All Articles

In a deep-dive conversation at CISO Platform, Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, joined Bikash Barai (Co-founder, FireCompass & CISO Platform) to explore one of the most pressing concerns in enterprise security today: supply chain security and how to make third-party risk management (TPRM) future-ready.

Cassie, who recently authored Software Supply Chain Security: Securing the End-to-End Lifecycle for Software, Firmware, and Hardware, brings decades of experience managing large supplier ecosystems in critical infrastructure. The session touched on the evolution of threats, what’s broken in today’s TPRM practices, and how to build more resilient programs.

Highlights from the Conversation

“TPRM today stops at shallow assessments. You can fool a questionnaire, but not a hacker.”

The Story Behind the Book

Cassie shared that her motivation for writing the book stemmed from her work with over 54,000 global suppliers at Schneider Electric—many of whom lacked visibility into product and application security, despite being part of critical product ecosystems. She aimed to create a practical, global resource—something even startups could use without drowning in compliance documents.

“Startups don’t want to read 1,000 pages of NIST. They need clear, actionable advice.”

What’s Broken in Today’s TPRM

While organizations focus heavily on IT infrastructure, they often ignore how third-party software and services impact resilience.

“We have to assume that a supplier will be compromised or go offline. The question is—can your business survive that disruption?”

Cassie emphasized that the traditional approach—questionnaires, certifications like ISO 27001 or SOC 2, and passive risk scoring—misses real-world resilience. She advocated for evidence-based assessments that go beyond surface-level compliance.

Building a Modern TPRM Program

Cassie laid out a blueprint for how she would build a TPRM program from scratch in a mid-sized (1,000-person) organization:

People: A 3-Person Dream Team

• Governance Lead: Aligns business stakeholders and procurement

• Risk Assessor: Technical background, understands application + network security

• Program Manager: Orchestrates assessments and tooling

“You don’t need a CISSP. You need someone who’s done real product security or understands build environments.”

Processes to Prioritize

• Asset and supplier landscape discovery

• Inherent risk identification during procurement

• Resilience simulation workshops with executives

• Continuous monitoring of critical vendors via Threat Intel

“Start by asking simple but powerful questions: What happens if this supplier goes down tomorrow?”

Technology Stack (MVP Version)

• Risk Rating Tool (e.g., BitSight, SecurityScorecard)

• Internal Dashboards (e.g., Tableau)

• Spreadsheet-based vendor tracking (yes, that’s enough for most!)

• Optional: Open-source intelligence feeds + third-party pentest reviews

Key Success Factors

• Cultural Buy-In: Cross-functional accountability for third-party risk, not just the CISO’s burden

• Real Conversations: Establishing CISO-to-CISO links with vendors

• Due Diligence on Scope: Reviewing pentest reports isn’t enough; validate scope, auth testing, and role-based access coverage

“We need TPRM 2.0 — not just assess and rate vendors, but plan for failure and ensure recoverability.”

Why Most TPRM Programs Fail

1. No Accountability: Risk lies with procurement or business, but no one owns it

2. Surface-Level Assessment: Stop at questionnaires and rating scores

3. Reactive Posture: Only respond to incidents; no proactive resilience planning

4. Shadow IT: Lack of procurement controls leads to risky tool adoption

Final Thoughts

Cassie’s message was clear: Cybersecurity is not just about protection. It’s about survival. As supply chains become more digitized and interconnected, organizations must move beyond compliance and embrace resilience engineering.

“Cyber folks love talking to cyber folks. Build that direct bridge—it’ll save you when things go wrong.”

Cassie will also be attending Black Hat USA 2025, where she hopes to continue the dialogue on securing the software supply chain. Until then, she encourages the community to explore her book and engage in real conversations about supply chain resilience.