IT security experts share their tips for managing vendors

Have you ever thought about asking a vendor what their solution doesn’t do well? This isn’t a trick question, but it is a way to see how honest a potential new vendor is willing to be with you. Members of the Wisegate professional networking group offer their tips on how to manage vendors to your benefit.

The brain trust at Wisegate has just published a report to share their insider tips on managing security vendors. Wisegate is an online professional networking community of CIOs, CISOs, CSOs and other IT leaders. They confer regularly to share their experiences and best practices with all things pertaining to IT and IT security. The latest report, Top 10 Tips for Managing Vendors, is freely available online, but I’ll summarize the highlights for you here.

The report addresses three phases of the solution buying cycle:

1. Managing vendor hype before you decide to buy the product

2. Managing your total budget and fitting a new purchase in

3. Managing the vendor relationship once the purchase order is signed

Managing the vendor hype

The Wisegate members say hype often comes from new companies with new solutions that are looking for attention in a crowded space. That doesn’t mean they aren’t offering effective solutions, but busy CISOs can’t answer the call from every salesman. In fact, the group suggests trying to make better use of what you already have before looking to bring a new product into the mix.

One InfoSec director indicates he’s trying to whittle his list of vendors by focusing on getting more from the products and relationships that are working well. His company already uses more than 40 vendors and this makes it difficult to establish strategy cohesion and communication among the vendors.

Another member noted that his company wasn’t using its existing toolset to the fullest extent. Some of the tools had overlap and many had capabilities that weren’t even being used. His team mapped the products’ capabilities against the company’s security requirements and determined they could get rid of some of the tools, saving money and reducing complexity in the end.

But sometimes you need to bring a new solution into the security mix. Members advise approaching your existing vendors first. They may have updates or add-ons that can address your need, or they may partner with another vendor that can do what you’re looking for. When you need to look outside your circle of existing vendors, see what professionals in your network recommend. One CISO who works in higher education talks to other schools that are similar to his. “If we find that one or two or maybe even three vendors are popular with a lot of schools, then those are the ones we start looking at.” This helps cut through the vendor hype and takes you right to the products that most likely do what you need them to do.

When you do engage directly with a vendor, don’t be afraid to ask tough questions. One CISO asks potential suppliers “What are you not good at?” and “What do your competitors do better than you?” The purpose is to see how honest and open the vendor is willing to be.

Managing the budget

In many organizations – and in particular government agencies – there is a “use it or lose it” mentality when it comes to the budget. Conventional wisdom says if you don’t spend your entire budget this year, it might get cut next year. One CISO avoids spending her entire budget to gain credibility with executives. “When I follow this practice,” she says, “the executives realize that I’ll only spend the money that I need to accomplish reducing the risk and affording compliance for all of the organizations.” Of course, the money is there if she really needs to use it, and if she has to ask the board for more, they understand it’s a truly serious request.

Let the vendor know what your budget can sustain. If they want your business, they will find a way to work with you.

Managing the vendor relationship

The vendor relationship changes when you go from kicking the tires to driving off the lot. Effective management skills are critical to success. “Hold them accountable to what they promised,” one CISO stresses. And if you are really pleased with their delivery, be an honest reference for them—it leads to a great working relationship if the vendor knows they can count on you.

Be strong but fair in your relationship. For example, if the vendor is giving you poor support, don’t hesitate to speak up about it. On the other hand, if they’ve assigned someone to you who is doing an exceptional job, let that person’s management know they’ve got a winner. Says one security veteran, “You have to confront them when necessary, but give them the kudos when earned.”

Keep in mind that a good working relationship can benefit both parties. You can build a lot of trust over the course of a long-term relationship. A vendor who is really watching your back will look for ways to bring more value to you as threats change and solutions evolve.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation.  You can write to her at

Essential Solutions Corp. researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
