Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors

Posted on by Ben Rothke

Every organization deals with external software, hardware and third-party service vendors.  In many cases these vendors have direct access to corporate networks, confidential and proprietary data, and more.  Often their products are critical to the infrastructure and security of the organization, and if a vendor lacks effective information security and privacy controls, your data is at risk.  In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct one?  All of this matters because in the event of a breach, when the lawyers start circling, the subpoenas will be served on your company, not on your third-party vendors.

With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a valuable resource for those looking for a basic introduction to understanding the risks involved in sharing data with third parties, and to selecting the appropriate products for your organization.

Many Fortune 1000 organizations have formal programs and processes to evaluate the vendors they interact with, as well as for software and hardware procurement.  For those that don't, this 80-page reference is a good place to start.

The book shows you how to find the right balance between a superficial assessment and one that goes far deeper than the decision warrants.

While the book has a healthy dose of checklists, it is not about simply acting like an auditor, filling out the checklists and adding up the totals.  Author Josh More writes that, robust information assurance processes and regulations aside, successful vendor management involves a wide range of skills, from technical assessment to business communication to negotiation and much more.

An effective aspect of the book is the many questions it gives you to ask the vendor as part of the assessment process.  Too many organizations simply take the vendor's word without performing effective due diligence.  Rarely will one find a company where too many questions were asked of the vendor.

Given that the book is a short 80 pages, More writes that it focuses mainly on the initial assessment process, where the goal is to select a vendor to solve a specific problem your organization is experiencing, improve an existing process or add a new capability.  Given its length, the book does not delve very deeply into the continued operation of a formal vendor management program.

Those who need a larger, more formal guide may want to turn to Forrester and Gartner, whose processes are more formalized and detailed and offer a turn-key solution.

The main thrust of the first chapter is preliminary vendor research.  It shows how to identify vendors for specific products and how to build criteria for effective vendor selection.

An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your own needs first in mind.  Far too many organizations let the vendor drive the process, and in turn the vendor will make sure its own needs come first.

One of the topics in chapter 3 is testing confidentiality.  When comparing vendors, they will often swear that their product is secure but will not provide any details attesting to how secure it really is.  The chapter shows how you can perform internal hands-on testing to confirm that the promised security features actually work.

The book provides a lot of common-sense advice that may not be intuitive to many people.  One invaluable piece of advice is to take steps to confirm that the vendor you are considering is not selling you gray- or black-market products.  This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets.  While buying gray-market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.

In chapter 4, the book does a good job of showing how to score vendors.  It details how to create questionnaires and use the resulting data to assist in your selection.  The chapter stresses that after all of the data is scored, weighted and sorted, you should not expect to find a vendor with a normalized score of 100%.  More writes that if you do a good job of creating the right questions, you will seldom see a vendor score higher than the 80-90% range.
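As an added example (not code from the book, and not More's own scoring scheme), the following Python implements the weighted, normalized questionnaire scoring that chapter 4 describes, with two checks a practitioner would want on top: knockout questions that disqualify a vendor regardless of its total, and unanswered questions scoring zero so that a vendor gets no credit for silence.  The questionnaire, weights, vendor names and answers are all constructed for illustration.

```python
"""Weighted vendor questionnaire scoring (added example, not the book's code).

Each question has a weight and an answer scale 0..max_points.  A vendor's
normalized score is sum(weight * answer/max_points) / sum(weight) * 100.
Questionnaire, weights and responses below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: float           # relative importance of this question
    max_points: int = 5     # top of the answer scale (0 = no / not provided)
    knockout: bool = False  # an answer of 0 disqualifies the vendor outright


@dataclass
class VendorScore:
    name: str
    pct: float          # weighted score normalized to 0..100, one decimal
    disqualified: bool  # failed at least one knockout question
    missing: list       # question ids left unanswered (scored as 0)


# Constructed questionnaire; weights are illustrative, not prescriptive.
QUESTIONNAIRE = [
    Question("enc-rest", "Customer data encrypted at rest with customer-managed keys?", 3.0),
    Question("mfa", "MFA enforced for all vendor staff with production access?", 3.0, knockout=True),
    Question("pentest", "Independent penetration test in the last 12 months, report shared?", 2.0),
    Question("breach-notify", "Contractual breach notification within 72 hours?", 2.0, knockout=True),
    Question("data-export", "Full data export in an open format on termination?", 1.5),
    Question("supply", "Hardware sourced only through authorized distribution?", 1.0, knockout=True),
]


def score_vendor(name, answers, questionnaire=QUESTIONNAIRE):
    """Score one vendor's answers ({qid: points}) against the questionnaire."""
    earned = possible = 0.0
    disqualified = False
    missing = []
    for q in questionnaire:
        possible += q.weight
        if q.qid not in answers:
            # Silence earns no credit: an unanswered question scores 0.
            missing.append(q.qid)
            points = 0
        else:
            points = answers[q.qid]
            if not 0 <= points <= q.max_points:
                raise ValueError(f"{name}: {q.qid} answer out of range 0..{q.max_points}")
        if q.knockout and points == 0:
            disqualified = True  # still scored, but never ranked above a qualifier
        earned += q.weight * (points / q.max_points)
    return VendorScore(name, round(100.0 * earned / possible, 1), disqualified, missing)


def rank_vendors(responses, questionnaire=QUESTIONNAIRE):
    """Rank qualifiers by score; disqualified vendors sink to the bottom."""
    scores = [score_vendor(n, a, questionnaire) for n, a in responses.items()]
    scores.sort(key=lambda s: (s.disqualified, -s.pct))
    return scores


def suspicious_scores(scores, threshold=95.0):
    """Names scoring at or above threshold: a sign the questionnaire is too
    easy or the answers were gamed, so re-verify before trusting them."""
    return [s.name for s in scores if s.pct >= threshold]


# Constructed responses for three hypothetical vendors.
RESPONSES = {
    "Vendor A": {"enc-rest": 5, "mfa": 5, "pentest": 4, "breach-notify": 5, "data-export": 3, "supply": 5},
    "Vendor B": {"enc-rest": 5, "mfa": 0, "pentest": 5, "breach-notify": 5, "data-export": 5, "supply": 5},
    "Vendor C": {"enc-rest": 4, "mfa": 4, "breach-notify": 3, "data-export": 2, "supply": 5},
}

if __name__ == "__main__":
    ranked = rank_vendors(RESPONSES)
    for s in ranked:
        flag = " DISQUALIFIED" if s.disqualified else ""
        gaps = f" (unanswered: {', '.join(s.missing)})" if s.missing else ""
        print(f"{s.name}: {s.pct}%{flag}{gaps}")
    for name in suspicious_scores(ranked):
        print(f"{name}: near-perfect score, re-verify answers")
```

Note that Vendor B posts a higher raw score than Vendor C but still ranks last: a weighted total should never let a strong answer on encryption paper over a missing MFA control, which is exactly why the knockout flag is kept separate from the percentage.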

A good point the book makes in chapter 5, on testing, is that when a vendor requires you to sign an NDA prior to testing, such a request is a fundamental mark of mistrust.  If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.

After you have done all of the dirty work of vendor selection, the book closes with a few pages on how to avoid vendor manipulation.  It is not unusual for a vendor to fudge the information it provides you, which skews the results in its favor.

Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in.  The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.

Selecting a vendor is not a trivial process, and it is not intuitive to many organizations.  Given the breadth of the topic, the book is a great place to start your work on this important process.

The book doesn't claim to be an all-inclusive resource on the topic, and at 80 pages one should not expect it to be.

But for those looking for a highly tactical guide to start them on the road to vendor assessment, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.
Ben Rothke

Senior Information Security Manager, Tapad

risk management critical infrastructure

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.