Effective identity management is crucial to enterprise security, enablement, and — ultimately — success. But despite its importance, business leaders outside the IT and security space often have only a surface-level understanding of identity security.
It's a complex topic, and establishing a firm grasp on the nuances of access, governance, entitlements, and permissions can be difficult and confusing. Even more challenging is understanding how to protect on-premises solutions, cloud environments, and multitenant software-as-a-service (SaaS) tools. Third-party risk management (TPRM) is critical, and vetting potential new vendors — especially security vendors — requires knowing what questions to ask and what red flags to look for.
Why Evaluate Vendors and Suppliers?
Most vendor evaluations focus on the supplier's technical and functional prowess. While these are important considerations, they cannot be the lone decision-making criteria for a successful long-term partnership and outcome. It's important to comprehensively evaluate a vendor beyond its technical capabilities alone.
For example, long-term viability is imperative for security vendors. An effective identity security solution must be integrated across all environments and protect tens (if not hundreds) of thousands of identities. You need to know whether the company will still be around in two years — or five, or ten. Switching security providers is tricky, which means choosing a financially stable and viable partner is a serious consideration.
It's also important to look at the company's history of technical innovation — not only at what it is doing now. A company might have technology that looks intriguing now, but does it have a history of adapting quickly to new trends, or does it regularly lag behind?
Perhaps most critical, what is the supplier's level of risk? Has it been breached recently? If so, how did it respond? No chief information security officer (CISO) or chief information officer (CIO) wants to be held responsible for a breach that costs millions of dollars and damages the brand.
Questions to Ask Potential Vendors
Before you do business with a new vendor, you need to ask questions to assess the non-technical capabilities that could impact your company's risk.
First, assess the vendor's financial health. This could mean asking for audited financials and reviewing the company's funding and ownership model. A poorly structured company can be a serious red flag. This process can also help gauge the company's priorities; for example, what percentage of employees are in forward-thinking areas like R&D or solutions architecture? It's also a good idea to get a sense of the business culture, as a disgruntled employee with access to a privileged identity has the potential to cause significant damage. You also want to look at its service level agreements (SLAs) and contracts to get a sense of how it operates and interacts with clients.
Next, consider its existing (and past) customers and whether they can provide positive references. Statistics like Net Promoter Score (NPS) and Customer Satisfaction Score (CSAT) can reveal how clients feel about the company's service, and its customer retention rate will tell you how long they tend to stick around. Ask why companies tend to leave. Poor service and security concerns are red flags.
All these things factor into a vendor's health and security, but it's also important to look directly at its security and compliance status. Ask for its security certifications and data residency — does it primarily use on-premises or cloud solutions? How many cloud solutions? Where does it get security support? In-house or from a third party? How does it align with data privacy regulations such as the General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA)? Is it SOC 2 compliant or ISO 27001 certified? These answers won't necessarily give you the full picture, but they can provide a valuable glimpse into how the vendor approaches security — and how likely it is that your identity security could be compromised.
The Name of the Game Is Limiting Risk
With third-party attacks continuing to rise, today's businesses need to be sure they are limiting third-party risk from the moment they begin considering new vendors and partners.
An inadequate security program adds up to a lot of potential risk for your company. Organizations bringing on new security vendors must be ruthless in their evaluations. Ensuring new vendors are in good financial standing, foster a strong company culture, and have a thoughtful and cautious approach to security is one of the most important ways to limit the risk your business is exposed to. No one wants to be on the hook for a breach that costs their company millions of dollars (and the resulting reputational damage) because they settled for a vendor that was "good enough." Picking the right partner is a crucial element of a successful identity security program.
About the Author
As SailPoint's President of Worldwide Field Operations, Matt Mills brings over 30 years of experience in enterprise software and selling complex solutions, as well as a proven track record of leading high-growth sales organizations.
He most recently served as CEO of MapR, where he repositioned the company as an enterprise-class converged data platform, building out the sales team to keep pace with the company's growth. Prior to that, he spent 15 years at Oracle leading two divisions within the company's North American sales organization.