How can leaders mature their security vendor management?


VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
The key word is journey. You have to see what the gaps are and which ones are most important. What is the number one thing that you want to solve first with the vendor you're using? Then you just walk down that list from there. Think about a roadmap 2-4 years out—then you have a list of what you want to solve. That can allow you to pick a strategic partner better than if you're just looking at a short list and thinking, “I have to solve this problem because somebody said I have to check this box.” If you have the opportunity to look at the long term, you can work with a vendor who is going the same direction that you are. If they're already there, they can offer you that strategic roadmap that'll help you get to where you want to go. That's where it starts.
Global CIO & CISO in Manufacturing, 201 - 500 employees
With managing vendors and integrations, etc., there’s a maturity level that needs to be communicated. It has to come with top talent. There has to be a pseudo hand of God so people think, “Whatever this team says we have to listen to because we would be at risk.” I love throwing out the technical and legal terms that make some people's hair stand on end, like due diligence, due care, and directors and officers liability insurance (D&O insurance). I ask, “Do you know that the board of directors can be held personally liable for lack of due diligence and due care if proven?” The board of directors will stand up and say, “Oh no, maybe we should focus and look at that budget again.”

When it comes to vendor risk and management, I wholeheartedly go through that exercise of educating, and say “By the way, we have 650 sources that people are logging into. How would you like me to rack and stack those with level risk?” It is a maturity piece, but from a vendor management standpoint, if you don't have the audit controls or assessments, just build them and scare people to death. I've done this before and said, “Did you know that out of 500 accounts, we have 40 admins?” And most people would say, “What? Why is that ratio so high?”

If they don’t think we should do something about that, I'll put that aside. Then when one of those 40 accounts gets compromised, I'll have it attested here that you said you accepted that risk. And I've reached the point where I've also said to folks, “We can't do that unless you get approval from the board.” There's no policy that says that, but I just want to see whether or not they're going to toe the line. Never in 20 years has somebody toed the line or crossed it to say, “No, I absolutely need this.” Because it's not going to be on me. I didn't make the decision. I will not make the decision, and I've instituted new policies to establish that we're not going to use that vendor. Any vendor that's associated with a now-defunct technology approach that could have been the biggest thing since sliced bread is not going to get my backing from a security standpoint.
CISO in Software, 501 - 1,000 employees
Third-party supplier management is a headache and not as sexy as it could be, but I think it's going to be an area that we'll focus on so much in the next year, and some of those really immature organizations will have to up their game, because that's going to be one of those massive businesses in terms of social security for companies.
Global CIO & CISO in Manufacturing, 201 - 500 employees

There's definitely a trickle-down effect. Because if you look at it from a legal perspective, or in terms of certification, then you also look at it from the perspective of the configuration management database (CMDB) all the way down. You have to be able to roll all this up and down.

Board Member, Advisor, Executive Coach in Software, Self-employed
I've always thought of my role as being a choice architect. I'm architecting choices for the business, some of which I get to make, and some of which are made by the CIO, the board, or the CEO. If you architect the choice the right way, you can almost predefine what they’ll choose. Think about it as if you're teeing things up; when you do it that way, you are gearing for the positioning. It's a different way of thinking about it. When I was in finance, I was always architecting choices financially. When I ended up in security, I was just architecting risk choices instead.
