#tpcrm

2026-01-09

Show me who your third parties are, and I'll show you how secure you are. #justsaying #tprm #tpcrm #cyber #security #risk #management

2025-12-02

If you are a CISO, a board member or an executive with responsibility over information security and compliance at an enterprise, stop and read this amazing article by CybersecurityHQ right now: newsletter.cybersecurityhq.com

It very clearly articulates the major challenges security programs are suffering from right now. My favorite quotes:

"Your third-party risk program is theater. Point-in-time questionnaires and annual SOC 2 reviews do not detect the vulnerabilities that matter. They exist to satisfy auditors, not to prevent breaches. The Salesloft-Drift attackers operated for six months before detection. Annual assessments would not have found them."

"Sixty percent of your breach exposure now sits in domains you depend on but cannot control. Your security program is optimized for the 15% you own."

"Your board does not understand the ecosystem it is accountable for. Only 17% of organizations report their leadership fully understands third-party cyber risks. The SEC is watching. Disclosure requirements are tightening. Fiduciary exposure is expanding. Ignorance is not a defense—it is a liability."

#tprm #tpcrm #cyber #security #enterprise #risk #management #grc

2025-02-24

The second episode of the Alice in Supply Chains podcast is out!

This is a podcast where @sawaba and I discuss what we consider some of the most important news related to Third-Party Cyber Risk Management from the previous month.

You can check it out on the major podcast platforms.

Youtube: youtube.com/watch?v=CMYDeb56FWs

Spotify: open.spotify.com/episode/7qPB7

Apple Music: podcasts.apple.com/br/podcast/

Amazon Music: music.amazon.com.br/podcasts/b

This is based on the longer monthly newsletter of the same name published by @TenchiSecurity on LinkedIn. You can find the latest edition at linkedin.com/pulse/issue-30-fe

#tprm #tpcrm #cyber #risk #compliance #management

2025-01-23

Happy to announce the launch of the Alice in Supply Chains #podcast, posted monthly, focusing on topical discussions on the top news relevant to Third-Party Cyber Risk Management.

"Plant a tree, have a child, and write a book. These all live on after us, insuring a measure of immortality." We all know that these days, the writing a book part would probably be replaced with "host a podcast".

Given that inevitability, I have finally decided to face my impostor syndrome and my non-native and accented English and give that a go. Standing on the shoulders of the collective effort we do at @TenchiSecurity on publishing high-quality content on Third-Party Cyber Risk Management in the Alice in Supply Chains newsletter, and counting on the vast experience and expertise of my good friend and co-host @sawaba.

Please check it out and let us know what you think; we are really at the beginning of the learning curve here and can use the feedback. Hope you like it!

Youtube: youtube.com/playlist?list=PL22

Spotify: open.spotify.com/episode/2GLA4

Amazon: music.amazon.com.br/podcasts/b

Apple: podcasts.apple.com/us/podcast/

If you haven't subscribed to the newsletter yet, you can do so now at podcasts.apple.com/us/podcast/

#tprm #tpcrm #cyber #security #risk #management

2024-12-05

My thoughts on the Blue Yonder incident and the value of Security Scoring, as a follow-up and reflection on the conversation @riskybusiness and @metlstorm had at the Risky Business podcast: youtube.com/watch?v=cstfm5FbRF #tprm #tpcrm #cyber #security #risk

Since I am unable to upload my video here, I'll add the LinkedIn post link: linkedin.com/posts/sieira_tprm

2024-11-26

Yet another reminder of the importance of Third-party Cyber Risk Management: cybersecuritynews.com/starbuck #tprm #tpcrm #cyber #security #risk #management

It is worth pointing out that there are no shortcuts on how to manage the security of third parties. Blue Yonder, the third party involved in this incident, boasts having SOC 2 Type II and ISO 27001 certifications. They surely answered all of the different self-assessment questionnaires they received to their customers' satisfaction. Their security ratings scores were certainly acceptable, if they were brought on as vendors.

And I know none of those things are strict guarantors of perfect security. Even companies that are mostly doing things well can be compromised. But at the same time, we need to wake up as an industry to the fact that the existing TPCRM practices are failing to protect us.

We need to work together to do better, go beyond the illusion of risk avoidance and risk transfer, and actually manage and mitigate third-party cyber risk.

2024-11-19

Wow, @TenchiSecurity 's monthly newsletter of curated Third-Party Cyber Risk Management news has reached 12,000 subscribers!

This is a low-volume, high-signal newsletter for the time-strapped risk manager, highlighting breaches, regulatory changes and more.

Issue 27 is out, check it out and let me know what you think! linkedin.com/pulse/issue-27-no #tprm #tpcrm #cyber #risk #compliance

2024-07-23

The #CFP for @TenchiSecurity 's #TPCRM #Conference is open! If you have experience to share in this field, either with technical insights, GRC or privacy expertise we'd love for you to apply to our call for papers!

We would love to have international speakers join us with an audience of some of the leading financial services, telecom and healthcare providers in Latin America for a content-focused discussion of Third-Party Cyber Risk Management in São Paulo, Brazil this November 5th.

You can apply now at docs.google.com/forms/d/e/1FAI

2024-05-28

We are back with our Issue #21: “Alice in Supply Chains Newsletter” - the most up-to-date content on third-party cyber risk management (TPCRM) curated by our team of experts.

In yet another packed edition, cloud issues are once again at the forefront. Our first headline this month is the Cyber Safety Review Board report on the breach that Microsoft (and, by extension, the US government) suffered last year when a Chinese threat actor gained access to cloud-hosted email accounts. Our second story is the Sisense breach, which has been oddly under-reported, in part due to how little information the company has decided to release publicly.

We also have our usual round-up of third-party breaches and government news, as well as some follow-ups on the ransomware attack against UnitedHealth Group and the XZ backdoor story (or, more generally, social engineering attacks against open-source project maintainers).

We hope you enjoy the read!

linkedin.com/pulse/issue-21-ma

#Cybersecurity #TPCRM

2024-05-07

I had a blast talking to @sawaba about Third-Party Cyber Risk Management at #RSAC2024 ! Check out the interview recording at youtube.com/watch?v=_g6zfDLA6l if you missed the live broadcast. #tprm #tpcrm #rsac

2024-02-01

Super happy about this milestone on the @TenchiSecurity journey! We just raised a $7MM Series A from Bradesco PE&VC, L4 Venture Builder and Accenture.

The company was on a solid financial footing, and did not need to raise a round. But we decided to anyway once we found investor partners who saw the value in what we are doing and bring much more than "just" capital, and will help us strategically in executing our thesis.

The additional funding will allow us to accelerate product development, sales and marketing. Our goal? To be a proudly Brazilian global cyber security player, and disrupt the Third Party Cyber Risk Management space.

Huge thanks to all the customers, partners and team members who put their trust in us. Rest assured we will continue working hard to exceed your expectations.

tenchisecurity.com/tenchi-secu

#tpcrm #cyber #security #startup #funding #round

2024-01-22

Interesting statistics related to Third Party Cyber Risk Management on the World Economic Forum's Global Cybersecurity Outlook 2024 report.

54% of organizations have insufficient visibility of the vulnerabilities of their supply chains, including 64% of executives who believe their own organizations meet their minimum resilience requirements.

To me this clearly shows just how big of a blind spot #TPCRM still is for most companies. After all, only companies that don't outsource any critical functions and don't give any third parties access to critical data could simultaneously believe that a) they meet their resilience requirements and b) they don't understand their third parties' vulnerabilities... and how many of those are out there? I have personally never bumped into any companies this vertically integrated, even in regulated markets.

The report also highlights the real impacts of neglecting this discipline. It claims 41% of companies that suffered a material impact from a cyberattack said it originated from a third party. This dovetails nicely with data we've seen elsewhere, including a figure that incidents originating at third parties were the leading source of cyber insurance claims in Q2 of last year.

You can read the full report here: weforum.org/publications/globa

This is why here at @TenchiSecurity we decided to tackle #TPCRM, which is gradually starting to get the visibility and prioritization it deserves. Get in touch if you want to learn more about how we are disrupting this market by going beyond risk reporting and focusing on risk reduction through a cooperative approach.

2023-12-28
2023-09-24

Your regular reminder that “independent” audits are not truly independent if the auditor is chosen and paid by the organization being audited.

Always comes to mind when thinking of third-party risk management processes that blindly accept certifications as a substitute for proper 1st party due diligence.

I mean, this level of mistake happens with some of the most reputable auditors in finance, where they can face serious consequences.

When was the last time you saw an ISO 27001 or SOC2 auditor be sanctioned for failing to conduct an assessment properly and causing harm to 1st parties that trusted their certifications? 🤔

#tprm #tpcrm #infosec #audit

news-sky-com.cdn.ampproject.or

2023-07-18

I'll be in Las Vegas for the security conferences as usual this year.

Hit me up if you want to talk about third party cyber risk management, cloud security, entrepreneurship or just about anything else related to information security.

#tprm #tpcrm #cloud #security #blackhat #defcon #bsides

2023-07-14

Issue #11 of Alice in Supply Chains, @TenchiSecurity 's monthly newsletter about the latest third-party cyber risk management news, is now available!

You can read it now at linkedin.com/pulse/issue-11-ju

#tprm #tpcrm #cybersecurity #news

2023-07-10

Thinking it might be a good idea for #TPCRM teams to ask third parties whether they have Internet-facing Fortinet or file transfer appliances (MOVEit, Accellion, etc.), and consider it a critical finding if they say yes.

crn.com/news/security/new-move

arstechnica.com/security/2023/

2023-06-20

Really like this article by @csoandy on the shortcomings of Third Party Cyber Risk Management in the wake of a big player in the industry pulling off a bad marketing stunt.

Please stop what you are doing and read it if you are in any way involved with this discipline.

The one thing I dare to add to Andy's beautifully written piece is that he mentions in passing that the scoring companies are producing risk scores. They are not. They are at best trying to create security posture scores.

A true risk score would take into account the probability and impact to the 1st party in case the 3rd party has a security incident.

This depends not only on the 3rd party's information security, but also on the nature of the relationship between the 1st and 3rd parties. Which business processes depend on the 3rd party and how critical are they? How much and what types of sensitive data is shared with the 3rd party?

This is where we should stop talking about bits and bytes, and start talking about the relevance of this company and relationship to the business. That's when we actually start talking about risk.

csoonline.com/article/3699433/ #tprm #tpcrm #security #risk

2023-06-13

Issue #10 of the @TenchiSecurity newsletter on Third Party Cyber Risk Management is now available!

This is ad-free and focused on curating news stories related to #TPRM and #TPCRM topics such as incidents, regulatory developments and more.

You can read it and subscribe to future issues at linkedin.com/pulse/issue-10-ju

2023-05-10

Had a wonderful time talking to Robert Martin from @mitrecorp about their new Supply Chain Security framework System of Trust (sot.mitre.org/).

I truly believe this has the potential of catching on in a big way with the risk management and #TPRM #TPCRM community, much the same way the ATT&CK framework caught on with the security monitoring and testing folks, and for the same reasons.

Watch it now at youtube.com/watch?v=Fpjq1FhNCe

Client Info

Server: https://mastodon.social