About the Speakers & Their Topics

Join us in welcoming industry experts and speakers for the TPRA 2022 Third Party Risk Management Conference


Keynote: Ashley Owens

Networking Concierge 

Ashley Assists LLC

Ashley Owens is the first and only Networking Concierge that puts you in the right situation or gets you out of the wrong one. As a networking concierge, she trains, coaches, and speaks on becoming an authority at generating revenue by networking with intention. As a networking concierge, Ashley is a host of two digital TV talk shows on RVNTV and This is it TV, speaking and interviewing on the topic of tactical networking. She has taken hundreds of introductory phone calls with business professionals looking to grow their network and has given close to 2000 introductions. She has spoken to over 250 networking groups, organizations, associations, companies, and conferences and has over 185 referral partners. 

How to Not Suck at Networking

Networking is such a personal activity—it is not a one-size-fits-all practice. It’s easy to get bogged down in the details and miss out on the foundation of how to build and retain an effective network. At the end of the day, no one cares what you do as much as whether you know and like them and whether you can be trusted. In an industry built on the power of connecting face-to-face, establishing and growing meaningful relationships is undeniably critical to long-term success. During the current pandemic, networking has shifted from onsite to fully online. 

In this presentation, networking concierge Ashley Owens shares ways to nurture your current business relationships to create your own tactical, individualized approach. Save time by recognizing the best strategic partners and effectively engaging contacts through email, messaging, social media, and other digital tools. Dive in and engage with your peers in this highly interactive session, and learn how to balance your strengths, network strategically and with confidence, and craft an authentic, powerful, professional networking process to achieve a wildly successful career.

 

Keynote: Chris Roberts

Strategic Advisor

Hillbilly Hit Squad

Chris is currently serving as a vCISO and advisor for several entities and organizations around the globe. His most recent projects are focused within the deception, identity, cryptography, Artificial Intelligence, and services space. Over the years, he's founded or worked with several folks specializing in OSINT/SIGINT/HUMINT research, intelligence gathering, cryptography, and deception technologies. These days he’s working on spreading the risk, maturity, collaboration, and communication word across the industry. (Likely while coding his EEG-driven digital clone that’s monitoring his tea and biscuit consumption!)

Welcome to the Dark Side, we own EVERYONE’S Cookies...

Abstract:

There you are! So, how’s it going? Good?

Y’all caught up on your awareness training?

Know what to click and what to avoid?

Figured out your passwords yet? (Summer20201! Doesn’t count)

Sorted out the OWASP top 10 yet?

 

Great!

So, feeling all good, protected, ready to fight the good fight, and do battle?

 

Splendid...

What if I told you it doesn’t make a damn difference...?

 

Really.

Like, not a difference. I mean you get that warm fuzzy feeling, and we all get a check in the audit box and go along on our merry way and feel good about things...

 

But it’s not going to change a damn thing.

Your ass belongs to me, and there’s nothing you can do to stop me from getting in.

 

Got your attention?

Good, let’s talk!

 
 

Ashish Shah

Product Manager - 3rd Party Cybersecurity Risk 

Chevron 

Ashish P. Shah is the Team Lead of Cybersecurity Risk Assessment & Operational Excellence at Chevron. Leading Chevron’s program for Third Party Supplier Risk Management is one of the domains within his areas of responsibility. He has been with Chevron for 9 years and has 20+ years of experience in Information Security and Privacy. Ashish graduated from Baylor University in 2002 with an MBA and a Master of Science in Information Systems. He started his career with ExxonMobil, then transitioned to Deloitte & Touche LLP, before joining Chevron in 2012.

Managing Third Party Risk to Secure Your Assets 

Third party cybersecurity is a high visibility topic among boards of directors at organizations of all sizes and across multiple industries. Outsourcing certain activities to a third party poses potential risk to the enterprise. Third-party risk is greatly complicated by the added complexity that sub-service suppliers pose and the level of due diligence that is required to ensure assets are protected from compromise. Establishing key relationships with functions such as Procurement, Legal, and Compliance is a core component of successful program implementation. The process should include vendor inventory management, implementing a risk-based approach, contract clause review, risk remediation/mitigation, and ongoing monitoring of suppliers. Selection of a supplier risk management platform to complement the process is essential for automation and efficient risk management. It’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust.

 

Bill Deller

Managing Consultant - Cybersecurity Risk & Compliance 

Schneider Downs 

As a cybersecurity risk and compliance professional and practice leader, Bill helps businesses across all industries manage, build, and mature their security and third party programs with a risk-based approach. He and the teams at Schneider Downs manage and execute TPRM programs for numerous Fortune 100 organizations, produce hundreds of annual SOC reports, validate and assure compliance with the alphabet soup of regulatory requirements, provide offensive and defensive security testing, and regularly provide co/outsourced IT Internal Audit services.

SOC Report Secrets Revealed 

The ability to leverage SOC reports efficiently and effectively can save a TPRM program hundreds, if not thousands of hours. However, SOC reports are not built equally. In this session, we will address each of the following from 3 perspectives - the customer, service organization, and service auditor: 

- Who/What/Where/Why/When of SOC Reports 

- SOC vs other standards-based assessments (ISO, HITRUST, PCI, NIST, HIPAA, CMMC, etc.) 

- SOC pros and cons 

- An optimal SOC report leverage model 

 

Greg DeLeon

Third Party Risk Manager

Tripactions

speaking with Prabhath Karanth

Greg DeLeon is a GRC/cybersecurity professional with more than 12 years of industry experience and a passion for building governance, risk, and compliance programs. Greg has managed enterprise risk, operational risk, information security risk, third party risk, business continuity, and compliance frameworks (e.g. NIST, CMMC, FedRAMP, SOC 2, ISO 27001). Greg serves as Third Party Risk Manager at Tripactions, a single-platform solution that seamlessly manages travel booking, itinerary management, corporate payments, and expenses. In his role, Greg partners with stakeholders to implement a comprehensive third party risk program. The TPRM program focuses on delivering effective policies, processes, and risk management to ensure regulatory compliance and consistency with interdependent functions.

Essentials of a Third Party Risk Program

The Third Party Risk Management Program is an important part of an organization's security program. In recent years, major news media have reported examples of security breaches that have been traced back to third-party suppliers. Some examples include SolarWinds, Target, Uber and other high profile companies. The session will focus on key essentials of a TPRM program to establish efficient and scalable processes for managing third party risks.

 

Prabhath Karanth

Director of Security Assurance and Compliance

Tripactions

speaking with Greg DeLeon

Prabhath Karanth has spent his 15+ year career in various technical and leadership roles spanning hyper-growth startups, Fortune 50 companies, and Big 4 consulting firms. Currently, as the Head of Security Assurance and Compliance at Tripactions, a leading worldwide travel and spend management platform trusted by more than 5,000 companies globally, Prabhath brings his decades of information security experience to growing the company’s security and compliance program, serves as the single voice for security to and with the customer, and drives the customer trust program. Prabhath previously served in several security leadership roles at Adobe, where he architected the Adobe Common Controls Framework (CCF) and championed its implementation across all Adobe cloud products, services, platforms, and operations. He built and drove several strategic security programs and initiatives at Adobe that significantly improved Adobe’s overall security posture. Prabhath is very active in the security community, mentors several young security professionals, and advises security startups on solving security and business problems at scale. He is a business enabler who believes in prioritizing the needs of the business and eliminating the friction caused by security tools and processes while formulating scalable, pragmatic security strategies to reduce risk and improve security posture.

 

Essentials of a Third Party Risk Program

The Third Party Risk Management Program is an important part of an organization's security program. In recent years, major news media have reported examples of security breaches that have been traced back to third-party suppliers. Some examples include SolarWinds, Target, Uber and other high profile companies. The session will focus on key essentials of a TPRM program to establish efficient and scalable processes for managing third party risks.

 

Greg Rasner


Author of “Cybersecurity and Third Party Risk: Third Party Threat Hunting” and SVP

Greg has worked as a cybersecurity and IT leader in the Finance, Biotech, Technology, and Software fields. He holds a BA from Claremont McKenna College along with the CISSP, CCNA, CIPM, and ITIL certifications. He is the author of the book “Cybersecurity and Third Party Risk: Third Party Threat Hunting” published by Wiley, has written several online articles for major publications, and is a frequent speaker at forums and conferences on related topics. He has five kids and a wife who is also a cybersecurity professional. Rasner served in the USMC and was co-chair of the Truist Veterans and First-Responders Business Resources Group. Greg created the cybersecurity program at Johnston Community College, is a board member on its Technology Advisory Board, and teaches part-time at JCC as well. Fun for him is camping and traveling with his family.

 

How to prepare for the Joint Interagency (FRB, OCC, FDIC) Guidance for Third-Party Governance

Greg Rasner and Rohan Ranadive will share their thoughts on how to prepare for the Joint Interagency (FRB, OCC, FDIC) Guidance for Third-Party Governance from a third party risk management and cybersecurity perspective.

 

Collin Schwartz


Head of Legal/Regulatory Affairs & Methodology

TruSight

Collin Schwartz is the head of legal and regulatory affairs and head of methodology for TruSight, the financial industry's leading provider of third-party risk data and risk assessments. Collin has held management roles for financial institutions such as Citigroup, Deutsche Bank, Scotiabank, and MUFG, with a focus on regulatory compliance for risk and compliance functions, including third-party risk management. Collin has also designed and enhanced the third-party risk assessment processes for these large international financial institutions.

 

The Time is Now to Adopt a Standard, Globally Recognized Third-Party Risk Assessment Methodology

The lack of a simple and comprehensive approach to gathering and validating third-party risk assessment information has resulted in financial institutions and third parties spending valuable resources requesting, providing, and validating assessment information in an inefficient and duplicative manner. The burden on businesses that serve the financial services industry is particularly high, as these companies receive hundreds (in some cases thousands) of duplicative requests for information on an annual basis, requiring a major investment in time and capital to respond. With limited resources to handle these complex due diligence requests, vendors often only provide the minimal amount of information required, resulting in incomplete risk data. More importantly, they end up diverting precious resources to redundant documentation rather than actually managing and mitigating risk. To better meet the growing challenges of managing vendor risk, institutions should collaborate on a consistent set of standards for assessing third parties, one that is built on the best practices of the industry. This presentation will address how a universally adopted methodology for collecting and validating third-party risk data can benefit everyone who participates in the financial industry by:

  • Enhancing the quality and depth of third-party risk assessments for risk practitioners, enabling them to make more informed decisions on how to evaluate and mitigate risk.

  • Creating operational efficiency, allowing leaders of financial institutions to save costs or to reallocate capital to mitigating and managing risk rather than chasing third parties to collect data.

  • Alleviating the strain on the third parties who serve the financial industry by establishing consistent expectations and reducing the time spent responding to individual questionnaires and requests. The simplified assessment requirements would also enable them to streamline their client acquisition and relationship management processes and deliver a higher level of responsiveness and service to their clients.


Rebecca Newton

Senior Manager Global Vendor Management 

Ansys Inc.

Becky Newton, CISA and CRISC, Sr Manager Global Third Party Provider Risk Management (“TPRM”) at Ansys Inc., has over 20 years of experience in audit and accounting, risk management, and information security and technology. She is responsible for development of the Global Third Party Provider Risk Management Policy and Program at Ansys, focusing on ensuring Ansys’s compliance with international standards, laws, and regulations governing the use and monitoring of third party providers, as well as overseeing compliance with Ansys’s Third Party Risk Management Policy.

Prior to working at Ansys, Becky was the Director of Third Party Risk Management at a midsize community bank, where her work included the creation and development of the third party risk management program. Becky gained much of her risk management knowledge as a Manager with PricewaterhouseCoopers (PwC), where she managed engagements that focused on assessing accounting, information technology, and operational risks and controls.

 

TPRM Risk Assessment vs Self-Assessment 

Many TPRM programs utilize a version of third party provider (TPP) self-assessment/assertion. While useful, that approach provides limited insight into the TPP's governance and control considerations beyond what was disclosed by the TPP themselves. Another often employed risk assessment approach requests policies, procedures, and independent audit/assertion reports. This too gives the assessing company information, but to what end? What if TPRM teams could reduce the work performed on, or even eliminate, the vendor-facing questionnaires? This new approach tries to answer the questions many TPRM departments face: When is a TPP questionnaire (TPP self-assessment/assertion) sufficient? When should documents be requested from TPPs? What documents should be requested, and how should companies utilize the documentation once provided? What are the risks of obtaining supporting documentation? Shouldn't the residual risk rating consider the documents beyond mere existence?

 
 

Joseph Lau

Director of TPRM

Mirato 

Lau has served in a variety of senior leadership roles in risk management and technology infrastructure over his career, most recently as vice president of third-party assessments at Santander Bank. Prior to joining Santander Bank, he was vice president of third-party assurance at Citizens Bank. Lau has also held various roles in information technology at H.C. Starck, Bayer Corporation and the Gillette Company. Lau earned a B.S. in business administration from Northeastern University. 

 

How to Prevent Software Supply Chain Attacks by Integrating Third-Party Risk Intelligence with the Software Bill of Materials (SBOM) 

The most important catalyst for the growth we are witnessing in technology in the last decade is open source and R&D teams' ability to share ready-tested, quality packages. However, open and closed source packages are presenting new risks that are becoming more and more elusive to find.

 

Software Bill Of Materials (SBOM) is designed to help organizations understand how the products they are using are built and what open and closed packages are used as building blocks. However, even if organizations collect the SBOM, it does not mean they can use it to mitigate risk - they do not speak code.

 

This presentation will provide risk management leaders with takeaways for how to expand their efforts across the growing ecosystem of third parties and will discuss:

  • Why organizations' responses often occur only after a breach has been detected and the damage has been done.

  • How a "shift left" approach can help ensure software supply chain breaches are proactively prevented rather than reactively defended.

  • How organizations can mitigate risk by using solutions that have already proven to be successful in other industries. 

 

Stefan Peekel

Chief Growth Officer

Owlin

Stefan is excited about how technology drives organizational change. As such, he is leading the global growth of Owlin, a Natural Language Processing solution that is transforming the TPRM world. Prior to Owlin he had a 16-year technology consulting background with KPMG. When not working he is an avid amateur chef and sailor.

 

Technology & Data Trends for today’s and tomorrow’s TPRM Challenges

Multiple market surveys show that TPRM leaders believe they don’t have the right insights and data to make sufficiently informed decisions and/or effectively monitor their third (and fourth) party environment. In this session, Owlin’s vision on the TPRM space will be presented, along with a broader vision on how technology and alternative data (e.g. adverse news) can be a key building block in meeting today’s TPRM challenges. If you are on a journey to expand your coverage and ability to monitor third party risk in real time, this session is for you.

 

Kimberley Allan

Global Marketing Initiatives

Aravo Solutions

Kimberley leads Aravo Solutions’ global marketing initiatives including brand, corporate communications, digital marketing, thought leadership, demand generation, and business development activities.

 

Kimberley brings more than a decade of marketing leadership experience in the GRC space, building brand recognition, thought-leadership, and revenue-accelerating marketing programs at companies including Thomson Reuters, SAI Global, the Global Association of Risk Professionals, Practical Law Company and Complinet. At Thomson Reuters, Kimberley was part of the senior leadership team that rapidly built the GRC and Risk Division from its inception and also helped launch Thomson Reuters’ Org ID KYC Managed Service. She led a global marketing team responsible for marketing communications, product marketing, marketing operations, and customer insight, with their efforts being recognized with the award of Oracle’s Global Markies ‘Marketing Center of Excellence’ in 2013. In her tenure she oversaw and moderated at the company’s Governance, Risk and Compliance Regulatory Summits in London, Singapore, and the US.

 

Kimberley graduated from Massey University in New Zealand with a Bachelor of Arts, English; a Diploma Media Studies (Distinction), Media Studies; and a Master of Philosophy (1st Class Hons), Business Communications.


A Practical Approach to AI/ML for TPRM

If you believe the hype, AI and machine learning will take control of your program and either solve all of your problems or create a load of new ones in a “black box.” This session is designed to separate truth from hype, explaining:

  • What AI/ML is

  • What it isn’t

  • Why you should incorporate it into your program

  • How to get started

Attendees will be able to use this information to begin building a practical AI/ML strategy that fits their environment, skill set, and risk appetite.

 

John Tondreau

Senior Director and Product Specialist

ProcessUnity

John brings more than 17 years of experience in the areas of risk and compliance to his role as Senior Director and Product Specialist at ProcessUnity. Prior to joining ProcessUnity in 2014, John was the Vice President of Vendor Assurance for Citizens Bank, and previously held positions at KPMG and PwC. John’s deep understanding of the end user’s perspective on Vendor Risk Management has proven to be invaluable when implementing and deploying successful programs for ProcessUnity customers. John is one of our in-house vendor risk management experts.

Next-Generation Third-Party Risk Management: Aligning Cybersecurity & Third-Party Risk

Each day organizations face new threats that jeopardize their critical networks. Gaining visibility into the security risks your supply chain or third-party vendors pose to your organization is a growing priority among cybersecurity leaders. Next-generation cybersecurity practices will require organizations to align both internal and external cybersecurity risk processes to create a standardized process to facilitate effective third-party cyber risk mitigation. 

Join us for a one-hour session as we explore the intersection of third-party risk management and internal cybersecurity practices. We’ll review new strategies and outline the steps to mature your program. 

You will learn how to:

  • Map external third-party risk to internal cybersecurity controls

  • Evaluate control effectiveness against both internal and external risks

  • Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies

  • Build a united cybersecurity program that protects against internal and external threats

 

Sandeep Suresh

Head of Operations & Technology

Supply Wisdom

Speaking with Rohan Ranadive, Head of Third Party Risk Management for Truist

Sandeep Suresh brings over 20 years of experience at leading research, data, and analytics teams. Formerly from Symphony Services and Evalueserve, Sandeep has been at Supply Wisdom since its beginning. At Supply Wisdom, he leads Operations and Technology and is focused on customer success. He is an expert in global sourcing, third party risk, and supply chain risk.

Scale your TPRM Program with Continuous Risk Intelligence

Enterprises are facing increasingly significant threats of disruption. Operational resilience – the ability to continue to deliver on strategic objectives in spite of the challenges of the current risk landscape – requires organizations to evolve beyond legacy risk management practices that take a siloed, reactionary, and recovery focused approach.

 

A modern approach to operational risk and resiliency can help your business perform better. How can you build a program that delivers value beyond the traditional TPRM role?

 

  • How current is your data about third parties?

  • What are the blind spots in your TPRM program?

  • Can you identify the early warning signs of cascading risks?

 

Jason Sabourin

Director of Product Management

OneTrust

Jason Sabourin is the Director of Product Management for OneTrust Vendorpedia – part of the largest and most widely used technology platform to operationalize third-party risk, security, and privacy management. In his role, Sabourin is responsible for driving the development and delivery of OneTrust Vendorpedia’s product line, as well as driving the refinement of the toolset and offerings. He takes a customer-based approach to product development and derives the majority of his backlog from customer feedback and direction. Prior to OneTrust, Sabourin spent six years at Manhattan Associates as a Design Lead, where he collaborated with customers and R&D directors to identify market trends and opportunities for efficiency gains within clients’ distribution centers by utilizing Warehouse Management for Open Systems (WMOS). Sabourin is a Certified Information Privacy Professional (GRCP, CIPP/E, CIPM, CSPO) and a Certified Scrum Product Owner. He holds a Bachelor of Engineering in Mechanical Engineering from Vanderbilt University.

5 Ways to Step-Up Your Business Resilience with Better Third-Party Management

The Apache Log4j vulnerability, SolarWinds, and the Colonial Pipeline ransomware attack have highlighted the need for greater business resilience as it relates to third parties. It’s no longer a question of IF a high-impact event that affects a third party takes place, but WHEN. Many organizations already have Business Continuity and Disaster Recovery plans in place to address resilience. But many of those plans don’t focus enough on the potential impact a third party can have on business operations. And what about your third parties themselves – do they have business continuity and disaster recovery plans in place? Are they ready for a ransomware attack? How will they respond?

Now more than ever, it’s time to refocus on your third parties to understand how they are hindering (or helping) your business resilience. With the increased role of third parties in business-critical activities, the bottom line is directly affected by third parties.


Peter Pernebo

MD, Global Head of Third Party Risk Management Solutions: KY3P

IHS Markit - a part of S&P Global

Peter Pernebo leads the commercial, strategy, and client delivery of third-party risk management solutions at IHS Markit. The KY3P suite of solutions is designed in close cooperation with large industry organizations to provide efficiencies and standardization to the third-party due diligence process.

Before joining IHS Markit, he spent eight years leading various engagements within Goldman Sachs third party risk management office, establishing vendor management policies, procedures and infrastructure to support the firm’s program. 

Prior to that, Mr. Pernebo was the head of the US NE region for Totality, a Silicon Valley technology upstart providing operational support for major ecommerce clients. His responsibilities included sales, client service delivery, and consulting. As part of the executive leadership team, Mr. Pernebo was responsible for product and growth strategies. Totality was acquired by Verizon Business, and Mr. Pernebo led the integration of Totality services.

Before joining Totality, he was a Senior Director at Accenture, leading global supply chain projects for clients in the US, Canada, Japan, UK, Sweden and many other locations.  

He holds a BSc in Business Strategy from Lund University as well as minors in History and Sociology.  Mr. Pernebo is ITIL certified.

Third Party Risk – Your responsibility, but not in your control

Few corporate leaders would consider ignoring the dangers of failing to manage third party risk. But exactly how to successfully manage it is a far trickier question.

 

This session will provide insight on how the TPRM practice has evolved, latest trends, challenges in standing up a program and how to overcome them without creating burdensome processes and large teams.

 

Dr. Jayne Suess

Third Party Risk Consultant

Erie Insurance

Dr. Jayne Suess is a Cyber Security Professional currently focused on third-party risk with over 30 years of Information Technology, Internal Audit, Information Security, and Information Assurance experience. She has worked with consulting firms, Fortune 500 companies, and small to medium-sized businesses. She has also served as the Chief Information Security Officer for small and medium-sized businesses for 14 years. Jayne holds the following certifications: CISSP, CCSP, CDPSE, CISA, CRISC, CTPRP, CTPRA, and PSIA. Jayne completed her doctorate in Cyber Security at Capitol Technology University in 2019, researching factors impacting the performance of critical security controls in protecting consumer personally identifiable information.

How to Mature Your Third-Party Risk Program: Generating a convincing program maturity roadmap 

Does your third-party risk program only perform due diligence assessments? Who is responsible for the third-party risk management program vision? What are the drivers to generate a roadmap that increases the maturity of the program? This session will provide attendees with tools to grow and mature third-party risk programs. Methods to present maturity findings to the board when requesting increases to your third-party risk budget will also be included. Lastly, attendees will gain insight into moving to a continuous risk management mode versus static risk management. 

 
 

David Rusher

Chief Sales Officer

Aravo

As Chief Sales Officer, David is responsible for leading Aravo’s global sales organization. He’s passionate about helping customers solve critical business issues with solutions that support their long-term success and strategic objectives. By delivering the best outcomes for our customers, David helps drive Aravo’s revenue growth through new business, expansion, and renewal sales leadership.

David has over 20 years of executive experience in the enterprise software industry, which spans across most functional areas of business including engineering, product management, product marketing, solutions consulting and sales leadership.

Prior to Aravo, David served as SVP of Enterprise Feedback at MarketTools, where he was responsible for global sales of the MarketTools CustomerSat™ Enterprise Feedback Management solution. Prior to MarketTools, David worked with RightNow Technologies – a leading provider of SaaS customer experience management solutions. He initially served as Vice President of Solutions Consulting for the Americas, where he worked closely with Product Management and Engineering to influence and prioritize key features and capabilities, addressing functional gaps and innovations based on market demand; he was later promoted to Vice President of Sales for the Eastern U.S. and Latin America. Prior to that, he held various solutions leadership roles during a 9-year period with Siebel Systems, culminating in the role of Director, Industry Solutions.

David holds a Bachelor of Science degree in Computer Science from Oklahoma City University.

Apprentice Track: Aravo Demo

Picasso Sponsored Demo - Bringing attendees tools and techniques to accelerate their TPRM programs.

 

Tim Wallace

Third-Party Risk Consultant

OneTrust Vendorpedia

Tim Wallace serves as a Third-Party Risk Consultant for OneTrust Vendorpedia™ – purpose-built software designed to operationalize third-party risk management. In his role, Wallace advises companies throughout their third-party risk management implementations to help meet requirements relating to relevant standards, frameworks, and laws (e.g. ISO, NIST, SIG, GDPR, and CCPA). Wallace works with clients to centralize their third-party information across business units, assess risks and performance, and monitor threats throughout the entire third-party relationship, from onboarding to offboarding.

Spring Cleaning: 7 Steps to Reduce Your Vendor Risk

Are your vendors safe to do business with? This question is one that many organizations have trouble answering. If you’re not sure which vendors you work with, how you work with them, or if they have the right safeguards in place – you’re not alone.

Ultimately, the goal of any third-party risk management program is to reduce vendor risk. This is easier said than done as risks come from many angles, whether it’s data breaches, compliance violations, ethical concerns, or countless other issues. A well-run vendor risk management program eliminates these uncertainties and offers risk managers the clarity they need to feel confident when outsourcing key tasks to vendors.

So, how do the most successful TPRM programs reduce vendor risk?

In this session, we’ll explore:

  • The most common threats and risks when managing vendors

  • How to prioritize risks and take an efficient mitigation approach

  • Practical steps to mitigate your more pressing vendor risks

  • How to build automated mitigation workflows across key stakeholders

  • Risk reduction best practices developed by leading risk management professionals

  • Lessons learned when building vendor risk management programs


Michael Takla

Co-Founder and Chief Revenue Officer

HackNotice

Michael Takla is the Co-Founder and Chief Revenue Officer of HackNotice (hacknotice.com), the only company-wide threat awareness platform. Before his current role, Michael worked extensively in the third-party cyber risk space with CyberGRX and as Director of Inside Sales for SecurityScorecard during their initial product/market fit. He graduated from Rutgers University, New Brunswick in 2011, and when not bootstrapping cyber startups enjoys hiking, chess, and live music in Austin, TX.

The Breach Epidemic: Personal & Nth Party Cyber Risk 

Ransomware is the most prominent threat organizations are facing now. Businesses can mitigate the risk of becoming victims by tracking, tracing, and reviewing ransomware exploits, to ensure no compromising data is exposed that could lead to a security breach. These risks, however, are no longer limited to third parties that are part of an enterprise TPRM program: exposed data leading to compromise originates with 4th parties, 5th parties, and the personal vendors and third parties that employees use in their daily lives. This talk explores these trends with data on recent breaches and the evolution of TPRM beyond vendors and partners that are programmatically tracked to the hidden risks of nth-party and personal services.


Nader Zaveri

Senior Manager, Incident Response & Remediation

Mandiant

Nader Zaveri has over 15 years of experience in IT security, infrastructure, and risk management. Nader has assisted clients' incident response investigations, helping to reconstruct the storyline of attacks by the most elusive nation-state threat actors associated with infamous on-prem and cloud-based breaches. He also leads remediation efforts, drawing on his knowledge and experience to provide strategic short-, medium-, and long-term remediation recommendations to breached organizations. He has conducted interviews and presentations for dozens of organizations and conferences on cloud and on-prem Incident Response and Remediation topics. He regularly provides security updates and briefings to Federal and Local Government organizations, as well as C-Suite personnel, during and after an incident. Prior to Mandiant, Nader Zaveri spent several years in leadership positions at major cyber security consulting firms, and as a lead practitioner for multi-national organizations.

A Golden Ticket to the Cloud 

In a post-pandemic world, more and more organizations are moving to the cloud. Due to this rapid migration, we have also observed an influx of cloud-based breaches that we have been requested to investigate and respond to. Late last year, the SolarWinds breach introduced another novel method of gaining access to a cloud environment by bypassing Federation Services, in a technique dubbed the Golden SAML attack. Hope is not lost, though, because even if the federation certificates are compromised, these unauthorized logins are still detectable, as long as authentication logs are correlated between the federation server and the cloud environment. By abstracting the attack technique to its core components, using open-source tools, we can engineer detection events relevant to multiple providers and environments. The presenters will also provide a case study of this novel attack technique (Golden SAML) and demonstrate high-fidelity detection approaches to assist Security Operations teams in defending against adversaries. We will also discuss multiple open-source tools an organization can utilize to better understand its cloud environment and identify misconfigurations.
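The correlation idea in the abstract, as an added example that is not code from the talk or from Mandiant: a forged SAML token is signed with the stolen federation certificate and goes straight to the cloud tenant, so the federation server never records issuing it. Joining cloud sign-ins that used a federated token against the federation server's token-issuance audit events therefore surfaces sign-ins with no matching issuance. The records below, the field names, and the helper names are constructed for illustration (real ADFS audit events and Azure AD sign-in logs use different schemas); the second check, flagging assertions with an abnormally long validity window, is a common supplementary heuristic that the abstract does not itself describe.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. Each record stands in for a
# token-issuance audit event on the federation server (who got a token, when,
# and for which relying party). Auditing must be enabled for these to exist.
ADFS_ISSUANCE = [
    {"time": "2021-12-01T09:00:05Z", "upn": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2021-12-01T09:30:10Z", "upn": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed sample cloud sign-in records. "federated" means the tenant
# accepted a SAML token from the federation server; "managed" means the user
# authenticated directly to the cloud identity provider.
CLOUD_SIGNINS = [
    {"time": "2021-12-01T09:00:07Z", "upn": "alice@corp.example", "auth": "federated", "ip": "203.0.113.10"},
    {"time": "2021-12-01T09:30:12Z", "upn": "bob@corp.example", "auth": "federated", "ip": "203.0.113.11"},
    # Federated sign-in with no issuance event behind it: the footprint a
    # forged (Golden SAML) token leaves, since it never touched the server.
    {"time": "2021-12-01T11:15:00Z", "upn": "admin@corp.example", "auth": "federated", "ip": "198.51.100.7"},
    {"time": "2021-12-01T12:00:00Z", "upn": "carol@corp.example", "auth": "managed", "ip": "203.0.113.12"},
]

# Constructed SAML Conditions (NotBefore / NotOnOrAfter) from the same sign-ins.
ASSERTIONS = [
    {"upn": "alice@corp.example", "not_before": "2021-12-01T09:00:05Z", "not_on_or_after": "2021-12-01T10:00:05Z"},
    {"upn": "admin@corp.example", "not_before": "2021-12-01T11:15:00Z", "not_on_or_after": "2022-12-01T11:15:00Z"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_federated_signins(adfs_events, cloud_signins, window_seconds: int = 600):
    """Return cloud sign-ins that presented a federated token but have no
    issuance event for the same user within `window_seconds` before the
    sign-in. The window absorbs clock skew and the normal redirect delay
    between the federation server and the cloud tenant."""
    window = timedelta(seconds=window_seconds)
    issued_by_user = {}
    for event in adfs_events:
        issued_by_user.setdefault(event["upn"].lower(), []).append(parse_ts(event["time"]))

    suspicious = []
    for signin in cloud_signins:
        if signin["auth"] != "federated":
            continue  # only token-based sign-ins can be forged this way
        seen = parse_ts(signin["time"])
        issued = issued_by_user.get(signin["upn"].lower(), [])
        if not any(seen - window <= t <= seen for t in issued):
            suspicious.append(signin)
    return suspicious


def find_long_lived_assertions(assertions, max_lifetime_seconds: int = 3600):
    """Return assertions whose validity window exceeds the lifetime the
    federation server is configured to issue. An attacker minting tokens
    offline often picks a far longer window than the legitimate default."""
    limit = timedelta(seconds=max_lifetime_seconds)
    return [
        a for a in assertions
        if parse_ts(a["not_on_or_after"]) - parse_ts(a["not_before"]) > limit
    ]


if __name__ == "__main__":
    for s in find_unmatched_federated_signins(ADFS_ISSUANCE, CLOUD_SIGNINS):
        print(f"ALERT: federated sign-in without issuance event: {s['upn']} at {s['time']} from {s['ip']}")
    for a in find_long_lived_assertions(ASSERTIONS):
        print(f"ALERT: abnormally long assertion lifetime for {a['upn']}: "
              f"{a['not_before']} to {a['not_on_or_after']}")
```

Two caveats a practitioner would want: the correlation only works if federation-server auditing was enabled and the logs were shipped off the host before the compromise, because an attacker who holds the signing key usually also holds the server that writes those events; and the window must be tuned per environment, since a window tighter than the real skew between the two log sources produces false positives on every legitimate federated sign-in.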


Jon Sternstein

Founder & CEO

Stern Security

Jon Sternstein is the Founder and CEO of Stern Security, the cybersecurity company behind Velocity, the internal and vendor risk management platform (https://www.velocitysec.com). Jon is the co-author of the Cisco Press course "Security Penetration Testing (The Art of Hacking) LiveLessons". Jon holds many security certifications, including GPEN, CISSP, and Certified Ethical Hacker. Jon Sternstein has been a featured Cyber Security Expert on ABC News, WRAL News, CBS News, ISSA Journal, PenTest Magazine, and Business North Carolina Magazine.

12 Pro Tips for Performing Effective Vendor Reviews

As members of the security community, we should all be on a mission to secure the planet. Reviewing our vendors to see if they can protect our data is an essential part of this process. Unfortunately, performing vendor security reviews is time consuming, complex, and varies in accuracy. Thankfully, there are solutions to help and we’ll discuss 12 pro tips to ensure your vendor security reviews are more efficient and accurate.


Rohan Ranadive

Head of Third Party Risk Management

Truist

Rohan is a senior executive with 25 years of leadership success in Banking, Financial Services, and Technology. He has consistently inspired and led large and diverse global teams to achieve business resiliency and operational excellence while effectively balancing risk management and regulatory compliance. Rohan brings a blend of business development, client and stakeholder management, culture alignment and change management skills to every endeavor.

Rohan joined Truist's predecessor BB&T in 2007 and was responsible for leading teams that delivered enterprise efficiency programs streamlining technology, operations, and risk functions, resulting in over $500M in operational efficiencies. Prior to his current leadership role in Third Party Risk Management, Rohan led the bank's digital transformation agenda, powered by AI, Automation, and Advanced Analytics, to deliver successful and secure client experiences enabled by technology and touch.

Prior experience includes engineering and product management at the Silicon Valley-based startup Middlewire, and business and technology consulting to help clients evaluate spinoffs into Financial Guaranty, international market entry strategies (Italy, Spain, Eastern Europe), risk premium valuations on Mortgage Backed Securities (MBS) and structured finance deals, etc.

Rohan holds an MBA from Wake Forest University and is a graduate of the Stonier School of Banking and the Wharton Executive Leadership Program. Rohan is a sought-after speaker for his demonstrated leadership across Supply Chain, Risk Management, and Digital Transformation. He has previously served on the Advisory Board for Sourcing Industry Group and currently serves as an Advisory member on the Risk Board.

Rohan lives in Charlotte, North Carolina with his wife and son and is an avid tennis player.

How to prepare for the Joint Interagency (FRB, OCC, FDIC) Guidance for Third-Party Governance

Greg Rasner and Rohan Ranadive will share their thoughts on how to prepare for the Joint Interagency (FRB, OCC, FDIC) Guidance for Third-Party Governance from a third party risk management and cybersecurity perspective.

Also speaking with Sandeep Suresh on "Scale your TPRM Program with Continuous Risk Intelligence."


Kristi Kuhn

Principal Solutions Consultant

ProcessUnity

Kristi is a Principal Solutions Consultant at ProcessUnity. She has more than 15 years of experience implementing Risk and Compliance programs for hundreds of organizations during her time at ProcessUnity and previously with Paisley and Thomson Reuters.

Sponsored Demo: Practitioner Track