All Articles

Fireside Chat With Cassie Crossley & Bikash Barai

Posted by Biswajit Banerjee on July 3, 2025 at 12:04am in Blog
Fireside Chat With Cassie Crossley & Bikash Barai

In a deep-dive conversation at CISO Platform, Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, joined Bikash Barai (Co-founder, FireCompass & CISO Platform) to explore one of the most pressing concerns in enterprise security today: supply chain security and how to make third-party risk management (TPRM) future-ready.

Cassie, who recently authored Software Supply Chain Security: Securing the End-to-End Lifecycle for Software, Firmware, and Hardware, brings decades of experience managing large supplier ecosystems in critical infrastructure. The session touched on the evolution of threats, what’s broken in today’s TPRM practices, and how to build more resilient programs.

 

 

Highlights from the Conversation

“TPRM today stops at shallow assessments. You can fool a questionnaire, but not a hacker.”

The Story Behind the Book

Cassie shared that her motivation for writing the book stemmed from her work with over 54,000 global suppliers at Schneider Electric—many of whom lacked visibility into product and application security, despite being part of critical product ecosystems. She aimed to create a practical, global resource—something even startups could use without drowning in compliance documents.

“Startups don’t want to read 1,000 pages of NIST. They need clear, actionable advice.”

 

What’s Broken in Today’s TPRM

While organizations focus heavily on IT infrastructure, they often ignore how third-party software and services impact resilience.

“We have to assume that a supplier will be compromised or go offline. The question is—can your business survive that disruption?”

Cassie emphasized that the traditional approach—questionnaires, certifications like ISO 27001 or SOC 2, and passive risk scoring—misses real-world resilience. She advocated for evidence-based assessments that go beyond surface-level compliance.

 

Building a Modern TPRM Program

Cassie laid out a blueprint for how she would build a TPRM program from scratch in a mid-sized (1,000-person) organization:

People: A 3-Person Dream Team

  • Governance Lead: Aligns business stakeholders and procurement

  • Risk Assessor: Technical background, understands application + network security

  • Program Manager: Orchestrates assessments and tooling

“You don’t need a CISSP. You need someone who’s done real product security or understands build environments.”

Processes to Prioritize

  • Asset and supplier landscape discovery

  • Inherent risk identification during procurement

  • Resilience simulation workshops with executives

  • Continuous monitoring of critical vendors via Threat Intel

“Start by asking simple but powerful questions: What happens if this supplier goes down tomorrow?”

Technology Stack (MVP Version)

  • Risk Rating Tool (e.g., BitSight, SecurityScorecard)

  • Internal Dashboards (e.g., Tableau)

  • Spreadsheet-based vendor tracking (yes, that’s enough for most!)

  • Optional: Open-source intelligence feeds + third-party pentest reviews

 

Key Success Factors

  • Cultural Buy-In: Cross-functional accountability for third-party risk, not just the CISO’s burden

  • Real Conversations: Establishing CISO-to-CISO links with vendors

  • Due Diligence on Scope: Reviewing pentest reports isn’t enough; validate scope, auth testing, and role-based access coverage

“We need TPRM 2.0 — not just assess and rate vendors, but plan for failure and ensure recoverability.”

 

Why Most TPRM Programs Fail

  1. No Accountability: Risk lies with procurement or business, but no one owns it

  2. Surface-Level Assessment: Stop at questionnaires and rating scores

  3. Reactive Posture: Only respond to incidents; no proactive resilience planning

  4. Shadow IT: Lack of procurement controls leads to risky tool adoption

 

Final Thoughts

Cassie’s message was clear: Cybersecurity is not just about protection. It’s about survival. As supply chains become more digitized and interconnected, organizations must move beyond compliance and embrace resilience engineering.

“Cyber folks love talking to cyber folks. Build that direct bridge—it’ll save you when things go wrong.”

Cassie will also be attending Black Hat USA 2025, where she hopes to continue the dialogue on securing the software supply chain. Until then, she encourages the community to explore her book and engage in real conversations about supply chain resilience.

Views: 23
Tags: tprm, fireside, firesidechat, fireside chat, cassie crossley
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by Biswajit Banerjee

Community Manager, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

Jun 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
Virtual
  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

CISO Talk (Chennai Chapter) - AI Code Generation Risks: Balancing Innovation and Security

Jul 19, 2025 from 4:00pm to 5:00pm
Virtual
  • Description:

    We’re excited to invite you to an exclusive CISO Talk (Chennai Chapter) on “AI Code Generation Risks: Balancing Innovation and Security” featuring Ramkumar Dilli (Chief Information Officer, Myridius).

    In this session, we’ll explore how security leaders can navigate the risks of AI-generated code, implement secure development guardrails, and strike the right balance between innovation and security. AI…

  • Created by: Biswajit Banerjee
  • Tags: ciso talk

CISO MeetUp: Executive Cocktail Reception @ Black Hat USA , Las Vegas 2025

Aug 4, 2025 from 6:00pm to 10:30pm
Topgolf Las Vegas
  • Description:

    We are excited to invite you to the CISO MeetUp: Executive Cocktail Reception if you are there at the Black Hat Conference USA, Las Vegas 2025. This event is organized by EC-Council & FireCompass with CISOPlatform as proud community partner. 

    This evening is designed for Director-level and above cybersecurity professionals to connect, collaborate, and unwind in a relaxed setting. Enjoy…

  • Created by: Biswajit Banerjee
  • Tags: black hat 2025, ciso meetup, cocktail reception, usa events, cybersecurity events, ciso

6 City Playbook Round Table Series (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

Sep 1, 2025 at 5:00pm to Oct 31, 2025 at 8:00pm
India
  • Description:

    Join us for an exclusive 6-city roundtable series across Delhi, Mumbai, Bangalore, Pune, Chennai, and Kolkata. Curated for top cybersecurity leaders, this series will spotlight proven strategies, real-world insights, and impactful playbooks from the industry’s best.

    Network with peers, exchange ideas, and contribute to shaping the Top 100 Security Playbooks of the year.

    Date : Sept 2025 - Oct 2025

    Venue: Delhi, Mumbai, Bangalore, Pune,…

  • Created by: Biswajit Banerjee