Device42 – Official Blog


Optimizing IT Operations with Effective Vendor Management with Scott Bickley

As regulatory pressures and digital threats increase, enterprises are scrutinizing their third-party relationships. Vendors and suppliers enable go-to-market strategies by providing valuable capabilities and managed services. Improving vendor management can increase visibility into IT systems, optimize IT operations, and enhance compliance and security. However, the converse is also true: poorly managed vendor relationships open the door to information and operational risk. Nearly all companies (98%) have a relationship with at least one third party that has been breached, and third-party attack vectors account for 29% of all breaches. Similarly, relying on a strategic or operational vendor that cannot perform creates business instability.

As a result, many companies have set up vendor management functions and closely track key performance indicators, such as return on investment, compliance and contract performance, lead times, service delivery and quality, pricing and competitiveness, and customer support (including issue resolution time). 

To discuss how to “Optimize IT Operations with Effective Vendor Management,” host Michelle Dawn Mooney welcomed Scott Bickley to “The Hitchhiker’s Guide to IT,” Device42’s podcast. The podcast can be viewed here.

Bickley is the Advisory Practice Lead at Info-Tech Research Group. Before joining Info-Tech, Bickley began his career in the steel industry but moved to technology, working for Lucent, Amazon, and the regulated gaming industry in project management, quality assurance, procurement, and fulfillment roles. At Info-Tech, Bickley has built the company’s contract review and vendor management practices, creating a team that offers world-class research and advisory capabilities. 

The Purpose of This Blog

This blog provides practical insights to help IT operations professionals protect their IT environments, improve audits, and streamline software maintenance while staying compliant.

How Vendor Management Is Evolving Across Industries

Host Mooney asked Bickley how vendor management is changing to address enterprise challenges related to compliance, security, and operational efficiency. 

Bickley gave a brief history of vendor management, illustrating companies’ move from purchasing raw materials from suppliers to build capabilities to purchasing cloud services needed to run their businesses. “You’ve seen this shift from building out big data centers, investing in hardware, networking equipment and servers and large IT teams to run them, to using third parties, such as cloud for infrastructure or application services,” said Bickley. 

As a result, companies are interacting with more third parties than ever, from hyperscalers to managed service providers and outsourcing companies, and accomplishing more work than they could with staff alone. However, one cost of this pivot is the loss of complete control over products and services, including guardrails on how information is used, transmitted, and stored. “Now you’re putting that information in other people’s hands. So, you have to change your business practices for safeguarding and securing data, holding vendors accountable, and ensuring they’re following policies on what they should be doing with that information,” said Bickley. 

Compliance and Security Challenges Companies Face 

Companies face increased breach risks due to the fast pace of change, the growing number of vendors they use, and the volume and sophistication of attacks launched by malicious parties. Many attackers now use AI to develop and productionize attacks at speed and scale. “Nothing’s impermeable. If someone wants to infiltrate your system, they can find a way to get in,” said Bickley. 

Vendor management teams work with chief information security officers (CISOs) to wrap people, processes, and technology around their programs, and require that vendors do likewise. Companies are implementing System and Organization Controls (SOC) and International Organization for Standardization (ISO) controls, adopting best practices such as encrypting data in use and at rest, enforcing stringent access controls, and deploying firewalls and other technical safeguards. When a vendor supplies a SOC report or ISO certificate, the vendor management team should read its scope, reporting period, and any noted exceptions rather than treating the document as a pass/fail result: a report that covers a different service, region, or time window than the one being purchased says little about the controls that actually protect the company’s data.

“Your vendor management teams should validate that their companies have the right insurances in place and the right controls and serve as a liaison to the security team in that regard,” said Bickley. 

Companies are also evolving compliance. Governance, risk, and compliance (GRC) and enterprise risk management (ERM) teams implement frameworks and controls and work with vendor management teams to monitor and ensure third-party compliance. However, companies also face risks not covered by these processes, including financial, reputational, operational, and strategic risks. Vendor management teams must update their processes to address this broader range of risks. 

Strategies for Using Vendor Management to Optimize IT Operations

Bickley offered the following strategies for improving the effectiveness of vendor management.

  • Manage vendors across pillars: Bickley recommends managing vendors across multiple pillars, including contracts, relationships, performance, and risk management. Companies can create a vendor management office or initiative to integrate those pillars.

  • Avoid reactive approaches: Companies with fewer resources often attack a single pain point to show progress, but this piecemeal approach delivers limited value.

  • Establish a vendor management function: A vendor management function can help drive innovation and proper use of external resources by focusing on the vendors who provide the organization’s most significant strategic and operational value. Info-Tech provides a two-by-two model companies can use to map their strategic, operational, and commodity vendors.

  • Set up a cross-functional leadership team: Bickley said companies need the “right people” leading vendor management to see the big picture, identify priorities, build consensus, and facilitate decision-making.

  • Set up relationships for success with effective communication: Bickley recommends maintaining relationships and meetings at different levels; having honest conversations about capabilities, resource limitations, and friction points; leveraging business alignment meetings and two-way scorecards to assess progress; and defining escalation paths and resolution processes for when expectations aren’t met.

Why Companies Need Full Visibility into Vendors and Contracts 

Returning to the topic of security, Bickley said that contracts should specify the standards vendors must meet, whether they must provide an attestation that they meet key controls or open themselves up to audits, and whether they provide indemnification and what limits apply to their liability. He cited the CrowdStrike outage and Delta’s decision to sue CrowdStrike for the roughly $500 million in damages Delta says it incurred. CrowdStrike has since moved to dismiss the lawsuit, citing a contract clause limiting its liability and capping damages.

“Someone at Delta signed that contract with minimum and maximum limits, much less than the pain they experienced with the outage. Have your contract provisions adequately negotiated? Do you have cyber insurance that will make you whole?” Bickley asked. 

Before signing contracts, vendor management teams should perform due diligence on third parties, assessing their marketplace reputation, customer reviews, finances, breach history, and litigation track record. Vendors should be financially healthy enough to honor the technical commitments in their contracts. In addition, companies should purchase cyber insurance that covers business interruption caused by cyber-attacks and other outages, and should check that the policy’s exclusions do not rule out the scenario they are most worried about.

Contracting Red Flags That Vendor Management Teams Should Identify  

Bickley cited the following issues as red flags when beginning or extending a vendor relationship:

  • Exploiting auto-renewals: Vendor management teams should closely track contract terms, including renewals. “One of the biggest gotcha clauses out there is an auto-renewal clause. If you don’t do anything, the contract will auto-renew for another year or multiple-year term unless you give notice,” said Bickley. Most vendors require 30 days’ notice of non-renewal, but Bickley said he has heard of six-month notice periods, with the vendor refusing to release the customer from the auto-renewal once the window was missed. The date to put on the calendar is therefore the notice deadline (the contract end date minus the notice period), not the end date itself.

  • Sending notices at the last minute: Some vendors may also wait until the last minute to send notices, forcing clients to renew so they won’t go without support. “Those predatory tactics are meant to pressure you to act and react, not take your time and fight what you should be fighting. We call that running out the clock,” stated Bickley.

  • Providing contract renewals that lack price protections: Renewal quotes may raise prices by as much as 60% where vendor management teams expected an increase of 5-10%.

These tactics create adversarial relationships between companies and their vendors. Vendor management teams will study whether it is possible to terminate the relationship and move to another provider. However, that’s not always possible. Delta is still using CrowdStrike as it pursues litigation because the technology is intertwined with its business processes. 

Protecting Companies from Predatory Vendor Tactics 

Vendor management teams can avoid or minimize these issues by taking the following steps:

  • Reviewing contracts: Vendor management teams should carefully review contracts for renewal, pricing, contract escalation, and dispute resolution terms to understand what they are agreeing to.

  • Building price protections into contracts: Bickley recommends trying to gain 10-year visibility into pricing if possible or at least five-year visibility if not. “If you don’t do that, you’re setting yourself up for pain down the line,” he said. 

  • Reviewing termination clauses: Vendor management teams should negotiate a termination for convenience clause, even if they must pay a release fee. “That’s better than being stuck in a multiyear agreement that’s costing you a ton of money, where you’re not getting the value or the deliverables you need out of it,” said Bickley.

  • Investing in contract templates: While SaaS vendors typically won’t let customers contract on the customer’s own paper, boutique consultancies likely will, as long as the terms and conditions are fair, Bickley said. That’s because they’re trying to build their business.

“If you have to go to the contract, you’re already in trouble because you have not developed the relationships you need to solve problems in an amicable and business-like manner,” warns Bickley. 

Improving Compliance, Security, and Operational Efficiency

Vendor management is typically not top-of-mind for CIOs focused on developing data, analytics, and AI capabilities and solving security challenges. Leaders striving to implement this function should connect the function to a pain that CIOs experience, such as redundant contracts due to decentralized operating models or excessive spending on renewals due to fragmented, reactive processes. In addition, they can share a maturity assessment demonstrating the benefits of evolving processes. “Sometimes CIOs will be amazed when they see no one tracking those renewals. They just assume it was being done,” said Bickley. 

Bickley says creating a vendor management function and maturing its processes is in companies’ best interests: companies are spending more on external services and are increasingly exposed to risk from third parties and vendors. “A vendor management function that can help you perform due diligence, develop the guardrails and programs to manage vendors, and build meaningful relationships to achieve the business outcomes you’re looking for. That’s probably the most underinvested capability right now,” said Bickley.

Want to learn more?

Watch the podcast

About the author: Rock Johnston