At what stage of your engagement do you sign an NDA with a vendor you are evaluating? Day 1? POC? Never?

3.9k views1 Upvote6 Comments

Sort by:

Executive Vice President, Chief Digital Officer & Head of Cybersecurity in IT Services2 years ago

It is signed on the day when you are asked to share any information.

Chief Information Officer in Education2 years ago

It depends.

If we are doing something proprietary or a new competitive business initiative then on day 1.

If we are doing something more in the I&O space then at POC.

VP of IT2 years ago

Before sharing any information about the company, it could be on Day 1, POC, contracting, or before implementation. But it must precede sharing any information about the technology or security stack of my company.

Director of Network Transformation2 years ago

When the talks get serious about the tech. Or there is a confidential use case. But never day 1.

CIO in Hardware2 years ago

The day I start having business discussions.. It could be just after the first meeting..

Content you might like

Which vendors/partners are essential to your ability to deliver applications to support your business?

Amazon38%

Google43%

IBM22%

Microsoft61%

Oracle21%

Red Hat13%

SAP12%

Vmware18%

None of these2%

View Results

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

I'm looking to learn about options for suppliers for Cookie consent platform and interested in learning of any experience with these vendors: https://www.osano.com/ https://www.ketch.com/ https://usercentrics.com/ and if possible, if you have contact emails for their sales/customer service teams? Any other recommendations are welcomed too.

Which is most important when hiring a vendor?

Quality & Delivery time15%

Pricing & Delivery time34%

Pricing & Quality20%

All of the Above30%

Other (comment below!)

View Results

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?

At what stage of your engagement do you sign an NDA with a vendor you are evaluating? Day 1? POC? Never?

Sort by:

Content you might like

Which vendors/partners are essential to your ability to deliver applications to support your business?

Which is most important when hiring a vendor?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go