The process of onboarding these vendors is far from straightforward. It requires a meticulous approach, combining technical evaluation, due diligence, and strategic alignment to ensure seamless integration and optimal security outcomes.
Execweb Ambassadors
Discussion Panelists
Kenneth Foster, VP of IT Governance, Risk & Compliance (Fleetcor)
Bradley Schaufenbuel, CISO (Paychex)
Steve Zalewski, Ex-CISO (Levi Strauss)
David B. Cross, VP & CIO (Oracle)
Rick Doten, VP Information Security (Centene)
Overview
This is a Q&A compilation of a webinar organized by Execweb on
the topic: Unlocking the Secrets of Enterprise Cybersecurity
Vendor Onboarding. This guide empowers CISOs and vendors
with essential knowledge and strategies for vendor onboarding.
CISOs can gain insights on effort levels, preferred vendors, and
brand impact, streamlining the process and ensuring trusted
solutions. Vendors can learn about CISO priorities, address
concerns, and foster successful partnerships.
Topics of Discussion
Buying a POC vs Buying a solution
Role of Vendors in the onboarding process
Hiring a well-established vs a start-up
Brand image of vendor and its impact
Going with the preferred seller for fast onboarding
Question 1: What is the level of effort required for onboarding a new
vendor, and does it differ between buying a solution vs conducting a
proof-of-concept (POC)?
Rick Doten
VP Information Security (Centene)
Whether it's a POC or a purchase, we still need to go through a service
design. This involves defining the budget, including human resources,
and creating a timeline.
A project manager is assigned, and it goes to a steering committee for
approval at the end of the quarter. Implementation can take a long
time; even a POC installation can take up to a year due to engagement
from different groups within the company.
Then there are variables such as budget allocation, i.e., can this thing
wait till the next year? Sometimes the process may go dark for a while
and then resurface, requiring a rush to finish it up. That's the reality.
The onboarding process, whether for a POC or a
purchase, involves service design, budgeting, timeline
creation, and stakeholder engagement flexibility.
Bradley Schaufenbuel
CISO (Paychex)
The procurement process varies significantly based on the vendor's
interaction, including factors such as the markup in the contract and the
speed at which they pass our vendor security review. The duration can
range from a few weeks to several months depending on the level of
access and data involved in the process.
If the POC doesn't have to interface with production systems and
sensitive data, we can get it through a lot quicker. However, what's
crucial in our organization is internal alignment.
With a large IT department of 2200 individuals, implementing a security
product involves aligning resources across multiple teams, which can
take time. The vendor has no control over this aspect.
If the POC doesn't have to interface with production
systems and sensitive data, we can get it through a lot
quicker.
Steve Zalewski
Ex-CISO (Levi Strauss)
If no money crosses hands, we can bring the company on board relatively
quickly simply by signing the NDA.
When we start talking about the money, then the formal process kicks
in. 3-9 months to get through the process, depending upon the
skillfulness I have and the redlines put in paperwork by the vendor.
The more redlines a vendor puts in, the more time it will take to get it
approved by legal. So the vendors who are reluctant to accept what
I offer and put redlines in the document have to wait anywhere between
2 to 4 months.
The onboarding process can be expedited by signing an
NDA, but when money gets involved, it results in
extended approval times.
David B. Cross
VP & CIO (Oracle)
Building upon Steve's points, there are two key considerations in
differentiating a POC from a full implementation: whether it is in a test
environment or a production environment, as this affects the pace of
progress.
Additionally, the average time for onboarding a new vendor falls within
the three to six-month timeframe due to factors such as evaluating the
architecture, ensuring compliance, and addressing overall
implementation complexities.
While a three-month timeframe might be overly optimistic, a realistic
estimate would be around six months.
Implementation pace varies based on the environment
and onboarding new vendors or products takes three to
six months, considering various factors.
Kenneth Foster
VP of IT Governance, Risk & Compliance (Fleetcor)
Alignment between the security team and the vendor is crucial, as
security personnel often lack the necessary permissions to freely install
software or make changes to their systems.
Regardless of whether the POC is conducted in a non-production or
production environment, it still poses security risks so there is not much
difference for me when it comes to implementing POCs.
Security permissions restrict software installation and
system changes, making the implementation of POCs
similar regardless of the environment.
Question 2: How can vendors proactively streamline the onboarding
process for CISOs, ensuring a swift and seamless experience?
Rick Doten
VP Information Security (Centene)
Vendors need to understand that gaining the support of the CISO or
other high-level executives may not be effective.
These executives are often part of a committee that evaluates and
approves new services or solutions. The end-users will make the final
decision. If they find value in the product or service, they will advocate
for it and drive adoption within the organization.
Thus, vendors should prioritize reaching out to product users and
gathering their support.
Vendors should prioritize end-user support to drive
adoption within organizations, rather than relying solely
on high-level executives.
David B. Cross
VP & CIO (Oracle)
Having comprehensive documentation is essential to address the
concerns of various stakeholders, such as compliance and audit teams,
corporate architecture personnel, and others.
By providing a comprehensive package of documentation that answers
anticipated questions, the onboarding and decision-making process can
be streamlined, minimizing the need for back-and-forth
communication.
Comprehensive documentation addresses stakeholder
concerns, streamlines the onboarding process, and
minimizes the need for extensive communication.
Bradley Schaufenbuel
CISO (Paychex)
It is crucial for vendors to invest time in understanding the onboarding
process. Many vendors overlook this step and end up facing unexpected
phases.
By familiarizing themselves with the process from the beginning,
vendors can avoid surprises and have a clear understanding of what
they will go through.
Vendors should understand the onboarding process to avoid
unexpected phases and gain a clear understanding of what they will
encounter.
Steve Zalewski
Ex-CISO (Levi Strauss)
It's important to note that engaging in POC doesn't automatically imply
an immediate purchase. Often, a POC is conducted to evaluate and
validate a solution before considering it for the following year's budget.
The purpose is to assess factors such as cost, business process impact,
and potential challenges.
The procurement process is typically faster than the CISO's decision-
making process, which involves aligning various stakeholders and
assessing reputational risks for both parties involved.
A POC doesn't guarantee an immediate purchase; vendors should
recognize the longer decision-making process and the involvement of
stakeholders.
Question 3: What are the differences in the procurement process when
hiring a well-established vendor compared to a start-up?
Rick Doten
VP Information Security (Centene)
When it comes to risk assessment in vendor selection, there are several
factors to consider.
Firstly, the vendor's long-term viability is evaluated, ensuring they have
the capacity to support the organization's needs. Secondly, scalability
is important, as the vendor should be capable of growing alongside the
organization without compromising service quality. Thirdly, the risk of
them being acquired, as certain acquisitions may lead to conflicts or
restrictions in contractual agreements.
A thorough risk assessment is also conducted, which may involve
requesting source code escrow for contingency purposes.
While the process remains the same, we get more
meticulous with gauging new firms' scalability, viability,
and risk of them getting acquired.
Bradley Schaufenbuel
CISO (Paychex)
We evaluate whether they have the necessary financial resources to
provide support not only in the present but also in the future, such as a
year or three years down the line.
This is less of a concern when working with major cybersecurity
companies, as their financial status is publicly traded and can be
reviewed with ease.
In contrast, startups often lack sufficient financial data for us to assess
their viability. This discrepancy in financial resources and track record is
a significant factor we consider when evaluating vendors.
Viability is a key consideration in our risk management
process, with a particular focus on startups that may face
challenges in proving long-term support capabilities.
David B. Cross
VP & CIO (Oracle)
On the other hand, larger vendors with a strong market presence often
have established documentation and protocols in place. The
procurement and risk assessment processes differ in these cases due
to the varying levels of familiarity and available documentation.
While startups require more scrutiny and assessment, well-established
vendors may already have a more extensive track record and
documented security measures, impacting the evaluation process
accordingly.
Third-party assessment tools help evaluate the risks of
smaller companies, while established vendors have
documented security measures.
Steve Zalewski
Ex-CISO (Levi Strauss)
Young companies may offer more affordable solutions, even if they
come with certain risks. As a vendor, understanding that your size can
be seen as both a strength and a weakness is important.
Tailoring your pricing and risk considerations accordingly can help meet
the needs of cost-conscious organizations. Furthermore, organizations
often turn to young companies to explore alternative approaches and
tap into emerging capabilities.
For these and other similar reasons, sometimes we are more willing to
work with an emerging start-up than an established vendor.
Engaging with young companies can offer cost-effective
solutions and allow us to leverage their unique strengths
to address specific challenges.
Question 4: What factors influence the brand image of a vendor, and
what is its importance when deciding to work with a vendor?
Kenneth Foster
VP of IT Governance, Risk & Compliance (Fleetcor)
As a CISO, I prioritize trust in real-world experiences and the
recommendations of professionals within my network over relying
solely on industry reports or evaluations.
The opinions and firsthand experiences of trusted individuals hold more
weight than brand recognition or industry accolades. Reputation is
paramount in the cybersecurity community, and even the most highly
acclaimed products can be overlooked if they have garnered a negative
perception among our network.
I prioritize real-world experiences and trusted
recommendations from my network over industry
reports.
Rick Doten
VP Information Security (Centene)
When it comes to industry reports like Gartner, they hold little value for
me personally. I rely on real-world examples and feedback from actual
users or trusted sources who have hands-on experience with the
products or services.
The brand name itself carries minimal weight compared to the actual
quality of the tool and the people supporting it. I'm not interested in
buying a name; I'm interested in investing in a tool that aligns with my
business needs and has a reliable support system behind it.
The strength of the relationship with a vendor is of
utmost importance.
David B. Cross
VP & CIO (Oracle)
Industry reports provide valuable perspectives that can help broaden
our understanding of vendors and their offerings. However, it's
important to remember that this is just one piece of the puzzle.
The second aspect is the input and experiences of our internal team
members who are stakeholders in the decision. Their firsthand
experiences, both within our current company and from previous
organizations, help us understand the practical implications of working
with specific vendors.
Lastly, peer recommendations and experiences also play a crucial role
to reach a decision.
I prefer leveraging industry reports, internal team input,
and peer recommendations to build a perception of
vendors' brand image.
Steve Zalewski
Ex-CISO (Levi Strauss)
With the increasing number of vendors vying for our attention, the
traditional POC process has become less prevalent. Instead,
relationships play a more crucial role in our decision-making.
When we have a specific need, we turn to our peers who have recently
deployed similar solutions. Their positive experiences with certain
vendors can quickly propel those vendors into the final selection stage,
even without them actively participating in a competitive POC process.
Reputation and word-of-mouth have become vital factors in vendor
selection. In some cases, I may even rely on third-party assessments if
the vendor has already been pre-qualified through trusted
recommendations.
CISOs rely more on trusted peer recommendations than
traditional POC processes for vendor onboarding.
Bradley Schaufenbuel
CISO (Paychex)
Brand recognition does have some significance in the decision-making
process, especially when communicating to the executive team and
board.
When introducing a new vendor or solution, having a well-known brand
name can provide a level of credibility and familiarity that eases the
concerns of key stakeholders. A recognized brand name often carries a
sense of trust and can help alleviate potential skepticism or doubts.
Brand recognition carries significance in the decision-
making process, providing credibility, familiarity, and
trust when introducing new vendors to key stakeholders.
Question 5: How common is it to utilize preferred resellers to expedite
the onboarding process?
Rick Doten
VP Information Security (Centene)
While utilizing preferred resellers can sometimes streamline the
onboarding process, the involvement of the IT group in tasks such as
system setup, credential management, server design, and port
configuration can still be a significant factor that determines the overall
efficiency of onboarding, potentially outweighing the benefits of using a
preferred reseller.
It depends!
Steve Zalewski
Ex-CISO (Levi Strauss)
Having a single point of contact for procurement and legal matters is
increasingly becoming a strategic approach, as companies often lack
sufficient resources in those areas, and it expedites the deal closure
process.
Preferred vendors are sought after for smoother paperwork handling,
especially when understanding the procurement process and pre-
signed NDAs are already in place.
Additionally, being aware of deal sizes can be advantageous, as deals
under a certain threshold may bypass lengthy procurement or legal
processes, allowing for faster execution.
Preferred vendors streamline paperwork and expedite
deal closure.
David B. Cross
VP & CIO (Oracle)
The decision to utilize preferred vendors for onboarding depends on the
specific situation, as in the case of exploring a new specialized area or
technology where the internal team lacks experience.
In such instances, leveraging preferred vendors for additional
Professional Services or system integration can be an optimal choice to
ensure smooth deployment and implementation.
Yes, if I feel that the internal team lacks audit abilities.