From the C-suite down to the help desk, everyone will remember the Target data breach. However, many organizations think about security last when procuring software. They’re more concerned about speed to market than about whether they’ll be facing millions of dollars in penalties for a data breach. In an article entitled “Marrying IT Risk Management with Enterprise Procurement”, Ericka Chickowski details the need for vendor risk to be evaluated during the procurement or contracting phase.
I agree with Ericka’s article and wish that more organizations would see the value in conducting vendor risk assessments in the procurement or contracting phase of an engagement, instead of attempting to clean up after a data breach or other security issue. An older article written by Tim Burt prophetically explores the sensitive data involved in cloud computing and its effect on procurement.
In the race to purchase software from a vendor, organizations should temper that speed with sound vendor and risk analysis in the procurement or contracting phase of an engagement. It shouldn’t take a data breach for organizations to remember that, but sometimes it does.
Below is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”: