Optimizing IT Operations with Effective Vendor Management
Notes
The Hitchhiker’s Guide to IT podcast, brought to you by Device42, features Scott Bickley, Advisory Practice Lead at Info-Tech Research Group, discussing how effective vendor management is essential for optimizing IT operations while ensuring compliance, security, and cost efficiency.
As organizations increasingly depend on third-party vendors, managing contracts and relationships becomes critical for safeguarding IT environments and driving operational excellence. In this episode, Scott shares actionable strategies for mitigating security risks, improving audits, and fostering vendor collaboration to achieve business goals.
Key topics include:
- The evolution of vendor management and its role in modern IT.
- Balancing compliance, security, and cost control with strategic vendor relationships.
- Recognizing red flags in contracts and addressing third- and fourth-party risks.
Tune in to learn how businesses can leverage vendor management to stay secure, compliant, and agile in today’s digital landscape.
Transcript
Welcome to the Hitchhiker’s Guide to IT, brought to you by Device42. On this show, we explore the ins and outs of modern IT management and the infinite expanse of its universe. So buckle up and get ready to explore the ever-changing landscape of modern IT management.
Michelle Dawn Mooney
Hello and welcome to The Hitchhiker’s Guide to IT, where we dive into the latest trends and best practices shaping the world of information technology. I’m your host, Michelle Dawn Mooney, and today we are tackling a critical topic: how effective vendor management not only optimizes IT operations, but also ensures compliance, security, and visibility into your systems. As regulatory pressures rise and digital threats increase, gaining full visibility into vendor contracts and managing third-party relationships is more important now than ever. This episode will provide practical insights to help you protect your IT environments, improve audits, and streamline software maintenance while staying compliant. I want to introduce you to our guest today. Scott Bickley is Advisory Practice Lead at Info-Tech Research Group. Scott, thank you so much for being with me today.
Scott Bickley
Thank you. Thanks for having me.
Michelle Dawn Mooney
Looking forward to the conversation. Before we dive in, can I ask you to give us a brief bio if you can, please?
Scott Bickley
Sure. I’ll try to keep it brief. I didn’t start out in IT. I started out actually in the steel industry, back on the East Coast, and did a lot of different operational and quality assurance roles, but it set the foundation for me in business. I moved out to the West Coast, where my wife’s from, the Bay Area, and made the transition into the tech world. Then I took on various project management and quality assurance roles at Lucent, in the networking days of DSL, moving into contract manufacturing, and then eventually moved to Nevada and worked for Amazon.com for a couple of years in technology procurement and overall fulfillment center procurement. Then I was in the regulated gaming space for about 13 years before joining Info-Tech Research Group. I joined Info-Tech about nine years ago and started up our contract review practice. That then led into building out our practice around IT vendor management. Me and the initial team built the first generation of that, and then basically said, we need to level this up. We brought in a couple of analysts, Phil Bodie and Steve Jeffrey, to bring it up to world-class levels. We’ve expanded the team since then, and we’ve been on this ride for almost a decade now in this space.
Michelle Dawn Mooney
And it’s an interesting ride. I’m sure a lot of changes and things are happening very rapidly. And I want to get into the knowledge that you have with the topic at hand: vendor management, and effective vendor management. So let’s start here. Can you share your insights on how vendor management has evolved across the industry, particularly in helping organizations address challenges related to compliance, security, and, of course, operational efficiency?
Scott Bickley
Yeah, it’s interesting because historically you haven’t seen vendor management in the IT space, so to speak. It’s been mostly on the direct materials side of the house, where it might be called supplier relationship management as opposed to vendor management. Vendor management is kind of an IT term. And over the past ten-plus years, probably closer to 15 to 20 years, with the emergence of cloud, with the emergence of being able to contract with third parties to get work done, you’ve seen this shift from building out big data centers, investing in hardware and networking equipment and server equipment and people to run all of this, and these large IT teams, to really shifting spend to third parties, whether it be cloud for infrastructure services or application services. And so this wholesale shift has now added a whole layer of third parties that you didn’t really deal with in the past. And the same goes on the services side with outsourcing and managed services providers. So you’ve had a wholesale shift, 180 degrees, from where we were 15 years ago to where we are today. So now you’re getting as much or more work done through third parties than you are through your own staff. That has impacts, because every time you go forward and take a service that you were managing in-house, you had complete control over that product, over that service. From a security perspective, from a compliance perspective, you could really control the guardrails and where information went, where it was stored, how it was managed. And now you’re putting that information in the hands of other people. So you have to change your business practices for how you safeguard that data, how you secure it, how you’re going to actually hold those vendors accountable and be able to check and understand that they’re doing what they should be doing with that information.
Michelle Dawn Mooney
I want to dive a little deeper there, talking about the changes in vendor management. Let’s talk about that, particularly with the growing focus on compliance and security, which we kind of touched on in the previous question. But let’s go a little deeper, and talk to me about the challenges that companies are facing today when it comes to those things in particular.
Scott Bickley
Well, take security and compliance as separate issues. Security: every day that goes by you hear about a different breach. Nothing’s really impermeable. If someone wants to infiltrate your system, they can find a way technologically to get in, it seems. So you have emerging standards and constantly moving standards, whether it’s your SOC controls or your ISO standards around the type of security program you’re going to put in place, the technology standards themselves for how you may encrypt data, or how you may partition or allocate roles and privileges and secure access that way, and then all the different firewalls and different technology solutions you can layer in. So you’ve got people, process and technology all around security. And vendor management is going to let the CISO run that show and let the chief security officer dictate what they need to do to protect the environment. The vendor manager, or that vendor management function, is going to help facilitate that with the vendors and ensure that you’re getting the evidence of these audits, you’re validating that you’ve got the right insurances in place, you’ve got the right controls in place, and just be a liaison to the security team in that regard.
Scott Bickley
But security is going to really own that and drive it themselves, more often than not. On the compliance side, you really have an emerging group over in the GRC, or governance, risk and compliance, world, and enterprise risk management as well. Those functions are becoming more and more formalized, and you’ve got frameworks and sets of controls that need to be taken into account. Again, they’re going to drive that, and vendor management is going to facilitate and help you make sure information flows and that you’re checking the boxes on these things that are dictated by either enterprise risk or security. But there’s a lot of other risks that come into play with these vendors that those two functions don’t really cover. There’s financial risk, there’s reputational risk, operational and strategic risks. Those are things that the vendor management function is really going to be focusing more on and have more hands on the wheel, if you will. But security and compliance are integrated into pretty much every contract that you’re looking at today, every service. And I would say vendor management is more the gatekeeper to make sure that what those security and compliance teams are looking for actually gets actioned in the agreements.
Michelle Dawn Mooney
Right. So what strategies, then, do you recommend for organizations looking to optimize IT operations through effective vendor management while ensuring compliance, security and cost control?
Scott Bickley
One of the things we say is vendor management is a little bit different for everyone. We’ve really got six pillars that we look across, or rather five pillars. When you’re looking at the contract, the vendor relationship, you might be looking at vendor performance management. You may be looking at risk management from a vendor perspective. There’s a lot of different facets that you can attack vendor management from. Some ideally will want to look at all of those and bring them all together. But sometimes you’re just saying, hey, we’ve got a pain point with one of these. Let’s go attack the pain point and see if we can make some progress; we’re not able to fund a full vendor management office or a full vendor management initiative. What we would like to say is, instead of reacting to those pain points, which unfortunately is how things happen most of the time, you want to take a strategic approach and really focus in at the relationship management layer. Everything that you’re going to be able to move the needle on in a substantial manner is going to be based on your vendor relationships. So use vendor management to drive innovation and proper utilization of those vendor resources, and focus on the vendors that have the largest impact on your organization. As any analyst firm will have, we have our two-by-two model that breaks out: what are your commodity vendors? What are your strategic vendors? What are your operational vendors? We want to focus on those that are high operational impact and strategic impact to our organization, because we’re going to have limited resources to throw at this.
Scott Bickley
We’d love to say we’re going to manage all the vendors the same way and hold them all to the same criteria. But some vendors are going to be more important than others, and so we want to make sure that we focus on the right ones. And I’d say the last thing is that before you can look outside, you have to look inside. We hear that spoken a lot in different paradigms. But it’s really important that you have the right people leading this initiative, because you’re going to be pulling together leadership across multiple functions within the company, you’re going to have to be influencing people, and you’re going to be working from that position of influence versus authority. So really being able to highlight what the critical few things are that you need to focus on, and how you can move the needle forward and get the resources you need to focus on those things, is what’s going to be critical to success. That’s probably one of the most overlooked aspects when organizations are trying to start up their vendor management initiatives: they’re taking someone that’s already got a job, maybe throwing another hat on them and saying, hey, you’re going to do this too. Tactically you can do some things that way, but strategically you’re going to need to have at least that right initial person that has facilitation skills, influence skills and can see the big picture.
Michelle Dawn Mooney
And as you touched on, it’s really important to have the right people in play with what we’re talking about here. You’ve got tons of experience. So in your experience dealing with all of that, how can companies get the most value out of their vendor relationships while maintaining compliance and protecting their IT environments from security risks, as we talked about?
Scott Bickley
So yeah, I think, again, it comes down to the relational level. What do you do to orient your vendor into your organization? How do you bring them in and enable them to be successful? A lot of times we say, well, here’s a contract, let’s just make sure we’re doing what the contract says, but the contract can’t document everything. So you want to be able to develop the means of communication to make it easy for each of you to do business with each other, and utilize tools like scorecards, and things like two-way scorecards, where you’re going to help each other understand: these things that you’re doing are causing us pain; they’re preventing us from being able to meet the contractual needs, or even what you need from us outside of the contract. Let’s have an honest conversation about those things and see if we can come up with ways to remediate them. You’re also really going to want to look at basic things like market intelligence, and what we call business alignment meetings, typically called QBRs, but they may not be quarterly, so we call them business alignment meetings. And again, having relationships at different levels, having meeting cadences at those levels: those tools are the soft side of vendor management.
Scott Bickley
But that’s really what paves the path forward for you to get all of the stuff done that fits neatly on a spreadsheet or neatly in a contract. As an analyst, I would love to say I can put anything in a spreadsheet and a contract and just plug and play and make these things happen and work. Vendors don’t work that way. They’re people, they’re personalities, they have business interests and things they’re trying to do. They’re going to have resource limitations for what they can provide for our organization. So we have to work with them to understand: what can you do for us, and in what capacity and under what circumstances? And then we also have to be able to hold them accountable. When we have mutually agreeable expectations going into an agreement and a contract, how can we quantitatively and constructively score you on those and hold you accountable if you’re not doing what you need to be doing? Do we have escalation processes? Do we have dispute resolution processes where we can bring those issues to bear and actually go down a constructive path and get things back on track?
Michelle Dawn Mooney
I want to touch on one of the big pain points that you discussed earlier. How do vendor management and cybersecurity concerns intersect? Particularly as we’ve seen such an increase with digital threats? Why is it so critical for organizations to have full visibility into their vendors and contracts?
Scott Bickley
Yeah, I mean, that’s a great question. And it even goes broader than just security. Typically what you might have seen in the past is you’ll have a sourcing group negotiate a contract. Maybe they have input from the business or a few stakeholders, but all of a sudden this contract gets signed in the organization and it gets tossed over the wall, and someone has to take it and live with it. They have to implement these processes; they have to work within the parameters that were negotiated, or just not negotiated. And that could include security requirements. When you’re looking at security specifically, do you have standards that that vendor is going to be held accountable to, that you can audit them against from a controls perspective? Do they have to show you annually or periodically an attestation that they meet certain SOC control requirements? Are they going to provide you indemnification and/or the right limitation of liability if there’s a breach? Look at CrowdStrike, which just happened, and Delta is going to sue them because they had $500 million in damages. Well, someone signed that contract that said you get what the contract minimum is, or the contract maximum is, which is whatever you’ve paid into the service or some multiple thereof. Certainly much less than the pain they experienced, in their minds. But do you have those provisions adequately negotiated? Do you have cyber insurance requirements that add you as an added insured, so that if there is a breach, and they did follow all their procedures but they were still breached, you have some type of compensation, you can try and make things whole?
Scott Bickley
And while you’re doing that, maybe provide your end users some type of credit controls or some types of checks, something to make sure that you’re not bearing the brunt of this financially as well as reputationally. All of those things are the contractual side of it, but you really want to look at it on the front end. Let’s do some due diligence on this company: do they have a history of litigation in different areas? Do they have a history of breaches? How are they with their customers? Do they have a good reputation overall? What do they look like financially? Sometimes if you’re a sloppy financial organization, that’s going to lead to sloppiness elsewhere, maybe in security. So we want to look at certain ratios. We want to look at things to make sure you’re financially viable and you’re healthy, you’re not getting close to insolvency, where you might be taking desperate measures just to stay afloat. So all of these things outside of the core controls are all going to tie into security, from both their technical commitments as well as what kind of organization they are and the values they’re built on.
Michelle Dawn Mooney
And the goal really to be proactive, to get ahead of this before something like that happens and you’re not so happy with things that you may have signed. So with that said, yeah, what are some red flags that organizations should watch out for when negotiating or maybe renewing vendor contracts? Are there specific contract terms or clauses that could pose compliance or security risks down the road?
Scott Bickley
Yeah, yeah. Well, I would say even before looking at the vendor on that, and we’ll definitely talk about that, look internally: what do your own processes allow you to do within your organization? Are you built to be proactive internally? Do you have a look-ahead for what agreements are going to be coming up for renewal and when? One of the biggest gotcha clauses out there is what we call an auto-renewal clause. It basically says if you don’t do anything, this contract will auto-renew for another year or another multi-year term unless you give us notice. That notice typically would be 30 days before expiration. But just yesterday I read a contract that said you have to give us notice six months before, and I’m looking at this contract and I’m like, is this a product that requires a six-month notice to exit out of? And it’s like, no, not at all. Well, I can’t tell you how many times I’m on a phone call with a client who’s gotten an invoice from a vendor who said you defaulted into auto-renewal, and no, we’re not letting you out of it. They’re basically saying, do we have a way out of this? That’s a big gotcha. But internally in your organization, are you given the time to actually do this stuff proactively and do the due diligence up front, both when you’re sourcing these vendors initially and then when you’re managing them on an ongoing basis?
Scott Bickley
A lot of times, your vendor just might not be acting in good faith. They’re going to wait to give you the quote for the renewal until the last minute and have you play beat-the-clock, so to speak. You see VMware doing that a lot with clients these days. It’s kind of like a take-it-or-leave-it type of term. Well, the client’s thinking, if I don’t execute on this, I’m going to be without support, or I’m going to be without my service, because technically I’m going over the due date. Those types of tactics are predatory, and they’re meant to apply pressure on you to act and react, not take your time and fight what you should be fighting. We call that running out the clock. You’ll see renewal terms that just lack price protections or uplift protections on renewals. So you come into a renewal and all of a sudden you’re looking at a 60% price increase, and it’s like, how is that even reasonable? We didn’t have terms negotiated, but we would think we’d see 5% or 10%, and you’re seeing 60%.
Scott Bickley
So really having those protections built into the contract, and making sure that they follow you across renewals or that you renegotiate them at the point of renewal. You can’t necessarily preserve the best terms forever in perpetuity. At some point, you’re going to roll off and then you have some decision points to make, but you can certainly protect yourself. I like to say when you’re doing a new deal, try to get that initial term, and terms protecting your renewals, to give you ten-year visibility if possible. That’s about as good as you can expect. If you can get somewhere between 5 and 10, then you’re kind of a B/C student there. And if you’re not doing anything, then you’re failing my course. You’re just setting yourself up for pain down the line. And then, oftentimes, if you’re talking about service provider agreements, we’re really looking at just not seeing the governance layer built into the contract. One of my colleagues, Tricia Kent, has what she calls this house of engagement. It’s like, let’s map out where these relationships need to happen, and let’s understand when we work together and the cadence. And then, yeah, we’ll have in the contract escalation provisions and dispute resolution provisions if they’re needed.
Scott Bickley
And what we always tell people on our team is, if you have to go to the contract, you’re in trouble already, because you have not developed the relationships to go out and try and solve problems in an amicable and businesslike manner without having to go to the paper. Once you’re going to the paper, you’re in trouble, because now it becomes more of a legal type of issue than a business issue. Most agreements come through vendor paper. We really encourage organizations to invest in creating your own templates for things like statements of work. Some areas are going to have to take the vendor’s paper: you’re doing SaaS agreements and things like that, and it’s very rare that you’re going to be able to push your own SaaS agreement onto a vendor. But in the services space, there’s a lot of tier-two, tier-three or boutique-type consultancies. They’re going to be flexible. They want your business. They’re trying to grow their organizations. If you’re coming to them with a fair set of terms and conditions, they’re probably going to be amenable to looking at that, or maybe negotiating your paper versus theirs. Some of the contracts I see in the IT space, they look like, I don’t even know, like ChatGPT would do a better job than the lawyers that drafted these things.
Scott Bickley
And a lot of times they’re just predatory. They know exactly what they’re doing. They know what terms they’re leaving out. The hardest contract to review is the one that’s missing key terms, because you have to remember these things should be in here and they’re not in here. I just had one come across my desk that I’ll be looking at next week, and I’m like, oh, this is going to take me twice as long to review as the page count would indicate, because of everything I see that is not there. I could go on for days on this one, just because we see so much opportunity on the contract side. The other thing I would say, though, is one of the things you really want to look at, especially when you’re dealing with services agreements, is how you’re going to handle termination. If you can have a termination-for-convenience clause, even if it costs you something to terminate that agreement for convenience, it’s better than being stuck in a multi-year agreement that’s costing you a ton of money and you’re not getting the value or the deliverables that you need out of it. So, again, that could be a whole other podcast, probably. But, yeah, lots of landmines to look at contractually.
Michelle Dawn Mooney
Yeah, I was thinking the same thing. We probably need a full podcast just to talk about that. And I think we’ve all fallen victim to the auto-renewal, but it’s a lot different when you’re talking about a TV subscription service versus a large company that’s going to pay a lot of money if that renewal comes and goes without knowledge and it’s a little too late. So overall, as we’re wrapping up here: getting the best out of vendor management. For IT leaders looking to improve their vendor management approach, particularly with a focus on what we discussed, compliance, security, operational efficiency, what initial steps would you recommend? Where do we start?
Scott Bickley
I think the first question is, where are you feeling the pain? Why do you feel a need to invest in this space? One of the things that I wanted to touch on earlier was, CIOs are probably some of the busiest executives on the planet. They’ve got competing priorities. They’re all chasing the AI hype cycle. They’ve got security issues, data and analytics. All of these things are sucking their limited budgets up. And not one of them is really top of mind saying we need vendor management, that’s key to IT. But it is. And so what we want to do is say, where’s your pain? And let’s show you how vendor management can help you improve in those areas, and scope that out. You need to think about your operating model. Are you a centralized company, or are you decentralized, or are you something hybrid? What can we do to run you through a maturity assessment and say, what are you doing? Sometimes CIOs will be amazed when they look at the fact that no one is tracking those renewals. How can I just assume that was being done? That’s blocking and tackling.
Scott Bickley
Why isn’t anyone doing that? We haven’t built a function to do that. And who is the facilitator in that group that’s going to help you? Just like you have a chief of staff, or you have a head of product or project person that’s pulling together your projects, who’s pulling together the vendors that are going to have to make those projects successful? And so that’s where we say you don’t need to start off, and it used to be the term VMO, vendor management office, you don’t have to start off building a VMO, but bring in a couple of really solid resources that can help you focus on the strategic vendors in your organization, the ones you need, that you depend on for success, and start building out your roadmap there. Once you start seeing the benefits from that, you can figure out how you want to expand and grow on that. But it’s really about the organization and about how you want to make what you’re already doing more successful.
Michelle Dawn Mooney
Any final thoughts here as we wrap up, Scott?
Scott Bickley
Just, top of mind in my world is, more and more of your business is going to be going out to third parties. And it’s not just managing those third parties, it’s managing their vendors as well: fourth-party risk. And we call it fourth-party risk because it goes on and on and on. But you’re putting the crown jewels of your company in the hands of third parties, and you don’t even want to go with trust but verify, right? There is no trust. You have to build trust. So having a vendor management function that can help you perform the due diligence on the front end, help you build the guardrails and the program to manage those vendors, and build meaningful relationships so that you get the business outcomes you’re looking for, that is probably the most underinvested-in capability right now. At Info-Tech, we’re hoping to push that forward and have that be something that becomes top of mind much faster than it has been historically.
Michelle Dawn Mooney
And if people have any questions, they want more resources. Where can they go? Where can they reach out?
Scott Bickley
So definitely feel free to reach out to me on LinkedIn, Scott Bickley, but you can also contact us at infotech.com. We’d love to talk to you about your needs across vendor management as well as anything IT-related, from a research and advisory perspective. And our motto is practical research that helps you solve problems.
Michelle Dawn Mooney
Perfect. That is going to do it for this episode of The Hitchhiker’s Guide to IT, brought to you by Device42, and a big thank you to Scott Bickley, Advisory Practice Lead at Info-Tech Research Group. Thank you, Scott, for your time. As you said, we could go on and on with just one or two of those questions, but I appreciate your time today. Thank you for being here.
Scott Bickley
Thanks for having me. It’s been great.
Michelle Dawn Mooney
I want to thank all of you for tuning in and listening to the podcast. If you enjoyed this episode and would like to hear more conversations like the one you heard today, please be sure to subscribe to the podcast. And for more information about how Device42 can help you gain visibility into your IT infrastructure, enhance compliance and secure your environments, be sure to visit their website. I’m your host, Michelle Mooney. Thanks for joining us again. We hope to connect with you on another podcast soon.