When sourcing new cyber tools, do you conduct a separate evaluation to assess the vendor independently of their product?

Process ManagementThird Party Risk Management (TPRM)

Yes 65%

Only in some cases 33%

No3%

40 PARTICIPANTS
358 viewscircle icon1 Upvotecircle icon1 Comment
Sort by:
Senior VP & CISO15 hours ago

We have a standard process called an "AoA" (Analysis of Alternatives) that takes the capability requirements and evaluates the candidate offerings against those requirements. Those requirements are typically split between "fit for use" and "fit for purpose" and are prioritized and weighted. Once the suppliers are scored, then the top 1-2 are typically brought into our lab to be tested and validated against the "paper study" that was done as part of the AoA. Those testing results are then compared to the AoA and a decision is made.

Content you might like

Have you ever exited a vendor relationship specifically because of its poor response to a breach?

Yes 61%

No 26%

Prefer not to say 13%

Other

View Results

How often do you survey your organization for new, emerging risks? My company currently does quarterly surveys and I am contemplating dropping it down to 2x/year. Appreciate the insights!

Read More Comments

What are some best practices to follow when your organization is preparing to end a vendor relationship? What can you do to minimize the operational disruption that would result?

Do you think that "process debt" (workflow inefficiency) is more potentially harmful than technical debt when implementing AI? How do you identify and quantify process debt in your organization, and how do you begin to address it?