Matt Kelly on Cybersecurity and Suppliers [Podcast]


Post By: Adam Turteltaub

Matt Kelly, Editor & CEO of Radical Compliance, makes a strong case in this podcast for a need to reassess cyber risk. It is becoming, he says, less of a technical issue and more about how companies interact with others: employees, contract workers, vendors and customers are all risk points for cyber intrusions.

This calls for organizations to ask some key questions about outside partners:

  • Should they have access to the network?
  • What access should they have?
  • Are they straying where they shouldn’t?

These, he notes, are all questions compliance professionals are likely used to asking about other risk areas.

The solution, he argues, involves training, of course, but it also involves using some of the techniques developed for vetting third parties for anti-corruption risk. Ask the business people: How are they going to use the supplier? Why are we outsourcing this? Why did you select this third party?

The bottom line is that you need to understand what the business purpose is and ensure the relationship is fit for that purpose and properly monitored and audited. It is also critical to ensure that when a relationship ends, access to systems ends with it.

For existing relationships, make sure there is a clear understanding of who owns each one. In some cases there may be no clear owner, which can be a red flag that the vendor probably doesn’t belong on your systems.
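The three checks described above (does the third party still belong on the network, is it staying within the access it was granted, and does someone own the relationship) can be turned into a periodic access review. The following is an added example, not material from the podcast or from Radical Compliance: it runs those checks over a constructed inventory of vendor accounts and a constructed access log, and every vendor, system, owner and date in it is made up for illustration.

```python
"""Third-party access review: flag vendor accounts that have no business
owner, that are still active after the contract ended, or that have touched
systems outside their agreed scope.

Added example; all sample data below is constructed, not real.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class VendorAccount:
    account: str
    vendor: str
    owner: Optional[str]          # business owner of the relationship; None = nobody claims it
    contract_end: Optional[date]  # None = relationship still current
    allowed_systems: Set[str]     # scope agreed when the vendor was onboarded
    active: bool = True           # whether the account can still authenticate


@dataclass
class AccessEvent:
    account: str
    system: str
    when: date


def review_vendor_access(accounts: List[VendorAccount],
                         events: List[AccessEvent],
                         today: date) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every account that needs attention."""
    by_account: Dict[str, List[AccessEvent]] = {}
    for ev in events:
        by_account.setdefault(ev.account, []).append(ev)

    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        seen = by_account.get(acct.account, [])

        # Ownership: an account nobody claims is a red flag in its own right.
        if acct.owner is None:
            issues.append("no_owner")

        # Offboarding: the relationship ended but the account was never deactivated.
        ended = acct.contract_end is not None and acct.contract_end < today
        if ended and acct.active:
            issues.append("active_after_contract_end")

        # Offboarding, evidenced: logins that happened after the contract ended.
        if acct.contract_end is not None and any(ev.when > acct.contract_end for ev in seen):
            issues.append("used_after_contract_end")

        # Scope: systems touched that were never part of the agreed access.
        outside = sorted({ev.system for ev in seen} - acct.allowed_systems)
        if outside:
            issues.append("out_of_scope:" + ",".join(outside))

        if issues:
            findings[acct.account] = issues
    return findings


# Constructed sample inventory and access log (not real vendors or systems).
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-payroll", "PayCo", "HR", None, {"payroll"}),
    VendorAccount("svc-facilities", "CleanCo", None, None, {"facilities-portal"}),
    VendorAccount("svc-consultant", "AuditCo", "Finance", date(2024, 3, 31), {"erp"}),
    VendorAccount("svc-agency", "AdCo", "Marketing", None, {"cms"}),
]
SAMPLE_EVENTS = [
    AccessEvent("svc-payroll", "payroll", date(2024, 5, 1)),
    AccessEvent("svc-consultant", "erp", date(2024, 4, 10)),
    AccessEvent("svc-agency", "cms", date(2024, 5, 2)),
    AccessEvent("svc-agency", "hr-db", date(2024, 5, 3)),
]
REVIEW_DATE = date(2024, 5, 15)


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed data; used by the demo below."""
    return review_vendor_access(SAMPLE_ACCOUNTS, SAMPLE_EVENTS, REVIEW_DATE)


if __name__ == "__main__":
    for account, issues in sample_review().items():
        print(f"{account}: {', '.join(issues)}")
```

In practice the account inventory would come from the identity provider and the events from authentication or VPN logs, but the logic is the same: every finding maps back to one of the questions the podcast says compliance teams should already be asking.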

Listen in to learn more and hear Matt discuss issues such as how to overcome vendor resistance to audits, understanding when a vendor’s IT security is even better than yours, and the importance of a software bill of materials.


  1. In my opinion, in addition to well-established processes to provide a third party access to one’s network and to audit that third party’s activity on the network, there is a VERY IMPORTANT additional point of emphasis worth considering.

    My suggestion is to ensure there is also a well-established process to deactivate a third party’s access to the network. For example, deactivating the third party’s access to the network upon termination of the relationship between the organization and the third party.

    Thanks for posting this podcast and sharing some sound and practical suggestions.

