In the first installment of this 2-part blog, we used the story from the movie Casino Royale to illustrate the value of inviting strangers into your cyber security strategy...and how strategic sourcing of vendor partners is relevant in that effort.
Our hero (James Bond, aka you) was out to defeat the villain (the evil Le Chiffre, aka the evil hackers) in a high stakes poker game. Bond had sidekicks (Vesper, Mathis, and Felix, aka the helpers).
Vesper, although a stranger, was part of “the company”. So we bounced her from this story.
As for Mathis, we addressed his role as a fun illustration representing the strategic partner that is a cyber security vendor and how to make that play part of your strategy.
So what’s the focus in this sequel?
Better yet, WHO is the other stranger to let into the cyber security strategy? Well, we’ve all slept since the original post. And there’s only one helper character left anyway...
Felix.
Quick refresher: Felix is the CIA agent who was also at the poker table trying to bankrupt Le Chiffre. But he wasn’t having much luck. He was running on fumes with respect to chips. Realizing that he wasn’t going to beat the bad guy himself, he recognized that Bond could.
There’s a scene where Felix makes himself known to Bond after James loses all his chips in the first round (and is stonewalled by Vesper when he tries to re-up with more funds). Bond has lost his cool and decides to take a steak knife and just kill Le Chiffre. Understandable, even though dangerous and reckless.
Fortunately, Felix intercepts Bond and reasons with him, advising him on the merits of sticking with the original plan. He even offers to stake him with the necessary funds to get back in the game.
Bond is trying to do the right thing to end the bad guy but gets emotional and looks to end it any way possible.
It was the good counsel of Felix, and James listening to him, that made it possible to get the best outcome...a clean win bankrupting the evil Le Chiffre. That quickly led to the end of Le Chiffre at the hands of his terrorist clients.
Ok, so it’s just a movie. We obviously don’t have a death wish for your vendor partners or even evil hackers.
But the story makes for a nice parallel illustration about the importance of objective counsel when the stakes are extremely high.
Before we move into more about that, note: the perspective we cover in this blog does in some way promote Seprio’s strategic sourcing and vendor management advisory services. And we are not ashamed of that. We believe in what we do and why we do it because we’ve seen and shared in the fantastic outcomes our Clients achieve in protecting their priorities by working with us...especially when the stakes are so high.
Felix can be your internal sourcing person/team, or Seprio person/team, or another competent third party. Even if you choose not to use Seprio, still choose to use a competent third party to advise you in sourcing your cyber security vendors.
Ok so WHY is it important to invite an objective advisor stranger into your cyber security strategy early and often?
Complexity. Let’s take a look at a recent cyber security vendor sourcing project. The project was real. But in an effort to protect the innocent, the fictitious name of the company is BrandX. James Bond, the CIO @ BrandX had a lot to consider in this sourcing project.
It was a renewal. The current vendor was a viable player, but renewal time is an excellent time to consider alternatives. At the very least, you can validate the value and merits of a “keeper” vendor partner. But it can feel overwhelming and uncomfortable to consider other vendors. Nonetheless, a renewal, while it must work through the same process, is different from sourcing a net-new vendor. There’s relationships. There’s history. There’s active service. There’s the comfort of familiarity. And there’s the opposite of that in the cost and pain to change.
The pricing had layers. We all know this is pretty common. But that doesn’t change the fact that every deal is unique. When you’ve seen one, you’ve seen one. In this case, there were different numbers for different features: some they already had, others they needed but didn’t have, and still others were of the “nice-to-have” variety. To complicate matters in this particular deal, they were staring at a 49% manufacturer “price-at-the-pump” increase.
No competition. They had not introduced competition because the relationship was good. Look, that’s good! Nonetheless, competition is the best and most responsible way to test/validate the good. Without it, you have very little leverage.
Multiple live agreements. There were multiple, smaller agreements in place with different terms and expiration dates. This is something that can provide you with some leverage. But it does complicate things.
Unfavorable legal terms. The proposed agreement terms favored the partner more than the business. And that wasn’t easy to sort through with multiple people involved on the deal inside the organization. A specific example that often comes up in cybersecurity is how cyber insurance, indemnification, and the cap on liability fit together...and in this case, that package was not fairly constructed for the business.
Cost of a breach. Cyber security is obviously mission critical. While the average cost of a breach globally is reportedly north of $8MM PER INCIDENT, the cost of the stain on the reputation runs much deeper than money.
Objectivity. We all know that the stakes are big. So choosing a cyber security vendor partner may be more difficult than any other tech vendor decision.
While this perspective is not likely news to you, choosing a third party (one that effectively may be a stranger to you and your team) to manage the sourcing of said vendor partner (including agreement negotiations on your behalf) seems like the opposite of the safe choice.
Conventional wisdom says to keep things like that “in-house”...where you can maintain control, where decision-making can be protected, where only you and your team truly know the vulnerabilities of the business.
But in, and especially in, such high-stakes vendor sourcing, the personal professional stakes are also higher. The decisions around such vendor choices come with a higher level of personal professional visibility and accountability.
That creates a higher probability of emotional influence. And emotional influence is the villain of objectivity. This is deeper than bias. Bias is the result of this kind of emotional influence. While bias is not always bad, it is in reality rarely good.
Look, the primary reason businesses choose a third party technology company specializing in cyber security tech is because they have the expertise. They are in a position to be more objective about vulnerabilities. They are specialists that see things you cannot see...in most cases simply because of the view from your seat of running the business.
While unusual, a third party negotiator delivers the same type of objectivity in the sourcing of cyber security vendors. Choosing such a stranger, a specialist with a unique blend of expertise about cyber security contract language, market pricing, and security priorities affords you the space necessary to make the most informed vendor decision.
Ok so HOW do we invite an objective advisor stranger into the cyber security strategy?
Ensure you have the right sourcing support. If your organization has an internal sourcing department, ask yourself if they have the skillset and experience to handle strategic-level cybersecurity contracting. If they do not, then consider whether a sourcing advisory firm is the better choice.
In Bond movies over the years, Felix is often played by different actors, making him more of an institution than an individual. You can have the same thing from a good sourcing advisory firm who likely has different personnel with different experiences and skillsets, allowing them to better be able to handle your distinct and varying projects.
Like cyber security, this is first about reputation. Make time to select 3 “stranger” advisory firms to evaluate. Vet them not just for experience but for expertise in enterprise, mission-critical vendor sourcing. How much of that work is cyber security? Do their stories match up with their Clients’ versions of the stories? The goal here is to evaluate strangers, one of whom will break through as the right, trustworthy, independent partner.
Make sure the advisory firm has a process for managing the sourcing project including…
A systematic, consistent approach to communication that works for your team - this may mean virtual meetings, in-person meetings, and/or emails
A discovery process for collecting all the necessary information up front
A strategy that outlines your priorities (not just requirements) and the expected milestones necessary to achieving them
A project summary report that documents the outcomes at the conclusion of the project - this is more than a recap; it serves as a valuable tool for reflection during the relationship with the vendor and at renewal time
Start 90 days early. Seriously, you cannot begin too early when getting help in this way. If your go-live date for implementation is within the next 12 months, start immediately. Why? We all know time is a valuable resource. But in mission-critical vendor decisions, its value is far higher the earlier you use it.
The dangers of short timelines are many, including, but certainly not limited to: missing important details, taking shortcuts, and paying too much. Most of all, short timelines equal decisions under duress. Don’t we all have enough of that already?! In the end, that puts the business, the mission, the data, the people, and your livelihood all in grave danger.
It doesn’t have to be that way... start early.
Remove yourself. And by “yourself” we mean anyone with an employee number. Not easy, but definitely simple. Removing yourself from direct negotiations with the vendors creates space for you and your team to be more objective, and creates an environment where your participation is not diluted, but, rather, far more impactful.
And remember, you still own all the seats on this ride. You are still the final decision-maker. Removing yourself makes for the best outcome...every time.
So what happened with the complex deal referenced earlier in this post?
Well, even though Seprio was introduced into this project later than recommended, there was still enough time to make a better deal. The final price was $2MM under budget (thwarting the 49% “price-at-the-pump” increase, and then some). The terms were simplified and “fairified”. And Bond managed to collect additional services and 160 hours in Consulting Support, at no additional cost.
BrandX’s CEO said, “You hit a grand slam.”
So that’s a wrap on WHY and HOW it’s a good thing to let a stranger inside your cyber security strategy.
If you and your team have a mission critical cyber security vendor sourcing project coming up, or already in play, do yourself a favor and at least have a conversation with our Chief Client Advocate, David Dvorak.
Oh and if you haven’t seen Casino Royale, it is highly entertaining. Grab some popcorn and enjoy the show!
Until next time...