One of the challenges that modern CISOs face is knowing where to channel investment. And given that there are many vendors, often offering similar services, choosing a provider or product can be difficult.
A good vendor-end-user relationship based on trust and long-term partnerships is crucial.
We asked three industry experts how vendors and end-users can get the best out of their partnerships. Here’s what they had to say…
Ghazal Asif, Senior Director of Worldwide Channels at Cybereason
- Build the human connection
In an age of rapidly evolving technology, we often forget the importance of the human connection. At the heart of every great relationship is a feeling of mutual trust. Building trust requires time and patience. The former is something we don’t have, especially when there are so many vendors knocking on end-user doors. Once an end-user has identified a shortlist of vendors they will partner with (in a project, or generally), make the time to build the trust and relationship outside of the office. Coffee, dinner, a round of golf – there are unlimited ways to build the human connection.
- Make peer-to-peer connections
Most strategic partnerships span across multiple business units and disciplines between end-users and vendors. For example, a CISO to CISO connection is excellent, and necessary, but going up and across the organisation and making those peer-to-peer connections gives both parties a fuller picture of the organisation. For example, end-user procurement staff connecting with vendor procurement staff can lead to a better understanding of the paper process and potentially good practice sharing.
- Creating value
The strongest end-user and vendor relationships are based on creating value. This is especially important for vendors. The only way to create value for an end-user is to truly understand and empathise with the pain in their role, fully understand the priorities and then find ways to create value. Creating value can be done through sharing best practices, sharing key research that aligns to their pain and desired outcome, leading workshops with the end-user teams for knowledge sharing and finding ways to share relevant expertise from the work completed by the end-user.
- Build a joint success plan
Agreeing to a joint success plan which is fully documented is a fantastic way to ensure the end-user gets the most out of the investment. A joint success plan should include quantifiable metrics on what success looks like, especially post-sales. This is also a great way for the end-user to hold the vendor accountable.
- Define and align on outcomes
Priorities change regularly for companies and pains experienced by one end-user will quite likely be dramatically different with others within the same company. This makes it imperative to set expectations on timelines and communication in order to define what a great outcome will be for the end-user.
In addition, the more transparent end-users can be with vendors regarding goals, objectives and outcomes, the more likely they are to achieve success. It could be something as simple as scheduling follow-up phone calls. If the end-user isn’t interested in receiving calls on a certain day or time because of other commitments, it’s important for the vendor to know this.
Maybe the end-user doesn’t want a follow-up call on a Monday because their calendar is already filled with existing appointments. Therefore, scheduling the call on a Tuesday could go a long way in building trust. It seems simple but working extremely hard to not lose control of the basics is important.
Richard Archdeacon, Advisory CISO at Duo Security
As businesses demand greater agility and flexibility for their in-house and external teams, vendors must reflect that change. This is particularly important in the area of security which, although vital to the success of an organisation, is not often seen as necessary.
An author wants to write, a designer to design. They do not come in to work to be a security professional. So success will depend on the vendor ensuring that the end-user works in partnership to secure the organisation.
Vendors must ensure solutions are easy to use and do not impede the user and their work experience. A key way in which vendors can work with end users is to focus on the design of their solutions and ensure that they are effective but easy to use.
An example of this would be ensuring a common experience across all the platforms open to end users in their daily activities – a solution should be similar across laptops, mobile phones and intelligent watches.
The vendor needs to ensure that the functional requirements are implemented without interrupting the user workflow.
If it interrupts what a person needs to do it will create a negative experience and, understandably, users will develop workarounds, therefore undermining the purpose of any control.
By making authentication simple whilst running checks on devices in the background, end users can stay secure without degrading performance or interrupting work. If an update is needed to a device then, rather than making it intrusive, the vendor can develop an approach which includes the end user in the decision and implementation process.
To develop these solutions, vendors need to have a programme which includes end users in the development of new solutions.
Making it easy to use is the first step but ensuring that end users test it and provide their input is a critical second step before release. So keeping it simple and consistent while supporting – not interrupting – the end user is the way to get the best out of the partnership.
Paul Farrington, EMEA CTO at Veracode
As a society, our digital lives are dependent on code, whether it’s managing our banking, controlling our vehicles and critical infrastructure or operating our medical devices. Meanwhile, every business now relies on software as a source of strategic differentiation, competitive advantage and top-line revenue generation. Cyberattackers have taken note of this increasing attack surface, compromising systems at an alarming rate, and breaches are hurting companies.
According to Verizon’s 2019 Data Breach Investigations Report, 62% of breaches and 39% of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, we can assume that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware and harvesting payment card data to create a profit.
Meanwhile, analysis from Veracode’s most recent State of Software Security report shows that the number of vulnerable apps remains staggeringly high and open source components continue to present significant risks to businesses. More than 85% of all applications contain at least one vulnerability following the first scan and more than 13% of applications contain at least one very high severity flaw. In addition, organisations’ latest scan results indicate that one in three applications were vulnerable to attack through high or very high severity flaws.
Vendors must closely manage the security of their software, whether that’s software they buy, use or sell, in order to help prevent breaches and to retain the trust of their customers. It is easy to forget that third-party applications can be just as vulnerable as the applications companies build for themselves.
Leading organisations such as OWASP, the PCI Council, FS-ISAC and NIST are raising awareness about the need to better understand and reduce the security risks associated with the use of third-party software.
Why is this critical for maintaining strong vendor and end-user partnerships? Because when you install applications or software components from a third party, you also take ownership of all the vulnerabilities in their software.
Since we now rely on software for everything – health, safety and well-being – a policy of ‘just trust me’ to handle the security of our software puts us all at risk. It is no longer acceptable to fail to demonstrate that you actually are producing secure software. There’s too much at stake and customers are aware of the risks created by their software supply chain. They want assurances and independent validation that the software they procure from their software providers is compliant with their corporate security policies.
After all, many other industries such as transportation, food and pharmaceuticals require independent audits and assessments related to product safety. This is a common practice of checks and balances aimed at addressing product issues that would otherwise harm consumers. Why should software be any different?
To enhance the compliance of third-party suppliers with your corporate security policies, Veracode:
- Acts as an independent party for enterprises procuring third-party software and for software vendors selling to enterprises
- Analyses third-party applications and attests to their security posture while protecting the vendor’s intellectual property through the use of binary static analysis
- Provides software vendors with detailed and prioritised remediation guidance
- Keeps enterprise customers up to date with detailed program status reporting from vendors within the program
- Brokers and manages the program and creates attainable compliance goals
Software purchasers must demand security attestation for the software they are purchasing. Software companies are not going to simply offer this information if no one is asking. Companies that are purchasing software from a vendor should ensure they’re asking about secure development as a way to manage vendor IT risk.
Businesses that take steps to prove to end users, new prospects and partners and integrators that they follow secure software development practices gain a competitive advantage in the marketplace. By proving they take security seriously and demonstrating that value both inside the company and to external stakeholders, these businesses will outperform competitors that fail to keep pace with market demand for secure software.