After an inspiring discussion of how interoperability is the future for community health at last week's CIE Summit, the sobering reality is that third-party cyber risk is a huge and complex problem.
With hundreds, if not thousands, of data-interoperability partners exchanging sensitive data, the complexity drives risk to a level that slows progress to a halt. In fact, the overarching theme of the event was how to "get to yes" on data sharing.
The "Getting to Yes" theme included bringing diverse stakeholders to the table from government, legal, Community-Based Organizations (CBOs), and privacy / security to find ways to communicate risk, and the context around that risk, to the constituent organizations. When risk is communicated consistently, each organization can make sound decisions about which services to provide and to whom.
This is not a unique problem. As Ericka Chickowski reported in Dark Reading on April 19th, "third-party cyber risk and vendor risk management remains largely immature at most organizations." The ongoing spate of breaches originating from third-party contractor systems and accounts bears this out.
There is no easy solution. Aligning customer and vendor contracts, privacy policies, and service commitments is challenging and costly. Begin by identifying which vendors have the most access to sensitive or regulated data, and focus your effort there first.
Almost every organization is having this conversation (or should be), so you are not alone. There is an emerging group of risk-management providers and tools to help you make sense of it all. Particularly if your organization is subject to the CCPA or GDPR, you may want to engage a third-party expert to help you understand your liability and build a path to compliance AND security.