Improve your cyber security strategy by making the strategic sourcing process and cyber security vendor partners part of the planning discussions...early and often.
In the 2006 blockbuster Casino Royale, James Bond is once again trying to save the world. This time the villain, Le Chiffre, is a banker to the world's terrorists. Le Chiffre has found himself in a bit of a pickle, as he has lost most of his clients’ money. Before they find out, he must quickly replenish the funds. So he hosts a high-stakes poker game in Montenegro, in which he can win back his money. The boss of MI6, "M", sends Bond, along with the beguiling and intriguing Vesper Lynd, to attend this game to prevent Le Chiffre from winning. A couple of other key “players” in this story are Felix (the CIA agent) and Mathis (the local government agent).
While we all think of James Bond as a Lone Ranger, he always has help in his thrilling adventures. This is true in Casino Royale as well. Bond is understandably reluctant to receive it, let alone trust the people who offer it up. After all, the stakes of the game are high. The danger...even higher. Identities of all the players and people supporting those players are mysterious and almost always dangerous…even when the “would-be helpers” seem to want the same result as Bond. Bond has to be careful. Plus, there’s the whole not-loved-as-a-child backstory about Bond’s past (only the Daniel Craig 007 movies explore that backstory). Trust the wrong person and he could fail the mission or even be killed.
Maybe you and your team can relate to the story with respect to your cyber security strategy and execution, specifically with vendor partner selection...trust the wrong person and fail the mission. Or worse, a job loss and a huge hit to your professional reputation...making it hard to land on your feet in the aftermath.
So why let strangers like a Vesper, or a Felix, or a Mathis in on your cyber security strategy?
And how is the strategic sourcing of vendor partners a relevant context of cyber security strategy? Isn’t that a tactical thing that occurs after strategy?
WHY?
While the technical evaluation process of sourcing vendor partners is in fact a tactical exercise, thinking strategically about your business priorities informs such work. And part of that strategic thinking about cyber security is the consideration of questions like:
How does cyber security support our growth and operating plan?
What obligations of data protection have we extended out to customers, employees, partners, and the community?
What regulatory requirements apply?
What constraints do we face with the data, the budget, and the people inside our walls?
What are we good at with respect to managing cyber security?
What are we not good at with respect to managing cyber security?
What business do we want to be in? Meaning...how much of the work requires outsourcing to a firm and how much needs to remain in-house?
What are the influences and impact of our history with cyber security?
Do we have a good history and reputation?
Are we healing from a recent attack?
How bad would it be for our company growth and operating aspirations if we experienced a serious breach?
These (and likely other) considerations are all part of the strategy discussion, and yet they also carry significant implications for the strategic sourcing of vendor partners.
That means that the consideration of the right vendor partner(s) is paramount to executing against said strategy. Understanding specifically who and how they can serve in supporting the cyber strategy (and the broader company strategy) will help leadership make more informed decisions.
Furthermore, you don’t know what you don’t know. Good vendor partners can shine a light on such dark places. By design, they have a perspective you value but cannot achieve apart from them.
So do we invite prospective vendor partners behind the cyber security strategy curtain?
Uhmmmm, maybe. It depends. If we harken back to the Casino Royale story (admit it, you were wondering how that was going to be relevant again), Bond had 3 “field” helpers in his quest to defeat the evil Le Chiffre: Vesper, Felix, and Mathis.
Yes, we realize it’s only a movie...but why not bring some fun and warmth to an otherwise cold topic!
Does the sassy Vesper represent a vendor partner? Not really. She’s part of the team, albeit a reluctant one with an ice block of a chip on her shoulder. But if you haven’t seen it, that character alone is intriguing enough on its own merit to draw a viewer in to watch the whole movie.
How about Mathis? He’s not part of “the company”, but is willing to help. There just seems to be some sort of underlying agenda with him. Yes, he’s like a vendor. And he was invited into Bond’s plan early, even though Bond managed him closely. That paid off for Bond later.
And making such an invitation to prospective vendors can pay off for you as well. It’s ok for vendor partners to have agendas. Fortunately those agendas generally align, in spirit anyway, with your cyber security priorities. Manage their involvement with an open but secure approach. Foster trust building. Take advantage of their perspective by inviting them to contribute to the strategy.
But there’s one stranger that we haven’t covered yet...Felix. Where and how does he fit in? Or does he even fit in at all?
Find out in the sequel Strangers Inside 2…
...coming soon, to an inbox near you!