By Aleksandr Yampolskiy, Philip Reitinger
May 10, 2021

Every time there's another massive cybersecurity breach that, like SolarWinds, has its roots in a security failure at a third party, policymakers and security experts ask, "Where do we go from here?" The private sector and the federal government haven't yet worked out how agencies can best address the risks posed by their vendors. The problem is especially acute for small and mid-sized organizations: individually engaging, evaluating and auditing every vendor, from custodial services to cloud providers, is cost-prohibitive and unrealistic for the vast majority.

Today, those of us in cybersecurity are like medieval barbers doing our best not to kill our patients. We struggle to know whether an organization was breached because of poor security or because it was doing everything right and was simply overpowered by a nation-state.