The key theme: third party risk management

Changes in the way that we use and depend on our IT infrastructures over the past year have thrown a spotlight onto the sheer complexity of our supplier ecosystems. Whether that be through rapid transitions to cloud-based services, or our heightened awareness of the cyber risks shared among large groups of stakeholders, third party risk management (TPRM) is now firmly on the agenda of most cyber security and data protection teams.

By far the most challenging question when starting to address TPRM is knowing who that ecosystem of providers are. Whether examining a software solution that unifies services from multiple suppliers, or considering the stack of data centres, platform providers, software providers and plugins present in a cloud environment, one contract can have many dependencies.

”The more interconnected and dependent those services become the fewer degrees of separation there are likely to be between those who know they’ve been affected and everybody else”

 As well as complexity in our own supplier systems, with every decision we make we have to be aware that we’re adopting complex systems, where so many of our decisions are made looking at black boxes,  knowing neither the stakeholders nor the potential responsibility gaps that there may be between them.

This has implications for both data protection and security. Every time that a large scale data breach or high impact vulnerability hits the press, decision makers are left wondering if it’s an issue that touches their system … and the more interconnected and dependent those services become the fewer degrees of separation there are likely to be between those who know they’ve been affected and everybody else.

As this area of cyber security grows, the importance of defining ownership, assessing risk over broader scopes, sharing information, and maintaining channels of communication between technical teams increases.

The agility that businesses have to demonstrate in current, rapidly shifting, economic circumstances means that we not only have to understand our risks better, but we need to gain that understanding faster.

In managing the fallout of the rapid transition to cloud many organisations implemented at the start of the pandemic, as well as the need to respond to ongoing changes to working practices, data protection teams are also on the front line.

Tech providers are potentially making higher-risk decisions than normal, developing new functions more rapidly and investing in more in cyber resilience than preventative measures, to ensure that they remain competitive in a market of disruptive technologies.

These decisions flow through to the customers that they supply, who were already experiencing the challenges of responding to third party data breaches.

One thing is certain – when the board asks for a summary of the cyber and data protection risks their business faces, the answer can’t come from inside clear perimeters as directors might imagine, but from a collation of information about third party dependencies. The question is how accurate those estimations are, how quickly we can respond when something goes wrong and how resilient our businesses are to a third party breach.

Emma Osborn, cyber security consultant