Foreword
After a recent cybersecurity breach shook both U.S. government agencies and corporations and was proclaimed the worst ever, many colleagues asked me if this was my “I told you so” moment. While I could have gloated a bit, I instead reminded them and anyone else who would listen that the next one is right around the corner if third-party risk is not front and center in the security discussion.
As an executive at Cisco and Microsoft, I have built new organizations delivering trust, transparency, cybersecurity, compliance, risk management, sustainability and value-chain transformation. I have been invited to provide testimony to U.S. Presidential Commissions on cybersecurity and currently serve on the executive committee of the Department of Homeland Security's Information and Communications Technology Supply Chain Risk Management Task Force. In addition, I have authored NATO directives and contributed my input to numerous government and industry bodies. In all cases, third-party risk is my primary concern and focus.
There are no easy answers when it comes to third-party security and risk. We all operate in a hyper-connected world and third-party ecosystems continue to expand. When one considers IT/OT convergence, the proliferation of IoT/IIoT, expanding global supply chains, and the accelerated move to a platform economy, it is obvious that the threat surface for both private and public sector organizations continues to grow. So how do we as security and risk professionals ...