Asking Third-Party Vendors the 'Right' Questions
Schneider Electric Vice President Cassie Crossley Discusses Assessing Suppliers
Many of the cyber-related questionnaires that organizations ask their third parties to complete "are too broad" and not properly focused on questions related to the services or products being offered by that vendor, said Cassie Crossley, vice president of supply chain at Schneider Electric.
That mismatch ultimately does not help security teams get useful information, especially when dealing with smaller suppliers, she said.
For instance, organizations do not want to ask third-party cloud vendors questions that do not pertain to those vendors' environments, and at the same time, "you may have a physical cyber services supplier, and you don't want to ask them cloud questions," she said. "You have to know what you're buying to ask the right questions."
In this video interview with Information Security Media Group at RSA Conference 2023, Crossley also discusses:
- Upstream and downstream third-party risk concerns;
- Tools and templates to help assess software supply chain cybersecurity;
- Regulatory compliance issues involving suppliers.
Crossley works in the global cybersecurity and product security office at Schneider Electric. She has expertise in information technology and product development and has designed frameworks and operating models for end-to-end security in software development life cycles, third-party risk management, and cybersecurity governance and initiatives.