Don't Eat the Whale: How to Build a Third-Party Risk Program That Scales

Written by Lee Mangold | May 27, 2026 11:00:02 AM

There's no shortage of frameworks telling organizations what to do about third-party and supply chain risk. What they don't have is a program. In this episode of Absolutely Critical, host Lee Mangold sits down with Jeffrey Sweet, a 35-year risk management veteran, former Security Director at American Electric Power, and founder of Resolute Cybersecurity Strategies, to talk about the hard work that lives between the executive briefing and the team that has to make it run.

Jeffrey built and scaled TPRM from scratch at one of the largest utilities in the country, managing risk across more than 24,000 vendors. He and Lee dig into why most programs stall at the questionnaire stage, what it actually takes to get procurement and legal working with you instead of against you, and how to build a tiering system that focuses your limited resources on the vendors that can genuinely take you down. Get it wrong and you're not just failing an audit. You're leaving the door open for the next SolarWinds.

You'll learn more about:

  • The Questionnaire Trap: Why collecting answers isn't the same as running a program and what validation, continuous monitoring, and contract accountability actually look like.

  • The 24,000-Vendor Problem: How to tier vendors by risk so you're spending your limited resources on the vendors that can actually hurt you.

  • Too Big to Assess: What to do when your largest vendors, the Microsofts and Oracles of the world, simply won't respond to your requests.

  • The FOCI Dashboard: How surfacing foreign ownership, control, and involvement data turned procurement from a roadblock into an ally.

  • Don't Eat the Whale: Jeffrey's sequenced approach to building a mature program over time, starting with contract language, then questionnaires, then continuous monitoring, then SBOMs, and why trying to do it all at once guarantees failure.

This podcast is for: CISOs, GRC professionals, and security leaders responsible for protecting critical infrastructure and human capital against evolving AI-driven threats.

Learn More About Fortress: https://www.fortressinfosec.com/
Connect With Lee: https://www.linkedin.com/in/leemangold/
Connect With Jeffrey Sweet: https://www.linkedin.com/in/jeffreysweet/