As organizations grapple with escalating risks in the digital realm, the imperative for robust risk management has never been more pressing. In this era of increased scrutiny from regulators and stakeholders, businesses are compelled to demonstrate airtight security postures and transparency in their operations. The emergence of Chief Risk Officers, Privacy Officers, and Third-Party Risk Management programs reflects a paradigm shift in how companies approach risk mitigation.



Here is the verbatim discussion:

Similar to what Bikash is mentioning, the tools that he has in place reduce the burden on the IT organizations; it allows them to provide that information to the third-party risk management programs. What I've been seeing across the industry is that customers and vendors are going through a lot more scrutiny. The vendors have to show to their customers the different measures that they put in place. You can't just do business with other companies nowadays without providing some of that evidence that you have the right security posture in place. So anything that can automate that, anything that can show that, hey, we have continuous security scanning on our environment, here's our exposure, here's our external threat attack surface, and we've scanned it and we've put the appropriate measures in place. It's one of the big drivers that you're seeing, in addition to regulators: that customer-vendor relationship, that vendor management relationship, onboarding and offboarding customers, working with other vendors. You need to provide some kind of security evidence. Before, it was an MSA you sign and you do business with someone; now it's "show me that you have a good security posture, we can connect to your environment." Providing that evidence to all your vendors or your customers, depending on the relationship, is a challenge, so I would definitely leverage this SaaS solution to provide me with that evidence that we continuously have that program in place. Risk management, so that's the other part. I know I stayed at a very philosophical level, but it's very hard to go tactical; it would probably need days or weeks to build a program for risk management.

Now back to Nasheen, the other thing which you mentioned. One thing we would be very happy to offer, for anybody in the audience, if you would like, is a kind of free discovery of your attack surface: how does the hacker's view of your attack surface look, what kind of exposure you have. We would be happy to conduct an assessment and provide you with the results, so you will have a good view of how the attack surface looks, whether there are some unknown unknowns, any surprises.

If you are on sand and you don't go to enough depth and figure out a really solid structure, whatever you build on top of it really doesn't matter. That might look very strong, the walls and doors and windows, but if the fundamentals are not strong it's going to just collapse, and that is something which happens a lot with this kind of risk management model: the fundamental assumptions and the fundamental models are not strong enough. So unless you really have a very mature process, I would say doing some kind of risk quantification like that is very hard. So, mature, not just the process; a very mature organization where you have really tested out those models. And there are a lot of organizations who do it decently well, like any underwriter for insurance: they have to build a very strong model, otherwise their company is at stake, right? They have built certain things, but even they know that their assumptions have to be tested over a period of time. When you do insurance for people's lives, life insurance, they have data for like 50, 60 years or even more; for this it's new. But they know the risk; they had adequate time. So if you do not have very high maturity, going that route is not very helpful. That's one thing which I wanted to mention.

Then what is the other way to solve this? I think a better way, or an easier way in certain ways, which could also be more practical and more useful, is to look at it from the perspective of the adversary. Go and look at Verizon DB and see what kind of attacks the bad guys are doing which are causing breaches; look at it from that perspective. Look at the various threat intelligence data and use that information: my adversary or our adversary are XYZ, and they use these kinds of techniques and these kinds of attacks, so let me prioritize based on that. So definitely you can prioritize your assets; that's much easier if you know the assets. You can prioritize; you know which has got high value.


Highlights:

Evolving Dynamics of Customer-Vendor Relationships: In today's business landscape, the mere exchange of contracts is no longer sufficient. Companies must showcase their security measures to forge trustworthy partnerships. The burden falls on vendors to provide evidence of their robust security postures to gain the confidence of customers, thereby emphasizing the importance of continuous risk management practices.

The Role of Automation in Risk Mitigation: Automation tools play a pivotal role in alleviating the burden on IT departments and enabling organizations to streamline their risk management processes. SaaS solutions offer the ability to provide repeatable and predictable outputs, crucial for meeting the demands of third-party risk management programs.

Importance of Structured Data Management: Structured approaches to data management, including classification and labeling, are essential for effective risk mitigation. By prioritizing the protection of critical data assets and implementing encryption and access controls, organizations can fortify their defenses against potential threats.

Offering Proactive Risk Assessments: To stay ahead of evolving threats, organizations can benefit from proactive risk assessments. By conducting assessments of their attack surfaces and leveraging threat intelligence data, businesses can identify vulnerabilities and prioritize mitigation efforts accordingly.

Embracing the Adversary's Perspective as a Strategy: Rather than solely relying on internal risk models, organizations can gain valuable insights by studying adversary tactics. Analyzing threat intelligence data and understanding the techniques used by cybercriminals can inform proactive risk management strategies and enhance overall resilience.
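The prioritisation the panel describes (rank assets by business value combined with how often the techniques their exposures enable actually appear in breach data) can be made concrete. This is an added illustration, not code from FireCompass or the panelists; the threat-intelligence weights and the asset inventory are constructed placeholders, and technique IDs follow MITRE ATT&CK numbering.

```python
"""Adversary-informed asset prioritisation (added illustration, constructed data)."""
from dataclasses import dataclass, field

# Constructed feed: share of observed breaches in our sector that used each
# technique. The fractions are made up for the example.
THREAT_INTEL = {
    "T1190": 0.35,  # Exploit Public-Facing Application
    "T1078": 0.30,  # Valid Accounts
    "T1566": 0.25,  # Phishing
    "T1133": 0.10,  # External Remote Services
}

# Weight for a technique the feed has no data on: never score it as zero,
# otherwise the "unknown unknowns" the panel warns about drop off the list.
UNKNOWN_WEIGHT = 0.05


@dataclass
class Asset:
    name: str
    value: int  # business value, 1 (low) .. 5 (critical)
    techniques: list = field(default_factory=list)  # techniques its exposures enable


# Constructed inventory (placeholder names, not real systems).
ASSETS = [
    Asset("customer-portal", 5, ["T1190", "T1133"]),
    Asset("vpn-gateway", 4, ["T1078", "T1133"]),
    Asset("marketing-site", 1, ["T1190"]),
    Asset("legacy-ftp", 3, ["T1021"]),  # T1021 is not in the feed
]


def risk_score(asset: Asset, intel: dict) -> float:
    """Business value times the summed adversary likelihood of the asset's exposures."""
    if not 1 <= asset.value <= 5:
        raise ValueError(f"{asset.name}: value must be 1..5")
    likelihood = sum(intel.get(t, UNKNOWN_WEIGHT) for t in asset.techniques)
    return asset.value * likelihood


def prioritise(assets: list, intel: dict) -> list:
    """Return (name, score) pairs, highest risk first; ties broken by name."""
    scored = [(a.name, round(risk_score(a, intel), 4)) for a in assets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, score in prioritise(ASSETS, THREAT_INTEL):
        print(f"{score:5.2f}  {name}")
```

Swapping the constructed feed for real sector breach statistics, and the inventory for the output of an attack surface discovery, turns the same ranking into a defensible remediation order.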


In a landscape characterized by heightened risks and regulatory scrutiny, organizations must adopt a proactive approach to risk management. By leveraging automation, structured data management practices, and insights from threat intelligence, businesses can strengthen their security postures and navigate the complexities of the digital age with confidence. Taking the adversary's perspective as a strategy allows companies to stay ahead of emerging threats and build resilience against potential cyberattacks. In this dynamic environment, effective risk management is not just a necessity but a strategic imperative for long-term success and sustainability.


Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.



Ms. Nasheen Liu's strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu's expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.


Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a degree from McGill University.


Pritha Aash manages parts of content strategy and marketing in a startup called FireCompass. The team has built things for the first time in the world and I'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling at Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups and communities to help make the world we live in a better place. I currently volunteer at WWF, Khan Academy, SaveTrees.


