Asking Third-Party Vendors the 'Right' Questions
Schneider Electric Vice President Cassie Crossley Discusses Assessing Suppliers

Many of the cyber-related questionnaires that organizations ask their third parties to complete "are too broad" and not properly focused on questions related to the services or products being offered by that vendor, said Cassie Crossley, vice president of supply chain at Schneider Electric.
That mismatch ultimately does not help security teams get useful information, especially when dealing with smaller suppliers, she said.
For instance, organizations do not want to ask third-party cloud vendors questions that do not pertain to those vendors' environments, and at the same time, "you may have a physical cyber services supplier, and you don't want to ask them cloud questions," she said. "You have to know what you're buying to ask the right questions."
In this video interview with Information Security Media Group at RSA Conference 2023, Crossley also discusses:
- Upstream and downstream third-party risk concerns;
- Tools and templates to help assess software supply chain cybersecurity;
- Regulatory compliance issues involving suppliers.
Crossley works in the global cybersecurity and product security office at Schneider Electric. She has expertise in information technology and product development and has designed frameworks and operating models for end-to-end security in software development life cycles, third-party risk management, and cybersecurity governance and initiatives.