Cybersecurity Vendor Selection: What Needs to Be in a Good Policy


Operating a company in the modern enterprise landscape requires a reliance, to some degree, on third-party vendors. It’s unavoidable. But the addition of each new vendor brings with it a certain amount of risk.

Starting small is key. Company leaders should work with their CISO or CSO to determine their minimum acceptable security standards, and use that as a baseline criteria, according to Gartner research director Mark Horvath. This should be done even before a request for proposal (RFP) or request for information (RFI) is written, Horvath said.

“Every organization will have a set of requirements which are informed by the relevant industry standards and the unique needs of the organization. These should be written as a policy long before any vendor inquiries are made, so that they can be addressed up front with the vendors. The goal is to avoid the problem of buying a product and then discovering later that it violates privacy or security policies in a way which hinders the business case for the purchase.”

Read more at ZDNet