It can happen to anyone, including me, at any time: you have had a good, even great relationship with your cybersecurity services, managed IT services, or other vendors for an extended period of time. They have always been engaged and attentive — until they no longer are. Suddenly, it takes them a lot longer to return your calls, and your questions and concerns hang there, unanswered.
Perhaps the vendor is increasingly late for scheduled appointments or is always busy. Or maybe they claim, with increasing frequency, that they have to back out of an agreed-upon appointment because of a “scheduling conflict.” Regardless of the specifics, you begin to cringe at the prospect of their phone calls or emails because you know it will likely be another no-show excuse. We’ve all been through this — the vendor relationship that started with the best intentions. Then, when the warning signs begin to flash, we often hesitate to tell the vendor that we’re getting concerned until we need them for a major issue and the response is a failure.
As a business owner, what do you do?
First, take a deep breath and consider your options. Then, retrieve your contract (you know, the one you signed but probably never really looked at before) and reexamine the terms and conditions. Have you missed something in the fine print? If that is the case, have the courage to confess and see if you can set the relationship with your vendor back on track. But if that is not the case, and you determine that the fault is with the vendor, it is a different ballgame.
One option, of course, is to drop the vendor. If they raise a stink, point out their lack of performance. That may be a viable course — unless it is a cybersecurity vendor. Because then you are in a tough place: if you drop the vendor, you may lose defenses and expose your systems to several threats, and you could suffer a breach with no one around to step in and plug it.
Fortunately, there are alternatives. One is to proceed methodically: instead of just dropping your vendor, contact them and ask for a copy of your contract, even if you have it on file. It is a shot across the bow and most vendors will understand that you are questioning the engagement. If they truly have skin in the game, the vendor will likely step up and try to improve their performance.
If they do not, it is time to look around for a replacement and learn from your earlier mistakes. Start by issuing a Request for Proposal and consider including your existing vendor in it. Their response will help to provide some insight into how you got to this place to begin with.
A good response to your RFP will lay out your operations and teams and highlight any weaknesses. And consider that your existing vendor is already a subject matter expert for your business, so let them provide a roadmap of what is needed. You may want to give them a second chance, and even if you decide against it, their RFP response can offer valuable insights for the replacement vendor.
And whether you make a switch to a new vendor or decide to stay with your existing one, you can take some steps to reinforce the relationship. First, add some terms to the contract, like a requirement for a periodic third-party audit. Having an external set of eyes can give you an early warning about any shortcomings.
Additional contract terms could include broadening the vendor supply chain to include a provider from a separate company — this way you will have a built-in backup in case your primary vendor fails again. Also, consider another kind of backup: requiring the vendor to provide training to someone from your company. That way you are not hanging in the wind if something goes wrong and your vendor cannot get someone in right away.
Once you have decided on a new vendor – or have redrafted an agreement with the old one – consider taking some additional steps to guard against another flameout. First, in addition to adding a requirement for third-party audits, review them when you receive them and pay attention to their recommendations. Then, get together with your vendor and be diligent about implementing the recommendations.
Also, schedule periodic get-togethers with your vendor and go through “what-if” scenarios — like what if my air conditioning fails and my sensitive electronic equipment starts to overheat; what if there’s a fire in the building and my primary data systems are destroyed; or what if someone within my organization decides to work with a hacker or becomes one, and penetrates my system from the inside? If your vendor does not have good answers for these and other questions, it is a red flag. Scouting out and vetting a new vendor is time-consuming, but at least you will not have to wait for a crisis to start looking for a replacement.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.