Episode Overview
Podcast: RSAC – Cyber at the Top
Episode Title: Third-Party Risk: Challenges and Strategies for Security Leaders
Date: February 19, 2026
Guest: TJ Patterson, VP and Information Security Officer at Star Financial Bank
This episode dives deep into the growing urgency of third-party risk management for CISOs. The host and guest TJ Patterson discuss the unique challenges, methodologies, and practical strategies that security leaders can use to identify, assess, and manage the risks presented by external vendors, suppliers, and service providers. The conversation offers actionable insights on critical vendor classification, ongoing monitoring, vendor resistance, regulatory trends, and effective leadership communication on third-party risks.
Key Discussion Points & Insights
1. TJ Patterson’s Role and Perspective (01:48)
- Overview of TJ’s Work: Mix of strategy and operations—policy compliance, control validation, close partnership with IT, proactive planning 6–12 months out, and ensuring both security and data availability.
- Quote:
“If it involves information, whether that’s paper information or technical information, I’m involved to make sure that that information stays safe.” (01:52 – A)
2. Why Third-Party Risk is a Top Priority (03:13)
- Main Reason: Customers hold organizations—not vendors—accountable for data breaches, regardless of origin.
- Due Diligence: The necessity to align third-party controls and risk maturity with internal standards.
- Quote:
“Our customers don’t care if information is taken or affected, whether it’s us or whether it’s a vendor. They just know that the relationship they have is with us.” (03:17 – A)
3. Impact Differences: Third-Party vs. Direct Breaches (04:28)
- Loss of Visibility: Less control and insight during third-party incidents due to reliance on the vendor’s incident response.
- Regulatory Complexities: Ensuring partners meet the same requirements as regulated organizations can be challenging.
- Quote:
“One of the challenges with a third party is that lack of visibility. If an incident occurs...we're reliant on the incident response of that organization.” (04:32 – A)
4. Identifying and Classifying Critical Third Parties (05:29)
- Factors to Assess:
  - Type and sensitivity of data accessed or stored
  - Criticality to business operations
  - Geographic and resilience considerations (especially with major cloud providers)
- Consistency is Core: Develop a repeatable, threshold-based approach.
- Quote:
“Another aspect is how critical that third party is to operations...if that vendor were to be disrupted...that might fall into a higher classification.” (06:26 – A)
5. Depth vs. Practicality of Assessments (09:07)
- Balancing Act: Aim for consistency and maturity rather than exhaustiveness for every vendor.
- Plan for the Inevitable: Assume vendors will experience incidents; focus on their business continuity and communication plans.
- Quote:
“Every partner that any company has, there should be an expectation that it will experience a security incident or a material disruption.” (09:18 – A)
6. Ongoing Monitoring Beyond Initial Due Diligence (11:13)
- Tier-Based Review Frequency: Match monitoring to vendor criticality.
- Key Tactics:
  - Annual or biannual review of pen test and SOC reports
  - Watch for decreases in vendor self-assessment rigor
  - Use external monitoring tools and Google alerts
- Leverage Relationships: Educate internal vendor relationship owners to help surface incidents.
- Quote:
“If you can now build some rapport with those relationship owners ... now they know to report that. And that’s one way to lean into some of the education and some of the relationship building that security leaders have to do.” (12:41 – A)
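As an added illustration (not code from the episode, the host, or Star Financial Bank) of the repeatable, threshold-based classification in point 4 and the tier-driven review cadence in point 6: a small Python model that scores each vendor on data sensitivity, operational criticality and single-region dependence, maps the score to a tier through fixed thresholds, derives the SOC/pen-test evidence review interval from the tier, and flags stale evidence and declining self-assessment rigor. The weights, thresholds, intervals, field names and the three-vendor inventory are constructed assumptions, not figures from the episode.

```python
"""Repeatable, threshold-based third-party tiering with tier-driven review cadence.

Added illustration only. Weights, thresholds, review intervals and the
sample vendor inventory below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class DataSensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3      # e.g. customer PII or financial records


class OperationalCriticality(IntEnum):
    NONE = 0           # an outage is an inconvenience
    DEGRADED = 1       # a workaround exists
    SEVERE = 2         # a core process stops
    EXISTENTIAL = 3    # no workaround; customer/regulatory impact


@dataclass
class Vendor:
    name: str
    sensitivity: DataSensitivity
    criticality: OperationalCriticality
    single_region: bool                 # resilience/geography factor
    last_evidence: date | None          # date of the latest SOC or pen-test report received
    # Count of substantive answers in successive annual self-assessments
    # (constructed proxy for "rigor" of the vendor's questionnaire responses).
    questionnaire_answers: list[int] = field(default_factory=list)


# Scoring weights (assumption): data sensitivity and operational criticality dominate.
WEIGHTS = {"sensitivity": 3, "criticality": 3, "single_region": 2}   # max score 20

# Fixed thresholds are what make the classification repeatable across vendors.
TIER_THRESHOLDS = [(14, "Tier 1"), (8, "Tier 2"), (0, "Tier 3")]

# Review cadence follows the tier: the more critical, the more often evidence is refreshed.
REVIEW_INTERVAL_DAYS = {"Tier 1": 182, "Tier 2": 365, "Tier 3": 730}


def risk_score(v: Vendor) -> int:
    """Weighted sum of the classification factors."""
    return (WEIGHTS["sensitivity"] * int(v.sensitivity)
            + WEIGHTS["criticality"] * int(v.criticality)
            + WEIGHTS["single_region"] * int(v.single_region))


def classify(v: Vendor) -> str:
    """Map the score to a tier using the fixed thresholds (highest match wins)."""
    score = risk_score(v)
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]


def evidence_overdue(v: Vendor, today: date) -> bool:
    """True when no evidence exists or the latest report is older than the tier's interval."""
    if v.last_evidence is None:
        return True
    return (today - v.last_evidence).days > REVIEW_INTERVAL_DAYS[classify(v)]


def rigor_declining(v: Vendor) -> bool:
    """Flag a drop in self-assessment depth between the last two questionnaire cycles."""
    answers = v.questionnaire_answers
    return len(answers) >= 2 and answers[-1] < answers[-2]


def monitoring_plan(vendors: list[Vendor], today: date) -> list[dict]:
    """Per-vendor tier, next review date and the two monitoring flags, highest score first."""
    rows = []
    for v in vendors:
        tier = classify(v)
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        next_review = (v.last_evidence + interval) if v.last_evidence else today
        rows.append({
            "vendor": v.name,
            "score": risk_score(v),
            "tier": tier,
            "next_review": next_review,
            "evidence_overdue": evidence_overdue(v, today),
            "rigor_declining": rigor_declining(v),
        })
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("core-banking-saas", DataSensitivity.REGULATED, OperationalCriticality.EXISTENTIAL,
           single_region=True, last_evidence=date(2025, 6, 1), questionnaire_answers=[120, 118, 95]),
    Vendor("marketing-email", DataSensitivity.CONFIDENTIAL, OperationalCriticality.DEGRADED,
           single_region=False, last_evidence=date(2025, 9, 1), questionnaire_answers=[60, 62]),
    Vendor("office-catering", DataSensitivity.PUBLIC, OperationalCriticality.NONE,
           single_region=False, last_evidence=None),
]

if __name__ == "__main__":
    for row in monitoring_plan(SAMPLE_VENDORS, date(2026, 2, 19)):
        print(row)
```

The point of the fixed weights and thresholds is the consistency the episode keeps returning to: two analysts classifying the same vendor get the same tier, and a vendor whose tier changes does so because a recorded factor changed, not because a different reviewer felt differently. The two flags are the cheap, ongoing signals from point 6 that need no vendor cooperation: evidence that is older than the tier allows, and questionnaires that get thinner year over year.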
7. Handling Resistant Suppliers (14:22)
- Security Leader’s Role: Compile and communicate risks clearly to governance bodies, with documentation for transparency and defensibility.
- Decision Making: Final risk acceptance or rejection should rest with governing bodies or executives, not solely with security leaders.
- Quote:
“Security leaders should be communicating that risk effectively, making the decision in the right place, and then lastly, making sure that’s documented.” (14:48 – A)
“It’s about ensuring that they’re aligned with the organization’s maturity level.” (15:49 – A)
8. Value and Shortcomings of Tools, Attestations, and Audits (16:59)
- Monitoring Tools: Useful, but ratings can be misleading if scope is limited.
- Attestations & Audit Reports: Offer a high-level view of maturity, but may not guarantee specific control effectiveness without independent validation.
- SOC Reports Example: Good for overall maturity check but should be supplemented with direct questions if needed.
- Quote:
“Sometimes the tools and the attestations can be a little bit weak...a lot of times companies will say things like we have encryption at rest...if an independent party isn’t validating that, an organization really doesn’t have a way to verify those controls exist.” (18:37 – A)
9. Regulatory Trends & Future Planning (19:55)
- Anticipating Regulation: Stay informed about international compliance (e.g., DORA); know your customer base and cross-border obligations.
- Fourth-Party Risk: Growing importance in regulations, particularly in the financial sector.
- Emerging Tech Risks: AI processing and governance may soon require risk assessments and new controls.
- Quote:
“One of the things in the back of my mind is...at what point are we going to need to do further due diligence on those subservice organizations? ...Another thing...may need to be considered is the usage of AI.” (21:31 – A)
10. Communicating Risk to Boards & Executives (23:18)
- Simplicity & Relevance: Translate risks into impacts on financials, legal exposure, and time.
- Avoid Technical Overload: Focus communication on what the board and executives prioritize.
- Quote:
“Communicate really three things, financial, legal and time. How does it affect those three?” (23:21 – A)
“If you can find a way to quantify that...that goes a long way with the board or governing bodies where they don't want in the weeds of all the day to day security speak.” (24:17 – A)
11. Final Advice for CISOs (25:07)
- Consistency Above All: Mature risk programs by being consistent in classification, monitoring, and documentation.
- Leverage Industry Frameworks: Use frameworks like NIST or CIS to anchor your due diligence and risk reviews.
- Quote:
“I’ll go back to that consistency and it seems very fundamental. But what I found personally is...I start to bite off more than I can chew. But when I think about maturity...and being consistent...I'm finding that it's being delivered upon a lot better.” (25:09 – A)
“Leverage an existing industry framework, whether that's, you know, NIST cybersecurity framework or CIS framework...so that your third-party risk is aligned with what the organization is already using.” (25:36 – A)
Memorable Moments & Notable Quotes
- “Our customers don’t care if information is taken or affected...they just know that the relationship they have is with us.” (03:17 – A)
- “One of the challenges with a third party is that lack of visibility...we're reliant on the incident response of that organization.” (04:32 – A)
- “Consistency is key. Not to be trivial, but maybe it’s a simple math equation...that’s one way to stay at least consistent.” (07:35 – A)
- “Every partner...should be expected to experience a security incident or a material disruption.” (09:18 – A)
- “If you can now build some rapport with those relationship owners...it makes solving other security challenges better down the road.” (15:57 – A)
- “If an independent party isn’t validating that, an organization really doesn’t have a way to verify those controls exist.” (18:37 – A)
- “Communicate really three things: financial, legal, and time.” (23:21 – A)
- “Leverage an existing industry framework...so that your third-party risk is aligned with what the organization is already using.” (25:36 – A)
Useful Timestamps
- Role & Responsibility: 01:48
- Why Third-Party Risk is Critical: 03:13
- Breach Impact Differences: 04:28
- Classifying Critical Vendors: 05:50
- Balancing Assessment Depth: 09:07
- Ongoing Monitoring: 11:13
- Handling Resistant Vendors: 14:22
- Tools, Attestations, Audits: 16:59
- Regulation & Emerging Trends: 19:55
- Board & Executive Communication: 23:18
- Final CISO Advice: 25:07
Summary
This episode provides a comprehensive, real-world framework for CISOs and security leaders looking to mature their third-party risk programs. TJ Patterson stresses the importance of consistency, clear risk communication, tiered assessments, and ongoing relationships with both internal and external stakeholders. He encourages leveraging established frameworks for program alignment and planning for both current and emerging regulatory requirements. The guidance centers on practical, scalable strategies, making it a must-listen (or read) for anyone responsible for third-party risk management in cybersecurity.
