Re-Engineering Vendor Security Risk Management

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

In this CyberPHIx podcast, Kelly White, Founder and CEO of RiskRecon, outlines key concepts for effective vendor security risk management. Kelly draws on his experience in healthcare as well as other industries vulnerable to third-party data security breaches.

In 2008, the FDIC set a benchmark for vendor data risk by stating that a financial institution’s board of directors and officers are responsible for third-party actions affecting data security. These same standards apply to healthcare organizations, leading to increased oversight of vendor relationships.

You can outsource your systems and services, but you cannot outsource your risk.

Kelly’s position in the security automation market provides insight into emerging trends of innovation and technology to assess the potential risk of vendor data sharing. Our discussion with Kelly touches on some of the following trends:

  • Vendor risk management in peer industries, such as financial services, reveals opportunities for innovation and more effective oversight over vendor relationships in the healthcare sector.
  • The Value of Risk is a key risk management concept that supersedes the rating of risk by the size of vendors.
  • Focus the lens on the Value of the Risk in risk management activities with small or medium-sized vendors to set remediation priorities.
  • Healthcare is an industry primed to adopt and lead innovation and automation in risk management. The next wave of security automation/innovation is likely to come out of the healthcare industry.


Brian Selfridge: [00:00:09] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we'll be bringing you pertinent information from thought leaders and healthcare information, security and privacy. In this episode, we'll be speaking to Kelly White. Kelly is the founder and CEO of RiskRecon. RiskRecon provides a platform to help organizations more effectively manage third-party vendor security risk through frequent, comprehensive and actionable security performance measurements. Kelly and his team are helping the industry tackle a very tricky vendor security risk management problem. We're very excited to speak with him today. We would also like to hear from you as well. So if you have a topic or thought leader that you would like to hear from, just drop us a note at [email protected]. That's [email protected]. Now let's get to our interview. 

Brian Selfridge: [00:01:06] Hello, this is Brian Selfridge, host of the CyberPHIx, the industry's leading podcast for information security and privacy, specifically for the healthcare industry. I'd like to welcome my guest, Kelly White, who's the founder and CEO of RiskRecon. We're really excited to speak with him today. So, Kelly, thanks so much for joining us. 

Kelly White: [00:01:23] Glad to be with you, Brian. 

Brian Selfridge: [00:01:25] So, Kelly, I'd like to dive right into things here. I know you work and RiskRecon works across multiple industry verticals. Now, our audience is primarily in the healthcare arena and healthcare seems to be a bit late to the game historically when it comes to investing and addressing emerging security challenges and at least with respect to other industries. Many healthcare entities are just trying to figure out how to get started with vendor risk management and where to get going. So are there any practices and solutions that have evolved in other industry verticals to address vendor security risk management that you think could be applied to healthcare? 

Kelly White: [00:02:04] Yes, I do. As with most things, doing the basics well is really important. And that applies to third-party risk management just the same. I'd say the very foundation of a good third-party cyber risk management program is just having good governance. What does that mean? It means that you have corporate policies and standards in place that define the third-party cyber risk outcomes you're seeking to achieve and that you have related standards that instantiate a program for achieving those risk outcomes. And so often companies are lacking that, which is a leading sign that they're not really committed to achieving those outcomes. So getting those policies in place that are signed off by the most senior executive management, that these are the third-party cyber risk outcomes we want to achieve and also buying off on the standards that define the requirements and really justify having the program in place are necessary to then get the funding and initiate the work necessary to achieve those risk outcomes that the organization wants. 

Brian Selfridge: [00:03:19] Now in other industries outside of healthcare, is this all self driven, self-motivated activity that's happening, getting the governance together and all that good stuff? Or are there regulations and standards in these other sectors and verticals that are sort of compelling entities to get their act together around vendor risk, governance and management? Is it being forced upon them or are they taking it on because it's the right thing to do? 

Kelly White: [00:03:43] Good question, Brian. So we conducted a study of the third-party cyber risk management programs for 30 companies. And one of the questions that we asked in that study was, what's your motive for having a third-party cyber risk management program? Fifty percent said that it was purely a risk motive, didn't have anything to do with regulation. They are aware of the nature of the risk and the bad outcomes that they want to avoid. And so they stood up programs to achieve good risk outcomes outside of any regulatory motive. Another 30 percent said we only do this because of regulatory requirements. And then the remaining said it's a mix. I can't separate the two. They're so intermingled. So the policymakers have had an effect. But it's not the only motive. Regulations are not the only motive for companies managing third-party cyber risk. Fortunately, a lot of organizations, most organizations, have the intent to do right by their customers and other stakeholders, and that mandates understanding and managing third-party cyber risk. 


Brian Selfridge: [00:04:56] Are there specific regulations of standards that you see outside of healthcare that you think would be most useful or applicable for healthcare to adopt? Like is there some golden state regulation out there or some industry consortium that's pushing down a certain requirement or are there federal guidelines? Is there anything that you would look to as sort of a gold standard that healthcare could say, hey, let's copy and paste that and try to do portions of that here in healthcare? Anything like that out there that we could use? 


Kelly White: [00:05:23] The financial services sector and the regulators had led the way on managing third-party cyber risk and the associated regulations. So you go all the way back to the Federal Financial Institutions Examination Council, the FFIEC, governing body of US financial institutions, all the way back to 2000. They said this, the board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. Now, as time progressed and that was fairly early, that was the first one related to technology outsourcing. That was year 2000. As cybersecurity risk became more important, we saw new regulations come forward. I'd say one of the more concise ones came out in 2008, and it was issued by the Federal Deposit Insurance Corporation, the FDIC, and they said this, an institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling risks arising from such relationships, and this part's important, to the same extent as if the activity were handled within the institution. So I think in the financial services sector, who's been at the regulatory game the longest as it relates to technology, outsourcing and related risk, the standard is that organizations have to understand and manage their risks resident within third-parties as well as if they implemented and operated those programs within their own organizations. And that's the theme, I would say, that the other regulations are following. New York Department of Financial Services NYCRR500 issued in 2018. Even the healthcare sectors, I think the HIPAA security rules, 45CFR, 164308, really point in this direction, where a covered entity has to have satisfactory assurances that their information, their PHI, is going to be properly protected. So I think everybody with the healthcare regulations, with the longstanding financial regulatory themes, what you see with GDPR in the European Union and so forth, I boil it down to this. I think there's plenty of regulation to back it up. You can outsource your systems and services, but you cannot outsource your risk. You have to understand and manage that risk as well as if you were operating those systems and services internally. 

Brian Selfridge: [00:08:07] Healthcare has a pretty bad track record of just sort of looking at HIPAA and saying HIPAA is all we care about and let's get "compliant," and then we'll move on to the business of delivering care. So from a pure regulatory perspective, if you had like a blank sheet of paper, either for the regulatory side itself or the enforcement side, if you had those sort of keys to redraw how regulations or enforcement are done, do you think you would change anything differently than the way it's done today or just focus on that educational piece? Or do you think there needs to be more teeth and more enforcement to sort of force that education in a sense? 

Kelly White: [00:08:48] Well, if I were in charge, I'd actually draft something that looks more like what the NIST Cybersecurity Framework did. This cybersecurity framework is not prescriptive. You must encrypt these data types. You must have this control on an endpoint, so on and so forth, but rather talks about principles and capabilities and so forth and maturity of those capabilities to achieve good risk outcomes. Perhaps something like that for managing third-party cybersecurity risk that outlines what are the outcomes, what are the principles and characteristics and capabilities of an effective third-party cyber risk management program would be more effective, because you do always run this risk if you're regulations overly prescriptive, then people are just literally pursuing the letter of the law instead of the intent or the spirit of the outcome. So, yeah, something along the lines of the NIST Cybersecurity Framework for third-party risk management. And one of the benefits that I think the NIST cybersecurity framework, because of its lack of specificity in implementation, is getting wide adoption. And the conversations that I have with folks who are adhering to or modeling after the NIST Cybersecurity Framework, they're not running checklist type of shops, what's the minimum I need to do to comply, but rather really being thoughtful in making the investments to achieve the good outcomes that are required. 

Brian Selfridge: [00:10:20] Well, switching gears from the sort of big picture regulatory focus standards and the like, maybe providing something a little bit more tangible to some of our listeners. I know some folks are struggling with the volume of new solution providers and vendors that are cropping up in healthcare in particular, where we've got a lot of innovation going on, we've got some really exciting technologies and applications to help deliver better healthcare, support the healthcare ecosystem. And that's awesome. That's exciting. It's fun. But those of us on the security side, and you've seen it I'm sure in droves, trying to figure out how to deal with these small to midsize vendors, in particular that are maybe either in startup mode or early to mid size maturity. That maybe security isn't the first strategic item on the table. Or if it is, maybe they don't know what to do or where to go. What are some of the tactics that you've seen organizations using to deal with those smaller entities and getting them up to speed on security stuff or just validating that they are or are not doing the right thing to protect the data? 

Kelly White: [00:11:28] So I'll talk about some things that have been really interesting to me to observe that I think are innovative in the healthcare space. Primary among those is some leading healthcare organizations have actually boiled down. If you look at a cyber risk management program and you want to do a thorough review of it, you seek assessment questionnaires that can be one hundred, two hundred, three hundred questions long. And while large entities with sophisticated, robust information security programs may have the capability to comply with all of those and answer all those and so forth. As you mentioned, we've got this a lot of small, innovative companies that are providing a lot of value and that healthcare organizations are dependent on for operating their businesses and delivering their services. So you look at those small businesses, and what do you do? They're not going to have a CISO, a dedicated threat, intelligence monitoring team, so on and so forth. I've seen that innovative organizations look at these types of vendors through a lens that's properly adjusted to match again, what's really the risk surface? What's the value at risk in that organization? What's the nature of that? And they kind of approach it in two levels. Many organizations have boiled down some essential characteristics necessary to achieve good risk outcomes that they apply to measuring their vendors. Some of them have said, OK, these 10, or some of them even call it, these are the sacred seven that they must have in place for us to even know that we have a basis for achieving good security outcomes. If they don't meet these basic requirements, then we can't do business with them or we need to get them to meet these basic requirements. Because it often is in doing the basics well, the small number of basics, well, upon which cybersecurity outcomes rest. Examples: software patching. Is there a program and process in place for managing software patching and vulnerabilities? Two: endpoint security. That can mean, is data encrypted? Control of use of external media, managing their own third-party risk, what's that process? Access control, is user authentication in place and so forth. So you look at these basic characteristics, you can certainly slice and dice it down to hundreds. But organizations are starting to look at these very basic characteristics and say, do I trust that this organization has implemented these well and will operate them well going forward? And applying those within the context of the relationship. Not every organization has to have every single security control under the sun to achieve good outcomes. And so I'd say that's how organizations are starting to deal with these smaller companies, really enforcing requirements of basic, good cybersecurity hygiene and then building the relationship over time from there. 

Brian Selfridge: [00:14:22] Now, healthcare tends to have, and this is probably true for other industries, just thousands of different types of vendors in the mix, ranging from both the small and medium size, but also larger entities. Are there any types of "small or medium vendors" that you think pose higher risk to entities that perhaps fly under the radar more often than not? I don't know if there's certain types of services that are carrying high volumes of data that we don't quite think about. Anything like that, that you think you'd recommend entities take a hard look at and not let sort of pass by just because they're small. 

Kelly White: [00:15:00] Yeah, small is no longer directly correlated to the amount of risk, value at risk, with the organization. It used to be that you could look at contract size and say, oh, well, this is a big contract. We've got a lot of risk there. So let's do deeper analysis and have more stringent third-party cyber risk management requirements on them. And then the ones below a certain dollar threshold, we ignore or apply a different set of requirements. That doesn't fly anymore because it's a very small company now, because of cloud computing and so forth, and the advancement of algorithms, very small company under a small contract can be processing a lot of data. So I'd say, push aside, reconsider what your definition of small is and really focus it in on value at risk. So we have to really move away from, again restating that, move away from the traditional approaches to third-party risk management, where it might be based on the dollar volume of the contract or the size of the company and really understand what's the value at risk. What data do they have in physical or electronic form? And what are they doing with that data? What types of services are they providing? So understand that risk surface. Now, as you do that, some things are going to immediately jump to the surface, like healthcare data analytics companies or large claims processing providers for those platforms or maybe some billing solutions. In the healthcare industry, there's so many small organizations that are doing claims processing. They're moving test results around, they're delivering lab results and so forth. And those organizations that aren't traditionally a pure I.T. relationship for data analytics or operating some kind of a platform. Those organizations that are involved in just the business process of reviewing claims, of collecting payments, of processing lab results, those should not be ignored, but they often are because they're not under the banner of, quote on quote, "I.T.", they're in another department. And so they might be managed differently from a different business focus, which is certainly appropriate. But those cannot be ignored. Any organization that is involved in fulfilling those healthcare services, it is essential that the value at risk present with that organization is understood. So bring them into the fold alongside the health catalysts and other types of organizations of the world, where it's obvious that risk exists. 

Brian Selfridge: [00:17:41] Changing the lens a little bit on this problem. It's so easy and so familiar for us that they help organizations manage their vendor risk programs to say, OK, well, the answer is just identify those data analytics vendors and pound them over the head with a mallet and tell them they need to go do the NIST cybersecurity framework and call me when you're ready. That's sort of a natural inclination. But being on the other side of that coin, and I've got a small to midsize business, you do as well. Can these companies, these smaller entry-level type companies, like the data analytics folks, for example, can they afford to do security right? Can they afford to get the certifications to have the resources available, to get the expertise they need to build this stuff, even if they're ready, willing and able? Or maybe frame it this way, what resources are out there to help those types of smaller vendors to get the answer right, in good faith, without having to hire a big powered consulting firm or something like that? 

Kelly White: [00:18:43] Well, there's a number of ways to achieve good third-party risk management outcomes, or restating, there's a lot of good ways an organization can achieve good cybersecurity. They don't all involve massive piles of money and high-powered consulting firms and so forth. So there are many paths to the destination. So that said, I'll answer the question this way. Jeff Belnap, the CISO of Slack, said this, which I thought was really insightful, "If you are in the business of processing other, if your business involves processing the data of other organizations, then you are in the security business." So it goes part and parcel. If you are providing, if you're processing data that belongs to other companies, you are in the security business, and it's just part of being in that part of the business. So you can't play the card, oh, I'm small or, jeez, I can't afford it. Well, if you can't afford it, then you don't have a viable business. If you can't do it, you shouldn't be in the business at all of handling other organizations information, because, again, it's not your data, it's somebody else's. And that somebody else is looking at you. Your customer is looking at you, knowing full well for themselves that they've outsourced systems and services to you, but they have not outsourced their risk. So for every company like you or me or any third-party providing services to other companies where we handle their data, we have to do that knowing that it is their risk, it's the risk of our customers that we've been entrusted with managing well. So size doesn't matter. 

Brian Selfridge: [00:20:23] You've got me thinking back to my days as a CISO for a health system, and I would have a similar conversation with vendors that told me, like, well, no one's asked me about these requirements. I don't know why you're being so hard on me. I would say, look, you know, how did you not know you were getting into a highly regulated business? Like in healthcare, there's no secrets. It's regulated. If you didn't know you had to do this stuff, I'm sorry, you're just figuring it out now, but maybe there's some education too, although I think that's changed in the last couple of years. 

Kelly White: [00:20:54] Well, surprisingly, I still hear that vendors acting like their security program is of no concern or not the business of their customers. And if I were back in my CISO's seat at the financial institution I was at, I would put that as a top red flag. If somebody gave me a response or resisted providing transparency into their program, then that would be a huge red flag, because ultimately this is about trust. Do you trust that that organization is going to protect your risk interests? Yes or no? And if out of the gate, they're being resistant to even being assessed or indicating some things like you mentioned, wow, I would say that that's a big check mark against them being trustworthy. 

Brian Selfridge: [00:21:42] So we talked about regulatory stuff, we've talked about certain types of vendors, but I also recognize you've got one of the more innovative approaches to tackling this problem through technology and automation. And I'm wondering if you can put your crystal ball sort of projecting wizard hat on or whatever and try to think about some ways in which you see vendor security risk management evolving in the years to come. Is there more we can be doing with technologies, are there ways that the automation side of things will evolve from what you're seeing to help move out of maybe some of the more manual processes that exist today of trying to tackle this issue? 

Kelly White: [00:22:24] So framing this, I break down the space of risk management of any kind into two large categories of activity. One is understanding the investments that have been made to achieve good risk outcomes across people, process and technology. And this is where the questionnaires, the documentation reviews, the interviews, the on site visits and so forth are spot on, necessary and helpful. You have to understand the investments for achieving good risk outcomes across people, process and technology. Now the second side is, so that's the first, I've categorized that as attestation, the second category of activity necessary to achieve good risk outcomes is to understand how well the organization implements and operates on those investments. So simple example, attestation. Tell me about people and process and technology across vulnerability management. The attestation back from the vendor might be well, we invested in Qualys Vulnerability Scanner, and we scanned our internet perimeter every day and our internal environments, our entire internal network, every week. And we have people that review that. We have policy that everyone executes to patch critical vulnerabilities in this time frame, et cetera, et cetera. OK, that's good to know. We're in the game. Now, you use that objective data to understand how well do they implement and operate, because they can attest all day to doing the right things. But are they actually doing it well? There's lots of opportunity for innovation on both sides. Does a company have to reinvent their attestation of related to cyber risk management every time somebody wants to look at them? Can we achieve some reusability in that space? I think yes, that's something that's going to happen. On the side of how well does a company implement and operate, there's some really good innovation happening and risk recons in the heart of that, where we from the outside can continuously assess how well an organization implements and operates their cyber risk management across a very wide, surprisingly wide, set of security domains and performance criteria, Web encryption, email encryption, software patching, web application security and so forth. Even reaching into things like, hey, does this organization have effective privacy policies deployed and so forth in their websites? All of that information can be accessed and gathered from the outside through passive analytics of the public content available in their systems and from other sources. So you can get a good understanding of how well companies implement and operate in addition to the attestation of the people, process and technology they've deployed to achieve good risk outcomes. Now, the next step, we fast forward a bit, is how do organizations more intimately intertwine those to inform each other in a way that's automated, that doesn't require an analyst to look at the two data sets independently, but they're automatically intertwined and analyzed to give an understanding of what's my residual risk based on all this information, rather than having the analyst have to answer that question. 

[00:25:53] Are we to the point yet where we can start doing things like predicting which vendors are going to be more of a problem once you start correlating all that data that people process side, that the technology and the validation with the web patching and all this good stuff, can we with any degree of confidence, either now or in the near future, start to predict which vendors are going to be breached, are going to be more of a problem than others? Or is that is that to an outcome? 

[00:26:20] Well, I, I think about it in slightly different terms. Not saying this is the only way to think about it. So let me approach it from this angle. Predicting a data breach. There's a there's a lot of random variables at play where the attackers and their motives and so forth that aren't accounted for, that are difficult to account for, meaning that organizations that do perform well can be targeted. And with sufficient degree of effort, they can be something that can happen. We've seen that happen to good organizations. At the same time, we see organizations that perform very poorly, but they seem to not seem to get away with it. 

[00:27:02] So two things that I think about that are probably more productive. Number one, what's their resistance, strength, resistance to the cyber security threats that are pressing? And that's something that can be objectively measured. It's fact based. It can be observed. It's their software patching rates. Are they managing their IP reputation? Well, are they making good hosting decisions or are they hardening their Web applications? So those that's a measure of resistance strength. Now, the other measure I'd look at is resiliency. OK, well, things go south. 

[00:27:36] I mean, you're a laptop's going to get compromised. How resilient is the organization in that event? Can they contain the blast radius to be very small or does it become a scenario where they end up can compromise and pivot throughout the organization over a long period of time to extract massive amounts of data? 

[00:27:56] So I would look at organizations and say, well, what's the resistance strength and what's their resiliency in the event that the resistance fails? And you have a whole set of objective things that you can measure to conclude and get a good understanding of that resistance, strength and resiliency, perhaps more time and some more math is required or but I think we could get to predicting data breach and size of data breach. But it's going to have to be done in terms of the language of what was there, resistance, strength and at the time, what's the organization's resistance, strength and what's their resiliency that. So there's some more work to do, I think, to build up, to actually predict in breach likelihood. But I would say that there is we would find a very strong correlation between resistance, strength and resistance and resiliency. If we could kind of normalize out the attacker motives, which is a little tricky, is easier said than done. 

[00:28:53] Now, I know the term artificial intelligence is thrown around a lot, and I and I am being very careful about throwing it out there myself. But is there some aspect of either machine learning or true artificial intelligence that would help with some of that math and some of that that analytical calculation of risk, resiliency versus defense, strength, and that kind of thing? 

[00:29:17] Do you think there's an application somewhere down the line for AI in this world or is or is again, is that sort of a little too far afield from where we need to get the fundamentals done first? 

[00:29:28] Absolutely. There is room for this there, and it's in a way that should not be threatening to anyone who is a cyber risk management professional. I don't think it's going to put people out of jobs. If you look at the work that a cyber risk professional does, they're ultimately solving risk. 

[00:29:46] And understanding risk requires you to know at a basic level what are the issues present in an environment and what's the value of the assets that those issues exist in? Only by understanding that can you assess risk and make good risk decisions. Break that out in those two parts, there is a lot of manual and efficient work being done to understand the issues. The questionnaire process is a perfect example. It's a very inefficient way to understand the issues on the attestations side. Now you look at what risk recons doing. We're automating the bringing forward of understanding cybersecurity performance and identifying those issues. So we've taken we have the ability now to assess any organization continuously against 40 detailed, meaningful security criteria and bring forward that information very quickly. And there's a ton of machine learning involved to pull that off. 

[00:30:42] So we have some application there. So you see machine learning algorithms being used, whether it's your internal organization or third-party, to understand the issues side of the risk equation. And the severity of those issues much more quickly and there's room to grow there. You look at the other side of the risk equation, which is you have to understand you don't have risk. Issues are not risks. 

[00:31:02] You only have risk if there's a value that that that could be impacted. And so you have to understand the value of the asset. The issues existed materially today. That's a purely manual process. People go in, they create a catalogue of their systems and they have to manually go in and say, well, this is a high-value system because it's my webmail gateway or this is a high-value system because it's my drug study site or it's my patient oncology portal site, or this is a low value asset because it's just a park domain or it's a medium value asset because it's a brochure Web site advertising insurance policies, but it doesn't collect any information risk. Rickon is invented and deployed some super-sophisticated machine learning algorithms and related platforms that automatically determine asset value. So now we can not only identify the issues in a system, hey, it's running unpatched software and the administration interface has weak authentication and the encryption is broken. 

[00:32:03] But we can also say, and this is a healthcare portal that patients log into to access medical records. Now you have risk. Now you've gotten you've reduced the friction of just understanding risk. And that enables you to you can understand risk much faster, much more clearly with minimal effort, and then you can move to action much faster. So I am super excited about the application of machine learning models to solving risk management, particularly in the third-party risk management space, where customers and vendors are at a tremendous information disadvantage. It's kind of like pulling teeth to try to understand what's going on. The cyber risk management program at your vendors? Well, machine learning algorithms can really make transparent the important parts of the risk equation. What are the issues? What's the severity and what's the the the context of the value of the systems that those issues exist? And speaking to AI, I think some people use that fairly loosely. Some definitions are, well, when you can have a conversation, a conversation with the system and never know, you weren't talking with a person on very broad topics, then you've achieved dayI. So that's a ways out. But the machine learning algorithms definitely massive promise and I think we'll see huge innovation over the next five years. It'll completely transform the space. 

[00:33:35] Well, I'm sorry to say, Kelly, we're running up on time, and I feel like I could go on for hours picking your brain on this stuff because this has been fascinating. Are there any sort of parting thoughts and big picture sort of takeaways that you'd like our listeners to be aware of as they think about the future of third-party vendor risk management, the people, the process, technology, and anything you'd like to leave the group with as we wrap up here? 

[00:33:59] Yeah, I mean, the main message I would say understands the value at risk in the nature of the value at risk across your third parties. Everything pivots from that when there's a compromise or when the FBI contacts you saying, hey, we found some of your information on the dark web. That's too late to really maintain an understanding and awareness of the value of risk in the nature of that with each of your third parties. And then you can start to think about, well, how do we want to manage that risk? Because it is your risk. There is really exciting innovation happening in the space, both on the attestation front and those questionnaires and so forth, but also on the ability to automatically understand how well organizations, your vendors are implementing and operating their security program. Both of them are necessary. They need to have the right investments to achieve good risk outcomes, and they need to implement and operate those investments well. And by leveraging those two capabilities, assuming that you know your vendors and the value at risk there, you can really achieve good risk outcomes. 

[00:35:01] And the automation that's occurring in this space is enabling organizations not only to get those better risk outcomes but also to do it much more efficiently than you might have observed in your own program currently or that you hear about in other programs. So there's a lots and lots of room for innovation. I think healthcare is a really neat industry for third-party risk innovation because it's not overly regulated such that it's hard to innovate. Yet at the same time, there's really material motivation because healthcare organizations know the value of the data that they have and the sensitivity of it and in the harm that could be caused if it gets in the wrong hands. So my last prediction is that the fact that the material innovation and the really rapid innovation, I think will largely come out of the healthcare industry. I think there's just the right mix of motives and a regulatory landscape to enable all of this to happen. 

[00:36:01] Ok, well, I'm ready. I'm ready for healthcare to lead out on something in healthcare and cybersecurity. So I am with you and truly hopeful and supportive that that prediction comes through. 

[00:36:11] Well, we'll watch it closely. 

[00:36:13] Kelly, thank you so much for taking the time to be with us here today. My guess is completely wiped from Riscoe providing some fascinating insights into where we are and where we're headed with vendor risk security risk management. So, Kelly, thanks so much. It's been a pleasure. Thank you, Brian. 

[00:36:33] Again, I would like to thank our guests, Kelly White, who was the founder and CEO of Risk Recon. Kelly shared some great insights with us about the state of third-party vendor security risk management practices. And some ways we can expect to see the space evolving in the years to come. As always, we would like to have your feedback and hear from you our listeners. Feel free to drop us a note about what topic you would like to hear about or thought leader you would like to hear from. Our email address is CyberPHIx@Meditology We look forward to having you join us for the next CyberPHIx podcast coming up soon. See you then.