Lakshmi Hanspal, Box, Global Chief Information Security Officer

  • Vendor evaluation typically involves many stakeholders, including the business owner trying to bring a third party into the environment, procurement or sourcing, legal, security or the trust office, and compliance.
  • Supply chain cyber risk management requires evaluation based on continuous monitoring and scanning, logging, and alerts triggered by noncompliant changes mapped back to legal and regulatory obligations.

“When we think about managing risk in our supply chain, we have to treat our third parties first and foremost as partners.”

Not every chief information security officer (CISO) has complete visibility into the supply chain risk management process or accountability for managing the cyber risk posed by third parties. “I’ve always had accountability for third-party risk,” says Lakshmi Hanspal, global CISO at Box. “For Box, third-party risk is a specific category in our enterprise risk management.”

Third-party risk is not only about evaluating the potential dangers of bringing on an outside vendor but also about how you effectively manage third-party cyber risk once a vendor is on board. In Hanspal’s experience, that risk management requires close partnerships with your third parties. “When we think about managing risk in our supply chain, we have to treat our third parties first and foremost as partners,” she says. “A partnership is strategic. A partnership aims to deepen use cases, to establish a continuous evaluation methodology rather than transactional or trigger-based evaluation.” It also establishes a relationship in which Hanspal can work cooperatively with vendors if a security event occurs. “We share what we see as indicators of a compromise. We trade indicators, and we give them greater peripheral vision. We see the process more as a joint investigation,” she says.

This is an excerpt from 7 Experts on Evaluating and Managing Supply Chain Risk. This eBook was generously sponsored by BlueVoyant.