S5E5: Greg Rasner - Zero Trust and Third Party Risk Management

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?

- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?

- TPRM often involves manual subjective lengthy questionnaires that we are all painfully familiar with. How effective do you think these are and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire type activities?

- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd and nth tier suppliers are, is this a gordian knot type situation?

- What are your thoughts on first party self-attestations vs 3rd party assessments? Each has its pros and cons and challenges. 

- The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?