Zero Trust Journey

Episode 46: Navigating Third-Party Risk and Continuous Monitoring

Victor Monga Season 1 Episode 46

Duration: 23:12

In this episode, host Tiernan O'Malley sits down with Rachel Curran, GRC practitioner and founder of Locktivity, to unpack the complexities of Governance, Risk, and Compliance (GRC) in a cloud-first world.

We dive deep into why third-party risk management cannot just be a "check-the-box" compliance exercise and how organizations must shift their focus from merely assessing vendors to actively managing how they interact with them.

What You’ll Learn:
◈ The Fallacy of the Checklist: Why passing an audit doesn't automatically equal operational security.
◈ Continuous vs. Point-in-Time: The true value of SOC 2 audits and where continuous monitoring actually needs to step in (like catching missing 2FA).
◈ Quantifying Risk for Leadership: How to move beyond dollar amounts and make cyber risk personal and relatable to the C-suite.
◈ Silent Attack Vectors: The danger of stale OAuth tokens, unenforced SSO, and secrets left in commit histories.

Key Moments:
02:40 ➔ The Breach Reality: Why assessing vendors to completely avoid breaches is impossible, and why impact mitigation is the real goal.
05:43 ➔ The Snowflake Example: How point-in-time audits often miss critical dynamic configurations like 2FA.
10:53 ➔ Personalizing the Threat: How agentic AI integrations exposed a CEO's tax history—and why that changes the security conversation.
16:36 ➔ The OAuth Danger: Why leaving unused OAuth tokens active is like leaving your front door open while on vacation.
18:34 ➔ Warning Signs: How M&A activity, mass layoffs, and vendor evasiveness can predict upcoming security risks.

🎙️ Meet the Guest:
Rachel Curran is a GRC practitioner with over a dozen years of experience building SOC 2 and ISO security programs for startups. She is the founder of Locktivity, a platform focused on helping companies understand where their true third-party risk lies and how to proactively limit impact.
➔ LinkedIn: Rachel Curran
➔ Locktivity: locktivity.com

About the Host:
Host: Tiernan O'Malley, Framework Security

Subscribe to our LinkedIn to never miss news, updates, and quizzes to earn digital badges.

Disclaimer: The views expressed are those of the speakers.