
Building a Successful Third Party Risk Management Program for a Modern World

The challenges organizations face today are more complex than in the past. A global health crisis, an unstable economy and shifting business risks and opportunities make decision making difficult. These pressures, coupled with ever-evolving compliance rules and regulations, make running a successful Third Party Risk Management Program challenging.

Throughout this webinar, our speakers - Optiv’s Director of Security Operations, Chad Peterson, along with SecurityScorecard’s Lead Systems Engineer, Matt Barth - will discuss:
- Strategies for assessing your high-priority vendors accurately and efficiently.
- Best practices for building a Third Party Risk Management Program that is efficient today and scales using automation and technology.
- Why going beyond questionnaires and risk scores, and adding a human element to the relationship with third-party vendors, builds a foundation for a program that is equipped for the future.
Recorded Jul 16 2020 50 mins
Presented by
Chad A. Peterson - Director, Security Operations at Optiv Security & Matthew Barth, Senior Sales Engineer at SecurityScorecard
  • Transforming Enterprise Cloud Security to Supercharge Developer Velocity Nov 19 2021 5:00 pm UTC 60 mins
    Josh Stella, CEO and Co-Founder, Fugue, and Rajat Sharma, Co-Founder, CWS
    Security has become the rate-limiting factor for how fast software development teams can go in the cloud. Security reviews, remediations, and audits soak up valuable engineering resources and steal away the speed and agility that the cloud promises.

    That's because cloud security is still laden with inefficient and ineffective manual processes. With automation using Policy as Code, enterprises can instead create a security-first culture that collapses the time and investment required to deliver secure infrastructure and applications.

    In this session, Josh Stella (Founder, Fugue) and Rajat Sharma (Founder, CWS) will outline why cloud security isn't the same as datacenter security—it's about tuning your processes with policy-based automation rather than intrusion detection or network monitoring.

    Attendees will walk away with actionable insights and strategies on:

    * Assessing your current cloud security posture and developing a prioritized roadmap to bring your environment into compliance
    * Implementing automation using Policy as Code to build security into every aspect of cloud operations, from design to production
    * Empowering developers with tools that help them find and fix issues in infrastructure as code, when making changes is easier and faster
    * Putting guardrails in place that prevent dangerous misconfiguration vulnerabilities without slowing anyone down
    * Creating security awareness within your cloud engineering team to avoid costly technical debt and significant remediations

    If it takes your organization months to deploy new environments and weeks to update them because of security, this session is for you.
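    The "guardrails" the session describes are policies evaluated against infrastructure as code before anything is deployed. The following is an added example, not code from Fugue, CWS or the webinar: a small policy-as-code check run over a constructed, simplified stand-in for a Terraform JSON plan. The plan shape, resource types and the three policies (no SSH/RDP open to the world, S3 buckets encrypted, no public ACLs) are assumptions chosen to show the pattern, not a recommended baseline.

```python
"""Policy-as-code guardrail evaluated against an infrastructure-as-code plan.

Added illustrative example, not code from Fugue, CWS, or this webinar. The
plan below is a constructed, simplified stand-in for a Terraform JSON plan
(`resource_changes[*].change.after`), and the three policies are assumptions
chosen to show the shape of such a check rather than a recommended baseline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

ADMIN_PORTS = (22, 3389)            # SSH and RDP
Check = Callable[[str, dict], Optional[str]]


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; malformed CIDRs are not treated as open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def sg_no_world_admin(addr: str, after: dict) -> Optional[str]:
    """Deny any ingress rule that exposes SSH or RDP to the whole internet."""
    for rule in after.get("ingress", []):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        world = [c for c in rule.get("cidr_blocks", []) if _is_world(c)]
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"{addr}: ports {lo}-{hi} open to {world}"
    return None


def s3_encrypted(addr: str, after: dict) -> Optional[str]:
    """Require a server-side encryption configuration on every bucket."""
    if not after.get("server_side_encryption_configuration"):
        return f"{addr}: no server-side encryption configured"
    return None


def s3_not_public(addr: str, after: dict) -> Optional[str]:
    """Deny public-read / public-read-write ACLs."""
    acl = after.get("acl", "private")
    return f"{addr}: public ACL {acl!r}" if acl.startswith("public") else None


POLICIES: Dict[str, List[Check]] = {
    "aws_security_group": [sg_no_world_admin],
    "aws_s3_bucket": [s3_encrypted, s3_not_public],
}


def evaluate(plan: dict) -> List[str]:
    """Return one message per violated policy; an empty list means the plan passes."""
    violations: List[str] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue                      # nothing exists after apply, nothing to police
        after = change.get("after") or {}
        for check in POLICIES.get(rc.get("type", ""), []):
            msg = check(rc["address"], after)
            if msg:
                violations.append(msg)
    return violations


# Constructed sample plan: one bad security group, one bad bucket, one good bucket,
# and one deletion that must be ignored.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "change": {"actions": ["update"], "after": {
             "acl": "private",
             "server_side_encryption_configuration": [{"rule": [{"sse_algorithm": "AES256"}]}]}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    for v in found:
        print("DENY", v)
    raise SystemExit(1 if found else 0)   # non-zero exit fails the pipeline stage
```

    Run against the sample plan it reports three denials (the world-open bastion rule, and the unencrypted, public-read logs bucket) and exits non-zero, which is the hook a CI stage needs to block the apply. The deleted bucket is skipped deliberately: policies describe the state that will exist after apply, and a resource being removed has none.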
  • Why Collecting the Right Metadata is Crucial for Scaling a Security Program Nov 18 2021 5:00 pm UTC 60 mins
    Gurneet Kaur, Engineer, Cloud OpSec Team
    At Adobe, security is a critical priority for us and we believe in defense-in-depth, which begins with monitoring — from collecting event logs and configuration data made available by public cloud providers to logs from EDR systems and vulnerability scanning pipelines. These logs are centrally collected and analyzed by the Adobe security organization using SIEM tools in order to proactively identify potential vulnerabilities or misconfigurations and generate action items (in the form of conveniently trackable tickets) for product teams.

    But to do this effectively, it is important to identify who owns a particular set of resources. In an organization with thousands of services and developers, this is not a simple task. Unassigned or misassigned tickets can delay resolution of security issues and increase exposure to malicious attacks.

    So how do we bridge this gap between visibility (using monitoring tools to detect potential risks at the infrastructure layer) and accountability (assigning and remediating these issues in a timely manner)? Join Gurneet Kaur from the Adobe Operational Security (OpSec) team as she talks about this project, lessons learned, and offers best practice suggestions on how you can implement a similar program to help better scale your own security program for cloud operations.
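    The gap between a SIEM finding and a ticket someone will actually work is the owner lookup. The following is an added example, not Adobe's code: it routes constructed findings to an owning team through a precedence chain (resource owner tag, then service tag resolved via a registry, then an account-level default, else a triage queue) and treats a tag that names an unknown team as a misassignment to be surfaced rather than a silent miss. The tag names, team registry, accounts and findings are all constructed assumptions.

```python
"""Route SIEM findings to resource owners using collected metadata.

Added illustrative example; it is not Adobe's code, and the tag names, team
registry and findings below are constructed assumptions. It shows the
precedence chain that turns visibility into accountability: resource owner
tag -> service tag via a registry -> account default -> triage queue, with
stale or unknown owners detected rather than silently mis-routed.
"""
from typing import Dict, List, Optional, Tuple

# Assumed metadata sources (constructed).
TEAM_QUEUES = {"team-payments": "PAY", "team-platform": "PLAT"}      # team -> ticket queue
SERVICE_OWNERS = {"checkout-api": "team-payments", "build-runner": "team-platform"}
ACCOUNT_DEFAULTS = {"111111111111": "team-platform"}                 # account -> fallback team
TRIAGE_QUEUE = "SEC-TRIAGE"                                          # humans sort these out

INVENTORY: Dict[str, dict] = {
    "i-0001": {"account": "111111111111", "tags": {"owner": "team-payments"}},
    "i-0002": {"account": "111111111111", "tags": {"service": "build-runner"}},
    "i-0003": {"account": "111111111111", "tags": {"owner": "team-retired"}},   # stale tag
    "i-0004": {"account": "222222222222", "tags": {}},                           # no metadata at all
}

FINDINGS = [   # constructed; the titles are only labels
    {"id": "F-1", "resource": "i-0001", "title": "instance metadata service v1 still enabled"},
    {"id": "F-2", "resource": "i-0002", "title": "endpoint agent not reporting"},
    {"id": "F-3", "resource": "i-0003", "title": "security group allows 0.0.0.0/0 on 3389"},
    {"id": "F-4", "resource": "i-0004", "title": "unencrypted volume"},
    {"id": "F-5", "resource": "i-9999", "title": "orphaned public IP"},        # not in inventory
]


def resolve_owner(resource_id: str) -> Tuple[Optional[str], str]:
    """Return (team or None, reason) following the precedence chain."""
    res = INVENTORY.get(resource_id)
    if res is None:
        return None, "resource not in inventory"
    tags = res.get("tags", {})
    notes: List[str] = []

    owner = tags.get("owner")
    if owner in TEAM_QUEUES:
        return owner, "owner tag"
    if owner:
        notes.append(f"owner tag {owner!r} is not a known team")   # misassignment, not silence

    service = tags.get("service")
    if service in SERVICE_OWNERS:
        return SERVICE_OWNERS[service], "; ".join(notes + ["service tag via registry"])

    default = ACCOUNT_DEFAULTS.get(res.get("account", ""))
    if default:
        return default, "; ".join(notes + ["account default"])
    return None, "; ".join(notes + ["no owner metadata"])


def route(finding: dict) -> dict:
    """Attach the owning team and destination queue to one finding."""
    owner, reason = resolve_owner(finding["resource"])
    return {"finding": finding["id"], "owner": owner,
            "queue": TEAM_QUEUES.get(owner, TRIAGE_QUEUE), "reason": reason}


def route_all(findings: List[dict]) -> List[dict]:
    return [route(f) for f in findings]


def metadata_gaps() -> List[str]:
    """Resources whose owner cannot be resolved: the tagging backlog to fix first."""
    return [rid for rid in INVENTORY if resolve_owner(rid)[0] is None]


if __name__ == "__main__":
    for r in route_all(FINDINGS):
        print(f"{r['finding']}: queue={r['queue']} owner={r['owner']} ({r['reason']})")
    print("resources needing owner metadata:", metadata_gaps())
```

    The reason string travels with the ticket, so a team that receives a finding via the account default can see that a stale owner tag caused it and fix the metadata, and `metadata_gaps()` gives the OpSec team the list of resources that will keep landing in triage until someone tags them.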
  • Standardize Identity Security: From On-Prem to Multi-Cloud Nov 16 2021 5:00 pm UTC 60 mins
    David Higgins, EMEA Technical Director, and Chris Maroun, Senior Director, Global Technology Office, CyberArk
    Modern organizations face an exponentially complex identity landscape – cloud migrations, remote work, and rapidly evolving security and compliance philosophies are creating a proliferation of identities across on-premises and multi-cloud environments.

    Standardization is the key to security at scale. By unifying Identity Security controls across siloed environments and risk boundaries, organizations can establish equally dynamic security processes that scale and continuously improve to meet the complex needs of their end users.

    Join the Directors of CyberArk’s Global Technology Office, David Higgins and Chris Maroun, for a discussion on establishing consistent controls at enterprise scale.

    Key topics will include:

    ● Reducing risk of data loss and leakage
    ● Standardizing and securing access for all hybrid and multi-cloud identities
    ● Least privilege access and Just-in-Time workflows
    ● Simplifying secrets management and secure application development
    ● Monitoring and auditing cloud operations.
  • Hybrid Cloud Security: Risks & Mitigation Nov 11 2021 8:15 am UTC 45 mins
    Ricson Singson QUE, Welland CHU, Jason BRASILENO, Mark FROGOSO, Narudom ROONGSIRIWONG
    Panel Discussion

    Timothy Grance (NIST) has shared that no hybrid cloud existed when he co-authored the landmark NIST definition of the different cloud models, and that he never expected hybrid clouds to become so pervasive and popular. This panel of experts will address the following questions: What are the differences between hybrid and multi-clouds? What are the risks in a hybrid cloud environment compared to on-premises, and how does one go about mitigating each of them? How does one assess the effectiveness of these mitigation measures? And finally, how would these mitigation measures benefit organizations and businesses?

    MODERATOR: Ricson Singson QUE (VP, Education, CSA Philippines Chapter)

    - Welland CHU (Director, Business Development, APAC, Thales Group, CPL)
    - Jason BRASILENO (VP - Head for Business & Enterprise Risk (Philippines), Lazada)
    - Mark FROGOSO (CISO, GCash, Mynt)
    - Narudom ROONGSIRIWONG (SVP, Senior Cloud Architect, Digital Innovation and Data Group, Bank of Ayudhya PCL)
  • Mitigation Measures for Risks, Threats & Vulnerabilities in Hybrid Cloud Nov 11 2021 7:30 am UTC 30 mins
    Feng ZOU (Director, Cybersecurity Planning and Compliance, Huawei & Co-chair, Hybrid Cloud Security WG, CSA)
    Hybrid clouds are often the starting point for organizations on their cloud journey. Any cloud model, however, carries risks, threats, and vulnerabilities. Earlier this year, the Hybrid Cloud Security Working Group examined those of the hybrid cloud model in its Hybrid Clouds and Its Associated Risks white paper. Having catalogued them, the next critical step is identifying adequate mitigation controls. This presentation will cover countermeasures organizations can implement to improve hybrid cloud risk management and cybersecurity practices.
  • Introduction to the Cloud Controls Matrix v4.0 Nov 11 2021 6:45 am UTC 30 mins
    Lefteris SKOUTARIS (Program Manager, CSA)
    The presentation provides a synopsis of the latest release of the Cloud Controls Matrix, version 4.0, a closer look at its development and new components, the current activities of the CCM working group (ongoing, published and future work), and finally an update on CSA's STAR program and its transition policy from CCM v3.0.1 to CCM v4.0.
  • Securing the Cloud via CCSK Nov 11 2021 6:15 am UTC 15 mins
    Ekta MISHRA (Country Manager India, CSA)
    As organizations migrate to the cloud, they need information security professionals who are cloud-savvy. The Certificate of Cloud Security Knowledge (CCSK) is widely recognized as the standard of expertise and provides an individual with the foundation they need to secure data in the cloud. Learn how CCSK can bridge the gap and provide an important first step in establishing baseline knowledge for individuals in cloud security.
  • The Future of Cloud & Cybersecurity in 2040 Nov 11 2021 5:30 am UTC 30 mins
    Debashish JYOTIPRAKASH (VP Asia, Qualys)

    Self-healing is already happening, so by 2040 we will be talking about self-thinking, sentient and even self-coding systems in cyber. Days will still be 24 hours long, but the productivity and efficiency drawn from those 24 hours will have grown many times over. You will be able to do more with less.

    Today it's Industry 4.0, and we are marching to 5.0 by 2030 and 6.0 early in the following decade. Industry 5.0 refers to people working alongside robots and smart machines: robots helping humans work better and faster by leveraging advanced technologies. While the cloud will make this revolution possible, highly integrated systems will become vulnerable to systemic risks such as total collapse. Hyper-connectivity creates new social and political structures which, if left unchecked, might lead to authoritarian governance. Cybersecurity will evolve at a similar scale to tackle things like a FireSale in cyber.
  • Let's talk about ABC: Assume Nothing, Believe Nobody, Check Everything Nov 11 2021 4:30 am UTC 45 mins
    Gonz GONZALES, Ian LIM, Drexx LAGGUI, Roleen Del PRADO
    Panel Discussion

    For many people, Zero Trust spells the end of an era – the end of the perimeter defence. McKinnon said: "It’s a failure of the paradigm that you can have a gate and castle wall and everything on the inside is fine".

    MODERATOR: Gonz GONZALES (VP, Governance, CSA Philippines Chapter)

    - Ian LIM (Field Chief Security Officer, Palo Alto Networks)
    - Drexx LAGGUI (Principal Consultant, Laggui & Associates, Inc.)
    - Roleen Del PRADO (Head, Cyber & Information Security, DITO Telecommunity Corporation)
  • Myths and Best Practices of Security by Design Nov 11 2021 3:45 am UTC 30 mins
    Mel T. MIGRINO (VP and Group CISO, Meralco)
    As the new normal continues to take shape, organizations are moving rapidly to the cloud to achieve business agility and resilience. Too often, though, cloud migration and cybersecurity are pursued as separate efforts. A shift-left approach is therefore crucial: implement security measures across the entire development lifecycle. Shifting left means adopting security-by-design principles with security best practices built in, so that issues and vulnerabilities are detected and addressed at the earliest stages of the development cycle.
  • Why We Need to Secure the Cloud & the Enterprise Nov 11 2021 3:00 am UTC 30 mins
    Donald Patrick L. LIM (COO , DITO CME & CIO, Udenna Corp)
    CSA PH Summit 2021
  • Securing the Cloud: It All Starts with Identities Nov 11 2021 2:15 am UTC 30 mins
    Josiah WINSTON (Regional Solution Architect, ASEAN, CyberArk)

    As organizations increasingly pursue cloud or multi-cloud strategies, they face the challenge of achieving consistent security controls across each cloud platform’s distinct entitlements paradigm. Additionally, the rapid increase in the number and complexity of identities organizations must manage as they expand in the cloud lends extra urgency to securing access. In this session, we will dive into cloud identities and how securing them can help organizations achieve cloud security.
  • Data Provenance and Cloud Security: Challenges & Opportunities Nov 11 2021 1:30 am UTC 30 mins
    Prof. Ryan KO (Chair & Director, UQ Cyber Security, University of Queensland, Australia)

    At the heart of all cyber and cloud security attribution challenges is the problem of data provenance tracking and its reconstruction. In this talk, I will cover past, present and developing provenance research in computer science, and its relation and usefulness to accountability, traceability, trust, forensics and proactive cloud and cyber security. It will feature some of the cloud data provenance research I have conducted over the past decade, discuss unsolved (or seemingly unsolvable) problems, and cover some of the recent developments in academia, industry, and international standards.
  • Welcome Remarks, Welcome Address & Opening Address Nov 11 2021 1:00 am UTC 30 mins
    Dr. Hing-Yan LEE, Don SACAMOS & Jim REAVIS
    Welcome Remarks
    ​Dr. Hing-Yan LEE (EVP APAC, CSA)

    Welcome Address
    Don SACAMOS (President, CSA Philippines Chapter)

    Opening Address
    Jim REAVIS (Co-Founder & CEO, CSA)
  • Can security and usability co-exist in a remote working environment? Nov 10 2021 6:00 pm UTC 60 mins
    Michael Covington, VP of Product Strategy, Wandera
    Now that we’ve settled into the rhythm of remote working, companies need to transition from the bootstrapped survival plans that were implemented back in 2020 to mature(r) remote working strategies.

    The early gripes of remote working such as an improper desk setup, disconnect after disconnect from the corporate VPN or multiple 2FA prompts throughout the day may have been tolerable initially, but cannot persist in the long term.

    IT teams are now charged with provisioning technologies to eliminate productivity drain and enable employees to work effectively wherever they are. While business growth hinges on employee productivity, IT professionals will undoubtedly be mindful of the security-usability tradeoff.

    Users need to be granted an appropriate level of access without making authentication arduous. Devices need to be thoroughly analyzed for threats and vulnerabilities regardless of ownership and management status. Access to corporate applications needs to be brokered whether they are hosted on-premises or in the cloud.

    In our upcoming session, we’ll discuss how to balance security and usability in the context of remote working:
    Usability: employees shouldn't have to worry about how they're going to get their work done; it should be as simple as flipping open a laptop and logging on. We'll discuss how a software-defined perimeter (SDP) can eliminate the productivity problems associated with remote working without compromising security.

    Performance: an architecture that scales and adapts to the growing needs of your business is important for manageability. We’ll go over how an SDP reduces the management burden of traditional access technologies while eliminating the need to adopt point solutions to deal with niche security use cases.

    Privacy: employees are more mindful of the blur between work and personal lives, mainly because there hasn’t been a division for the past two years. How can IT teams overcome the privacy concerns of employees while making sure that they have the needed observability?
  • Anatomy of a cloud breach: how to harden your cloud against attack Nov 9 2021 6:00 pm UTC 60 mins
    Fred Meek, Enterprise Solutions Engineering Manager, Wiz
    Security breaches in the cloud usually don’t exploit a single misconfiguration or vulnerability but rather a toxic combination of multiple issues that in isolation wouldn’t raise a red flag given the abundance of alerts that teams get. In this webinar, we’ll discuss how to look for these toxic combinations across internet exposure, identities and entitlements, software vulnerabilities, and misconfigurations that when combined together make your cloud susceptible to a breach.
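    Finding a "toxic combination" is a join across data sources that are usually reported separately. The following is an added example, not Wiz's code: over a constructed inventory of workloads, a small role-assumption graph and placeholder vulnerability entries (not real CVE identifiers), it flags a workload only when internet exposure, a critical exploitable vulnerability and a path to sensitive permissions all meet on the same asset, and shows that every workload in the sample has at least one issue on its own while only one is an actual breach path. The sensitive-action set and the CVSS threshold are assumptions.

```python
"""Find "toxic combinations" across exposure, identity and vulnerabilities.

Added illustrative example; not Wiz's code. The inventory is constructed and
the vulnerability names are placeholders, not real CVE identifiers. A workload
is flagged only when three independently tolerable facts line up: it is
reachable from the internet, it has a critical exploitable vulnerability, and
the identity attached to it can reach sensitive actions directly or through
role assumption.
"""
from typing import Dict, List, Optional, Set

SENSITIVE_ACTIONS = {"iam:*", "s3:*", "secretsmanager:GetSecretValue"}   # assumed "crown jewels"
CRITICAL_CVSS = 9.0                                                      # assumed threshold

# Constructed inventory: roles form a small graph through `assumes`.
ROLES: Dict[str, dict] = {
    "role-web":   {"actions": {"s3:GetObject"},   "assumes": set()},
    "role-ci":    {"actions": {"sts:AssumeRole"}, "assumes": {"role-admin"}},
    "role-admin": {"actions": {"iam:*"},          "assumes": set()},
}
WORKLOADS: List[dict] = [
    {"id": "web-1",  "public": True,  "ports": [443],  "role": "role-web",
     "vulns": [{"name": "demo-rce-1", "cvss": 9.8, "exploitable": True}]},
    {"id": "ci-1",   "public": True,  "ports": [8080], "role": "role-ci",
     "vulns": [{"name": "demo-rce-2", "cvss": 9.8, "exploitable": True}]},
    {"id": "db-1",   "public": False, "ports": [5432], "role": "role-admin",
     "vulns": [{"name": "demo-rce-3", "cvss": 9.1, "exploitable": True}]},
    {"id": "jump-1", "public": True,  "ports": [22],   "role": "role-admin", "vulns": []},
]


def reachable_actions(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Actions a role holds directly plus those of every role it can assume (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    acts = set(ROLES[role]["actions"])
    for nxt in ROLES[role]["assumes"]:
        acts |= reachable_actions(nxt, seen)
    return acts


def issues(w: dict) -> Dict[str, str]:
    """Each issue on its own, the way a single-purpose scanner would report it."""
    found: Dict[str, str] = {}
    if w["public"] and w["ports"]:
        found["exposure"] = f"internet-facing on {w['ports']}"
    crit = [v for v in w["vulns"] if v["cvss"] >= CRITICAL_CVSS and v["exploitable"]]
    if crit:
        found["vuln"] = ", ".join(f"{v['name']} (cvss {v['cvss']})" for v in crit)
    sens = reachable_actions(w["role"]) & SENSITIVE_ACTIONS
    if sens:
        found["blast_radius"] = f"{w['role']} reaches {sorted(sens)}"
    return found


def toxic_combinations(workloads: List[dict]) -> List[dict]:
    """Only the intersection of all three issue classes is treated as a breach path."""
    out = []
    for w in workloads:
        i = issues(w)
        if {"exposure", "vuln", "blast_radius"} <= set(i):
            out.append({"workload": w["id"],
                        "chain": [i["exposure"], i["vuln"], i["blast_radius"]]})
    return out


if __name__ == "__main__":
    noisy = sum(1 for w in WORKLOADS if issues(w))      # what raw alert volume looks like
    print(f"{noisy} of {len(WORKLOADS)} workloads have at least one issue")
    for t in toxic_combinations(WORKLOADS):
        print("TOXIC", t["workload"], " -> ".join(t["chain"]))
```

    On the sample data all four workloads raise something, but only `ci-1` is flagged: it is exposed, carries an exploitable critical vulnerability, and its role can assume `role-admin`, which holds `iam:*`. The public web server with the same vulnerability is not flagged because its role reaches nothing sensitive, and the admin-role database is not flagged because it is not reachable from the internet; the one-hop assumption edge is what a flat permissions listing would miss.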
  • Automating and Orchestrating the Top 3 Cloud Security Use Cases Nov 8 2021 6:00 pm UTC 60 mins
    Harrison Parker, Senior Solutions Architect, Siemplify
    As security operations teams manage rapidly evolving and increasingly complex cloud infrastructures, there is more need than ever to reduce an organization's attack surface, increase speed and reliability by automating as many processes as possible, and bridge the gap between on-premises and cloud security.

    Security orchestration, automation and response (SOAR) platforms can help streamline detection and response workflows with repeatable and custom dynamic playbooks for a litany of cloud-related security alerts.

    In this webinar, we'll cover how you can address the following three cloud security use cases:
    - Automatically responding to compromised developer accounts and data exfiltration in multi-cloud applications.
    - Detecting and remediating hybrid malware delivered via novel file-synchronization attack vectors.
    - Systematically investigating and patching cloud vulnerabilities and misconfigurations.
  • Key Considerations to Get Buy-in for a SaaS Data Security Program Nov 3 2021 4:00 pm UTC 60 mins
    Izak Mutlu, former CISO, Salesforce and Arnaud Treps, CISO, Odaseva
    Despite increased calls to action from cloud experts, many IT leaders still believe SaaS data security is not their responsibility. A recent study by analyst firm ESG found that more than a third of IT leaders rely solely on the SaaS application to protect their data. Meanwhile, security threats are becoming bolder and more advanced, and they target SaaS applications too. While SaaS vendors' security efforts do relieve customers of some concerns, a SaaS data security program remains a must-have to avoid breaches that could result from user error, misconfiguration, technical issues, bugs in custom code, or even an advanced attack on the SaaS vendor itself.

    But first, you need buy-in from Security, IT, Legal & Compliance stakeholders. This webinar will feature SaaS data security experts Izak Mutlu, former CISO of Salesforce, and Arnaud Treps, CISO of Odaseva, breaking down key considerations security professionals can use to reinforce the need for SaaS security with their colleagues.

    Join this webinar to learn about the top considerations to get buy-in for a SaaS data security program which include:
    - Why typical SaaS security controls like MFA are not silver bullets
    - Why SaaS platforms are the ideal target for motivated hackers
    - Why SaaS data is much harder to restore in the event of a data loss
    - Why customers remain accountable for regulatory compliance
  • Are we losing or gaining control of SaaS Data Access? Nov 2 2021 4:00 pm UTC 60 mins
    Justin Somaini, Chief Security Officer, Unity, and Adam Gavish, CEO, DoControl
    Organizations use SaaS apps to drive business enablements across all departments and workforce. Collaboration with 3rd party vendors, customers, and partners over SaaS data is the new normal - and we just love it when things get done quickly right?

    This poses two threats for security practitioners:

    1. Insider threats
    • Departing employees share SaaS data with their personal accounts, which not only exfiltrates company data but adds risk, because personal accounts in most cases have no multi-factor authentication set up
    • Employees over-expose sensitive data internally (finance and engineering can read each other's information)
    • Sensitive data is shared with the wrong 3rd party

    2. External threats
    • 3rd party collaborators keep access to your company data forever
    • Your vendors share your company data with their own vendors, who have never gone through a 3rd party risk assessment by you
    • 3rd party collaborators access your company data from personal accounts, which in most cases have no multi-factor authentication set up

    This is a candid discussion of the threat models above and beyond them. Our goal is to raise awareness of what's going on, suggest industry best practices and share "war stories", so that you walk away with better knowledge and tools to remediate such risks in your organization.
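    Most of the threats listed above are visible in the sharing records a SaaS platform already keeps; what is missing is someone reading them against a policy. The following is an added example, not DoControl's or Unity's code: it audits constructed share records for three of the signals named above, sharing to a personal (consumer-mail) account, external access left open with no expiry, and anyone-with-the-link sharing. The corporate domain, the consumer-domain list, the 90-day threshold and the records themselves are assumptions; a real export from a drive or collaboration suite carries more fields but the same three facts.

```python
"""Audit SaaS file-sharing records for personal-account, stale and link sharing.

Added illustrative example; not DoControl's or Unity's code. The share records,
the corporate domain and the thresholds are constructed assumptions. Real SaaS
audit logs carry more fields but the same signals used here: who the recipient
is, whether access expires, and how long it has been open.
"""
from datetime import date
from typing import List, Optional

CORP_DOMAIN = "corp.example"                                                # assumed
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}  # assumed personal-mail list
STALE_AFTER_DAYS = 90                                                       # assumed policy

# Constructed share records. "anyone-with-link" stands for a public link grant.
SHARES = [
    {"file": "Q3-forecast.xlsx", "owner": "ana@corp.example", "to": "ana.home@gmail.com",
     "shared_on": date(2021, 6, 1),   "expires": None},
    {"file": "arch-review.pdf",  "owner": "bo@corp.example",  "to": "lee@vendor.example",
     "shared_on": date(2021, 3, 15),  "expires": None},
    {"file": "soc2-report.pdf",  "owner": "cy@corp.example",  "to": "auditor@audit.example",
     "shared_on": date(2021, 10, 20), "expires": date(2021, 12, 31)},
    {"file": "lunch-menu.pdf",   "owner": "di@corp.example",  "to": "eve@corp.example",
     "shared_on": date(2021, 11, 1),  "expires": None},
    {"file": "payroll.csv",      "owner": "fi@corp.example",  "to": "anyone-with-link",
     "shared_on": date(2021, 10, 30), "expires": None},
]


def _domain(addr: str) -> Optional[str]:
    """Mail domain of a recipient, or None for a link grant that has no recipient."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def classify(share: dict, today: date) -> List[str]:
    """Return the policy violations for one share record (empty list = fine)."""
    hits: List[str] = []
    dom = _domain(share["to"])
    if dom is None:
        hits.append("link-sharing: anyone with the link can read")
        return hits
    if dom == CORP_DOMAIN:
        return hits                                   # internal share, out of scope here
    if dom in CONSUMER_DOMAINS:
        hits.append(f"personal account: {share['to']}")
    age = (today - share["shared_on"]).days
    if share["expires"] is None and age > STALE_AFTER_DAYS:
        hits.append(f"external access open {age} days with no expiry")
    return hits


def audit(shares: List[dict], today: date) -> List[dict]:
    """All records with at least one finding, keeping the owner to route the follow-up to."""
    out = []
    for s in shares:
        findings = classify(s, today)
        if findings:
            out.append({"file": s["file"], "owner": s["owner"], "findings": findings})
    return out


if __name__ == "__main__":
    for r in audit(SHARES, date(2021, 11, 2)):
        print(r["file"], "<-", r["owner"], ":", "; ".join(r["findings"]))
```

    Run as of 2 November 2021 it flags three of the five records: the forecast shared to a Gmail address (personal account, and 154 days open with no expiry), the architecture review a vendor has held for 232 days, and the payroll file behind a public link. The audit report with an expiry date is left alone, as is the internal share. The owner is carried on every finding because the fix (revoking or time-boxing the grant) belongs to the person who made it.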
  • Impact of Digital Transformation on Security Strategy Oct 28 2021 5:00 pm UTC 60 mins
    Jason Hicks, Coalfire, Jerome Bell, IBM Cloud, James Carder, LogRhythm, and Elad Yoran, Cloud Security Alliance
    As companies shift their people, processes, and technologies into the digital age, cybersecurity strategy is sometimes an afterthought instead of an integrated part of planning. In fact, a recent survey of C-level executives* showed that nearly one-third of security controls and management are still siloed from a functionality standpoint.

    At the organizational level, this siloing can result in policy decisions that fail to address critical security gaps within a strategic plan, resulting in an increase in time and resources dedicated to retroactively addressing these gaps. Transformation can also mean disruption to teams, exposing skill gaps that hamper progress.

    This panel discussion features seasoned cyber executives who will share their lessons learned and best practices for harnessing cyber strategy to improve the digital transformation journey.

    You’ll hear:
    • The top challenges when aligning security strategy to cloud migration and other digital transformation steps.
    • Best practices throughout the digital transformation journey, including:
    o Creating efficiencies in a hybrid environment.
    o Getting into a DevSecOps mindset from the start.
    o Securing Board and leadership buy-in on cybersecurity strategy.
    • How best to transition your team to minimize disruption and staff turnover.
    • How to message the business value of the transformation to the Board and other key stakeholders.
    • How to effectively monitor your new environment and proactively respond in a cloud-forward way.

    * Survey sponsored by Coalfire and completed by Dark Reading.
Educational series on cloud computing, security and privacy.
CSA CloudBytes was launched as a webinar series to help us educate the industry on all matters related to the cloud. Our channel is designed to inform our audience about trending topics, new technologies, and the latest research. Learn more at cloudsecurityalliance.org. Join the Cloud Security Alliance on LinkedIn and follow us on Twitter: @cloudsa

  • Title: Building a Successful Third Party Risk Management Program for a Modern World
  • Live at: Jul 16 2020 5:00 pm
  • Presented by: Chad A. Peterson - Director, Security Operations at Optiv Security & Matthew Barth, Senior Sales Engineer at SecurityScorecard