Truist

Transcript:

Iken Ilabuchi (Ike) – Truist

My name is Iken Ilabuchi, but I go by Ike. I work for Truist, which was formed through a merger between Heritage SunTrust and Heritage BB&T. We’re a financial services company specializing in wealth management, commercial lending, payments, and other lending business practices, as well as commodity and small banking support.

At Truist, I’m responsible for managing the Cyber Third-Party Risk Monitoring team, which includes functions like cyber third-party incident monitoring, third-party connections approval, and continuous monitoring for our higher-risk vendors.

Today, our focus is on managing risk from a supply chain perspective—how do we proactively detect risks and mitigate them before they become incidents? And if an incident does occur, how do we attribute it, investigate, and ensure we contain it from a cyber impact standpoint?

My team is embedded in the Cyber Operations function. We collaborate closely with other cyber stakeholders, including the cyber threat intel team, cyber architecture, and our Security Operations Center (SOC), to ensure we are collectively managing supply chain risks. We use platforms like SecurityScorecard to monitor and measure those risks.

Although our team is separate from the SOC, we work in collaboration with them. The SOC monitors internal logs and alerts, while we leverage SecurityScorecard to monitor external-facing assets of our vendors. This allows us to map and investigate those risks and determine the appropriate mitigation steps.

Before SecurityScorecard, we were using a different solution. Our processes weren’t well-defined, and the previous platform generated a lot of noise and false positives. There was a lack of clarity and innovation that we were looking for in a solution—something that could view supply chain risk holistically and evolve with emerging threats.

We went through an RFP process and evaluated multiple vendors before ultimately selecting SecurityScorecard. It fit our use case best, particularly because of its automation capabilities, strong API integrations, and proactive approach to supply chain risk management.

Today, we’ve implemented SecurityScorecard by conducting a tiering process to prioritize our most critical vendors—those with connectivity to us, those handling critical data, or those with a history of cyber incidents. We narrowed down the alerts we monitor to the most critical security concerns and created targeted portfolios in the platform. This allows our analysts to quickly engage vendors for remediation or mitigation.

SecurityScorecard has helped us focus on what really matters—both to our organization and our vendor ecosystem. It’s allowed for more targeted engagements with vendors instead of broad, ineffective outreach. Now, I can sleep better knowing we are engaging with the right vendors for the right reasons.

It’s also enabled us to perform deeper, more specific research with our analyst teams—not just looking at general risks, but assessing the actual impact to our organization based on how we use a given vendor’s services. This gives us actionable, holistic insights into vendor risks and allows us to engage in more precise and effective risk management.