Your company’s vendor management program may not be what you need to get the most out of your cybersecurity vendors, so I’ll focus on a Cyber Vendor Optimization Strategy. The goal is to synchronize your annual cyber strategy / plan with your current vendors to make everyone successful in accomplishing your mission.
There is a careful balancing act when engaging vendors. I feel like many vendors’ objective is to make as much money off the customer as they can with minimum engagement. Others seem to want to engage you all the time, but only to talk about the next thing you can purchase from them.
Finally, some act like partners that are focused on delivering value and making the customer successful, seeking a long-term relationship (while also making money). Depending on which vendor you’re dealing with, what you share about your challenges and how you leverage the vendor could be completely different things.
To categorize vendors, I tend to use a combination of what we spend with them and what impact they have on reducing risks. I put them in one of three buckets: Strategic Partner, Critical Vendor, and Standard Vendor. This allows me to focus on the vendor engagements with the best ROI and to manage the amount of time I spend on vendor management.
These categories may not match the corporate vendor management definitions, because you will base the decision on your cybersecurity program, not the entire company. The spend levels will often be lower, and the risk focus is on how much the vendor reduces security risk rather than on the risk to operations if the vendor were to fail. There may also be a couple of niche vendors that are critical and should be included in this list.
A quick note on an optional criterion: you may want to consider what network access or sensitive data the vendor has access to as part of their normal operations. This will often tie to contract clauses that ensure audit access for security reviews, notification SLAs around data breaches, and requirements to quickly answer questions around industry-wide security issues (for example, after the SolarWinds incident, questions about what software the vendor uses).
Choices to make
Once you have categorized your vendors in a more formal, process-based way, you will need to decide how to share your strategy with them and how to provide feedback on how they are doing. It can be hard to share information that is sensitive because it maps easily back to the company’s high-risk issues or vulnerabilities, but doing so may be necessary to allow the appropriate partner to team with you on the mitigation. Again, this is typically done only with established vendors who have proven they are dependable partners and have NDAs in place.
So, once you have them categorized, think about the things you want from a good partner: training on their capabilities, ability to scale with engineering support, access to architecture collaboration on technical strategies, insight in how to optimize to reduce OPEX, and innovation. Making these desires clear to your vendors allows them to deliver on them.
Let’s discuss providing feedback to your vendors next. It’s easy to ignore the ones who are doing a good job, but I think this can lead to problems down the road. You need to train your important vendors to provide you with actionable metrics that help you with both risk management and ROI estimates. Scorecards can be a useful tool. This should take an hour or less once per quarter. You may meet other vendors less often or assign those meetings to junior members of your team. You should also track what improvements they are making to the product.
Understanding their roadmap will allow you to see if they are keeping up with the threat landscape and if they are delivering on time. It will also allow you to plan resources to test and implement major changes.
I had great success with kick-off meetings with my top six strategic cybersecurity infrastructure partners, during which I presented my organization’s strategy / plan and expectations for the year. I broke the meeting into two phases. First, we had the technical experts in the room with the sales team on the phone, and I talked about what our strategy / plan for the year was. The second half was only for the technical experts, to talk about how each one could contribute and collaborate to get it done.
We stressed that we did not expect anyone to talk about their contract deliverables or any confidential information about their products, but that we did need them to talk about where they could integrate / collaborate with each other. I also wanted to be open about where there was overlap in capabilities. The goal was to leave the meeting with everyone able to map out a plan to support my goals for the year.
Your vendor management strategy
Along with your strategy / plan for the year mapping out your objectives, I think you need to track “tech debt” around your vendors’ capabilities. Understanding where you have not optimized current capabilities or are behind on upgrades can be just as important to your overall risk profile as your new plans. Holding both your team and your vendors accountable is key here.
The closely related topic of vendor consolidation can be another great area to consider as part of your vendor management strategy. As you think about how to execute your strategy / plan for the year, I think it is critical to leverage your vendors. This synchronization will result in better performance from them, which in turn results in better protection for your company and your customers.