Information technology and operations technology are converging in this
digitized world. It is not enough for organizations to focus only on
protecting their internal business models, offerings, and
infrastructure. Organizations must look at their value chain
holistically and consider whether each third party that is involved in
their business model or touching their offerings poses a risk to their
security.
The short answer is that they likely do: Research by
the SANS Institute found that 80 percent of data breaches originate from
third parties.¹⁵ To reduce risk, organizations must foster a value
chain where trust is not implicit and security is everyone’s
responsibility. As a foundational step toward achieving this goal,
organizations should:
- Identify the key players in their third-party ecosystem and understand what those third parties deliver
- Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in that ecosystem
- Assess whether those third parties are operating within the tolerance levels set by the organization’s security architecture
- Be alert to new security risks that the ecosystem may present as digitization increases
...
Organizations, together with their third parties, need to answer
questions such as, “How will data be generated and by whom?” and,
“Should the data be digitally mined?” Further clarity requires
determining the answers to such questions as, “Who owns the digital
assets we are collecting or creating?” and, “With whom must we share
that information?” Another critical question to answer: “Who owns what
liability and obligation when a breach occurs?”