The Importance of Vendor Risk Assessments

When buying a car, do you rush right out to the dealership and purchase the first car you find online? Or do you do your research and kick the tires, taking it for a test drive? Most of us will conduct our “due diligence” before buying a car, and this includes researching the types of cars we’d like to buy, taking several test drives and checking out the mechanics of the car. This same due diligence should be done for each of the vendors that you plan to use within your company, in the form of a vendor risk assessment, regardless of the vendor’s size. In fact, current vendors within your company should be reviewed every one to two years. For example, did someone review their financials? Do you know if you can get your data back if they go bankrupt? Do you know if they’re governed by laws outside of your country?

In larger companies, vendor risk assessments are typically performed by risk analysts, technology auditors, and information security folks, working in conjunction with the vendor management and procurement departments. In smaller companies, there may be a one- or two-person team responsible for conducting the vendor risk assessment. In many startup organizations, vendor risk assessments can be an afterthought. If you don’t perform a vendor risk assessment on your vendors today, take a look at this Risk Assessment Toolkit from the State of California’s Department of Technology, Information Security Office to get you started. There are many other sample templates and resources available online, as well. This is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”.

At this point, some of you may think, “well, I don’t need a risk assessment on ____ vendor (insert name of vendor), they’re huge!”. Right? Wrong. I’ve worked with technology audit professionals on the review of hundreds (if not thousands) of technology vendors and yes, some of those “huge” vendors can have red flags for you and your company. Whether it’s the fact that they’re in the middle of a merger, they’re outsourcing their development team, or they don’t have enough insurance to cover you in the event of a breach, the scenarios can vary, depending upon what your company considers a risk and how that risk is categorized. If you need a tool to understand risks associated with the project you’re considering, take a look at this post by BrightHub PM, it has a lot of great info on creating a risk matrix and how to use it.

In the end, just think of a vendor risk assessment as a way to kick the tires of the prospective vendor before buying a lemon whose carburetor is going to explode once you drive it off the lot. If you’re interested in performing a proof of concept or proof of technology with the vendor once they pass the vendor risk assessment, check out a former post that I wrote on this topic and good luck!

Integration: Klingons vs. Elves

Integration is largely dismissed by those interested in purchasing software these days. Quotes like “don’t worry, we’ll make it happen” or “oh, it’ll all come together in the end” are heard in meetings as everyone rushes to sign the vendor’s contracts before the end of the fiscal year. Unfortunately, six months later the same people are saying “the vendors weren’t upfront in their demos with us!” and “I don’t understand what’s so difficult about all this, why can’t they just make it work!”.

If you’ve ever integrated different systems together, you know that integration is where the rubber meets the road, so to speak. From a technical perspective, I’m not a fan of bolting two (or more) different systems onto each other and forcing them to talk to one another. However, many times it has to be done, and if that’s the case, it needs to be planned accordingly. The best way I can explain an integration effort is this:

System 1, a.k.a. “Worf”: A Klingon who hails from the planet Kronos. Worf has been characterized as a “swarthy humanoid”, doesn’t like cold weather and enjoys a bloody battle. Speaks Klingon.

System 2, a.k.a. “Enel”: An Elf who hails from Valinor in Middle-earth. Wise and immortal, Enel is a skilled hunter and has pledged to preserve the world. Speaks Elvish.

Worf and Enel couldn’t be more different. In fact, they’re completely different in every way imaginable. So, how the heck do you make them talk to one another? Hire an interpreter (i.e. 3rd party software tool) to assist in the language barrier? What similarities does Worf have that Enel can understand (i.e. temporary tables)? What symbol of understanding can be passed between them (i.e. Web Services or APIs)?

To ensure that the Klingons don’t invade the Elven continent of Middle-earth and destroy an ancient civilization, it’s important that you get your Supreme Council in a room (i.e. project stakeholders) along with your Trusted Advisors (i.e. IT architects, etc.) and determine the best way (or ways) for Worf and Enel to communicate with one another before you join their people together as a nation. Otherwise, prepare for Worf’s battle cruiser to enter Middle-earth airspace and it won’t be pretty.

Learning to Swim in the Deep End

Every project manager has been thrown into the deep end of the pool. By “deep end of the pool” I mean that you’ve been thrown into some weird, technically challenging, scary projects that you probably knew nothing about. How do you initially survive being thrown into the deep end with barely a pair of water wings? If you’ve been thrown into a project like this, here are some tips:

1) Figure out how to tread water. What can you do right now to understand the project better? Can you review historical documentation? How about talking to current or former team members? At first the project will seem overwhelming, but you’ll need to put your arms around it quickly. What can you do right now to help you keep your head above water?

2) Figure out who your lifelines are. I call them lifelines because these people truly are your lifelines when you’re learning the ropes of a project, especially one that is challenging. I’ve had many lifelines over the years to whom I am eternally grateful and without whom, I would’ve fallen flat on my face! Lifelines can come in the form of a project stakeholder, a project team member or even a project sponsor. These are your go-to folks that can always be relied upon to help you as you work through the beginning phases of a project.

3) Stay organized. You’re going to meet some crazy challenges and that will be much harder if you don’t know where anything is. Trust me on this one!

4) Be honest. If you don’t know Ruby on Rails, PHP, Java or C++, own it. Don’t walk into your first developer meeting and try to go toe to toe with those folks, pretending like you know something you don’t. You’ll be found out in a heartbeat and it won’t be pretty. If you know enough to be dangerous, mention it, but let them do the talking.

5) Avoid crazy drama. Scary projects can sometimes come with crazy drama. Crazy drama is not your friend. Don’t let it suck you into its vortex of craziness. If anyone says anything remotely crazy, say something like “hmmmm…” or “I’m still getting up to speed on the project, I wasn’t aware of that”. As a friend of mine once said, “you can’t fight crazy”, and you’ll end up battling Will Ferrell’s maniacal Anchorman 2 shark.

Now, take a deep breath and get ready to dive into the deep end gracefully!

Preventing a Cloud Data Breach

Many of you reading this have not (thankfully) experienced a cloud data breach with your technology vendors. However, a cloud data breach is always at the forefront as more businesses embrace cloud technology.

What are the chances that your organization could have a cloud data breach? According to research performed by the Ponemon Institute most companies will have small data breaches rather than large data breaches [1]. Does this mean you can breathe easy? Not so fast. For those of you in the retail and public sectors, your likelihood of experiencing a data breach is higher than those of you in the transportation, communications or even financial sectors [1]. However, each sector is impacted and the average cost of managing a data breach per organization is approximately $5.9 million with the average cost spent per breached record at $201 [1]. 41% of the respondents surveyed in the Ponemon Institute’s research said that malicious or criminal attacks were responsible for their data breach and 31% said that employee negligence was the root cause [1].

With those facts in mind, how do you prevent a cloud data breach? The Ponemon Institute’s research states that “the most profitable investments companies can make seem to be an incident response plan, a strong security posture, the involvement of business continuity management and the appointment of a CISO with enterprise-wide responsibility” [1]. In addition to this, asking potential (and current) vendors about their cloud technology is also key. This is a nice article written by Julie Lopez that focuses on the right questions businesses should ask their technology vendors. Her article mainly focuses on health care, but makes a lot of great points that everyone should read regarding vendor management. Speed to market is critical these days, and cloud technology gives organizations this benefit. However, this speed-to-market mentality must be tempered with a sound risk mitigation strategy in order to reduce the chances of a costly data breach.


[1] Ponemon Institute. (2014, May). 2014 Cost of Data Breach Study: United States. Retrieved from

Staying Relevant

A friend of mine recently mentioned that he was a “dinosaur” as we were discussing different mobile social media platforms. I started thinking, “How can we, as technology vendor management and procurement professionals, stay relevant in an age of such rapidly changing technology?” For all of you “dinosaurs” out there, here are a few things to assist you in coming out of the Mesozoic Era:

1) Create a Twitter account. Yes, I’m talking to you. Don’t roll your eyes! Twitter is an amazing place where information is spread so quickly that you’ll see it on Twitter before mainstream media picks it up. How does this affect you? Well, if you’re putting together a deal with a certain vendor (think successful start-up) and they’ve been bought out (say by a behemoth T-Rex vendor), you’ll typically find it on Twitter first.

2) Try Blogging. Now you’ve started to panic. “Blog?! I have to Blog?” If you’re just punching in and punching out, waiting for the next boat to Shangri-la, then don’t worry about it. However, if you’re passionate about your field and you have something to say, consider writing your own blog or posting for someone else’s blog. For me, it’s exciting to be able to share my knowledge but also learn from others as I read their blogs.

All in all, staying relevant in the field of technology vendor management and procurement is very important, so give it a try and find me on Twitter, @vendorchronicle!