Asking Third-Party Vendors the 'Right' Questions

Schneider Electric Vice President Cassie Crossley Discusses Assessing Suppliers
Cassie Crossley, vice president, supply chain security, Schneider Electric

Many of the cyber-related questionnaires that organizations ask their third parties to complete "are too broad" and not properly focused on questions related to the services or products being offered by that vendor, said Cassie Crossley, vice president of supply chain at Schneider Electric.

That mismatch ultimately does not help security teams get useful information, especially when dealing with smaller suppliers, she said.

For instance, organizations do not want to ask third-party cloud vendors questions that do not pertain to those vendors' environments, and at the same time, "you may have a physical cyber services supplier, and you don't want to ask them cloud questions," she said. "You have to know what you're buying to ask the right questions."

In this video interview with Information Security Media Group at RSA Conference 2023, Crossley also discusses:

  • Upstream and downstream third-party risk concerns;
  • Tools and templates to help assess software supply chain cybersecurity;
  • Regulatory compliance issues involving suppliers.

Crossley works in the global cybersecurity and product security office at Schneider Electric. She has expertise in information technology and product development and has designed frameworks and operating models for end-to-end security in software development life cycles, third-party risk management, and cybersecurity governance and initiatives.


About the Author

Rahul Neel Mani

Founding Director of Grey Head Media and Vice President of Community Engagement and Editorial, ISMG

Neel Mani is responsible for building and nurturing communities in both technology and security domains for various ISMG brands. He has more than 25 years of experience in B2B technology and telecom journalism and has worked in various leadership editorial roles in the past, including incubating and successfully running Grey Head Media for 11 years. Prior to starting Grey Head Media, he worked with 9.9 Media, IDG India and Indian Express.



