How do you keep vendors in check for security reviews?


Board Member, Advisor, Executive Coach in Software, Self-employed
Trust does not come from a contract, nor a compliant checklist or questionnaire. That is motion, not progress. While I might need to do that for whatever reason, I don't care about that stuff. I am a relationship-based person. I want to know who's on the other end, and whether they're critical—who's their CISO; who's the chief security officer; who's their CIO? I want to have their cell phone number, I want them to have mine, and I expect that if they have an issue, they’ll call me before it hits the press.

When I have an issue, I might have to reprimand them, but if they respond well, I'll be there to back them up and tell everybody they have their shit together. We all have problems, so give them a bit of breathing room. That has always worked for me both as a vendor myself, as well as having vendors sell to me.

Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
Partnerships are key. I think we sometimes forget that you have to pick a partner that's going to grow with you. For whatever tool or technology you're picking, the vendor needs to have a roadmap that matches what your roadmap is, or else you have the wrong vendor. And the flip side of that is sometimes you outgrow a tool or you outgrow a vendor. They may have been the right vendor for a certain scale, but they aren't once you scale up.

Sr. Director of Enterprise Security in Software, 5,001 - 10,000 employees
For us, that review is annual, and we try to do it around renewal time. Three months ahead of renewal, we start looking at whether this is the right tool for where we are. As a company, Rubrik is not where it was four years ago. What we're willing to accept as a risk from a supply chain vendor today is significantly different from what it was even a year ago. Someone might say, “Well, you rubber stamped this a year ago,” but a year ago we weren't in the exact same position as we are today. Even if a tool was okay a year ago, let's see their most recent pen test. Now, I may have much more sensitive data, or maybe there is more sensitivity around not being hacked before you IPO, if you're on that track. Don't be afraid to break up with that vendor if they're no longer the right one for you.
