Reducing Risk by Breaking Down Supply Chain Siloes
Security Leader Matt Marciniak on Rethinking Risk and Increasing Resiliency
Supply chains for large organizations are complex and highly siloed, and hidden security risks can originate from potentially dozens of places. That is why an enterprisewide risk management program framework is essential to managing multiple vendors, says information security manager Matt Marciniak of financial services organization Quantile.
"It is not feasible for us to go on-site to every vendor and physically audit them … but supply chain risk is one of the risks we should not be managing in a silo," Marciniak says.
Marciniak recommends adopting an "agile" approach to third-party risk management. Organizations must move quickly to stay ahead of new cyberattacks and keep up with the vendor security landscape, which is "changing quite frequently."
Instead of sending vendors 200 or 300 questions, Marciniak advises cybersecurity risk executives to focus on the 50 most important questions about an incident so they can "quickly identify what actions to be taken."
In this audio interview with Information Security Media Group, Marciniak discusses:
- How to assess supply chain security;
- Tools and processes to monitor and manage third parties and their services;
- How to measure the risk of a vendor or partner that is compromised.
Marciniak is responsible for defining and implementing the security strategy and roadmap at Quantile. He previously served as head of attack surface reduction for Santander U.K., where he was pivotal in tactically addressing the growing risk of ransomware. He strongly believes in a practical risk management approach focusing on architecture and governance fundamentals as the bedrock of an effective security program.