Managing multiple IT providers is not easy, especially when the security of your organisation is in the hands of several vendors and an internal or external service desk.
Cyber threats continue to rise. Cybercriminals and hackers are getting smarter, deploying more sophisticated attacks against companies, which means vendors and IT providers need a proactive approach to reduce the risks from external threats.
Gartner estimates that globally, spending on Security Information and Event Management (SIEM) systems will exceed $98 billion in 2018. Businesses are moving from hardware and on-site systems to applications in the public cloud, security testing tools and software as a service (SaaS) vendors.
For businesses, maintaining these relationships is going to get more challenging. Instead of one or two security partners, medium to large companies could have dozens of overlapping security partnerships. That means dozens of service level agreements (SLAs) to monitor, outcomes, ticketing systems, account managers to work with, and an extra layer or two of complexity should anything go wrong.
Gartner also expects that 40 percent of SIEM and managed security service (MSS) contracts will be bundled in with other IT contracts and outsourced to IT partners in 2020. For those considering this option, or already looking to outsource security and other key vendor relationships, here are a few ways you can make managing multiple providers easier and less risky.
#1: Have a strategy
Juggling multiple vendors without a long-term strategy is a recipe for confusion.
Clearly map out the goals, for this and the next two years. Know what you want to achieve, what current vendors and partners can help with, how some may need to improve and what services/skills you need if a replacement vendor is required.
Home Office CTO Sarah Wilkinson told CIO UK that “A useful strategy must describe the right approach to delivering progress, for each business, at each point in time.” Having a clear idea of each vendor's strengths, weaknesses and recent SLA timescales, compared against the agreement, is useful before meeting them and outlining a new strategy.
#2: Cultivate cooperation and collaboration
When there are multiple vendors, there is always a risk that, should anything go wrong, they will blame each other and start competing to earn a larger share of your IT budget. Try to avoid letting inter-team politics and rivalries extend to outsourced partners.
Instead, ensure there is one IT partner with overall responsibility for vendor relations. Ask that this partner creates uniform processes for responding to support tickets (e.g. a single point of contact, proactive monitoring, individual areas of responsibility) and for interacting with the team in your organisation that manages these relationships.
Create a culture and framework for collaboration, such as setting up a steering group that meets once a month. This way, vendors can work together, grievances can be aired openly (instead of in inboxes) and future plans can be discussed.
Effective communication between vendors, and between the lead IT partner and those in your IT management team is essential. Keep partners informed of any changes to the business that could impact their services, and ensure long-term security plans are being delivered through these partnerships, with regular updates on progress.
A collaborative environment will support this delivery, as will balancing resources so that security vendors can take a proactive approach to threat management: reactive is no longer good enough. Cyber threats are sophisticated enough now that once you know malware has entered your system, it’s often too late for the data you are trying to protect.
#4: Monitor performance
Monitoring performance against SLAs is a full-time role when you have multiple vendors, hence the benefit of working with a primary IT partner to manage security vendor relationships. Supplier relationship management (SRM) software can be a useful investment, giving senior managers a way to check that performance is on track, whilst also highlighting areas for improvement in a timely fashion.
#5: Plan for disaster
When it comes to security, it would be foolhardy not to have plans in place should disaster strike. From fire and floods to cyber attacks, being prepared needs to be built into supplier relationships and the strategy, so that if anything happens, vendors can respond to ensure your business gets back up and running as soon as possible.
Disaster planning is even more important with GDPR around the corner: knowing that you have plans in place should a data breach occur should make things run more smoothly if anything does happen.