CitySmart Blog

Thursday, September 29, 2016
Dave Mims, CEO

In the midst of worrying about cybersecurity threats from viruses and hackers, it’s easy to overlook security risks from the way you manage vendors and contracts. You think, “Hey, I’m paying legitimate businesses to oversee my IT needs—and I’ve got a contract with them. What’s the worry?”

There’s plenty of worry, actually—especially if you haven’t evaluated your vendors or vendor management process in a while. Here are some tips and best practices to help you shore up this overlooked security risk.

1. Perform a vendor inventory.

It’s good to collect and centralize as much information about your vendors as you can. Make sure you’re clear on:

  • Total number of vendors.
  • What services those vendors provide. (Look for vendors that provide duplicate services.)
  • Where those vendors operate.
  • Total cost, frequency of payment, and predictable/unpredictable billing.
  • Contracts, support agreements, and warranties.

Just performing a simple inventory may surprise you. For example, you may find that a vendor is wildly unpredictable in their monthly billing or that a certain vendor hasn’t been living up to a support agreement.

2. Review all contracts.

This may seem like an obvious best practice, but many aspects of contract review are often neglected in organizations. A contract should clearly spell out:

  • A Service Level Agreement that details services rendered.
  • Requirements for any technology-related project.
  • How a product customized to your city specifically helps solve a business problem.
  • Support that’s included in the price.

If you haven’t reviewed existing contracts in a long time, then take time to go through them. Look for gaps between what the contract says and the services you’re receiving. From this point forward, make sure that, in addition to your city attorney, a business stakeholder and an experienced technology professional evaluate all new vendor contracts.

3. Renegotiate contracts, if possible.

After reviewing your contracts, you may notice some anomalies. Perhaps you’re getting way overcharged for a service. Maybe one vendor hasn’t upgraded their software or service model for many years. If you have doubts about any particular service, then shop around. You may just find that a cheaper and/or higher quality service exists that would benefit your city. If you still want to keep a vendor, then you may be able to leverage market knowledge to renegotiate your pricing or get the vendor to provide more services.

4. Overhaul your vendor evaluation process.

We wrote a post about IT procurement a few years ago that covers the following best practices:

  • Spend time defining what you need. (Also known as “requirements.”)
  • Shop around and know your industry. (This helps you benchmark pricing and services.)
  • Know your government pricing. (No need to pay full price, right?)
  • Don’t just settle on lowest price. (Many cities still evaluate IT in terms of pure cost, which is a big mistake.)
  • Look out for indirect costs. (For example, some vendors claim to provide 24/7 support or an easy installation—but the fine print says otherwise.)

During an RFP or RFI process, follow a series of steps that help you select the best vendor. Business stakeholders and IT professionals need to work together to evaluate all aspects of a vendor for financial stability, the ability to deliver quality services, the relevancy of the solution, and pricing. Bad vendors can lead to security risks.

5. Hire IT professionals to manage vendors.

Once vendors are vetted, paid, and serving you, you need a third party with a deep knowledge of information technology to oversee vendors. Busy, non-technical city staff can easily overlook issues with vendors such as security concerns, performance problems, and adherence to a contract. And even the best technology vendors often have difficulty communicating with non-technical staff about major issues. IT professionals will be able to communicate with vendors more efficiently while also warding off major problems and security risks.

By following these steps, you will make a lot of progress toward eliminating security risks related to vendors and their contracts. Going through these steps is also a great exercise in transparency, finding potential cost savings, and ensuring higher quality services at your city.
