Even if your organization doesn’t want to address it, there comes a time when every company needs to take a step back, take stock of their tech stack, and ask themselves if it’s time for a change.
By Tim Bandos, Chief Information Security Officer and VP Managed Security Services, Digital Guardian
It’s not your fault – let’s say your organization has grown, not just in size but in business maturity, since you first implemented your current vendor. It may be the case that the provider hasn’t had the capacity or means to scale along with you.
While it’s not always easy to know when the time is right, there are three tell-tale signs that you’ve outgrown your provider.
Lack of innovation
If your provider isn’t staying on top of the latest technology – solutions that can add value to your business and empower employees to learn new skills and execute their work at a high level – it may be time to look elsewhere. Maybe your company has grown too comfortable with legacy technology. Its drawbacks may seem like slight annoyances to you. Still, it could indicate a larger problem or a missed opportunity to cut costs or add customer value with new alternative technology. Your vendor should be proactive in keeping you apprised of the latest technology and solutions, especially if they can help your company become more economical and productive.
Every organization wants to stay focused on maintaining its competitive edge, especially in a market as volatile as the one today. If your vendor isn’t doing their part – investing in interoperability, so your organization can get a greater return from the sum of your tech investments – it should set off a red flag.
Does your vendor have a CISO? Do they use safe APIs? Are they using DevOps? Have they moved to the cloud for added speed and flexibility? If you answered “no” to any of these questions, you might want to ask them – why not?
Maybe your provider was recently bought and absorbed by another corporation. Whenever a company is acquired and a business changes hands, there’s a lot in flux. With change, it’s not unusual to have some questions about the direction your vendor may be going. With an acquisition, corporate reshuffles are commonplace. Could this impact leadership, engineering, and budget at a vendor you use? Are you willing to trust a company and its vision despite these changes?
In some instances, when a tech company is acquired, innovation is stifled, and the acquiring company does little more than maintain the product. Acquisitions can also result in cutbacks on support resources and failure to invest in new features that help ensure the security of their software.
That’s not to mention that old, deprecated technology can put your employee and customer data at risk. As more and more companies can attest these days, experiencing a data breach can pose a risk to your company’s brand and have a serious effect on carrying out day-to-day business. Your organization is part of a supply chain; it’s essential to ensure that every vendor you partner with is following best practices.
It’s not you, it’s me (your needs have changed)
As I hinted earlier, maybe your organization has grown since you first implemented your current technology vendor, and they haven’t been able to keep up. Perhaps your business has grown so fast that your needs have changed from what they once were.
If your vendor isn’t keeping up by periodically performing audits to ensure that the policies and procedures you have in place are effective in meeting those needs, you may have blind spots in your coverage. Your vendors’ IT services should be tailored to meet your needs. The old marketing slogan, “set it and forget it,” rarely applies to your technology stack. Staying with a vendor that isn’t constantly evolving alongside your business could be hurting your company’s bottom line.
Perhaps your organization has elected to move away from the rigidness of the waterfall software development method and go the agile route to deliver products rapidly and to better respond to changes in your environment. If so, you know that creating a truly agile team requires a big cultural shift and reduced organizational resistance. If your vendor isn’t agile or does something to hold you back from fulfilling that cultural change, you may need one better suited to complement your needs.
Depending on your space, shifting regulatory compliance requirements can often dictate a company’s needs. Satisfying governance, risk management, and compliance (GRC) requirements demands a higher degree of attention. It’s one thing to tick checkboxes associated with regulations like HIPAA, GLBA, and SOX. All of them, in addition to state, federal, and global legislative requirements, require organizations to have the appropriate technical safeguards in place.
To keep up with evolving regulations, especially those slated to take effect soon, organizations need a higher level of engagement, planning, and collaboration from their vendors. Ensuring there’s visibility across all your critical assets to identify data, the organizational policies it’s governed by, and whether it complies, is essential to navigating the risk landscape, too. Your provider should be aware of these changing regulations and offer advice and guidance on satisfying them if they’re not already.
The vendors you use are integral to your company’s success – they help drive growth, revenue, and goals. If yours aren’t, it’s time to reevaluate those relationships…
This story first appeared in the June 2021 issue of CISO MAG.
About the Author
Tim Bandos is the Chief Information Security Officer (CISO) and VP Managed Security Services for Digital Guardian. He brings over 15 years of experience to the position, including his five years as VP of cybersecurity at Digital Guardian. Prior to joining Digital Guardian, Bandos was Director of Cybersecurity for Dupont, where he was responsible for overseeing internal controls, incident response, and threat intelligence.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.