Integrate cybersecurity into TPRM to reduce vendor breach impact, meet DORA and NIST C-SCRM expectations, and monitor fourth-party exposure using SBOM-driven diligence, threat intelligence, and automation.
Key Features
Design a TPRM lifecycle linking vendor risk to cyber outcomes
Map NIST, ISO 27036, DORA, and GDPR to audit-ready controls
Enforce contracts, SLAs, and due diligence across 3rd/4th parties
Implement continuous monitoring beyond questionnaires
Develop breach response playbooks with SBOM
Book Description
Modern organizations rely on complex vendor ecosystems, but third-party risk management (TPRM) and cybersecurity often operate in silos. This book shows how to connect vendor risk management with supply chain cybersecurity using a practical, lifecycle-driven approach. You'll design a program covering onboarding, vendor risk assessment, continuous monitoring, and offboarding. Instead of static questionnaires, you'll use threat intelligence, security ratings, and real-world signals to strengthen third-party security and improve decisions across procurement, legal, and security teams. The book aligns practices with NIST supply chain risk management (C-SCRM), ISO 27036, DORA compliance, and GDPR, translating them into audit-ready controls and governance. You'll learn how to embed vendor due diligence into contracts, manage fourth-party risk, and extend security requirements across suppliers. It also covers SBOM (Software Bill of Materials) standards such as SPDX and CycloneDX to improve software supply chain transparency. Finally, you'll develop vendor breach response playbooks and apply automation and AI-driven risk scoring to scale your program. By the end, you will be able to build a resilient, intelligence-led TPRM capability.
What you will learn
Build a TPRM lifecycle for supply chain cybersecurity
Perform vendor risk assessment and tiering
Align with NIST C-SCRM, ISO 27036, and DORA
Embed vendor due diligence into contracts and SLAs
Identify and manage fourth-party risk exposure
Apply SBOM (SPDX, CycloneDX) to supplier security
Run vendor breach response for supply chain incidents
Use AI and automation to scale vendor risk management
Who this book is for
This book is for cybersecurity leaders, TPRM/VRM practitioners, risk managers, and procurement professionals who need a repeatable way to evaluate and monitor vendors and critical suppliers. Compliance teams and in-house counsel working with DORA, GDPR, HIPAA, and related requirements will also benefit. Basic familiarity with security principles and vendor management helps.
Table of Contents
The Disconnect: TPRM vs. Cybersecurity in the Supply Chain
The New Attack Surface: A Taxonomy of Supply Chain Risks
The Foundational Framework: A TPRM-Driven Security Lifecycle
The Regulatory Blueprint: Navigating Key Frameworks
The Legal Foundation: Embedding Cyber into Contracts
The Unseen Threat: Managing Fourth-Party Risk
Deep Dive: Threat Intelligence, Uncovering Hidden Risks
The Incident Blueprint: Responding to Third- and Fourth-Party Breaches
Measuring and Advancing TPRM Maturity
Connecting TPRM and SCM - Due Diligence of Suppliers and Understanding Threats
Understanding Your Service Provider SBOM - Applying First-Party SBOM Due Diligence to All Service Providers
The Technological Imperative: Leveraging AI and Automation
The Software Ingredient List: SBOM and Software Supply Chain Security
Building an Advanced Program: From Compliance to Resilience
Eric Richardson has had a distinguished technology career in roles from CISO to executive to volunteer AP Comp Sci teacher, with over 30 years of experience specializing in the critical intersection of cybersecurity, artificial intelligence, and operational risk. Currently serving as the Global Leader of Artificial Intelligence and Security Engineering at Cisco, he spearheads corporate-wide standards for secure AI implementation and evaluates complex architectures to ensure robust security controls. His deep technical expertise in AI is evidenced by his authorship of "Prompt Engineering: Hands-on guide to prompt engineering for AI interactions". Eric resides in Washington State with his wife Stacie and his daughters Katie and Maddie. Eric holds a Master's in Computer Science with a focus on cybersecurity engineering, as well as an MBA.
Filipi Pires is an internationally recognized cybersecurity leader, researcher, and global speaker specializing in adversary emulation, identity security, and offensive security operations. With over 15 years of experience in the cybersecurity industry, he has built a career at the intersection of technical research, product strategy, and community leadership, helping organizations understand, simulate, and defend against real-world cyber threats. He currently serves as Head of Technical Advocacy at SCYTHE, where he leads global initiatives focused on Breach & Attack Simulation (BAS) and Adversarial Emulation & Validation (AEV). In this role, Filipi works closely with enterprises, government organizations, and security teams worldwide to operationalize adversary simulation, validate defensive controls, and mature cyber resilience programs through realistic attack scenarios.
Beyond his corporate role, Filipi is the Founder & Investor at CROSS-INTEL, a global cybersecurity consulting and market-expansion firm, and Advisor & Investor at Sherlockeye, an AI-driven OSINT intelligence platform designed to accelerate cyber investigations and threat intelligence operations. He serves as Organizer of BSides Porto, one of Europe's fastest-growing community cybersecurity conferences, and Director of the Red Team Village at DEF CON, one of the most respected offensive security communities in the world. He is also Senior Advisor at Raíces Cyber Academy and Founder of the Red Team Community across Brazil and Latin America, initiatives dedicated to developing the next generation of offensive security professionals. As an international conference speaker, Filipi has delivered technical presentations and research at many of the world's most prestigious cybersecurity events, including multiple editions of Black Hat USA, DEF CON, Black Hat Middle East & Africa, RSA Conference-related events, and numerous BSides conferences worldwide. His talks focus on identity-centric attack paths, cloud privilege escalation, supply-chain compromise, breach simulation, and real adversary tradecraft. He has been recognized among the Top 3% Most Active Security Speakers globally, reflecting both the volume and impact of his contributions to the industry. His industry recognitions include AWS Community Builder and Snyk Ambassador. He is also known globally as an advocate for hacking through his long-standing initiative Hacking is NOT a Crime, promoting responsible research, education, and collaboration across the cybersecurity ecosystem. Through his work spanning industry, research, education, and community leadership, Filipi Pires continues to advance adversary simulation practices, identity-focused security, and the global maturation of offensive cybersecurity capabilities.