Supplier Risk: The Captive Customer Experience
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
October 17, 2011

Business leaders may select a supplier due to frustration with internal services. That decision may or may not be in the best interests of the company. This article provides practical advice for improving service and identifying the true risks and costs associated with a supplier relationship.

Technology and Security Operations
Technology and security divisions are often composed of a collection of disparate teams. The separation arises from a sophisticated approach to IT infrastructure governance, the need for layered security controls and an increasing number of laws, regulations and contractual obligations. The processes necessary to design, implement and maintain technology increase as a company grows in size and complexity.

Business "Must Haves"
A business unit strives for efficiency to deliver quality products and services before the competition. The ultimate goal is to generate as much revenue as possible. Suppliers are utilized when internal service is unavailable, inefficient or cumbersome. Inefficient services consume resources unnecessarily and impact the bottom line. Cumbersome services are slow to deliver and may be bound in layers of bureaucratic process. Finally, business units need reliable services to meet customer needs and expectations. Business leaders must research alternatives when internal services do not meet their needs.

Supplier Risks and Costs
The costs of managing a supplier relationship may outweigh its benefits. Start by considering internal systems and personnel left idle or under capacity. Supplier contracts must be written, negotiated and maintained. A supplier may not have adequate controls in place to protect data from disclosure, modification or interruption. Therefore, the risk associated with storing data outside the company must be monitored via security assessments and scans. Remediation must be tracked to closure when findings are identified. That activity consumes resources and must be taken into account when considering the true cost of supplier services.

The Best Interests of the Company
Address these challenges and constraints by evaluating internal processes and costs. Conduct Voice of the Customer surveys and in-person meetings to learn where the pain points lie. Develop action plans and/or projects to address internal customer feedback.

Develop a process to evaluate why a supplier has been selected and whether that is in the best interests of the company. Considerations should include whether the service is available internally, sensitivity of the data, business continuity requirements and cost benefit analysis. Take into account the expenses associated with managing the supplier relationship. Also consider whether it makes good business sense to establish the service internally. Repeat this evaluation annually.

This approach will reduce the need for suppliers by improving internal services. The risks and costs of each supplier relationship will be addressed by the evaluation process.

Treat business units with the same care and consideration as an external customer. Business leaders are not captive customers. Suppliers offer a viable alternative.

About the author: Gideon T. Rasmussen is a Charlotte-based Information Security Manager with over 15 years' experience in corporate and military organizations. His website is The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers.

Originally published by RiskCenter (October, 2011)