The New Era of Third-Party Risks

Trend Micro's Tom Kellermann on Mitigating Advanced Threats
Organizations face new cyber-risks from their third-party service providers. But standard contracts fail to cover these risks. Trend Micro's Tom Kellermann discusses the risk management essentials.

The threats are persistent, Kellermann says. If your own systems and applications are not exploited by an adversary, then one of your key service providers may be. What do you do then to ensure your security?

It's a new era of virtual supply chain risk, says Kellermann, vice president of cybersecurity at Trend Micro.

"You essentially enter into relationships with contracts that are merely service-level agreements that put limited liability on the part of the third party regardless of their reputation, with an over-reliance on encryption to protect you from the fact that they're probably being hunted and targeted by your adversaries so as to leapfrog or island-hop into you," Kellermann says. "I would challenge everyone to have this conversation with their general counsel. Take your general counsel to lunch. You need to evolve your contracts with these third parties to instill a modicum of security. The SAS 70 is not sufficient when dealing with this level of systemic risk."

In an interview conducted at Infosecurity Europe, Kellermann discusses:

  • The island-hopping and watering hole attacks against European organizations;
  • How to mitigate these evolving threats;
  • The impact of European privacy legislation on cybercrime.

Kellermann is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies, strategic partnerships and government affairs. He served as a commissioner on The Commission on Cyber Security for the 44th Presidency and serves on the board of the National Cyber Security Alliance, The International Cyber Security Protection Alliance and the National Board of Information Security Examiners Panel for Penetration Testing. He is a professor at American University's School of International Service and is a Certified Information Security Manager (CISM).
