Buying security is not the same as buying a commodity, specific product or service
Last year saw an increase of 78% in the number of supply chain attacks, as criminals used the vulnerable SMEs working with larger enterprises to infiltrate some of the world’s biggest organisations and launch significant ransomware, invoice fraud and data breach attacks. So why are so many businesses still treating security like just another conventional transaction in their contracts?
Although some forward-thinking Procurement organisations are increasingly adopting collaborative agreements with suppliers, many businesses still transact far too frequently to account for proper security standards each time. Unfortunately, in a world of ever-increasing cybersecurity threats, this kind of transactional, arms-length approach lacks the due diligence needed to keep the wider business safe from cyberattacks. While vendors and partners who have not invested in proper cybersecurity measures will often offer lower costs, the significant increase in vulnerability and risk to the purchasing organisation must be understood to make buying decisions with confidence.
To succeed in such a challenging environment, procurement teams require long term, collaborative relationships with their vendors and partners to ensure that security is understood, appropriately valued, properly negotiated for and ultimately, realised.
Why is cybersecurity currently overlooked in contracting?
Establishing a new partnership or vendor relationship for your firm is normally the culmination of weeks and months of negotiation which is all too often met with an audible sound of relief. Trying to structure, negotiate and draft that magical agreement on how both parties will work for the foreseeable future is a test of everyone’s patience and resolve.
It requires an exploration of a wide-ranging number of “what if” scenarios as well as the escape routes that we build in to cover ourselves for any mistakes and oversights, the ever-present “termination of convenience” clauses. However, if we run too quickly for our exits or at least threaten to do so, what looks like a 2-year contract could easily translate into little more than a 60-day acquaintance.
In extreme cases, over-reliance on the comfort blanket of termination clauses may cause a supplier to conclude that it is their fiduciary duty not to invest in any relationship with a client where it took longer than 60 days to make a positive return. This is even more apparent when it comes to security. Even for partners and vendors who connect directly to your corporate network, have access to your customer data or sensitive intellectual property, manually monitoring their cyber threats and vulnerabilities can be a resource-intensive task. If cybersecurity standards are not clearly prioritised in the contracting process, the effort required is simply too much for the return guaranteed.
This way of working exposes both parties to high degrees of risk. For procurement teams wanting to contract for security, it’s therefore essential to clearly prioritise the desire for a longer-term partnership over the clever wording of the contract. Once a commitment to work together based on a set of agreeable mutual value-creating outcomes is established, the arguments for innovation and investment are then obvious to all parties involved. Make no mistake, innovation is a critical part of success in the constantly changing world of cyber security and risk.
What does best practice contracting for security look like?
We fully understand that most companies recognise that their suppliers are essential to helping them reduce costs, increase quality and drive innovation but when contracting, the defaults to adversarial mindsets and transactional approaches are unlikely to deliver beyond much short-term objectives. Medium and longer-term goals will most likely be lost or at the very least marginalised.
In an environment where cyberattacks in the supply chain are increasingly common, maintaining cybersecurity standards must be a central focus of any contract - it is not a short-term negotiable “nice to have”, it is a long-term “must have” for both parties to avoid data breaches, business disruption, fraud and more.
At Darkbeam, we’re helping Procurement teams to automate and streamline their security evaluations and simplify their supply chain risk mitigation processes. Get in touch today to find out more, or check out next week’s blog in this series, where we’ll be sharing a framework to establish a new security approach with your partners and suppliers.