Good day all!!
Consider the situation: a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) because it is not financially viable for them. At the onset of the business relationship this was not the practice, and it was ignored for some years; over time, due to some regulations, it has come up as a high priority.
The third party service provider is not ready to provide the required service.
Moving to another service provider will incur a huge cost to the org.
The encryption service is necessary for compliance; otherwise there are huge fines and great danger to the business.
What is the best course of action?
Document each course of action. Then do simple math to attempt to figure out the best course of action.
Option 1) Do nothing. Yes this is always an option that most people forget about. Risk = Huge fines, breach of data, damage to corporate reputation, etc.
Option 2) Fire the current 3rd party and replace with a new one. Document the replacement cost vs current cost + fines.
Option 3) Pay current vendor to remedy situation. Figure out cost to "upgrade" the service. Compare against costs of option #1.
Option 4) Can the service be brought in house? Figure out the costs and compare against all other options.