You Can't Control Everything in Your EnvironmentShared Service Connected's Bridget Kenyon on Balancing Risk of Using Third Parties
If you don’t understand the security practices of your third-party vendors, you don’t know where your risks are. A major problem with unmanaged or insufficiently managed third parties is that it creates a lack of understanding of liability, responsibility and accountability, said Bridget Kenyon, CISO of Shared Service Connected Ltd.
Understanding vendor risk is like peeling an onion. Your vendors also are using third parties, which may pose more risks. Some organizations may not have a choice about using certain vendors if they are mandated by regulations, needed to meet industry standards, or are wide-ranging software suppliers such as Microsoft. Kenyon advises clients to continuously attack third-party risks through red teaming, pen testing and bug bounties.
In this video interview with Information Security Media Group at Infosecurity Europe 2023, Kenyon discussed:
- The difficulties of achieving visibility of all code, plus alternatives to expensive code reviews;
- Human third-party risks such as untrained employees or someone with malicious intent accessing your system;
- AI risks, ethical controls, parameters and prejudices.
Kenyon is experienced in strategy, planning, managing staff, running security reviews, designing policy and handling security incidents. She is a fellow of the Chartered Institute of Information Security and has held senior roles in the industry including CISO, EMEA region, and information security programs leader at Thales Digital Identity and Security, Global CISO at Thales eSecurity and head of information security at UCL.