A big challenge for sourcing specialists is needing to rely on security domain experts internally to judge provider quality. The internal team, already working on their day jobs, often doesn’t have as much time to devote to the selection and negotiation process as sourcing leaders want. It’s important for sourcing teams to get smarter about security themselves to lessen their dependence on domain experts for preliminary RFP screening and downselecting.
In our upcoming security services Blueprint, we asked the client references (themselves security experts) what advice they’d give non-technical teams on buying security services. Some of them are general sourcing best practices, and some are very specific to security. But they’re all important to ensuring the success of your security services engagement. Here are some of their key recommendations:
- Make a map of your security landscape. You need to cover your bases regarding what kinds of security technology you’re using – end point, antivirus, etc. -- so you can ask the provider about its expertise in each one. Ask in-depth questions about what kind of expertise it has with those tools, and look for specific clients and places where it can demonstrate the details of its experience. Have the provider pull it all together into a diagram and one vision so you can see it and make sure it matches your expectations.
- Communicate. A lot. How you interact with the provider will have as much bearing on the engagement’s success as the technical security. Make sure you’re not so focused on technical questions that you ignore challenges in communication. Remember the provider’s on its best behavior during the RFP process and it’s unlikely that communication problems get better after signing the contract. As one client reference said, “if the communication is good, you'll get it right 90% of the time.”
- Ask references about mundane details. Beyond the technology expertise, talk to references about what their daily experiences are like. Ask about little things like how quickly the provider answers emails and responds to questions that aren’t part of a service issue. Talk to people who have direct experience with the processes and skills you’re buying to make sure what the provider wrote in the RFP response is actually borne out in client engagements. For example, one client we spoke with mentioned a situation where its incumbent provider proposed expanding scope based on its process for innovation – yet the process described in the proposal looked nothing like the process the client experienced every day with the provider. So even tactical steps within a proposed process need to be explored.
- Weight flexibility and potential highly when grading. One client reference expressed sympathy for his sourcing counterparts: “It's hard to know what questions to ask and know how to evaluate the answers,” he said. But he then explained that evaluating a provider’s flexibility is critical to engagement success. He points out that flexibility matters because even if you ask the right question, your questions will change over the course of the work. So flexibility and potential capability are better than specific current capability that may not be relevant in another year.
- Pick a supplier that can meet you in the middle. It’s been a truism of outsourcing to hire for areas where you’re weak. But this often leads to provider teams that can’t effectively work with client teams because they have no common skill sets. One client pointed out that she relies on her provider’s ability to speak “business language” when discussing security. Can the provider talk about security from a business perspective or are they expecting you to translate their technical discussions for your stakeholders? What you really want is a provider that can go deep in the technology but still have a business discussion, while you’ll match those skills with your internal security experts and stakeholders.
Bottom line: Don’t be intimidated by the lack of deep technical security knowledge. It’s important to bring in domain experts as much as possible, but sourcing teams can dramatically improve their own efforts by making sure they focus on the business side of security.
Posted in: Security and Risk