To help CISOs deal with security vendors, Wisegate, a private, practitioner-based IT research service for IT professionals, has released its top 10 tips for managing vendor relationships. The tips draw on CISOs’ own experiences with vendors and cover how to stay focused on the task at hand while handling the security budget and day-to-day vendor interactions.
The report, “Managing the Vendor”, divides the top 10 tips into three categories: managing the hype, managing the budget and managing the vendor relationship:
Managing the Hype
Whichever product a CISO chooses, a new purchase should only happen when an upgrade of an existing product would not meet the requirement. As a security veteran from the insurance industry put it, it’s important to “buy a solution, not the hype.” Sometimes that means ignoring vendor calls or scrutinizing a proposed vendor agreement more closely, but the CISOs in the report approach the problem in clearly different ways.
1. Better integration of existing products can be better than more new products
A Director of InfoSec from a Fortune 100 company said that the market has essentially become saturated, and that dealing with a large number of vendors, each with a different specialty, is a chore. “I counted up the different vendors and we had over 40 different security vendors. That makes it difficult to establish any real strategy cohesion and interfacing between the vendors.” The director wants to consolidate his vendor count; although that may force him to give up some of those specialties, he believes better product integration will make up for the loss.
Overlap is another issue. A security veteran from the defense industry agreed that better use of existing products should be tried before new ones are considered. “Last year,” he explained, “we looked at our suite of tools and we said, we’ve got too much overlap here. We’re using 30% of the capabilities of this tool, 80% of this and only 5% of this tool.” Mapping requirements against capabilities then allowed him to retire two of the tools, “noticeably reducing costs and complexity.”
2. Make better use of the vendor relationships you already have
When a new trend or technology emerges, Wisegate advises looking to your incumbent vendors first to see what updates or offerings they can provide. If a CISO is forced to look at another vendor, the new product should be interoperable with the current systems. “What I don’t want,” a healthcare CISO explained, “is a bunch of disparate tools that don’t integrate with each other and cause my cost-of-administration to go through the roof—or to have so many people on board that we start having miscommunications between what the tools are trying to tell us.”
3. Consult others in your network
Since the internal IT team is the part of the organization that will manage the product along with the rest of the infrastructure, buy-in from that group is important. “I’ll give them a couple vendors maybe, or types of tools I’d like and I let them decide which one they can manage the best. If I can get a buy-in from them, then I know it’s going to be a successful project,” said one CISO.
4. Stay up-to-date on trends and technologies
Knowing what products are out there is important, but understanding how they would fit into the organization’s infrastructure is nearly as crucial. One CISO in the report compares vendors using trade magazines, while another takes vendor calls himself.
“I let them describe the product to me briefly and if it’s something that interests me, I will take the call. I even do a webinar on occasion just to keep up with some of the trends. I do read magazines and reports as well but sometimes seeing it on the screen actually makes a difference.”
5. Ask vendors the tough questions to get the right answers
The CISOs in the report want transparency from vendors about who their competitors are and where their own weaknesses lie. A CISO from a large industrial manufacturing company put it this way: “It’s like when you go to a restaurant and ask, ‘What’s the least popular dish?’ I take a similar approach with vendors. ‘When are you not good? What do you do worse than your competitor?’ If you’ve done your research with Gartner or SC Magazine you can gauge the honesty of the vendor’s reply. And that in turn will help you judge whether any relationship will work on the personal level rather than just the technology level.”
Managing the Budget
If your organization has a limited security budget, spending every dollar of it may not win you many friends among board members. A few CISOs offered their experiences on maximizing and managing their budget.
6. Question the use-it-or-lose-it standard thinking
One CISO explained that she avoids using her whole budget: she doesn’t want the organization to think she is spending for the sake of spending, and she wants credibility left for an emergency request.
“The practice that I’ve adopted is to avoid spending my whole security budget,” she explained. “When I follow this practice, the executives realize that I’ll only spend the money that I need to accomplish reducing the risk and affording compliance for all of the requirements.” She adds, “Of course, if I use it, I use it—but if not that ends up serving me well in the long term.”
“…if an emergency comes up that’s not covered by my budget and I have to go in to the board and ask for an exception to that budget spending, then they’re going to trust that I really need it because I’m not just out buying the latest and greatest gadget.”
7. Put the budget ball in the vendor’s court
Just as item No. 5 asks for transparency from the vendor, CISOs should be up front with the vendor about their own budget. “Let them know your budget. But also let them know they’re in for the long run if you can reach agreement,” said a security veteran.
Managing the Vendor Relationship
These tips call for CISOs to take a long view of the vendor relationship, keeping up a continual dialogue on areas such as implementation and product effectiveness.
8. Demand the best, get what you’re promised
Accountability and communication are key to getting the best support, said one security veteran. “One vendor was providing really bad support—so I went to the managing director and said, ‘Hey, I don’t want this guy any more. He’s not giving us what we paid for.’ Well, they found us someone else, and the new guy is much, much better. So I said, ‘Anything that needs touching, I only want this guy to touch it,’ (it was actually to tune up our SIEM). And that’s the only guy we’ll accept now.”
Conversely, if the vendor is doing its job well, tell them so. A CISO also needs their own IT support staff on board to help the vendor.
9. The best benefits are mutual benefits
Some CISOs prefer to work with vendors through the channel, relying on value-added resellers (VARs) to understand the market and perhaps to take on some contractual responsibilities as well. “I like to establish long term relationships with my vendors,” commented a CISO working for state government. “The one I use now I’ve had for seven years.” Over that length of time, mutual trust can develop. “This vendor,” he said, “is not necessarily the most technical vendor around; as a VAR he’s not strong in the ‘V’ part.” But, and this is the point, the CISO can go to his VAR and say, “Look, here’s the problem we got. Can you solve it? And if you can’t solve it yourself, can you find me someone who can?”
10. Be reasonable with vendor gift policies
Most CISOs say that vendor gifts are okay – within reason.
“In our opinion,” commented one security practitioner, “an outright prohibition of vendor gifts is not reasonable. Our policy sets a dollar value limit for individual gifts, events and favors. And this works well for us.”