Topic: Third-Party Risk Panel Discussion
Description: Third-party risk remains a core governance challenge for most organizations. Regulations including HIPAA/HITECH, the EU's GDPR, and GLBA, among others, require organizations to appropriately evaluate the risk posed by service providers and other third parties.
Unfortunately, current third-party risk management practices rarely scale, and new approaches are needed. Our panelists bring a broad, multi-disciplinary, multi-industry perspective on how to rethink third-party risk. Some of the questions that will be addressed during this moderated discussion include:
Value of standardized questionnaires and on-boarding process for third parties
Value of independent audits and assessments (e.g., SSAE 18, SOC 2, PCI DSS, ISO) and their role in third-party risk management
Onsite risk assessments - how to plan and execute them effectively
Ongoing monitoring - tools and processes
Contracting with third parties
Termination of relationships and data decommissioning
Jonas Hagman, Information Security Director at Visa
Jonas Hagman is an information security compliance professional with extensive IT risk and controls experience from Visa and KPMG. For the past 5 years he has led the Cybersecurity Third Party Technology Risk team at Visa, which is responsible for information security assessments of vendors, partners and joint ventures, both remotely and onsite. Before that he held various compliance and IT risk roles at Visa, including PCI DSS readiness and advisory, SOX and internal audit.
Cyrus Bulsara, Chief Information Security Officer at Scripps Health
Cyrus has 15 years' experience in information security operations and risk management. He began his career in KPMG's IT risk advisory services practice with a strong focus on security GRC, pivoting over time to security operations in private industry. He enjoys the opportunity to leverage the breadth of his experience in his current role as CISO of Scripps Health, where he is the executive accountable for all aspects of Scripps' security posture, including GRC, SOC, vulnerability management, Red/Blue Team, engineering/architecture, and data governance.
Kory Klein, Director in Global IT Audit, Risk and Control Department at Sony Corporation
Kory is an information technology audit and security professional with over 15 years of consulting and industry experience at KPMG and Sony Corporation. He is experienced in assessing and auditing all aspects of information/cyber security, including third parties. More recently, he has been researching and experimenting with non-traditional approaches to assessing information/cyber security risk and compliance.
Moderator: Matt Stamper, MPIA, MS, CISA, CISM, CIPP/US, ITIL
Matt is the president of the San Diego ISACA chapter, a member of the San Diego CISO Roundtable, and co-sector chief for the communications sector of the San Diego chapter of InfraGard. He is a CISO at EVOTEK and a former research director with Gartner, where his research covered incident response, breach and attack simulation, security program design, the cybersecurity skills challenge, and IT risk management. Matt is the co-author of the CISO Desk Reference Guide (Volumes 1 & 2).