.security/

zeb Sound of Finance
DORA in practice: first audit experiences from the financial industry

zeb Sound of Finance

Nov 24, 2025 · 30:08


On 17 January 2025 the "Digital Operational Resilience Act", DORA for short, came into force. Since then, financial institutions and IT service providers have faced the challenge of not only building up their digital resilience but also making it demonstrable.

  • What are currently still the biggest problem areas in implementing the requirements arising from DORA?
  • Which topics are currently of particular focus in the first audits, by annual financial statement auditors but also by regulators?
  • And what lessons can be drawn for institutions as a whole?

Jan Krone, consultant at zeb, and Dr. Saskia Hohe answer these questions. Saskia is a partner at zeb and has already accompanied numerous audits, both on the auditor's and on the client's side. That means she brings fascinating insights from practice and first-hand experience straight from the "audit front line".

FCPA Compliance Report
Virna Di Palma on The Evolution of Third-Party Risk Management and the Role of AI

FCPA Compliance Report

Nov 17, 2025 · 24:10


Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Virna di Palma, Head of Global Content and Brand at Ethixbase360. Virna offers insights into her extensive background in third-party risk management, with a focus on FCPA compliance and the evolution of due diligence. They discuss the ongoing importance of third-party risk management, recent shifts in FCPA enforcement, and the growing impact of new regulations on corporate compliance. Virna highlights the transformative role of automation and AI in enhancing compliance programs while emphasizing the need for human analysis. The conversation also addresses emerging issues, such as modern slavery and sustainability, and explores how organizations can optimize investments in risk management to drive business growth and resilience.

Key highlights:
  • Importance of Third-Party Risk Management
  • Impact of FCPA Enforcement Pause
  • Technological Advancements in Compliance
  • Human Rights and Modern Slavery
  • Future of Third-Party Risk Management

Resources:
  • Virna Di Palma on LinkedIn
  • Ethixbase360
  • Tom Fox on Instagram, Facebook, YouTube, Twitter, and LinkedIn

The ORX Operational Risk Podcast
Which risks are top of the agenda for financial services firms? ORX Top Risk Review results H2 2025

The ORX Operational Risk Podcast

Play Episode Listen Later Nov 11, 2025 18:06


In this episode of the ORX Podcast, Melanie Lavallin, Emilie Odin and Natasha Smith-Craig reveal the biggest risks on the radar for financial services firms, based on our latest Top Risk Review H2 2025 survey. Our team also features insights from our latest Insurance analysis report and introduces our first-ever Asset management analysis report. What's on the agenda? Headline findings from the Top Risk Review; risk ranking analysis; emerging insurance trends and analysis; data influencing industry decisions; outlook for next year's Top Risk Review. For full access to the Top Risk Review H2 2025 report, ORX members and ORX Lite subscribers can download it for free via the ORX website: https://orx.org/resource/top-risk-review-h2-2025. In addition, ORX has released a comprehensive Insurance analysis report that provides in-depth insights tailored for professionals in the insurance industry. Access the complete report here: https://orx.org/resource/top-risk-review-h2-2025#insurance. Our first Asset management analysis report can be read here: https://orx.org/resource/top-risk-review-h2-2025#assetman. Additional information on the Top Risk Review is available in the recent press release, 'Top Risk Review H2 Shows Fraud Risks Surging Across the Financial Sector,' which can be found on our website here: https://orx.org/blog/top-risk-review-h2-shows-fraud-risks-surging-across-the-financial-sector. More about the topic of Third Party Risk Management can be found here: https://orx.org/resource/third-party-ecosystem-risk-management-2025. To find out more about ORX Membership, ORX subscription services, and access other operational risk resources, just search 'ORX' or visit: www.orx.org

Good Morning BSS World
Poland's Global Moment: How America Sees the Future of Outsourcing

Good Morning BSS World

Play Episode Listen Later Nov 5, 2025 38:35 Transcription Available


In this episode of Good Morning BSS World, I had the pleasure of hosting three exceptional professionals who represent both sides of the Atlantic - Shelli Ryan (CEO of Ad Hoc Communication Resources), Michael Nacarato (Head of Third-Party Risk Management and member of IAOP's Strategic Advisory Board), and Jens R. Voigt (Global Outsourcing Leader at eBay). Together, we explored how American companies approach outsourcing, nearshoring, and offshoring - and what this means for Poland and Central Europe. The conversation was inspired by our recent meeting at the Follow the Leaders event in Gdańsk, where we discussed how Polish and Central European businesses can attract more American investors. Shelli emphasized the importance of building a clear narrative and value proposition for Polish service providers - focusing not only on cost but on talent, multilingual skills, and innovation. Michael highlighted the shift from chasing arbitrage to chasing talent and value, especially in the era of AI and automation. Jens shared insights from eBay's global outsourcing strategy, underlining Poland's strengths: education, infrastructure, safety, and stability - all crucial for long-term partnerships. We also talked about the need for a unified, public-private marketing effort to promote Poland abroad - similar to campaigns led by African nations - and how Poland can position itself as Europe's major investment gateway, just like Ireland once did. This episode is a must-listen for anyone in global business services, outsourcing, or economic development.
It's a candid, cross-continental conversation about the future of global delivery, talent, and how to bridge American expectations with European excellence.

Key points of the podcast:
Poland's competitive advantages in the BPO sector include a highly educated workforce, significant infrastructure investments, and a stable regulatory environment, making it an attractive destination within Europe.
To attract American businesses, Poland must enhance its public relations efforts, potentially through a public-private partnership to create a unified and aggressive marketing campaign that highlights its technological advancements and safety.
Engaging in direct outreach, such as organizing roadshows in the US and inviting American executives to visit Poland, can help showcase the country's capabilities and foster stronger business connections.

Links:
Shelli Ryan - https://www.linkedin.com/in/shelliryan/
Michael Nacarato – https://www.linkedin.com/in/michael-nacarato-cop-90705311/
Jens R. Voigt – https://www.linkedin.com/in/jrvoigt/
Ad Hoc Communication Resources - https://adhoccr.com/
IAOP - https://www.iaop.org/
Talk to AI about this episode - https://gmbw.onpodcastai.com/episodes/pBhcfzq4adl/chat

****************************

My name is Wiktor Doktór and on a daily basis I run Pro Progressio Club - https://proprogressio.com/en/activity/pro-progressio-club/1 - it's a community of many private companies and public sector organizations that care about the development of business relations in the B2B model. In the Good Morning BSS World podcast, apart from solo episodes, I share interviews with experts and specialists from the global BPO/GBS industry. If you want to learn more about me, please visit my social media channels:
YouTube - https://www.youtube.com/c/wiktordoktor
Here is also a link to the English podcasts Playlist - https://bit.ly/GoodMorningBSSWorldPodcastYT
LinkedIn - https://www.linkedin.com/in/wiktordoktor
You can also write to me.
My email address is - kontakt(@) wiktordoktor.pl

****************************

This Podcast is supported by Patrons:
Marzena Sawicka https://www.linkedin.com/in/marzena-sawicka-a9644a23/
Przemysław Sławiński https://www.linkedin.com/in/przemys%C5%82aw-s%C5%82awi%C5%84ski-155a4426/
Damian Ruciński https://www.linkedin.com/in/damian-ruci%C5%84ski/
Szymon Kryczka https://www.linkedin.com/in/szymonkryczka/
Grzegorz Ludwin https://www.linkedin.com/in/gludwin/
Adam Furmańczuk https://www.linkedin.com/in/adam-agilino/
Anna Czyż - https://www.linkedin.com/in/anna-czyz-%F0%9F%94%B5%F0%9F%94%B4%F0%9F%9F%A2-68597813/
Igor Tkach - https://www.linkedin.com/in/igortkach/
Damian Wróblewski – https://www.linkedin.com/in/damianwroblewski/
Paweł Łopatka - https://www.linkedin.com/in/pawellopatka/
Ewelina Szindler – https://www.linkedin.com/in/ewelina-szindler-zarz%C4%85dzanie-mark%C4%85-osobist%C4%85-0497a0212/
Wiktor Doktór Jr - https://www.linkedin.com/in/wiktor-dokt%C3%B3r-jr-916297188/

Once you listen, give a like, subscribe and join Patrons of Good Morning BSS World as well. Here are two links to do so:
Patronite - https://patronite.pl/wiktordoktor
Patreon - https://www.patreon.com/wiktordoktor
Or if you liked this episode and would like to buy me a virtual coffee, you can use this link https://www.buymeacoffee.com/wiktordoktor - by doing so you support the growth and distribution of this podcast.
Become a supporter of this podcast: https://www.spreaker.com/podcast/good-morning-bss-world--4131868/support.

Cyber Security Today
Navigating Cybersecurity in Small and Medium Businesses with White Hat Hacker Graham Berry

Cyber Security Today

Play Episode Listen Later Oct 25, 2025 41:10 Transcription Available


In this episode of Cybersecurity Today, host Jim Love sits down with Graham Berry, a CISO and white hat hacker, to discuss the critical importance of cybersecurity for small and medium-sized businesses. From the moment Berry fell in love with technology through a Tandy TRS-80 to his current role helping businesses secure their data, this conversation covers the evolution of cybersecurity. They delve into how Berry assists businesses in understanding cybersecurity risks, communicating effectively with clients, and preparing for and recovering from cyber incidents. This episode is packed with insightful stories, practical advice, and a deep dive into the realities of cybersecurity for businesses of all sizes. 00:00 The Urgency of Cybersecurity 00:33 Introduction to the Podcast 01:00 Meet Graham Berry: A White Hat Hacker 01:31 Graham's Journey into Technology 04:04 From Technology to Cybersecurity 05:49 The Reality of Cyber Threats for Small Businesses 10:44 The Importance of Cyber Insurance 14:23 Engaging with Clients on Cybersecurity 17:08 Turning Around a Reluctant Client 20:10 The Growing Demand for Cyber Coverage 22:12 Third Party Risk Management 22:50 Effective Tabletop Exercises 23:58 Engaging Executives in Cybersecurity 26:43 Importance of Cyber Insurance 28:33 Successful Recovery Stories 34:16 Challenges with AI in Security 38:57 Looking Forward in Security 40:21 Conclusion and Farewell

IT und TECH Podcast
IT-Compliance & Third Party Risk Management smart managen | microfin bei #KIundTECH

IT und TECH Podcast

Play Episode Listen Later Oct 13, 2025 36:40


How can companies manage IT governance and IT compliance efficiently and traceably? How can regulatory requirements be automated so that they do not slow things down but create added value? How can Third Party Risk Management be represented digitally, without Excel chaos? And what does it take for compliance to be understood within a company not as an obligation but as an opportunity? Branimir Brodnik, Managing Director of microfin Unternehmensberatung GmbH, answers these questions in conversation with Holger Winkler. The focus is on the SaaS solution CloudGate, which digitalizes governance, risk and compliance processes on a workflow basis. You will learn how companies can meet regulatory requirements efficiently, manage risks transparently and even come to enjoy compliance.

Why shouldn't you miss this interview?
You will learn how CloudGate automates and simplifies compliance processes.
You will learn how companies can map regulatory requirements efficiently and securely.
You will discover how Microfin transfers best-practice processes from the financial world to other industries.
You will learn how collaboration between business units and IT improves with CloudGate.
You will get practical insights into how governance and risk management work digitally.

Takeaways from the interview:
CloudGate digitalizes and automates compliance processes via a workflow-based engine.
The platform reduces administrative effort and improves cross-team collaboration.
Microfin brings deep know-how from the financial services industry into regulatory software solutions.
Best-practice processes ensure high efficiency and fast implementation.
The solution increases acceptance and transparency in day-to-day compliance work.
Companies benefit from significant time savings and lower error rates.

Further links
► Website: https://www.microfin.de/solutions/cloudgate/
► LinkedIn company page: https://www.linkedin.com/company/microfin-unternehmensberatung-gmbh/
► LinkedIn: https://www.linkedin.com/in/branimir-brodnik-865a165/

Welcome to the KIundTECH Podcast
Here Holger Winkler regularly talks with fascinating personalities from the AI and TECH world, about everything that helps decision-makers in mid-sized companies understand AI & TECH in practical terms and deploy it effectively: independent, fact-based, journalistic.
► Find out more: https://kiundtech.com/
► Holger Winkler on LinkedIn: https://www.linkedin.com/in/holger-winkler/
Would you like to suggest a guest or come on the show yourself? All the information and an application form can be found on our website!

CISO-Security Vendor Relationship Podcast
We All Agree That Prevention Is the Best Advice We're Never Going to Follow

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Sep 9, 2025 44:27


All links and images can be found on CISO Series. This week's episode is hosted by David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is Jason Loomis, CISO, Freshworks. In this episode: Making organizations take their security medicine; Building CISO support systems; Holding the door for humans; Underappreciated risks: beyond the headlines. Huge thanks to our sponsor, Safe Security. SAFE is the category leader in Cyber Risk Quantification (CRQ) and the first vendor to deliver fully autonomous Third-Party Risk Management. We help CISOs, GRC, and TPRM leaders continuously and efficiently quantify, prioritize, and mitigate cyber risks across their entire attack surface — enabling digital growth and resilience. Learn more at tprmdemo.safe.security.

Risk Management Show
Building modern Third-Party Risk Management programs with Eric Hensley

Risk Management Show

Play Episode Listen Later Aug 26, 2025 23:12


Prevent third-party data breaches with this proven strategy! In this episode of the Risk Management Show, we discuss how organizations can mitigate cyber risks in their supply chain by implementing modern third-party risk management systems. Our guest is Eric Hensley, CTO and CSO at Aravo, a leader in third-party risk and resilience solutions powered by intelligent automation. Eric shares his insights on why indirect relationships with third and fourth parties often become entry points for attackers and how traditional IT risk assessments fall short in today's interconnected tech environment. We explore practical strategies for aligning IT, security, and procurement functions to ensure accountability, and Eric highlights the role automation and AI play in scaling effective risk management processes. If you're a Chief Risk Officer, cyber security leader, or simply looking to enhance your organization's sustainability and resilience, this episode is packed with actionable advice. Don't miss Eric's unique perspective on breaking down silos and rethinking how organizations view their supply chains. If you want to be our guest or suggest a guest, send your email to info@globalriskconsult.com with the subject line "Guest Proposal."

Simply Solving Cyber
Third-Party Risk Management in Healthcare

Simply Solving Cyber

Play Episode Listen Later Aug 25, 2025 22:02 Transcription Available


Ever wonder why healthcare organizations are such prime targets for cyberattacks? In this eye-opening conversation with Kelly White, founder of Risk Recon, we uncover the startling reality that healthcare accounts for 37% of all breach events in the last decade. Kelly's journey from soldering Timex Sinclair computers in the late 70s to founding a pioneering third-party risk management platform offers a fascinating perspective on cybersecurity evolution. He shares how his side project—identifying indicators of vendor cyber health through internet-accessible information—grew from 30,000 lines of weekend code into a successful enterprise now providing crucial breach insights. The data tells a compelling story: organizations with good cybersecurity hygiene experience breach events at rates four to six times lower than those with poor practices. Yet many companies still chase sophisticated security solutions while neglecting fundamentals like secure remote access, proper network filtering, and effective identity management. As Kelly puts it, "If you don't have those foundations in place, you don't have much to build on." We explore AI's emerging role in third-party risk management, where it shows tremendous promise in automating questionnaire reviews and helping security professionals focus on meaningful risk treatment rather than administrative tasks. Kelly's advice for security leaders rings especially true: "Don't try to script your career so tightly that you're not open to opportunities," and remember that "growth begins where comfort ends." Whether you're a healthcare security professional, a CISO working with limited resources, or someone interested in the intersection of risk management and emerging technologies, this conversation offers invaluable insights from someone who's successfully navigated the cybersecurity landscape from practitioner to entrepreneur. Listen now to transform how you think about security fundamentals and third-party risk!

CISO-Security Vendor Relationship Podcast
We'll Worry About Recovering From the Attack Once We Ace This Audit

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Jul 22, 2025 43:23


All links and images can be found on CISO Series. This week's episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Peter Clay, CISO, Aireon. In this episode: Purple teaming evolution misses operational realities Effective postmortems require systematic failure analysis Risk expertise requires business context over methodology Compliance and resilience serve different purposes Huge thanks to our sponsor, Safe Security SAFE is reinventing Third-Party Risk Management with Agentic AI. Our AI Agents automate onboarding, assessments, and monitoring—giving security teams real-time visibility and zero-effort control across their vendor ecosystem. See why SAFE is the fastest-growing TPRM platform on the market at https://testdrive.safe.security/.

The FIT4PRIVACY Podcast - For those who care about privacy
How is the CISO Role Changing with Aman Tara and Punit Bhatia in the FIT4PRIVACY Podcast E143 S06

The FIT4PRIVACY Podcast - For those who care about privacy

Play Episode Listen Later Jul 17, 2025 20:11


The CISO role is no longer just about protecting IT assets — it's about navigating AI risks, complex regulations, and building digital trust across the enterprise. In an era where digital trust is more important than ever, how do CISOs stay ahead of evolving threats? What impact does AI have on cybersecurity and privacy compliance? And how can organizations empower every employee to contribute to ongoing digital safety? Join cybersecurity expert and former military major Aman Tara in conversation with Punit Bhatia as they explore the evolving responsibilities of CISOs in today's digital landscape. Aman shares why CISOs must think like hackers to stay ahead, how to manage emerging AI threats, and ways to ensure compliance with global data privacy laws. If you want to understand the future of cybersecurity leadership and how to foster trust in an AI-driven era, this episode is a must-watch!

KEY CONVERSION
00:01:44 What is Digital Trust for Aman Tara
00:02:44 What role does the CISO play in creating Digital Trust?
00:04:59 How to manage overlap in a CISO role with the privacy function
00:06:17 Do you have regular meetings with privacy counterparts?
00:08:19 Impact of AI and emerging technologies on the role of CISO
00:09:58 How should a CISO respond when unsafe tools are used and create risk in the organization?
00:12:00 What can everyone do to ensure ongoing digital trust and safety?
00:15:17 Aman's Book and Personal Journey

ABOUT GUEST
Aman Tara is an ex-military Major and a qualified attorney. He holds an associate diploma in Software Engineering, a bachelor's degree in Life Sciences and Economics, a degree in Law, and his MBA from Iowa, USA. He is a Certified Information System Auditor, Certified Data Privacy Solutions Engineer, Certified Fraud Examiner, Certified Amazon Web Services Cloud Practitioner and a Scrum Master. He has also done a Cybersecurity course at the Massachusetts Institute of Technology (MIT).
After serving in the military for a decade in various combat and staff roles, he moved to the corporate world in 2011. He has worked on IT audits, IT security and Cybersecurity assessments, and Third Party Risk Management projects for various Fortune 500 companies across the USA and South Asia. Presently, he is the Executive Director for one of the world's largest banks, working in their Cybersecurity department, and sits on the Board of Directors of three Non-Profit Organizations based outside of the USA. He has been featured in articles overseas and invited as a speaker for various US-based and international seminars. He conducts workshops for corporates on stress management, hosts a live radio show every week in Texas, USA, and has also authored a book, 'Just Did It'.

ABOUT HOST
Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentor and coach professionals. Punit is the author of the books "Be Ready for GDPR", which was rated as the best GDPR book, "AI & Privacy – How to Find Balance", "Intro To GDPR", and "Be an Effective DPO". Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named 'ABC for joy of life', which he passionately shares. Punit is based out of Belgium, the heart of Europe.

RESOURCES
Websites: www.fit4privacy.com, www.punitbhatia.com, https://www.linkedin.com/in/aman-tara-cisa-cdpse-cfe-b6095483/
Podcast: https://www.fit4privacy.com/podcast
Blog: https://www.fit4privacy.com/blog
YouTube: http://youtube.com/fit4privacy

ILTA
#0088: (CT) Beyond the Tech

ILTA

Play Episode Listen Later May 19, 2025 21:08


In this podcast session, the speaker provides a deeper dive into all the questions organizations should ask their technology providers before moving forward with a deal. The technology may work great, but does the company as a whole? Moderator: @Christina Wojcik - Head of Innovation & Partnerships, Pierson Ferdinand LLP. Speaker: @Krishna Vyas - Director of Third Party Risk Management and Information Security, CITI. Recorded 5-15-2025

Defense in Depth
Can AI improve Third-Party Risk Management (TPRM)

Defense in Depth

Play Episode Listen Later Apr 3, 2025 29:00


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Jason Elrod, CISO, MultiCare Health System. Joining us is our sponsored guest, Nick Muy, CISO, Scrut Automation. In this episode: Supercharging teams Shifting to proactive A unique opportunity A human in the legal loop HUGE thanks to our sponsor, Scrut Automation Scrut Automation empowers compliance and risk teams of all sizes to build enterprise-grade security programs effortlessly. With powerful automation, AI-driven efficiencies, and seamless integrations, Scrut eliminates compliance debt and enables proactive risk management—helping your business stay secure as it scales. Visit www.scrut.io to learn more or schedule a demo.

Cracking Cyber Security Podcast from TEISS
teissTalk: Protecting critical services without disruption

Cracking Cyber Security Podcast from TEISS

Play Episode Listen Later Mar 20, 2025 44:30


Whether compliance-as-security in CNI offers security or false confidence
Navigating tool and dashboard complexity to avoid CNI cyber blind spots
Attracting cyber talent into CNI and away from finance and tech

This episode is hosted by Jonathan Craven: https://www.linkedin.com/in/thomlangford/
Sofia Martinez Gomez, VP, Risk & Tech Practice - Cybersecurity, Privacy & Compliance, AlixPartners https://www.linkedin.com/in/sofia-martinez-gomez-8b5534136/?locale=en_US
Monika Atanasova, Global Head of Third Party Risk Management, Raiffeisen Gruppe https://www.linkedin.com/in/monika-atanasova-746633b7/?originalSubdomain=ch
Deryck Mitchelson, Global CISO, Check Point Software Technologies https://www.linkedin.com/in/deryckmitchelson

Corruption Crime & Compliance
[Replay] Natalie Druckman from Certa on AI-Enhanced Third-Party Risk Management

Corruption Crime & Compliance

Play Episode Listen Later Mar 17, 2025 31:18


This week we are pleased to bring you one of our most popular episodes of 2024. Please enjoy, and we will be back next week with more insights from the Corruption, Crime, and Compliance podcast. How do you manage risk when the vulnerabilities are outside your organization and aren't in your hands? In this episode of Corruption, Crime, and Compliance, we delve into the world of third-party risk management with our guest, Natalie Druckman, from Certa. As we discuss the regulatory landscape in EMEA and the US, Natalie highlights the higher regulatory burden faced by companies in EMEA, and how Certa uses AI to streamline workflows, provide intuitive data visualization, and enhance risk forecasting capabilities. AI is the future of third-party risk management, now and in the years ahead.

Cybersecurity has become one of the top concerns for organizations. In 2012, Target worked with a third-party vendor and, as a result, suffered an attack that exposed their customers' credit data. Since then, compliance departments have started working closely with IT to prevent such vulnerabilities. Unlike the US, EU companies don't benefit from gaps created between state and federal regulations. EMEA faces a mandatory and substantial regulatory burden, particularly in areas like ESG and compliance. A forced labor scandal can sink a company, so ESG's importance is on par with cyber security. Global companies are increasingly recognizing the importance of addressing ESG topics alongside cybersecurity and financial risks. ESG considerations, such as diversity, modern slavery, and gender pay gaps, have significant reputational and revenue impacts.

AI is changing the world in many ways, including compliance. Certa aims to provide a comprehensive solution for third-party risk management, compliance, and operational risks by streamlining processes and incorporating AI capabilities to enhance efficiency and effectiveness. Certa utilizes various AI capabilities, including design AI, which allows users to create workflows using plain language. They don't need to know anything about tech; they can simply dictate the process, and AI generates the necessary code and infrastructure for it. This allows the company to remain flexible and able to quickly adapt to change. Insights AI is another capability that collects and analyzes data, making it far more accessible and efficient in managing up-to-the-minute risks and developments. This technology also uses design AI, allowing for plain language inputs to immediately create actionable, detailed reports. Recall AI allows companies to guarantee rapid and consistent responses from suppliers and customers by recalling past interactions to create surveys, forms, workflows, and processes. This removes the back-and-forth burden on all parties while still retaining the human touch. Smaller and midsize companies should prioritize their risk management processes and consider automated solutions like Certa. These companies can benefit from the efficiency and effectiveness of an automated platform, regardless of their industry or size.

Resources
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Natalie Druckman on LinkedIn
Certa
Email Natalie: nat@certa.ai

AML Conversations
Beyond Legal Risks in Third-Party Risk Management

AML Conversations

Play Episode Listen Later Feb 19, 2025 14:24


Legal issues are only one element of third-party risk. Learn what other risks your program should detect and mitigate.

AML Conversations
Using Technology in Third-Party Risk Management

AML Conversations

Play Episode Listen Later Jan 29, 2025 15:47


Learn how changing technologies can support your third-party risk management program.

CISO Tradecraft
#217 - Includes No Dirt (with Bill Dougherty)

CISO Tradecraft

Play Episode Listen Later Jan 27, 2025 44:59


In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy. Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration! The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X Chapters 03:27 The Genesis of Includes No Dirt 05:05 Combining Security, Privacy, and Compliance 07:24 Implementing the No Dirt Model 11:42 Scoring and Evaluating Risks 17:41 Third-Party Risk Management 25:49 Evaluating SaaS Requests Based on Risk 27:55 Adapting Threat Models for AI 31:24 Principles of Minimum Necessary Data 33:42 General Applicability of Security Principles 35:12 Includes No Dirt: A Comprehensive Threat Model 40:15 Final Thoughts and Recommendations

Reimagining Cyber
Risky Business: The Art of Third-Party Risk Management - Ep 126

Reimagining Cyber

Play Episode Listen Later Dec 4, 2024 22:35


In this episode of Reimagining Cyber, host Rob welcomes Tony Gonzalez, Principal at Inner Vision Services LLC and former CISO for QBE North America. They delve into the topic of third-party risk management, exploring its evolution from a checkbox approach to a comprehensive part of an organization's risk posture. They discuss the challenges and responsibilities involving third, fourth, and even fifth-party risks, especially within large organizations across various sectors like financial services, insurance, and biotech. Regulatory influences such as NYDFS and PCI are also examined, along with practical advice for prioritizing and improving third-party risk assessment processes, highlighting the importance of strategic partnerships and efficient communication. Follow or subscribe to the show on your preferred podcast platform. Share the show with others in the cybersecurity world. Get in touch via reimaginingcyber@gmail.com

Defense in Depth
What's Working With Third-Party Risk Management?

Defense in Depth

Play Episode Listen Later Aug 29, 2024 31:02


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Nick Muy, CISO, Scrut Automation.

In this episode:
Segment and test
Focus on you
Embrace the risk lifecycle
Not all vendors are the same

Thanks to our podcast sponsor, Scrut Automation. Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Our best-in-class features like process automation, AI, and 75+ native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit www.scrut.io to learn more or schedule a demo.

Venminder Inc.
Common Third-Party Risk Management Findings in Exams and Next Steps

Venminder Inc.

Play Episode Listen Later Aug 21, 2024 5:19


If your organization is in a regulated industry, you should anticipate regular examinations. It's good to review your regulator's website to become familiar with their exam process, classification of issues, etc. In this podcast, learn common exam findings and next steps.

Outcomes Rocket
Safeguarding Health: AI's Role in Third-Party Risk Management with Ed Gaudet, CEO and founder of Censinet

Outcomes Rocket

Play Episode Listen Later Aug 15, 2024 27:48


Cyber attackers are becoming smarter and more organized, making it crucial for healthcare systems to stay ahead with robust cybersecurity measures. In this episode of "The Future of AI in Health" podcast series, co-hosts Dr. Jenny Yu and Saul Marquez interview Ed Gaudet, CEO and founder of Censinet, on how AI revolutionizes healthcare, particularly in third-party risk and enterprise risk management. Ed shares how his company is revolutionizing the way hospitals assess the cybersecurity readiness of third-party vendors through automation and a multi-sided network, drastically reducing the time required for cybersecurity risk assessments in healthcare. Addressing the complexities of AI in healthcare, he emphasizes the importance of robust governance. He also explains why organizations need to establish clear policies for AI use, considering the unique risks associated with AI, which extend beyond traditional cybersecurity threats. Join us as we explore the future of AI in healthcare and the critical role it plays in ensuring patient safety and improved care. Stay tuned! Resources:  Watch the entire interview here. Check more episodes of this Thought Leadership Series here. Connect with and follow Ed Gaudet on LinkedIn and email him here. Follow Censinet on LinkedIn and the website. Check out the Risk Never Sleeps podcast. Connect with and follow Jenny Yu on LinkedIn. Learn more about Healthline Media on LinkedIn and their website.

Risk Management Show
The Power of a Business-Integrated Risk Management Approach with Michael Schank

Risk Management Show

Play Episode Listen Later Aug 14, 2024 26:17


In this episode of the Risk Management Show podcast, we welcome Michael Schank, a seasoned management consultant with over 25 years of experience in financial services. Michael discusses the limitations of traditional Enterprise Risk Management (ERM) programs and introduces the Process Inventory Framework, a methodology he developed to improve risk management, compliance, and strategic decision-making.

Key Topics:
Michael's Career Path: His journey in risk management and founding Process Inventory Advisors LLC.
Why Traditional ERM Programs Fail: Blind spots, data quality issues, and confusion in operating models.
The Process Inventory Framework: How it enhances risk management by integrating a detailed process inventory.
Improving Data Quality in Risk Management: Addressing root causes and leveraging process taxonomy in GRC systems.
Reducing Chaos and Increasing Accountability: Streamlining operations and improving risk management efficiency.
Application Across Risk Types: Benefits for Operational Risk, Compliance Risk, Operational Resiliency, and Third-Party Risk Management.

Cyber Security Weekly Podcast
Episode 409 - Series Insight 3 of 4 - Supply chain defence and Third Party Risk Management

Cyber Security Weekly Podcast

Play Episode Listen Later Aug 13, 2024


Nick McKenzie, CI&SO with Bugcrowd & Sumit Bansal, VP Asia Pacific & Japan, BlueVoyant discuss CxO perspectives on supply chain defence and Third Party Risk Management (TPRM). To join the series visit https://mysecuritymarketplace.com/bugcrowd-register-to-access/ #bugcrowd #mysecuritytv

Corruption Crime & Compliance
Bryn Sedlacek, Vice President at Aravo, on Holistic Third-Party Risk Management and Unitary Visibility

Corruption Crime & Compliance

Play Episode Listen Later Jul 15, 2024 28:05


Bryn Sedlacek, Vice President and Product Manager at Aravo, joins us on the podcast to discuss third-party risk management focusing on holistic risks and unified visibility. In a wide-ranging discussion, Mike Volkov and Bryn Sedlacek discuss the challenges in implementing a third-party risk management program that captures holistic risks and maintains a consistent, unified line of sight across the organization's risk profile. They focus on sanctions, capturing the source and ultimate destination of products/services and including those in screening, leveraging how to handle conflict minerals as a model, and how data intelligence providers can help. Additionally, Bryn discusses unified visibility, which provides comprehensive visibility to executives and decision-makers across risk domains and performance. Finally, they discuss InfoSec risk with third parties, where to start, and the future of risk - technology and alternative risk strategies. Join Michael and Bryn as they navigate the complexities of compliance in today's corporate landscape.

Bryn discusses how crucial it is to start with a realistic approach to building a compliance program and to continually improve compliance programs to mitigate risks effectively.
Having a platform like Aravo's is valuable for companies as it is highly configurable and tailored to meet the unique needs of each client's business structure and risk management requirements.
The partnership between IT and cyber security in a compliance program is vital for addressing cybersecurity risks effectively within organizations. It is a growing trend for IT and cyber security to focus on collaboration and meeting the unique needs of each department.
Unified visibility across different risk domains and third-party activities is essential for making informed decisions and managing risks effectively.
Continuous monitoring and auditing are crucial in compliance programs, with a risk-based approach to optimize resources and ensure proactive risk management.
Sanctions compliance is a growing area of focus, requiring proactive monitoring, risk-based approaches, and continuous updates to mitigate risks effectively.

Resources
Bryn Sedlacek on the Web
Email: bsedlacek@arvavo.com
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group

SRA Risk Intel
Season 2 | Ep. 29: Optimizing Third-Party Risk Management: Due Diligence, Contracting, and Monitoring

SRA Risk Intel

Play Episode Listen Later Jul 9, 2024 24:09


In this episode of the Risk Intel Podcast, host Ed Vincent invites Shawn Ryan back to the show to dive deeper into the recent Interagency Third-Party Risk Management (TPRM) Guidance released in May 2024. The guidance from the Federal Reserve, FDIC, and the OCC included five critical aspects of third-party risk management: planning, due diligence, contract negotiation, ongoing monitoring, and termination. In Part 1 of this series, Shawn discussed in detail the Planning and Termination stages of third-party engagement. In this episode, Shawn covers the critical aspects of due diligence, contracting, and monitoring that financial institutions must navigate, especially when dealing with FinTech and RegTech firms.

Follow SRA to Learn More. Follow us to stay in the know!

SRA Risk Intel
Season 2 | Ep. 28: Enhancing Third-Party Risk Management: How to Safely Onboard & Partner with FinTechs

SRA Risk Intel

Play Episode Listen Later Jul 2, 2024 18:30


In this episode of the Risk Intel Podcast, host Ed Vincent sat down with Shawn Ryan, Chief Financial Officer at SRA Watchtower, to delve into the intricacies of third-party risk management relating to safely onboarding FinTech partners. Their discussion centered on the recent May 2024 joint interagency guidance on third-party risk management and its implications for community banks. This episode is a must-listen for financial institutions navigating the complex landscape of risk and innovation.

Follow SRA to Learn More. Follow us to stay in the know!

FCPA Compliance Report
Brad Hibbert on Prevalent's 2024 Third Party Risk Management Report

FCPA Compliance Report

Play Episode Listen Later Jun 17, 2024 25:34


Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this edition of the FCPA Compliance Report, I take a deep dive into the Prevalent 2024 Third Party Risk Management Report with Brad Hibbert, the Chief Strategy Officer and COO at Prevalent. Hibbert drives Prevalent's product vision and strategy development, which draws from the Third Party Risk Management Report. The Prevalent Report outlines the complexities of managing third-party vendor relationships, highlighting the various phases involved such as onboarding, contracting, and offboarding. It examines the inefficiencies and risks that arise from fragmented processes and technologies handled by different teams. Our conversation explores how these challenges impact risk visibility and resource management, emphasizing the downstream effects on program scalability and decision-making.

Highlights in this Episode
· Introduction to Vendor Relationship Phases
· Challenges in Managing Vendor Relationships
· Inefficiencies and Risks in Vendor Management
· Impact on Risk Visibility and Decision Making
· Pressure on Teams and Resource Implications

Resources
Brad Hibbert on LinkedIn
Prevalent
Prevalent's 2024 Third Party Risk Management Report
Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here. Learn more about your ad choices. Visit megaphone.fm/adchoices

@BEERISAC: CPS/ICS Security Podcast Playlist
Ep. 47: Brad Hibbert on Third-Party Risk Management

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later May 25, 2024 29:37


Podcast: ICS Pulse Podcast
Episode: Ep. 47: Brad Hibbert on Third-Party Risk Management
Pub date: 2024-05-21

50% of respondents still rely on spreadsheets and multiple tools for third-party risk management. In this episode of the ICS Pulse Podcast, we talk to Brad Hibbert of Prevalent about the company's 2024 Third-Party Risk Management Study and how to create more effective risk management practices.

The podcast and artwork embedded on this page are from Industrial Cybersecurity Pulse, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

SRA Risk Intel
Season 2 | Ep. 22: 2024 Third-Party Risk Management Guidance: Phil Goldfeder, CEO, American Fintech Council

SRA Risk Intel

Play Episode Listen Later May 21, 2024 20:55


In the fast-paced world of FinTech, navigating regulatory landscapes requires a keen understanding of evolving standards and proactive collaboration. Listen as we explore insights from a recent Risk Intel episode featuring Phil Goldfeder, CEO of the American Fintech Council, and Ed Vincent, CEO of SRA Watchtower, as they discuss regulations around third-party risk management and how the new Guide for Community Banks can be leveraged. Let's dive into three key themes: continuous adaptation, the importance of regulatory guidance and best practices, and the need for collaboration and communication.

Follow SRA to Learn More. Follow us to stay in the know!

ITSPmagazine | Technology. Cybersecurity. Society
Navigating the Future of AI Governance with LogicGate | A Brand Story Conversation From RSA Conference 2024 | A LogicGate Story with Matt Kunkel and Nick Kathmann | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later May 8, 2024 20:53


The RSA Conference in San Francisco is renowned for being a hub of cutting-edge discussions around everything related to cybersecurity, and this year, one of the spotlights was on AI governance. In this conversation featuring industry experts from LogicGate, the focus was on unraveling the challenges organizations face in adapting to the rapidly evolving landscape of AI implementation.

Unveiling the Experts
Moderated by Sean Martin, the discussion kicked off with a warm welcome to the LogicGate team, setting the stage for a deep dive into the complexity of AI governance. Matt Kunkel, the CEO of LogicGate, shared insights from his extensive consulting background in building GRC solutions for a diverse range of organizations. His vast experience culminated in the creation of the Risk Cloud Platform, a versatile tool that aids organizations in automating risk management processes tailored to their specific needs.

The CISO Perspective
Nick Kathmann, the Chief Information Security Officer at LogicGate, brought to the table over two decades of experience in cybersecurity. His journey through managing security compliance for major players like Virtustream and RSA highlighted the intricate web of challenges posed by evolving technologies like AI. Nick emphasized the critical importance of aligning internal governance with external regulations to ensure a robust security posture.

Demystifying AI Governance
As the conversation continued, Sean Martin steered the discussion towards demystifying AI governance and its impact on organizational frameworks. The panel shed light on the dual challenges organizations face – the risk of embracing AI too recklessly and stifling innovation versus the risk of over-regulating and impeding progress. The consensus was clear – a balanced approach that marries speed and security is imperative for a successful AI governance strategy.

The LogicGate Solution
Matt and Nick unraveled the intricacies of the AI governance solution developed by LogicGate, designed to provide organizations with a holistic framework for managing AI risks. By integrating AI governance with existing risk management protocols, LogicGate's platform offers a transformative approach that streamlines processes, enhances visibility, and ensures compliance with emerging standards.

Looking Towards the Future
The conversation concluded with a forward-looking approach, underscoring the rapidly evolving nature of AI technologies and the indispensable need for agile governance frameworks. The consensus was that staying ahead of the curve demands continuous assessment, adaptation, and alignment of AI governance with overarching business objectives.

In Closing
This episode of On Location Coverage at the RSA Conference 2024 offered a glimpse into the complexities and opportunities that AI governance presents for organizations worldwide. With LogicGate leading the charge in innovative solutions, the future of AI governance looks promising, anchored in a foundation of collaboration, foresight, and strategic alignment. As organizations navigate the uncharted waters of AI implementation, partnering with pioneers like LogicGate is poised to be the key to unlocking the full potential of this transformative technology. Stay tuned for more insights and developments on AI governance as we journey towards a future powered by innovation and resilience.

Learn more about LogicGate: https://itspm.ag/logicgate-92d6bc

Note: This story contains promotional content. Learn more.

Guests:
Matt Kunkel, CEO at LogicGate [@LogicGate]
On LinkedIn | https://www.linkedin.com/in/matt-kunkel-91056143/
Nick Kathmann, Chief Information Security Officer at LogicGate [@LogicGate]
On LinkedIn | https://www.linkedin.com/in/nicholaskathmann/

Resources
Learn more and catch more stories from LogicGate: https://www.itspmagazine.com/directory/logicgate
View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

healthsystemCIO.com
Reexamining Third-Party Risk Management Around Critical Service Providers

healthsystemCIO.com

Play Episode Listen Later Apr 30, 2024 58:32


Recent industry-shaking events have made it clear that serious points of risk lurk throughout healthcare. They've also revealed that operational risk and IT security risk are deeply intertwined, making it incumbent for CISOs and CIOs to work with others in their health systems – from the chief risk officers, to clinical leaders, to emergency management – to help develop a joint picture of third-party risk that analyzes the implications of losing services not only from a cyber outage, but for any reason. In this timely webinar, we'll speak to leaders who are committed to going back and reviewing key third-party service providers through the lens of recent learnings so appropriate levels of total risk can be assigned, and plan Bs can be developed.

Source: Reexamining Third-Party Risk Management Around Critical Service Providers on healthsystemcio.com - healthsystemCIO.com is the sole online-only publication dedicated to exclusively and comprehensively serving the information needs of healthcare CIOs.

Risk Management: Brick by Brick
The Importance of Third-Party Risk Management with Brad Hibbert of Prevalent Inc.

Risk Management: Brick by Brick

Play Episode Listen Later Apr 26, 2024 15:48


On the latest episode of Risk Management: Brick by Brick, Jason Reichl is joined by Brad Hibbert, the COO and CSO at Prevalent Inc., a company that provides third-party vendor risk management solutions to eliminate security and compliance exposures.

ISACA Podcast
Effective Third Party Risk Management in 2024: AI's Impact and Future Trends

ISACA Podcast

Play Episode Listen Later Apr 24, 2024 31:23


Traditional security questionnaires just aren't cutting it anymore. Tune into this ISACA Podcast episode, in which Chris McGowan chats with VISO TRUST CEO and Co-founder Paul Valente as they delve into the evolving landscape of Third-Party Risk Management (TPRM), exposing the limitations of current methods and exploring how emerging AI trends are shaping a more secure future and driving more effective third-party risk management programs. To learn more about VISO Trust please go to https://visotrust.com/

The Sourcing Industry Landscape
Revolutionizing Third-Party Risk Management, featuring Dina Ghobrial, Founder, Halo AI

The Sourcing Industry Landscape

Play Episode Listen Later Apr 16, 2024 13:19


On this episode of the Sourcing Industry Landscape podcast recorded live during the Global Executive Summit, Dina Ghobrial, founder of Halo AI, discusses her transition from Chief Procurement Officer at Coupa Software to launching Halo AI - a cutting-edge platform that aims to revolutionize third-party risk management by leveraging technology to streamline vendor vetting processes. Halo AI utilizes diverse data sources, such as cybersecurity, financial viability, ESG, climate, and sentiment analysis, to generate instant vendor scores. Tune in to hear about Dina's journey and how Halo AI has the potential to transform third-party risk management within the procurement industry.

Learn more about Halo AI: https://www.gohalo.ai/

ITSPmagazine | Technology. Cybersecurity. Society
From Regulations to Relationships: Navigating the Maze of Third-Party Risk Management | A Conversation with Branan Cooper | Redefining CyberSecurity with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 5, 2024 44:24


Guest: Branan Cooper, Financial Services exec
On LinkedIn | https://www.linkedin.com/in/brananc/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
View This Show's Sponsors
___________________________
Episode Notes
In this episode of the Redefining Cybersecurity Podcast, hosted by Sean Martin, we dive into the intricate world of third-party risk management with the insightful Branan Cooper, boasting an impressive three-and-a-half decades of experience in financial services. Throughout this discussion, Cooper and Martin explore the evolution and critical aspects of managing third-party risk within businesses, emphasizing the ever-increasing interconnectivity and dependencies in the digital age.

Branan Cooper draws on his vast experience, touching on the regulatory milestones that have shaped third-party risk management practices, from early quality assurance efforts in the '90s to the recent comprehensive interagency guidance. Highlighting the intertwined nature of third-party risk with operational, cybersecurity, and compliance aspects, the episode sheds light on the need for a holistic approach encompassing due diligence, ongoing monitoring, and a lifecycle approach to vendor relationships.

Significantly, the conversation delves into practical strategies for mitigating third-party risk, the importance of fostering a culture of communication and collaboration across departments, and the pivotal role of documentation in managing and mitigating risks effectively. Cooper also shares invaluable insights into the nuances of vendor relationships, from assessing and prioritizing risks to the crucial aspect of planning for potential exit strategies.

This episode not only serves as a primer on the complexities of third-party risk management but also as a guide for navigating these challenges proactively, offering listeners actionable advice and best practices drawn from decades of experience. Whether you're a business leader, IT professional, or risk management practitioner, this episode provides a wealth of knowledge on safeguarding your organization in an interconnected business ecosystem.

Key Questions Addressed
How have regulatory milestones shaped third-party risk management practices over time?
What are the key strategies for effectively managing and mitigating third-party risks?
How does coordinating across departments contribute to managing third-party risks more effectively?
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

CISO Stories Podcast
Third-Party Risk Management - BEC Compromises and the Cloud - Michael Swinarski - CSP #167

CISO Stories Podcast

Play Episode Listen Later Mar 26, 2024 23:00


Third-Party Risk Management is essential for safeguarding an organization's assets, reputation, and operations. By identifying, assessing, and managing risks associated with external partners, organizations can enhance their resilience, protect sensitive information, and maintain the trust of stakeholders in an increasingly interconnected business ecosystem. We have seen the threat landscape change in the last few years. It has always been important to properly identify, categorize, and address risks created by our vendors and strategic partners; now we also have to understand the entire supply chain and how interruptions can affect your business. Even more recently, with the rise of Business Email Compromise (BEC), risks may also come from organizations you have no previous relationship or agreements with. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-167

Unleashed - How to Thrive as an Independent Professional
566. Craig Callé, Third Party Risk Management and Cyber Security

Unleashed - How to Thrive as an Independent Professional

Play Episode Listen Later Mar 25, 2024 34:06


Craig Callé talks about third party risk management (TPRM) and cyber security. TPRM is a subset of Governance, Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainties, and act with integrity. TPRM is crucial, as over half of all data breaches occur through insecure third parties. Companies need to understand their relationships and monitor them more carefully, which requires a variety of tools and processes. Chris explains that third party risk management includes cybersecurity, reputation management, supply chain issues, and other risk categories such as financial liability. Cybersecurity has become the primary focus due to the numerous issues it addresses. Privacy is another important risk, with regulations like GDPR in Europe, CCPA in California, and others worldwide ensuring companies have a firm grip on consumer data. Companies must follow through with privacy regulations unless they can follow data to third parties.

Areas of Scrutiny in Third Party Risk Management
Craig mentions that ESG and sustainability are also areas of scrutiny, as companies must ensure their third parties align with their company's goals and objectives. However, he stresses that one must also be aware of laws pertaining to sanctions around the world. Issues of reputation, child labor, anti-money laundering, and bribery are also important to be attentive to, not just for one's own company but also for the third parties it works with.

Defining Third Party Risk Management
Chris explains that third party risk management and enterprise risk management are all subcomponents of GRC. He mentions that the term includes outsource providers, software as a service (SaaS) apps, cloud hosts, contractors, ecosystem partners, technology partners, and counterparties. Emergency third party risk management is a broader category that includes enterprise risk management, business continuity or operational resilience, compliance, and internal compliance. Global Risk Control (GRC) includes enterprise risk management, a risk register, business continuity or operational resilience, and compliance. A risk register compiles all the potential threats that can impact a company, and it is crucial to continually build a more predictable and measurable system to achieve its objectives at the lowest possible risk.

GRC Frameworks
Craig adds that business continuity or operational resilience is an important aspect of GRC, as it involves a set of controls and risks in place to understand where the company is in the journey and be able to bounce back when bad things happen. Compliance is another area under GRC, as it involves creating a methodology for ongoing monitoring of operations and ensuring compliance with global rules and regulations. He mentions that a lot of GRC work involves picking a framework and building a program around it; for example, in cybersecurity circles, a popular standards body would be NIST, and he mentions a few others that give leaders a roadmap for achieving high standards of operation.

Governance in Risk Management Strategy
Craig states that, in the context of Global Risk Control, the governance aspect is a crucial part of the organization's overall risk management strategy and that it is set in the roadmaps that have been developed with a team for each area, such as compliance or continuity. The head of GRC is responsible for overseeing the system and ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, a C-suite executive responsible for GRC would report to a Chief Risk Officer or CRO, with a solid line to the CEO and a dotted line to the board audit and risk committee. He goes on to explain various titles that may be given to the person in charge of GRC and why he believes there is a deficiency in putting all risks under one umbrella.

The Director of Third Party Risk Management Role Explained
The director of third party risk management might have several processes, such as onboarding new third parties, periodic audits, ongoing real-time monitoring, reporting functions, and investigating and dealing with incidents and responses. However, the responsibilities depend on the organization's level of maturity and the complexity of the process. David offers a few examples to clarify the complexity of the many situations involved that have to be taken into consideration, including the fact that risk management processes can often be seen as blockers, and additionally offers a tip on how to overcome this issue.

The Importance of Third Party Risk Management in Organizations
The discussion revolves around the importance of third party risk management in organizations. It discusses the use of questionnaires and cyber risk ratings, which are non-invasive and objective tools that help triage the community of third parties and quantify vulnerability to data breaches. These tools allow TPRM professionals to compare responses on lengthy questionnaires with objective data, allowing for deeper discussions and corrective action when necessary. The discussion also touches on the need for human involvement in the processes, as automation has become increasingly popular. AI has become an important tool for parsing through voluminous data to identify central facts. However, human involvement remains an essential element in the process.

Software for Third Party Risk Management
Craig talks about the different types of software within the third party risk management universe. Some of the essential platforms include workflow automation platforms like Process, Unity, MetricStream, ServiceNow, LogicGate, BitSight and more. These platforms facilitate the issuance of assessments, review of responses, and routing to specific people or groups within an organization. Cyber risk ratings, which have been around for over 10 years, represent over half the market share and are now a natural complement to flow platforms. They provide easy-to-digest results that don't require an IT certification and are not based on FICO scores or letter grades. Overall, the discussion emphasizes the importance of human involvement in the third party risk management process to ensure effective and influential outcomes.

Forecasting Improvements in the GRC Arena
Craig believes that over the next decade, the focus of third party risk management will evolve from a risk focus within GRC to a high-electron level orchestration across CISOs, risk officers, and procurement people. This will lead to a more comprehensive view of risk and performance, ensuring that companies are not just scratching the surface when it comes to the risk aspects of third parties. Craig talks about the importance of selecting the right software for clients, highlighting the pros and cons of a best of breed approach versus a multi-module suite and a GRC-oriented suite. He explains that there are pros and cons to sharing data across modules, but there is also an opportunity for cross-sharing information across platforms. For example, if a company has a privacy module and wants to attack vendor risk, there is a natural logic to connect the data map to third parties that might pull data that needs to be aware of. However, this can be a different silo, and it can be difficult to cross-share information across platforms. He also emphasizes the need to understand the problem and inherited solutions, as well as the timeframe and budget constraints.

Timestamps:
05:15 Third-party risk management and GRC
11:57 GRC roles and responsibilities in a Fortune 500 company
16:10 Third-party risk management processes and responsibilities
21:59 Third-party risk management software and techniques
27:26 Third-party risk management and platform automation
32:21 GRC and third-party risk management

Links:
Company Website: https://sourcecalle.com/
LinkedIn: https://www.linkedin.com/in/craigcalle/

Unleashed is produced by Umbrex, which has a mission of connecting independent management consultants with one another, creating opportunities for members to meet, build relationships, and share lessons learned. Learn more at www.umbrex.com.

Venminder Inc.
Risk-Based Due Diligence in Third-Party Risk Management

Venminder Inc.

Play Episode Listen Later Mar 20, 2024 4:01


Although a vendor's risk can change over time, risk-based due diligence is a good strategy that provides consistent results. In this podcast, learn three ways risk-based vendor due diligence can improve your efficiency.

Corruption Crime & Compliance
Natalie Druckman from Certa on AI-Enhanced Third-Party Risk Management

Corruption Crime & Compliance

Play Episode Listen Later Jan 15, 2024 31:04


How do you manage risk when the vulnerabilities are outside your organization and aren't in your hands? In this episode of Corruption, Crime, and Compliance, we delve into the world of third-party risk management with our guest, Natalie Druckman, from Certa. As we discuss the regulatory landscape in EMEA and the US, Natalie highlights the higher regulatory burden faced by companies in EMEA, and how Certa uses AI to streamline workflows, provide intuitive data visualization, and enhance risk forecasting capabilities. AI is the future of third-party risk management.

Cybersecurity has become one of the top concerns for organizations. In 2012, Target worked with a third-party vendor and, as a result, suffered an attack that exposed their customers' credit data. Since then, compliance departments have started working closely with IT to prevent such vulnerabilities. Unlike the US, EU companies don't benefit from gaps created between state and federal regulations. EMEA faces a mandatory and substantial regulatory burden, particularly in areas like ESG and compliance. A forced labor scandal can sink a company, so ESG's importance is on par with cybersecurity.

Global companies are increasingly recognizing the importance of addressing ESG topics alongside cybersecurity and financial risks. ESG considerations, such as diversity, modern slavery, and gender pay gaps, have significant reputational and revenue impacts.

AI is changing the world in many ways, including compliance. Certa aims to provide a comprehensive solution for third-party risk management, compliance, and operational risks by streamlining processes and incorporating AI capabilities to enhance efficiency and effectiveness.

Certa utilizes various AI capabilities, including design AI, which allows users to create workflows using plain language. They don't need to know anything about tech; they can simply dictate the process, and AI generates the necessary code and infrastructure for it. This allows the company to remain flexible and able to quickly adapt to change.

Insights AI is another capability that collects and analyzes data, making it far more accessible and efficient in managing up-to-the-minute risks and developments. This technology also uses design AI, allowing for plain language inputs to immediately create actionable, detailed reports.

Recall AI allows companies to guarantee rapid and consistent responses from suppliers and customers by recalling past interactions to create surveys, forms, workflows, and processes. This removes the back-and-forth burden on all parties while still retaining the human touch.

Smaller and midsize companies should prioritize their risk management processes and consider automated solutions like Certa. These companies can benefit from the efficiency and effectiveness of an automated platform, regardless of their industry or size.

KEY QUOTE
"I think there is a very strong drive here for companies and stakeholders, not just to do the right thing… but doing the good thing as well." - Natalie Druckman

Resources
Michael Volkov on LinkedIn | Twitter
The Volkov Law Group
Natalie Druckman on LinkedIn
Certa
Email Natalie: nat@certa.ai

Defense in Depth
Doing Third Party Risk Management Right

Defense in Depth

Play Episode Listen Later Jan 4, 2024 30:30


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Erik Decker, CISO, Intermountain Health.

In this episode: Why are we all struggling to manage third-party risk? Why do the hated questionnaires seem like compliance checkbox efforts? Does anyone believe they reduce risk? What's the right approach, and how do you strike the right balance?

Thanks to our podcast sponsor, Praetorian
Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.

ITSPmagazine | Technology. Cybersecurity. Society
RSA Conference ESAF Report 2023: How Top CISOs Are Transforming Third-Party Risk Management | A Conversation with Laura Robinson | Redefining CyberSecurity Podcast with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Oct 24, 2023 36:04


Guest: Laura Robinson, ESAF Program Director at RSA Conference [@RSAConference]
On LinkedIn | https://www.linkedin.com/in/laurarobinsoninsight/
At RSA | https://www.rsaconference.com/experts/laura-robinson

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a

Episode Notes
In this episode of Redefining CyberSecurity Podcast, host Sean Martin engages in a conversation with Laura Robinson, the ESAF Program Director at RSA Conference, about the changing landscape of third-party risk management. They explore the need for organizations to shift their approach in assessing third-party risk and the limitations of relying solely on questionnaires. Laura emphasizes the importance of more detailed assessments and manageable requirements for suppliers.

The conversation touches on the significance of fostering a culture of security and collaboration between organizations and their third-party partners. They discuss the challenges faced by small businesses in meeting complex regulatory requirements and the difficulties in finding the right cybersecurity services and talent. The episode showcases case studies that highlight successful third-party risk management programs and their positive impact, including significant reductions in incidents and quantifiable risk reduction.

The discussion also delves into the potential benefits of standardization in the industry, such as shared assessments, resources, and frameworks such as NIST CSF and HITRUST. Sean and Laura underscore the importance of collaboration, community, and a change in mindset to effectively address third-party risk in the evolving cybersecurity landscape.

Throughout the conversation, practical insights and success stories are shared, providing listeners with a deeper understanding of the progress being made in third-party risk management while acknowledging that there is still work to be done. The episode offers a thoughtful exploration of the topic, focusing on the need for collaboration, cultural shifts, and the development of more effective assessment approaches in order to mitigate third-party risk effectively.

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

The CyberWire
Mirai hits the honeypots. Medical device telemetry attacked. More on infostealers in the C2C market. Third-party risk management practices. Cyber skills gaps in the UK. SiegedSec hits NATO sites

The CyberWire

Play Episode Listen Later Jul 27, 2023 28:35


The Mirai botnet afflicts Tomcat. CardioComm services are downed by cyberattack. Uptycs calls infostealers "organization killers" as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites.

On this first segment of Threat Vector, Michael "Siko" Sikorski, CTO & VP of Engineering for Unit 42, joins host David Moulton to discuss LLMs & AI and the impacts to expect on social engineering, phishing, and more.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/142

Threat Vector links: Palo Alto Networks Unit 42

Selected reading:
Tomcat Under Attack: Exploring Mirai Malware and Beyond (Aquasec)
CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services (TechCrunch)
Detecting the Silent Threat: 'Stealers are Organization Killers' (Uptycs)
Cyber security skills in the UK labour market 2023 (DSIT)
NATO investigates alleged data theft by SiegedSec hackers (BleepingComputer)
NATO investigating apparent breach of unclassified information sharing platform (CyberScoop)
SiegedSec Compromise NATO (Cyberint)