Supply Chain Risk Management: Managing Third Party and External Dependency Risk

March 2015 • Podcast

Presenter John Haller, Matthew J. Butkovic Interviewer Julia H. Allen

In this podcast, Matt Butkovic and John Haller discuss approaches for more effectively managing supply chain risks, focusing on risks arising from “external entities that provide, sustain, or operate Information and Communications Technology (ICT)."

Publisher:

CERT

Subjects

Cyber Risk and Resilience ManagementCyber Risk and Resilience Management

Listen

Abstract

One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data.

In this podcast, Matt Butkovic, the Technical Manager of CERT’s Cybersecurity Assurance Team, and John Haller, a member of Matt’s team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from "external entities that provide, sustain, or operate Information and Communications Technology (ICT) to support your organization." This is sometimes referred to as third party or external dependency risk.

About the Speaker

John Haller

John Haller is a member of the technical staff on the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As a member of this team, Haller performs research on critical infrastructure protection, focusing on methods, tools and techniques for managing external dependency and third party risk. Prior to joining CERT in 2010, Haller was analyzing cybercrime attacks on the financial industry in collaboration with a U.S. law enforcement agency. Haller received his Juris Doctor from the University of Pittsburgh and is also a GIAC Certified Incident Handler.

Matthew J. Butkovic

Matthew Butkovic is the Technical Manager of the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon ...

Matthew Butkovic is the Technical Manager of the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Butkovic performs critical infrastructure protection research and develops methods, tools, and techniques for evaluating capabilities and managing risk.

Butkovic has more than 15 years of managerial and technical experience in information technology (particularly information systems security, process design and audit) across the banking and manufacturing sectors. Prior to joining CERT in 2010, Butkovic was leading information security and business continuity efforts for a Fortune 500 manufacturing organization.

Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Julia H. Allen

Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor of Science in Computer Science (University of Michigan) and a Master of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).

Software Engineering Institute