The Importance of Vendor Risk Assessments

When buying a car, do you rush right out to the dealership and purchase the first car you find online? Or, do you perform your research and kick the tires, taking it for a test drive? Most of us will conduct our “due diligence” before buying a car and this includes researching the types of cars we’d like to buy, taking several test drives and checking out the mechanics of the car.  This same due diligence should be done for each of the vendors that you plan to use within your company in the form of a vendor risk assessment, regardless of their size. In fact, current vendors within your company should be reviewed every one to two years. For example, did someone review their financials? Do you know if you can get your data back if they go bankrupt? Do you know if they’re governed by laws outside of your country?

In larger companies, vendor risk assessments are typically performed by risk analysts, technology auditors, and information security folks, working in conjunction with the vendor management and procurement departments. In smaller companies, there may be a one or two person team responsible for conducting the vendor risk assessment. In many startup organizations, vendor risk assessments can be an afterthought. If you don’t perform a vendor risk assessment on your vendors today, take a look at this Risk Assessment Toolkit from the State of California’s Department of Technology, Information Security Office to get you started. There are many other sample templates and resources available online, as well. This is a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager, at UC Davis Health System, as he presents “Vendor Risks: Evaluating the Security of New Technology”.

At this point, some of you may think, “well, I don’t need a risk assessment on ____ vendor (insert name of vendor), they’re huge!”. Right? Wrong. I’ve worked with technology audit professionals on the review of hundreds (if not thousands) of technology vendors and yes, some of those “huge” vendors can have red flags for you and your company. Whether it’s the fact that they’re in the middle of a merger, they’re outsourcing their development team, or they don’t have enough insurance to cover you in the event of a breach, the scenarios can vary, depending upon what your company considers a risk and how that risk is categorized. If you need a tool to understand risks associated with the project you’re considering, take a look at this post by BrightHub PM, it has a lot of great info on creating a risk matrix and how to use it.

In the end, just think of a vendor risk assessment as a way to kick the tires of the prospective vendor before buying a lemon whose carburetor is going to explode once you drive it off the lot. If you’re interested in performing a proof of concept or proof of technology with the vendor once they pass the vendor risk assessment, check out a former post that I wrote on this topic and good luck!


Preventing a Cloud Data Breach

Many of you reading this have not (thankfully) experienced a cloud data breach with your technology vendors. However, a cloud data breach is always on the forefront as more businesses embrace cloud technology.

What are the chances that your organization could have a cloud data breach? According to research performed by the Ponemon Institute most companies will have small data breaches rather than large data breaches [1]. Does this mean you can breathe easy? Not so fast. For those of you in the retail and public sectors, your likelihood of experiencing a data breach is higher than those of you in the transportation, communications or even financial sectors [1]. However, each sector is impacted and the average cost of managing a data breach per organization is approximately $5.9 million with the average cost spent per breached record at $201 [1]. 41% of the respondents surveyed in the Ponemon Institute’s research said that malicious or criminal attacks were responsible for their data breach and 31% said that employee negligence was the root cause [1].

With those facts in mind, how do you prevent a cloud data breach?  The Ponemon Institute’s research states that “the most profitable investments companies can make seem to be an incident response plan, a strong security posture, the involvement of business continuity management and the appointment of a CISO with enterprise-wide responsibility” [1]. In addition to this, asking potential (and current) vendors about their cloud technology is also key. This is a nice article written by Julie Lopez that focuses on the right questions businesses should ask their technology vendors.  Her article mainly focuses on health care, but makes a lot of great points that everyone should read regarding vendor management. Speed to market is critical these days and cloud technology gives organizations this benefit. However, this speed to market mentality must be tempered with a sound risk mitigation strategy in order to reduce the chances of a costly data breach.


[1] Ponemon Institute. (2014, May). 2014 Cost of Data Breach Study: United States. Retrieved from

Surviving a Technology Vendor Acquisition

In the wake of recent acquisitions this month by IBM (who bought Aspera) and Oracle (who bought Responsys), I put together a technology vendor acquisition survival kit.  As with any acquisition, there will be changes and if your vendor is being acquired by a much larger technology vendor (think Big Blue or Larry E.) the changes could be dramatic.

So, if you’ve found out that your vendor is being acquired and are currently lost in the wilderness of vendor acquisition, this collection of great posts and resources is for you.

  1. Merger Madness – What to Do
  2. What to Do When Your Software is Purchased By Another Vendor
  3. Software Vendor Consolidation
  4. Did Your Software Vendor Get Acquired? Now What?

As mentioned in many of the posts above, create an acquisition strategy for your organization. Don’t sit back and wait for your procurement or legal department to engage you, because they may not be aware of it. As soon as you’re aware of the acquisition, give your procurement or legal department a call and let them know what’s going on, engaging them upfront in order to use their expertise. Be proactive and remember that the key to surviving an acquisition is knowledge, and knowledge is power.

How Much Are You Paying Your Technology Vendors Upfront?


Too much? Some of you are thinking, “I don’t pay vendors a dime upfront!”.  Some of you stopped and thought, “Well, I did that before, but I’d never do it again.”  And, some of you said, “Yeah, what’s the problem with it?”

The problem with paying vendors too much upfront is that you lose leverage when the rubber meets the road. When the vendor tells you that the software you paid millions of dollars for upfront is “working as designed” when you know it’s a defect, what leverage do you have? Unfortunately, if you’ve paid too much upfront for the software, you don’t have many legs to stand on.

Now, don’t get me wrong, scenarios where 20% of the contract value is paid upfront aren’t an issue. Tiered payments throughout the contract as the vendor meets their milestones are a great idea and also aren’t an issue.

I’m talking about all or nothing payments up front or large lump sums paid for services not yet rendered or software not yet delivered.  I’ve heard of Tier 1 technology vendors commanding over $1,000,000 up front before performing technology services on a $3,000,000 contract. Really? A cool million? For what? First class seats? You better hope you’ve got the GSA rates in your contract or you really will be paying for first class seats!

If you have a vendor telling you that they have to have all fees paid upfront, or a very large sum paid upfront for services or software, ask the five whys to get to the center of that Tootsie Roll Pop. I guarantee you’ll find something fishy!