Summit on Security & Third-Party Risk

Session Abstracts

Recovery Over Resistance: The New Paradigm in Cyber Defense

John Anthony Smith, Founder & CSO at Fenix 24

An organization’s ability to recover data post-breach and quickly bring operations back online can be assured with the proper orchestration of immutable data backup technology. In this session, attendees will learn:
1. Data recovery and restoration of operations can be assured in the event of a cyberattack or ransomware event.
2. Establishing immutable backup technology is the best weapon of defense against threat actors.
3. Resistance to cyberattacks is important, but such activities must complement a robust data recovery program.

Modernizing Data Driven Operational Resiliency

Prateek Agrawal, Head of Technology Resiliency at Centene Corporation

Constantly evolving threats arising from cyber, supply chain, climate change, geopolitical or socioeconomic risks require every firm to withstand disruption and be "invocation ready" to minimize customer impact. The current industry approach is largely siloed across the cyber, data, third-party and continuity communities, with point-in-time plans. The session will focus on modernizing resiliency and leveraging data to build "Resilient by Design" capabilities and response.

Efficiency Meets Third-Party Risk: The New Age of Third-Party Risk Assessment

Sagar Behere, Head of TPRM – Senior Manager at Circle Internet Financial

As organizations move from building to maturing their Third-Party Risk Management (TPRM) programs, the focus shifts to speed and efficiency without compromising risk. This presentation reveals how AI-driven tools and intelligent design are cutting third-party onboarding times by almost 70%, transforming cumbersome processes into streamlined, scalable systems. Learn how automated risk assessments, smart questionnaires, custom GPTs and parallel approval workflows are enhancing decision-making, reducing manual effort, and ensuring compliance. Attendees will leave with actionable strategies to optimize onboarding, improve risk visibility, and evolve their TPRM programs to meet the demands of a fast-paced business environment.

ABC's of TPRM

Mike Carver, Director, TPRM at Arkansas Blue Cross and Blue Shield

We will walk through the ABC's of kicking off and establishing our TPRM program at Arkansas Blue Cross Blue Shield (ABCBS): the initial gathering of vendor data (spreadsheets), gaining leadership support, setting up a steering committee, building an inventory, assessment and due diligence, and continuous monitoring. We will discuss what has worked well, improvements we've made, and our next steps.

Can AI Be Your Trusted Partner in Securing Your Extended Business Ecosystem?

Phani Dasari, Global CISO at HGS

Traditional third-party risk management (TPRM) approaches are struggling to keep pace with the ever-evolving threat landscape. Enter Artificial Intelligence (AI), poised to revolutionize TPRM with exponential gains in speed and accuracy. By leveraging AI’s analytical prowess and automation capabilities, organizations can significantly strengthen their TPRM posture.

Panel Discussion: Embedding an Effective Security Awareness Program into Your Organization's Culture

Brenda Albeño, Manager of Governance, Risk & Compliance at Loeb & Loeb LLP
Patrick Fennessey, Manager of Information Systems Security at Manatt, Phelps & Phillips, LLP
Ken Fishkin, Senior Manager of Information Security at Lowenstein Sandler LLP
Raenesia Jones, Cyber Security Analyst II at Davis Wright Tremaine LLP

Most employees feel that security awareness training is boring and a waste of their time. Usually, employees are required to watch a canned video once a year and answer a few questions to confirm that they were paying attention. While this does meet most compliance requirements, this form of training is not enough to educate employees throughout the year about the latest threats facing their own organization. Since security awareness training is a critical component of protecting an organization from financial and reputational damage, a task force known as the PHISH (Pretexting, Hacking, Impersonating and Scamming Humans) Committee has been formed to provide a multifaceted approach to continuous training with a better user experience. Join us for a lively panel discussion, where you will learn about tools, tactics and techniques for making security awareness training more impactful, personal and entertaining.

Cyber Threat Intelligence: The Critical and The Practical

Bill Kyrouz, Information Security Director at Paul, Weiss, Rifkind, Wharton & Garrison LLP

What does a threat intelligence program look like in small to medium sized enterprises? Could social media be your best kept secret? What kind of intelligence monitoring is actionable? We'll cover these and other questions, and discuss what is working for our colleagues in the audience.

25 Years of Information Sharing: Past, Present, and the Future of Collective Resilience

Bill Nelson, Former CEO of FS-ISAC & Founder of GRF

Bill played an instrumental leadership role in the growth of the information sharing and analysis center (ISAC) movement. As CEO of Financial Services ISAC, and later Global Resilience Federation, he was a pioneer in the development of collective defense, cross-sector sharing, and advancements in industry resilience. In this presentation he’ll discuss some of the key milestones in today’s security environment, from the advent of email threat lists, and the inception of the Traffic Light Protocol, to the launch of secure sharing portals and the movement into automated threat exchange. Reflecting on his long history in the threat information sharing industry, he will pose to the audience what he expects to be the greatest future threats and the ways in which we can work together to overcome them.

Predict, Prioritize, Protect: Next-Gen Third-Party Risk for the Retail Enterprise

Jefferson Pike, Director, Third-Party Risk Management at Lowes

In today’s volatile retail landscape, information security risk managers are under pressure to predict and mitigate third-party risks faster and more intelligently. This session explores how AI-driven assessments, predictive risk modeling, and the FAIR methodology can be leveraged to prioritize and remediate third-party threats—especially as geopolitical tensions and cyber regulations evolve. Attendees will gain actionable insights on integrating forward-looking analytics into their TPRM programs, using real-world examples from large-scale retail environments. The session will also highlight how to align these practices with operational resilience goals and drive meaningful security outcomes.

Developing Resilient TPRM Programs in a Dynamic Risk World

Julie Gaiaschi, CEO at Third Party Risk

As the third-party risk landscape evolves, so must the people who are leading it. This session explores how strategic leadership and cross-functional relationships can lead to operationalized risk mitigation and organizational resilience. We will discuss techniques for how resource-strapped organizations mature TPRM amid budget, staffing, and stakeholder challenges. Attendees will leave with strategies to cultivate internal champions, align with enterprise risk management, and lead with clarity in an increasingly complex risk environment.

Intelligent Vendor Risk Management

Jake Wefel, Sr. Security Engineer at Amazon
Bhawna Khayani, Sr Technical Program Manager at Amazon

In today's digital ecosystem, managing vendor security risks at scale presents unprecedented challenges for organizations. This presentation showcases Amazon's approach to transforming vendor risk management through Generative AI, demonstrating how we've revolutionized our security operations while maintaining rigorous standards. We introduce what we call "ThirdEye," which has dramatically improved our ability to detect and assess vendor risks. Using GenAI, we've increased accuracy in identifying data-sharing relationships by asking scope-based questions to determine accurate inherent risk. This has enabled us to shift from reactive to proactive risk management, identifying potential security threats before they materialize. Our approach incorporates three key innovations: automated evidence validation that reduces human hours through LLM-powered peer reviews, expansion of quality control coverage from 10% to 100% of assessments, and an AI concierge that handles 70% of customer security consultations. These advancements have transformed our response window into near-instantaneous resolution, significantly enhancing customer experience while maintaining security integrity.

Fail-Safe Collaboration: Securing Mission-Critical Communications in a Connected World

Paul Harrison, Senior Security Engineering Lead at Mattermost

Collaboration is the backbone of operational continuity, and ensuring the resilience and security of mission-critical communications is no longer optional; it is imperative. This session explores the evolving landscape of secure collaboration, highlighting the risks posed by third-party dependencies, fragmented communication channels, and increasingly sophisticated cyber threats. Attendees will gain insights into best practices for building a resilient communication infrastructure that remains operational under stress, supports zero-trust principles, and aligns with regulatory and compliance frameworks. Through real-world scenarios and lessons learned from high-stakes environments, ranging from incident response to national security operations, we’ll examine how organizations can maintain operational integrity even when traditional systems fail.

AI in Cybersecurity & Third-Party Risk Management

Priyaranjan Samal, AVP - Cybersecurity Assurance at Genpact

As businesses continue to grow, working with third parties and partners has become essential to staying competitive and innovative. In this session, we’ll dive into how Artificial Intelligence (AI) is changing the game in cybersecurity, with a focus on third-party risk management (TPRM). We’ll look at how AI-driven tools are helping teams spot risks in real time, predict potential threats, and automate responses. We will also briefly touch upon what Genpact is doing in this space.

Enhancing Operational Resilience through Risk and Response Maturity

Donna Speckhard, Director, Enterprise Resiliency Governance, Risk and Tools at USAA

The session will cover a structured approach to assessing and improving an organization's risk and response maturity, ensuring that resilience is not just a compliance requirement but a strategic differentiator. We will use case studies and look at emerging risks, maturity models, and benchmarking of a security program.

Smarter AI Procurement: A Cross-Functional Approach to Managing Risk

Radhika Bajpai, Global Head of Technology & Information Security Governance, Risk & Compliance at College Board

AI adoption is revolutionizing business, but each AI vendor brings risks like regulatory exposure, security vulnerabilities, biased models, and opaque supply chains. Traditional procurement and third-party risk management (TPRM) processes weren’t built for AI, creating critical blind spots for CISOs, CROs, GRC, Legal, and Procurement leaders. This session explores how organizations can adapt AI vendor risk management to balance innovation with security, transparency, and accountability. Attendees will gain actionable strategies for AI risk-aware sourcing, vendor due diligence, contracting for AI accountability, and continuous monitoring. Learn how to align AI procurement with compliance frameworks while strengthening vendor oversight and driving business success.

The Enterprise Impact of Third-Party Disconnect and Reconnect

Karl Bode, Senior Lead Information Security Analyst at Wells Fargo Bank

Third-party supply chain attacks are a primary attack vector for threat actors. There is an increasing global trend of initiating third-party disconnects in response to a cyber incident at a third-party provider, as well as a preemptive risk mitigation strategy. Developing a robust third-party disconnect/reconnect program is necessary to enable a predictable path toward restoration of critical services.

Diving Deep into Resilience

Vivek Khindria, Former SVP Cyber Security, Network and Technology Risk at Loblaw Companies Limited

CISOs and C-Suite leaders need to communicate risks in terms of business resilience to boards and regulators. This includes cyber risks but must also include other material and emerging risks such as Artificial Intelligence, quantum computing, and geopolitical risk, for a holistic view and prioritization of resources. All of these risks represent both challenges and opportunities. Using stories from scuba diving and hiking, this session will get the audience up to speed and have them walk away with actionable items that will directly impact strategy, the questions being asked, risk mitigation, and maximization of opportunities.

Navigating the Gray Areas: How Building a Compliance Culture Shapes Cybersecurity Success

Nathanael Dick, Director of Cybersecurity at SteelFab Inc

This session will discuss innovative ways to use a compliance baseline like ISO 27001 or CMMC (Cybersecurity Maturity Model Certification) to initiate change within an organization and create a security culture. There will be emphasis on using frameworks like NIST SP 800-171 and others to build a secure information system.

AI vs. Advanced Cyber Threats: Building a Resilient Ecosystem Amid Third-Party Risk

Sanat Pattanaik, Principal Security Architect at ADP

As cyber threats become more sophisticated and third-party risks continue to rise, traditional security approaches are no longer sufficient. This presentation explores how artificial intelligence is transforming threat detection, incident response, and risk mitigation across complex digital ecosystems. We’ll examine real-world applications of AI in identifying anomalies, predicting attacks, and strengthening defenses against supply chain vulnerabilities. Attendees will gain insights into building a resilient cybersecurity posture that leverages AI to stay ahead of emerging threats and evolving third-party risks.

You've Been Told You Have to Create a Third-Party Risk Program...Now What?

Matthew Ridenhour, Senior Manager, Third Party Risk at UKG

Creating a third-party risk program from scratch can be a daunting task. Where do you start? How do you assess your vendors? Which vendors do you prioritize? In this session, you will learn all of this, and more, in simple and straightforward terms. This session will give you the tools to get your program off the ground, and the knowledge on how to expand it in the future.

Supply Chain Security at Honeywell - Accelerating Compliance

Depender Singh, Director - Governance, Risk & Compliance at Honeywell International

See how Honeywell has streamlined complex and highly regulated supply chain risk management compliance requirements into a single intuitive solution. This session offers an in-depth discussion on Honeywell's ongoing supply chain security journey enabled by a digital backbone. You will gain insights into how we are taking a risk-based approach in building data-driven compliance automation, ensuring customer trust and what it takes to manage risks intelligently. Join us for this unique opportunity to hear directly from a business transformation leader and apply these insights to your own third-party risk management strategies.

Building Operational Resilience for the Digital Economy: Trends Shaping the Future

Amir St. Clair, VP, Enterprise Risk at Advocate Health

As the digital economy evolves, institutions face a critical imperative: adapting to rapid technological advancements while maintaining resilience in the face of emerging risks. This session will delve into the intersection of enterprise risk management and digital transformation, exploring how organizations can proactively build operational resilience to thrive in a digital-first world. Key topics include the role of risk frameworks in navigating advancements in digital infrastructure, the strategic integration of artificial intelligence and machine learning, and the use of data analytics to enhance decision-making. Attendees will gain insights on aligning risk management strategies with digital innovation to address both challenges and opportunities, along with actionable strategies to safeguard against vulnerabilities and improve business continuity in a dynamic digital landscape.

Building Resilient Foundations: Establishing TPRM Excellence

Morgan Binder, Head of Third Party Risk at Stripe
Gary Donoghue, Business Resilience Manager at Stripe

Join us as we explore the essential foundations of a successful Third-Party Risk Management (TPRM) program. Discover best practices to build steadfast relationships with stakeholders and ensure clear communication throughout your TPRM initiatives. We'll share real-world examples that highlight organizations successfully managing third-party risks. Engage in an interactive Q&A to exchange ideas and solutions with fellow professionals in the industry. Whether you're embarking on a new TPRM journey or fine-tuning your existing program, this session will equip you with the confidence to manage complex third-party relationships and mitigate potential risks.