In this talk, based on years of practical experience in dealing with supply chain security and IT contracts, I am sharing techniques and methods for ensuring that security requirements are properly incorporated into IT contracts, and that business risks are properly assessed – and addressed. The talk will present a number of real-life examples of “contractual security sins”, and from there the attendees will learn what to prevent and how to prevent it. This talk is not about learning pre-made templates for security clauses. Rather, it teaches a structured approach based on Threat Modeling principles for identifying the business risks that require mitigation through contractual clauses, and for aligning those requirements with the organizational risk appetite.