
Vendor Relationships: Soft Skills for CISOs

It’s important to understand how the CISO interacts with vendors to ensure the trust relationship is protected.


A CISO has the responsibility of building a solid relationship with their peers and staff. Building this rapport takes time and rests on mutual trust, open communication, and a largely shared goal: organizational success. The Certified Chief Information Security Officer (C|CISO V1 and V3) program builds on these skills. Vendor relationships need similar attention.

By Chuck McGann, COO, The McGann Group

Every organization has some level of dependence on, or interaction with, a vendor or vendors at some point. Most use vendors all the time, regardless of sector, business function, or geographic location. This article provides advice and tips for defining requirements, vendor selection, negotiations, and role and responsibility swim lanes.

I’ll state this upfront: this is not a primer on the procurement process, developing Statements of Work (SOW), Service Level Agreements (SLA), or Master Service Agreements (MSA). This article will not delve into those areas but will offer some helpful tips to consider, whether in your public or private life.

The definition of Vendor Management from Gatekeeper: “… we define vendor management as the process by which relationships with your vendors, and the documentation that underpins them, are actively created, monitored and cultivated to ensure that yours and their business objectives are achieved. It’s both a formal and informal process.” See www.gatekeeperhq.com/blog/what-is-vendor-management for details.

My additions to the accepted definition focus on overall value, creating a high level of trust, inclusion in the Strategic Plan, tactical accountability, and the total value added to all parties in the relationship. Yes, there is contract language to ensure compliance with the Terms and Conditions, but where is the “trust” accountability of the relationship measured? Thus the change to Vendor Relationship Management: it is a relationship, not just a business transaction.

Soft Skills in Vendor Relationships

A CISO can leverage the Procurement office for many of the details referenced in the definition. It’s important to understand how the CISO interacts with vendors, so that the trust relationship is protected, the organization’s strategic roadmap is followed, and the expected tactical solutions are delivered in a way that interfaces with existing tools, technologies, and processes.

The C|CISO (V1 and V3) course presents Vendor Management in Domain 5 and provides a good review and solid foundation for vendor interaction and contract management; some of that material is referenced here.

The goal of this article is to advise on the development of the “Soft Skills” a CISO needs in a Vendor Relationship: trust, strategic alignment, and tactical implementation/integration, all at a high level. How does a CISO do this? Through communication, by making the vendor a partner in “your” success. It’s important to recognize the partnership. Your success is the vendor’s success; you each benefit from a trusted working relationship. A botched alignment resulting in installation, integration, or relationship failures impacts the vendor in many ways, not just with your organization.

Vendors are a part of everyday life. We expect service for compensation, whether that is delivered through some finance system, cash, or a barter system. We identify a need, develop requirements, seek out a viable supplier, and “make the deal.” This can be a one-time “arrangement,” but in business it is likely to be frequently recurring contract agreements for longer terms, three to five years! Some complementary relationships last decades.

Contract language should exist to ensure satisfaction with our dealings and the overall transactional relationship. Putting this into perspective, it’s important to understand the limits of “managing” the relationship. There may be limited alternatives to a service provider, and therefore boundaries on what can be “managed.” The CISO must guard against putting the organization in a potentially perilous position: avoid sole-source and custom-built solutions where possible. Sole-source providers have the leverage, and custom-built solutions are costly to maintain and replace once ingrained in your infrastructure.

Forging Vendor Relationships

Vendor Management starts with the Requirements Statement, and that includes the typical when, where, why, and how. The “who” is what we expect to generate after an evaluation of suppliers to determine the capabilities of those wishing to satisfy these stated needs! When building out the requirements you need to consider your current state: do you have existing trusted providers that can add on services to meet your needs, or will these new needs interface with your existing technologies and processes and enhance some current capability?

The vendor relationship begins with the development of the Requirements Statement but starts in earnest with the selection. You might be asked to provide input; if you have a personal relationship with the vendor, steer clear of any discussions and utilize other team resources to avoid perception issues. Meeting with the vendor support team is critical, since adherence to the Statement of Work and the Service Level Agreements becomes the measuring tool for the performance of both teams. Positive performance assessments add value to the relationship.

The relationship can start before the procurement process, frequently from a meeting at a conference, a trusted introduction, or peer usage recognition. The first meeting between vendor and CISO can either make or break the relationship and start the trust factor meter. This first impression is critical and infrequently challenging. Each party goes into the encounter with a different set of filters, not all of them accurate or significant to the transaction; be professional.

CISO Strategies for Vendor Relationships

CISOs need to be open and honest about their needs and biases, and about how they think the vendor can support those needs while interfacing with the existing environment. Vendor evaluations…

To read the full story, subscribe to CISO MAG.

This story first appeared in the January 2021 issue of CISO MAG.

About the Author

Chuck McGann is currently the COO of The McGann Group, a small security consulting LLC in Raleigh, NC. He is a former CISO for the U.S. Postal Service, retiring in late 2014 (27 years of service), and moved on to the private sector as a VP and Chief Security Strategist for CRGT and then Salient CRGT, starting The McGann Group, LLC in 2017. Chuck’s focus is to educate potential and current security professionals through his affiliation with EC Council and Learning Tree International, delivering multiple courses for senior leaders and practitioners. Having spoken at numerous conferences and workshops, he continues to help grow the profession and educate the next generation of Risk Managers and Security Leaders in the skills needed for success. He holds an MBA, an undergraduate degree in Computer Science and Management from the University of Massachusetts, and two Associate Degrees. His certifications include the CISSP, C|CISO, CISM, and IAM certificate.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.