As CISOs seek to consolidate vendors and reduce costs, building effective relationships with key security vendors can be the foundation for security program success.
Many security leaders take a “check the box” approach to purchasing technology. With today’s average enterprise using upwards of 20 security technology vendors, perhaps this isn’t surprising. Unfortunately, this approach fails to leverage all of the benefits that can be obtained by building a strong “human” relationship with these vendors. This not only assures the vendor will know the CISO’s business needs, but can also greatly improve success. Vendors have the ability to be more responsive if there are existing, clear lines of communication with the customers they are serving.
In a recent Harvard Business Review article, two security leaders used the analogy of an automobile, noting that, “technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.” It seems clear that skilled security leaders are critical to an effective defense. Technology has not replaced human beings. However, the automobile analogy illustrates the need for a cooperative approach between the vendor and the customer. The best automobile is worthless without a good driver, but it is equally true that the best driver will not be successful driving a poorly performing or slow race car.
Creating a successful vendor-customer partnership means syncing the security team “drivers” with a high-performing technology “race car.” Below are four key ways security leaders can build a successful vendor relationship to maximize the value of a true partnership.
Select a quality vendor based on leading indicators
Select a vendor that is recognized by peers and independent trade groups (e.g., Gartner, IDC, Forrester) as a leader in its specific area. It is important to have a single harmonized platform where vendor consolidation can create efficiency. However, be sure not to pursue consolidation at the risk of poor security performance.
Selecting market leaders who have a proven history of delivering results is imperative because security leaders need good tools. Meet with the vendor’s team, not just the sales representatives, and ask yourself if the vendor is readily available, if they are transparent, and whether they provide clear communication with you and your teams. Are expectations clearly set? Is the vendor a good fit for your organization’s culture and needs? If you’re confident in your answers to these questions, then these are all good indicators of a positive, successful and enhanced partnership with the vendor.
Set clear expectations early and often
This imperative step should be done as early as possible in order to establish a good working relationship. The vendor contract will set out deliverables, but it’s important to have a group meeting that sets step-by-step project plans and long-term and short-term goals. Many times a security team may purchase a new technology but never share how this fits into their overall and cumulative strategy. If a vendor understands the intended use and goal, they can better support the objectives. There may be features or methods that should be added, or perhaps taken away to save costs if they are not needed. Professional services can also be tuned to support the use objectives and long-term program plan.
A good security vendor will want to be clear about the features of their product and how it addresses the issues that will be conquered with the deployment. The vendor should also explain the process for raising concerns, expectations for response time and the resources available to customers. It is also the vendor’s responsibility to help the customer connect with key leaders within their organization who can fully support the set client goals.
Establish clear communications channels
In a time of crisis, a security leader does not have time to figure out how to reach a vendor for support. It is critical at the start of any relationship to establish a cadence of open communication channels and know who is available for support, or to resolve concerns. Smart vendors have customer liaisons on their staff who can be extremely helpful in quickly resolving any issues. These liaisons are focused on ensuring customer success and building strategic partnerships with their customer base. It is also important to be transparent about goals and intended use for technology. As noted above, this can help the vendor better focus on the unique needs or goals of the customer.
Engage with customer advisory groups
Many vendors have advisory groups of customers that are intended to provide feedback and improve products. Being involved in these groups is a small investment of time with potentially big rewards. As a customer, it is an opportunity to provide direct input into the features and capabilities you want to see developed. It may also provide you with additional communication and influence opportunities to promote your company needs. This is like having your own development team building the tools you really want. Don’t miss this opportunity to influence your products and services. You will also have an opportunity to meet and network with your peers as part of this advisory board. This provides an opportunity to share ideas and learn new approaches which can be very valuable.
Navigating cybersecurity risk can be challenging. Without the right tools to understand how and where the business is at risk, there can be security blind spots. New and increasing threats are identified every day. Staying ahead of cyber risks can feel like treading water, and to be successful, CISOs need to be strategic, invest resources in the right places and get the right team of vendors in place to support their security program. It is important to consider whether a vendor fits your needs and team culture. Investing time at the start of a vendor relationship can save many hours of frustration later. By setting clear expectations and establishing open communication, the CISO can receive better service and improve overall security.
Adam Palmer, contributing author