
Purchasing Managed Security Services: Strategies for Client References

There's a scarcity of customers using managed security services who are willing to talk to others about their experiences. Here's how to work with your vendor(s) to leverage their customers' experiences and hard-won wisdom.

If you’ve purchased, or are planning to purchase, managed security services, requesting client references is essential. Like any major service procurement, the opportunity for direct conversation with a current client provides great insight into how the service provider delivers services and addresses obstacles. However, there are some unique challenges and opportunities with client references in the security services market. Having been in the security services market for nearly 20 years, I want to share a few key strategies when requesting and engaging client references from security service providers.

Scarce Resource
First, the challenge: Security client references are scarce. Many clients simply don’t want to be a reference. This position is driven by the concern they would be revealing information about their security strategy, which could be used against them. Given recent supply chain attacks, this apprehension and caution are understandable.

Client reluctance can result in security service providers not having a deep list of shareable references. With a limited supply of client references, security service providers take different tactics. Some providers may offer generic profiles of clients (industry, size, etc.) rather than specific information. Others may provide fewer than the requested number of references.

It is also not unusual for service providers to withhold contact information until they’ve been down-selected or are negotiating a contract. This enables the provider to use their limited references at the most beneficial time to avoid overuse. So, if your acquisition strategy includes requesting three or more client references with full contact information, be prepared for incomplete responses.

Rather than requesting a high number of references, and receiving a reduced response from the provider, here's a successful strategy I’ve seen applied. First, request in the initial RFI/RFP for the provider to include four or more reference profiles, without contact information. Then, state that if down-selected, the enterprise (not the provider) will choose two of those profiles to become references. The service provider will be required to deliver the contact information for the two selected references.

Handled this way, the service provider is then able to include more client profiles, without the risk of using a significant portion of their actual client references. The requesting enterprise receives an increased number of client profiles, which provides a broader view of the service provider’s delivery in the market. And since the requestor reserves the right to choose which client profiles become references, this enables cases to be selected that more closely align with their needs. Finally, the requestor’s right to select the references also reduces the possibility that client profiles and case studies have been subject to embellishment, which has been known to happen in sales documents.

Shared Responsibility
When engaging service providers, security becomes a shared responsibility. Multiple parties can have a hand in the management, monitoring, and protection of resources. To ensure the complexity of multiple parties doesn’t introduce control gaps, it is extremely important to define (and document!) which entity is responsible for each control. Speaking with a current client of your potential security service provider offers a unique opportunity to understand how the responsibilities were defined, and the governance implemented. Get beyond the standard questions of whether they have met their service-level agreements. To gain a deeper understanding of the service provider’s approach, consider questions such as:

  • Have there been any instances where the service provider demonstrated a lack of ownership in responsibilities?
  • Does the client reference have any feedback as to which responsibilities could have been better defined with the provider?
  • Which governance strategies have been effective with managing the service provider?

This is where you truly get insight into whether the service provider approaches a client’s business as a partner rather than as just a vendor.

Negotiation Opportunity
Remember how I said security client references are scarce? This is a challenge for service providers because they need references to offer validation to potential new customers. Their need creates an opportunity for you. If your organization is willing to be a reference, you have something the service provider wants. This is a valuable negotiating tool many organizations don’t even consider as they work through a service agreement.

Let me be clear about one thing. You are not committing to be a good reference, just a reference. Whether your experience is good or bad, you’re committing to make yourself available to speak with prospective clients. If you’re having a great experience, share that with a prospect. If your experience was not positive, the reality is they won’t ask you to speak with a potential client.

Some organizations have a policy prohibiting being a client reference for vendors. Make sure you know your organization’s policy before you enter into these discussions.

Client references are a valuable tool for validating a service provider’s claims and capabilities. They also provide an important opportunity to hear directly how a service provider navigates the complexities of the shared responsibilities required for security management. The scarcity of security references also creates an opportunity for those willing to consider being a reference to others. As you navigate your potential security service provider relationships, make sure client references are included in your due diligence.
