Why is the vendor role so contentious in the cyber ecosystem?
N2K, Jun 25, 2025

Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk, because success in cybersecurity is about people, not just technology. We'd love to hear what you think of this season of CISO Perspectives.

Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.

At 500 words, this briefing is about a 4-minute read.

Picking a vendor.

Selecting a vendor can be challenging, especially given the rapid growth in the number of available options. Notably, Gartner found that there are over 3,000 cybersecurity vendors. This proliferation reflects growing demand for stronger and more effective cybersecurity capabilities, but it also makes choosing among vendors far more complex. The search becomes harder still once other variables are factored in, such as budget, organizational structure, and operational constraints.

While there is no one-size-fits-all approach, since every organization is different, there are best practices worth considering whenever selecting a vendor. Recently, Dr. Leah Zitter wrote an article detailing how best to select a vendor. Dr. Zitter divides the selection process into two phases: first shortlisting candidate vendors, then thoroughly evaluating each one on the shortlist.

To begin shortlisting vendors, an organization first needs to understand itself: which data and systems are most critical, and where its vulnerabilities lie. Alongside that self-assessment, it is also important to define current cybersecurity goals, so that the organization knows what posture it wants to reach and which gaps it cannot close with internal resources. Once its needs are understood, the organization can assess which vendors are able to meet those requirements, and confirm that each candidate has a strong track record and validated credentials.

With a shortlist in hand, the next step is to evaluate each vendor through a structured and documented process. This process involves:

  • Track their record and offerings: Evaluate each vendor’s performance history and the relevance of its offerings to your requirements.
  • Assess their security and incident response process: Examine their own security practices and how they respond to incidents affecting their customers.
  • Ensure compatibility: Vendors need to integrate well with your existing systems and meet your current support needs.
  • Evaluate contracts: Scrutinize the legal documents, including service-level agreements, liability terms, and similar provisions.

While this guide is not comprehensive, these steps can help organizations make more informed and effective decisions when it comes to selecting a vendor.

Monitoring your vendors.

Although vendor selection can be complex and time-consuming, it is equally important to continuously monitor your vendors and ensure their services continue to meet your organization’s evolving needs.

However thorough the selection process, choosing a vendor should not be treated as a one-time decision; it requires constant, ongoing oversight. Vendor management is a continuous lifecycle. As your organization grows and changes, so too will your vendors, whether through changes in their services, prices, capabilities, or strategic direction. These shifts can benefit your organization or hinder it, which is why it is essential to stay proactive.

Recognizing this dynamic is critical. Effective vendor management not only reduces risk but also strengthens solutions and fosters more resilient, transparent, and value-driven partnerships.