Jim Ivers, chief security strategist, Covata
When was the last time you fired a vendor? When was the last time you and your vendor discussed their expected performance criteria and their subsequent progress toward those criteria? When was the last time you "stirred the pot" and tried a solution or vendor that did not fit neatly into established silos or functions?

Statistics say you spend somewhere between four and six percent of your IT budget on IT security. That is easy to do given that there were over 350 vendors exhibiting at the 2014 RSA Conference in San Francisco. Clearly there is no shortage of products, or of vendors willing to take your money.

Yet with all of this money invested in security, companies are getting breached at rising rates. The 2014 Mandiant M-Trends report says not only that companies are increasingly getting breached, but that two out of every three times a breach is discovered, it is discovered not by the company itself but by a third party. Sometimes it is law enforcement, but often it is a partner or customer. The comparative numbers from the 2013 report show a disturbing trend: companies are getting attacked more and detecting less.

Here is the real shocker: the median time from the earliest evidence of compromise to detection is 229 days. The adversary is operating in your environment with relative impunity for almost eight months, pivoting to embed themselves deeper into your systems and covering up the evidence of their presence.

You are standing waist deep in the spent shell casings of all of the silver bullets you have been sold; yet there's still a high chance you will be breached. To add insult to injury, your silver bullet solutions are only detecting one out of every three breaches.

You bear the responsibility for turning your vendors into vendor partners by making sure that each vendor understands what is expected of them. There are exceptional vendors that will initiate the partner relationship. Unfortunately, though, most are quite happy to hand over their product and then do the minimum, which often amounts to sending you a renewal notice once per year.

Given this reality, how do you get the most out of your vendors and, by extension, your budget? How can you be sure you have the right vendors on your team, or realize you need to make some serious upgrades? 

Map vendors into your strategic plan.

Plans tend to be focused on the tasks and responsibilities of the internal team, leaving the vendors out of the strategic process. The products and solutions of your vendors, and their expected participation, should be an integrated, thoughtful part of any plan. As a bonus of this process, if you find that a vendor does not fit into that plan, then you have identified your first candidate for replacement.

Build a performance plan for each vendor.

Once you have vendors properly placed in the context of the bigger picture of your strategic plan, you should build a set of performance criteria for that particular solution and vendor. As with any performance metrics, these should be easily measurable and rationally achievable. The best case would be to build the plan cooperatively with each vendor so they have buy-in and ownership.

Proactively manage vendors to their plan. 

Building performance criteria is only the first step: you must proactively hold the vendor accountable for performing to the plan. That means regular (quarterly) reviews with the vendor to go over the performance plan; adjust the plan to evolving circumstances, requirements and threats; and design get-well steps to address underperformance. Organizations are reluctant to fire a vendor. Vendors know this and behave accordingly. Changing products may be momentarily painful, but you have to be prepared to fire a vendor if they are not performing. And remember, if you have to apply too much leverage to get a vendor to comply, that alone is a red flag that deserves consideration.

Of course, successfully managing your vendors starts with the selection process. When choosing a new solution, too often organizations ask questions about technical viability and price, but do not perform the proper due diligence on the willingness of the vendor to be a true partner. Ask their reference customers if they view that vendor as a partner. Drill into how they define success and how they intend to get you to that state.

Finally, think beyond the established behemoths that occupy the oversized booths in the middle of the RSA Conference exhibit halls. This is not a perfect rule, but smaller vendors tend to be hungry vendors who may be more likely to actively engage in a partner relationship. I always remind first-time attendees at RSA Conference to move to the edges of the exhibit halls, because innovation is more likely to be found on the edges fighting its way to the middle.