The Importance of Vendor Risk Assessments

When buying a car, do you rush right out to the dealership and purchase the first car you find online? Or do you do your research and kick the tires, taking it for a test drive? Most of us conduct our “due diligence” before buying a car, and this includes researching the types of cars we’d like to buy, taking several test drives and checking out the mechanics of the car. This same due diligence should be done for each of the vendors that you plan to use within your company, regardless of their size, in the form of a vendor risk assessment. In fact, current vendors within your company should be reviewed every one to two years. For example, did someone review their financials? Do you know if you can get your data back if they go bankrupt? Do you know if they’re governed by laws outside of your country?

In larger companies, vendor risk assessments are typically performed by risk analysts, technology auditors, and information security folks, working in conjunction with the vendor management and procurement departments. In smaller companies, there may be a one- or two-person team responsible for conducting the vendor risk assessment. In many startup organizations, vendor risk assessments can be an afterthought. If you don’t perform a vendor risk assessment on your vendors today, take a look at this Risk Assessment Toolkit from the State of California’s Department of Technology, Information Security Office to get you started. There are many other sample templates and resources available online as well. This is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”.

At this point, some of you may think, “well, I don’t need a risk assessment on ____ vendor (insert name of vendor), they’re huge!”. Right? Wrong. I’ve worked with technology audit professionals on the review of hundreds (if not thousands) of technology vendors and yes, some of those “huge” vendors can have red flags for you and your company. Whether it’s the fact that they’re in the middle of a merger, they’re outsourcing their development team, or they don’t have enough insurance to cover you in the event of a breach, the scenarios vary depending upon what your company considers a risk and how that risk is categorized. If you need a tool to understand the risks associated with the project you’re considering, take a look at this post by BrightHub PM; it has a lot of great info on creating a risk matrix and how to use it.

In the end, just think of a vendor risk assessment as a way to kick the tires of the prospective vendor before buying a lemon whose carburetor is going to explode once you drive it off the lot. If you’re interested in performing a proof of concept or proof of technology with the vendor once they pass the vendor risk assessment, check out a former post that I wrote on this topic and good luck!


Make Your Next Demo a Success

Vendor demonstrations, or “demos” as they’re called in the industry, are an important part of the technology product review phase. Unfortunately, these demos are typically despised by both business owners and vendors. Vendors don’t look forward to reciting a dry PowerPoint presentation and business owners don’t look forward to “wasting” two or more hours of their day. The funny thing is that this emotional response is what usually results in its failure. Here are a few tips for both vendors and business owners in order to make your next demo a success.

Business Owners

Prepare Ahead of Time. Prepare for the demo by collecting all of the information you’ve received from the vendor up to this point. What do you want to see in the demo? What should the vendor focus on? Reach out to the vendor ahead of time and send them your thoughts on the demo, noting what’s important for you and your stakeholders.

Ask Questions. I’ve seen many demos where business owners don’t ask any relevant questions. This is your chance to ask the vendor about their product. Prepare a list of questions before the demo if needed.

Respect the Vendor. They traveled to your site for a reason. Sure they’re salespeople and they do this all the time. However, I’ve seen business owners act very disrespectfully to vendor reps during demos. There’s no reason for that, everyone should be treated with respect.

Plan the Logistics. Make sure that the conference room is ready and that the vendors have wireless access (if needed) along with anything else required for the demo. Reach out to the vendor ahead of time and ask them how many people will be attending. Also, think about questions like “Does the vendor need security access?”, “Do we need to serve lunch?”, or “Do we want to have coffee available?” This may seem like small potatoes now, but I’ve seen hours wasted due to poor logistical planning.

Listen. I’ve been in many demos where business owners ask the same question two or three times because they were checking their phone or weren’t paying attention. Listen so that you don’t waste your time and the time of those attending the demo.

Vendors

Arrive on Time. This is especially true if there are several vendor staff members attending the demo. There’s nothing like starting the demo and having four more vendor staff members trickle in over the course of an hour apologizing for their “late flight”. If flights to the business owner’s site are that hard to come by, don’t come in person; make it a WebEx instead.

Disregard Pack Mentality. Don’t travel in packs unless absolutely necessary. If this can’t be avoided, let the business owner know up front that you’ll be bringing multiple colleagues. It throws a lot of business owners off when they’re expecting two people and they end up walking into Oracle World.

Ditch the PowerPoint. Don’t spend an hour on your PowerPoint presentation, get down to brass tacks and show off your product. The PowerPoint is only going to tell your customers so much since it’s a static representation of your product. The PowerPoint presentation can be 10-15 minutes, but from there, start the demo.

Schedule Breaks. The human mind can only process so much information. On top of this, folks need to use the restroom and check their messages. Don’t hold your business owners hostage for 2 hours while you take them through the XML feeds. Schedule ten minute breaks each hour to keep everyone’s blood flowing.

Prepare Ahead of Time. Similar to the advice I gave the business owners above, schedule a discovery meeting with your internal business owner(s) before the demo to understand exactly what they want to see in the demo.

Good luck!

The Price of Innovation?

Image courtesy of Telephonica

BMC sues ServiceNow. Cisco sues Arista. SAP / Ariba sues Coupa. Is this the ultimate price of innovation?

Startups are built with hunger, passion and innovation. Oftentimes, they are built with the minds of those that have worked for BMC, Cisco and Ariba. But is this wrong? In the eyes of the law, it’s wrong when your ideas infringe upon the patented or copyrighted ideas of those that came before you. However, without the experience that those employees gained from being at BMC, Cisco or Ariba, could they have built a better system? Probably not. But I’m not here to opine on whether BMC or ServiceNow is right. I’m here to open a discussion on today’s price of innovation and the uncanny surge of enterprise companies such as BMC and Cisco suing their nimble and hungry counterparts.

Did these startups go rogue and take the ideas of their former employers? Or are the large enterprise conglomerates just looking to take down their up-and-coming competitors? Here’s a great article that’s a few years old but still relevant, entitled “Patent Wars: A New Age of Competition”.

Are You Using “Test” Data in the Cloud?

Yes, you read that correctly. The word test is in quotation marks, as in “is it really test data that you have in the vendor’s cloud?”. Astonishingly enough, at least 85% of financial institutions are using live data in their test environments [1]. Could this be you, and are you protecting your organization against a data breach effectively?

When a cloud technology vendor makes an offhand remark like, “yeah, we can create a test environment for you and load your test data into the cloud while we work through a Non-Disclosure or Proof of Concept agreement with your legal team”, be afraid. Be very afraid.

Now, I’m not knocking the technology vendors. In fact, to them this is a natural part of the engagement. What you have to be aware of is whether your company’s test data is truly “test data” or not. For example, if you’re in the financial or healthcare sectors where a data breach could expose Personal Health Information (PHI) or Personally Identifiable Information (PII), you should understand your test data thoroughly.

Once you understand your test data, think about putting together a more robust agreement with the vendor besides a Non-Disclosure or Proof of Concept agreement. Non-Disclosure and Proof of Concept agreements typically do not contain the language to protect your company against a data breach. A Master Services Agreement or Subscription Services Agreement should be reviewed by your legal or contracts team to determine if your company will be protected while using the vendor’s cloud if there is a breach with regard to the test data.

Karen Hsu of Informatica explains that “because data stored in a cloud-based ‘sandbox’ environment for testing purposes is vulnerable, it should be masked to protect sensitive information” [2]. She recommends using an automated masking tool to assist with the protection of your data. Regardless of what tools you use, your “test” data should be understood before loading any of it into a vendor’s cloud environment.
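The masking step described above can be checked rather than assumed. The following is an added example, not code from this post or from Informatica’s product: it pseudonymizes the fields a (hypothetical) data inventory classified as sensitive with a keyed one-way hash, scans the fields the inventory did not classify for values that still look like PII, and refuses to release the set if either check fails. The records, the field classification and the masking key are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for a "test" extract that actually holds live values.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "notes": "prefers email contact"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.org",
     "ssn": "987-65-4321", "notes": "callback re SSN 111-22-3333"},
]

# Fields the (assumed) data inventory classified as sensitive.
SENSITIVE_FIELDS = {"name", "email", "ssn"}

# Placeholder key: in practice it comes from a secrets manager and never travels with the data.
MASKING_KEY = b"constructed-demo-key-replace-me"

# Patterns used to find sensitive-looking values in fields the inventory did NOT classify.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def _token(value: str, digits: int) -> int:
    """Keyed, one-way pseudonym: same input gives the same token (joins still work), not reversible without the key."""
    mac = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return int(mac, 16) % (10 ** digits)


def mask_ssn(ssn: str) -> str:
    """Format-preserving: output keeps the NNN-NN-NNNN shape so downstream format checks still pass."""
    digits = f"{_token(ssn, 9):09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_email(email: str) -> str:
    """Keep an email shape but point it at a reserved domain that can never receive mail."""
    return f"user{_token(email, 8):08d}@example.invalid"


def mask_name(name: str) -> str:
    return f"Person {_token(name, 6):06d}"


MASKERS = {"ssn": mask_ssn, "email": mask_email, "name": mask_name}


def mask_record(record: dict) -> dict:
    """Return a copy with every classified sensitive field replaced by its pseudonym."""
    return {k: (MASKERS[k](v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def find_unclassified_pii(records: list) -> list:
    """Scan fields the inventory treats as non-sensitive for values that look like PII anyway."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field in SENSITIVE_FIELDS or not isinstance(value, str):
                continue
            for kind, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    hits.append((rec["id"], field, kind))
    return hits


def find_leaks(originals: list, masked: list) -> list:
    """Confirm no original sensitive value survives anywhere in the masked copy."""
    leaks = []
    for orig, out in zip(originals, masked):
        for field in sorted(SENSITIVE_FIELDS):
            if any(orig[field] in str(v) for v in out.values()):
                leaks.append((orig["id"], field))
    return leaks


def prepare_for_sandbox(records: list) -> list:
    """Mask, then refuse to release the set if unclassified PII or leaked originals remain."""
    masked = [mask_record(r) for r in records]
    problems = find_unclassified_pii(masked) + [(i, f, "leak") for i, f in find_leaks(records, masked)]
    if problems:
        raise ValueError(f"not safe to load into vendor sandbox: {problems}")
    return masked


if __name__ == "__main__":
    # Record 2 carries an SSN in a free-text field the inventory never classified, so the set is rejected.
    print(find_unclassified_pii(SAMPLE_RECORDS))
```

The free-text “notes” column is the point of the second check: the inventory said only three columns were sensitive, yet an unmasked SSN is sitting in a fourth, which is exactly the kind of “test” data the post warns about. Keyed hashing keeps referential integrity across tables, but the masked set is still derived from live data, so the contract review the previous paragraph describes still applies to it.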


[1] Dark Reading News. (2010, March). Live Data In Test Environments Is Alive And Well — And Dangerous. Retrieved from—-and-dangerous/d/d-id/1133220?

[2] Hsu, Karen. (2013, March). Masking Test Data in the Cloud. Retrieved from

Preventing a Cloud Data Breach

Many of you reading this have not (thankfully) experienced a cloud data breach with your technology vendors. However, a cloud data breach is always on the forefront as more businesses embrace cloud technology.

What are the chances that your organization could have a cloud data breach? According to research performed by the Ponemon Institute most companies will have small data breaches rather than large data breaches [1]. Does this mean you can breathe easy? Not so fast. For those of you in the retail and public sectors, your likelihood of experiencing a data breach is higher than those of you in the transportation, communications or even financial sectors [1]. However, each sector is impacted and the average cost of managing a data breach per organization is approximately $5.9 million with the average cost spent per breached record at $201 [1]. 41% of the respondents surveyed in the Ponemon Institute’s research said that malicious or criminal attacks were responsible for their data breach and 31% said that employee negligence was the root cause [1].

With those facts in mind, how do you prevent a cloud data breach? The Ponemon Institute’s research states that “the most profitable investments companies can make seem to be an incident response plan, a strong security posture, the involvement of business continuity management and the appointment of a CISO with enterprise-wide responsibility” [1]. In addition to this, asking potential (and current) vendors about their cloud technology is also key. This is a nice article written by Julie Lopez that focuses on the right questions businesses should ask their technology vendors. Her article mainly focuses on health care, but makes a lot of great points that everyone should read regarding vendor management. Speed to market is critical these days and cloud technology gives organizations this benefit. However, this speed-to-market mentality must be tempered with a sound risk mitigation strategy in order to reduce the chances of a costly data breach.


[1] Ponemon Institute. (2014, May). 2014 Cost of Data Breach Study: United States. Retrieved from

Becoming a Change Agent

What’s a “change agent”? Dennis Stevenson does a nice job of defining a change agent in his article “What is a ‘Change Agent’?” He states that “A change agent lives in the future not the present” [1]. How many times at your workplace have you seen what’s happening around you and wanted to change it? The outdated process, the “way things used to work”. Living in the future is extremely important for a change agent.

Secondly, Dennis points out that “a change agent is fueled by passion, and inspires passion in others” [1]. I love this, because passion is essential. A change agent that I admire and who is very passionate about changing IT Procurement for the better is Clay Johnson (@cjoh). Clay is the CEO of the Department of Better Technology. Here’s his ebook on “Fixing Procurement”, which is posted on GitHub.

“A change agent has a strong ability to self-motivate” [1]. To me, this is key. As Dennis points out, “there will be many days where everyone around does not understand…the change agent needs to find it within themselves to get up every day and come to work and risk being misunderstood and misappreciated, knowing that the real validation may be far in the future and may be claimed by someone else” [1]. That’s a tough sentence to read, but it’s true. Business process improvement projects can feel disheartening at times. As I was working on my Lean Certification I ran into several tough issues that I discussed with my Master Six Sigma Black Belt mentor. His advice was to “walk towards the problem” and I loved him for that!

Finally, Dennis reminds us that “a change agent must understand people” [1] and that “change will really ‘stick’ when people embrace it” [1]. How many times have you seen a new “process” rolled out in your department and no one cares? That’s one reason why I love Lean, because it involves the folks doing the work, not the managers managing the work. It’s truly “going to the gemba” to determine what work needs to be improved. In fact, managers aren’t typically allowed into the Lean process discussions with team members in order to ensure everyone feels comfortable giving their input into how the broken process can be fixed.

This week I challenge you to put on your “change agent” hat and look for process improvements in your area. Dennis sums it up well when he states, “we can bring very powerful change to our organizations…but in order to do so, we need to embrace the ‘way of the Change Agent’ and not lock ourselves in Ivory Towers of Technology” [1].

[1] Stevenson, D. (2008, April 15). What is a ‘Change Agent’?. Retrieved from

Staying Relevant

A friend of mine recently mentioned that he was a “dinosaur” as we were discussing different mobile social media platforms. I started thinking, “How can we, as technology vendor management and procurement professionals, stay relevant in an age of such rapidly changing technology?” For all of you “dinosaurs” out there, here are a few things to assist you in coming out of the Mesozoic Era:

1) Create a Twitter account. Yes, I’m talking to you. Don’t roll your eyes! Twitter is an amazing place where information is spread so quickly that you’ll see it on Twitter before mainstream media picks it up. How does this affect you? Well, if you’re putting together a deal with a certain vendor (think successful start-up) and they’ve been bought out (say by a behemoth T-Rex vendor), you’ll typically find it on Twitter first.

2) Try Blogging. Now you’ve started to panic. “Blog?! I have to blog?” If you’re just punching in and punching out, waiting for the next boat to Shangri-La, then don’t worry about it. However, if you’re passionate about your field and you have something to say, consider writing your own blog or posting on someone else’s blog. For me, it’s exciting to be able to share my knowledge but also to learn from others as I read their blogs.

All in all, staying relevant in the field of technology vendor management and procurement is very important, so give it a try and find me on Twitter, @vendorchronicle!