WEBVTT

00:00:00.000 --> 00:00:03.620
Today on our Tech for Business podcast, we're

00:00:03.620 --> 00:00:07.660
joined by Kyle, our president and CEO, and Todd,

00:00:07.980 --> 00:00:11.640
our COO and CISO to talk about the importance

00:00:11.640 --> 00:00:17.239
of vetting your vendors. So obviously we're going

00:00:17.239 --> 00:00:19.899
to start with the why. Why is this important?

00:00:20.339 --> 00:00:23.140
I think it highlights a lot of the lens that

00:00:23.140 --> 00:00:26.600
we select, who we bring to solutions to our customers

00:00:26.600 --> 00:00:29.640
as we look at different solutions that are out

00:00:29.640 --> 00:00:32.719
there, because there's a number of them. We have

00:00:32.719 --> 00:00:35.399
to go through the process of understanding and

00:00:35.399 --> 00:00:39.340
say, is there value here for our customers? And

00:00:39.340 --> 00:00:44.579
can we leverage aggregation of CIT's customer

00:00:44.579 --> 00:00:48.780
base as far as the number of customers, our expertise

00:00:48.780 --> 00:00:52.039
that we can invest into training and fractalization

00:00:52.039 --> 00:00:54.579
of the services to those customers to help them

00:00:54.579 --> 00:00:58.320
deploy it? Is that overall value there that actually

00:00:58.320 --> 00:01:01.159
solves true business needs for our customer sides

00:01:01.159 --> 00:01:04.159
is really quite simply where we look at is we

00:01:04.159 --> 00:01:07.239
look for the use case. And it's important, I

00:01:07.239 --> 00:01:10.980
think, to look at most of our customers fall

00:01:10.980 --> 00:01:16.439
into the small to mid space with it. And a lot

00:01:16.439 --> 00:01:19.260
of the solutions that we bring to the table are

00:01:19.260 --> 00:01:21.840
around the area where it doesn't make sense for

00:01:21.840 --> 00:01:23.680
them to hire a full-time employee, but they

00:01:23.680 --> 00:01:27.120
definitely have a need for the solution and

00:01:27.120 --> 00:01:29.439
they need to have those like the enterprises

00:01:29.439 --> 00:01:31.420
do, but they're not going to have the staff of

00:01:31.420 --> 00:01:34.980
an enterprise. So we look to fill that gap, both

00:01:34.980 --> 00:01:39.840
from integration and support and service. So,

00:01:40.060 --> 00:01:42.780
Todd, can you go into a little bit more detail

00:01:42.780 --> 00:01:48.040
about maybe the risks of not just us, but businesses

00:01:48.040 --> 00:01:52.459
not doing their research or doing their due diligence

00:01:52.459 --> 00:01:56.390
when choosing a vendor to work with? Yeah, I

00:01:56.390 --> 00:01:59.909
sure can. I'm just sorry. The reason why I kind

00:01:59.909 --> 00:02:01.709
of paused is because I was thinking about it

00:02:01.709 --> 00:02:04.829
and says, do I start with the typical I'm

00:02:04.829 --> 00:02:07.049
going to scare you kind of concept, which is

00:02:07.049 --> 00:02:09.129
not my intent. I don't want to get into the fear

00:02:09.129 --> 00:02:11.069
and uncertainty and doubt. But just kind of

00:02:11.069 --> 00:02:13.050
think about this for a second. I can share

00:02:13.050 --> 00:02:15.030
a link that's got a bunch of statistics on it.

00:02:15.389 --> 00:02:18.229
But I think the stat I saw the other day was

00:02:18.229 --> 00:02:21.849
98 percent of companies work with somebody that's

00:02:21.849 --> 00:02:25.030
had some sort of security event. And so just

00:02:25.030 --> 00:02:27.629
think about that. I mean, you're almost certainly

00:02:27.629 --> 00:02:30.110
working with a vendor who has had a security

00:02:30.110 --> 00:02:32.590
event at one point or another. It's kind of interesting

00:02:32.590 --> 00:02:34.289
from our perspective, as I want to say it was

00:02:34.289 --> 00:02:35.789
three, four years ago, where we're going, okay,

00:02:35.889 --> 00:02:38.569
well, we think this wave is coming at us where

00:02:38.569 --> 00:02:41.110
the threat and the risks have extended beyond

00:02:41.110 --> 00:02:43.469
our walls, and it's come from the partners that

00:02:43.469 --> 00:02:45.810
we're working with. And not only did that wave

00:02:45.810 --> 00:02:48.530
come, it came crashing over the flood barrier,

00:02:48.530 --> 00:02:52.159
if you will. And so, you know, just kind of thinking

00:02:52.159 --> 00:02:55.360
about what's introduced is if you don't have

00:02:55.360 --> 00:02:58.319
a formal way of evaluating your vendors that

00:02:58.319 --> 00:02:59.879
you're working with, your partners, et cetera,

00:03:00.340 --> 00:03:01.800
you're essentially, for all intents and purposes,

00:03:02.039 --> 00:03:04.240
you're just automatically inheriting any risk

00:03:04.240 --> 00:03:06.060
that they may present to your organization. That

00:03:06.060 --> 00:03:07.939
could be financial, it could be reputational,

00:03:07.939 --> 00:03:10.319
et cetera. And so just kind of thinking about

00:03:10.319 --> 00:03:13.300
that as why it's important is if you haven't

00:03:13.300 --> 00:03:15.979
paid attention, you're potentially in for a world

00:03:15.979 --> 00:03:18.759
of hurt. Now, when it comes to regulatory industries,

00:03:18.919 --> 00:03:20.620
so your banking, your finance, those types of

00:03:20.620 --> 00:03:24.860
things, their policies are all written and required

00:03:24.860 --> 00:03:27.560
that your security program needs to be as good,

00:03:27.639 --> 00:03:29.780
I'm sorry, your partner's security policies need

00:03:29.780 --> 00:03:32.280
to be at least as secure as your own. So again,

00:03:32.419 --> 00:03:35.319
kind of going down that path, you expand on the

00:03:35.319 --> 00:03:37.599
risks that are associated with businesses. And

00:03:37.599 --> 00:03:39.960
so that's just one of the key areas that I would

00:03:39.960 --> 00:03:43.240
at least start the conversation with. Well, so

00:03:43.580 --> 00:03:45.979
I know we don't want to scare people. So maybe

00:03:45.979 --> 00:03:49.800
let's talk a little bit about the positives of

00:03:49.800 --> 00:03:53.180
the benefits of doing your due diligence. I know

00:03:53.180 --> 00:03:55.659
we had a different podcast where we talked about

00:03:55.659 --> 00:03:59.680
building those partnerships. So how does going

00:03:59.680 --> 00:04:03.060
through this process set you up for a better

00:04:03.060 --> 00:04:07.590
partnership later? Yeah, I mean one of the things

00:04:07.590 --> 00:04:10.969
that we do at CIT and this would be just to me

00:04:10.969 --> 00:04:12.650
and be part of your vendor management, but as

00:04:12.650 --> 00:04:14.330
you're going through the onboarding process,

00:04:14.389 --> 00:04:16.769
you should be kind of looking for things that

00:04:16.769 --> 00:04:18.910
would stand out to you. Is this a good organization

00:04:18.910 --> 00:04:22.470
we want to work with? To me, I'm going to have

00:04:22.470 --> 00:04:24.850
a little bit of a security slant on this. So

00:04:24.850 --> 00:04:27.189
I'm going to naturally gravitate to, let's look

00:04:27.189 --> 00:04:29.089
through your security controls. Are they what

00:04:29.089 --> 00:04:31.930
I would expect there to be? So if they are, you

00:04:31.930 --> 00:04:33.730
automatically start getting a good warm fuzzy,

00:04:33.750 --> 00:04:36.350
if you will. It could be anything like, for example,

00:04:36.730 --> 00:04:38.629
I tend to like working with organizations that

00:04:38.629 --> 00:04:40.930
have put the time and energy into becoming compliant

00:04:40.930 --> 00:04:44.750
with GDPR or some of the more maybe progressive

00:04:44.750 --> 00:04:48.040
ones like the California requirements and whatnot

00:04:48.040 --> 00:04:49.860
because it means that they've taken the time

00:04:49.860 --> 00:04:52.160
to make sure they're doing the blocking and tackling

00:04:52.160 --> 00:04:54.920
of cybersecurity. And so it makes me think they

00:04:54.920 --> 00:04:56.839
care enough to make sure that everything's shored

00:04:56.839 --> 00:04:59.180
up. Now granted the vast majority of the reasons

00:04:59.180 --> 00:05:01.860
why they do that is financially driven, right?

00:05:01.860 --> 00:05:03.500
They want to make money in order to do business

00:05:03.500 --> 00:05:05.240
with certain organizations they need to do this.

00:05:05.540 --> 00:05:07.639
The other thing that we do a lot of is we like

00:05:07.639 --> 00:05:09.420
looking for references as we're working with

00:05:09.420 --> 00:05:11.680
partners. So if there's a great big critical

00:05:11.680 --> 00:05:14.639
vendor, if you will, we will go through the vetting

00:05:14.639 --> 00:05:17.470
process and it's great to hear probably a little

00:05:17.470 --> 00:05:19.410
tip on how people do this, but it's great to

00:05:19.410 --> 00:05:21.810
hear when you talk to other C level organizations

00:05:21.810 --> 00:05:25.449
that this company did not put me at risk or this

00:05:25.449 --> 00:05:29.329
company allowed me to solve XYZ problem. Yeah,

00:05:29.329 --> 00:05:32.949
Kyle, maybe you can give us continuing with the

00:05:32.949 --> 00:05:36.370
benefits. When you are looking at your own company

00:05:36.370 --> 00:05:39.829
and planning 10 years out that strategic planning,

00:05:40.509 --> 00:05:43.610
you know, how do you choose a vendor that's going

00:05:43.610 --> 00:05:46.740
to grow with you? What are those questions that

00:05:46.740 --> 00:05:49.560
you're asking to make sure they're on the same

00:05:49.560 --> 00:05:53.360
track as you? Does that make sense? Yeah, it

00:05:53.360 --> 00:05:56.439
does. I mean, a lot of it is just, again, falls

00:05:56.439 --> 00:06:00.500
back to the kind of the supply and demand. Part

00:06:00.500 --> 00:06:05.560
of it is, are they solving evolving needs that

00:06:05.560 --> 00:06:08.459
are starting to show up in our customer side?

00:06:08.680 --> 00:06:11.620
So when you meet with the customers, you hear

00:06:11.620 --> 00:06:15.000
their concerns, you hear their pain points

00:06:15.000 --> 00:06:18.920
or their wants and objectives of what they're

00:06:18.920 --> 00:06:22.699
trying to accomplish for, which then puts us

00:06:22.699 --> 00:06:26.459
in a similar track where we're looking to how

00:06:26.459 --> 00:06:30.399
are we going to solve those challenges. Quite

00:06:30.399 --> 00:06:32.980
often than not, we're already experiencing ourselves.

00:06:33.339 --> 00:06:35.639
We're in the same position as our customers.

00:06:35.639 --> 00:06:39.220
In many cases, it works out. So as we look to

00:06:39.220 --> 00:06:43.800
solve CITs, areas where for our SOC 2 or our

00:06:43.800 --> 00:06:45.839
compliance, or as we're changing these things,

00:06:45.839 --> 00:06:48.819
we look for solutions that not only benefit and

00:06:48.819 --> 00:06:51.439
solve our sides, but something we can use to

00:06:51.439 --> 00:06:53.980
solve for our customers. So we're a customer

00:06:53.980 --> 00:06:57.199
and a partner of those vendors, which

00:06:57.199 --> 00:07:01.040
kind of allows us to also put our money

00:07:01.040 --> 00:07:03.980
where our mouth is and say, we trusted ourselves,

00:07:03.980 --> 00:07:06.180
you know, we, it's not that we vended it for

00:07:06.180 --> 00:07:08.060
ourselves, we trusted for ourselves, we feel

00:07:08.060 --> 00:07:11.100
much better, we experienced being a customer

00:07:11.100 --> 00:07:16.139
first, or our customers had to experience inside

00:07:16.139 --> 00:07:18.579
of it. And if, if it didn't go up for us, then

00:07:18.579 --> 00:07:20.540
we're not going to be probably real excited about

00:07:20.540 --> 00:07:23.339
extending that side. But if the supply is there

00:07:23.339 --> 00:07:25.420
in those things, the way technology works, it

00:07:25.420 --> 00:07:28.319
tends to have a long run rate side. But we want

00:07:28.319 --> 00:07:30.860
to look at their whole solution portfolio, how

00:07:30.860 --> 00:07:34.519
their position does it, is it

00:07:34.519 --> 00:07:36.879
easy to support? Do they have good support? You

00:07:36.879 --> 00:07:41.350
know, we want to know that if ourselves or our

00:07:41.350 --> 00:07:43.689
customers are having an issue side, how good

00:07:43.689 --> 00:07:47.170
or responsive are they? Are they something that

00:07:47.170 --> 00:07:50.350
we feel that we can work with them to get resolved?

00:07:50.970 --> 00:07:52.709
Those are all key things. We don't think of those

00:07:52.709 --> 00:07:55.490
checkboxes and it's a little bit of like Todd's

00:07:55.490 --> 00:08:00.889
lens on the security side to know that they

00:08:00.889 --> 00:08:03.310
obviously have an understanding of the importance.

00:08:03.370 --> 00:08:05.910
If you feel those key areas size that they have

00:08:05.910 --> 00:08:08.670
good support, they're responsive, their solutions

00:08:08.670 --> 00:08:12.189
are evolving in those things that they have a

00:08:12.189 --> 00:08:16.589
culture that is aligned right for growth and

00:08:16.589 --> 00:08:19.629
alignment for us to grow together with. Yeah.

00:08:20.269 --> 00:08:23.709
So when businesses are going through this process,

00:08:23.790 --> 00:08:27.069
they probably have a checklist. What are common

00:08:27.389 --> 00:08:30.930
that are missed on that checklist? You know,

00:08:31.050 --> 00:08:33.850
I think security is a big one. They know to ask

00:08:33.850 --> 00:08:37.970
about data, privacy is probably one that's on

00:08:37.970 --> 00:08:41.750
the list. What's not on that list? Yeah, I'm

00:08:41.750 --> 00:08:45.289
struggling with it because the reason being is

00:08:45.289 --> 00:08:48.009
we've gone through this for years and vendor

00:08:48.009 --> 00:08:50.950
management doesn't work through me, but our processes

00:08:50.950 --> 00:08:54.940
has been very... evolutionary so as things change

00:08:54.940 --> 00:08:57.299
and we find oh that was a problem we just add

00:08:57.299 --> 00:08:59.320
it and we've been doing that for so many years

00:08:59.320 --> 00:09:01.580
I don't even look at it any longer going you

00:09:01.580 --> 00:09:04.320
know what the big aha is I would say to me at

00:09:04.320 --> 00:09:06.480
this point one of the larger things that

00:09:06.480 --> 00:09:10.139
I find is problematic for us is when we're doing

00:09:10.139 --> 00:09:12.799
the process the what are we doing why are we

00:09:12.799 --> 00:09:14.919
bringing this tool on and what why is it what

00:09:14.919 --> 00:09:17.080
is it doing for the organization that does not

00:09:17.080 --> 00:09:19.720
always move all the way through the organization

00:09:19.720 --> 00:09:23.039
so I'll just say myself as an individual is bringing

00:09:23.039 --> 00:09:25.919
on a tool I find that's got to fit. I communicate

00:09:25.919 --> 00:09:29.240
with our management team. And then sometimes

00:09:29.240 --> 00:09:31.820
that's the extent of how it works its way through

00:09:31.820 --> 00:09:33.720
the organization where it should get down to

00:09:33.720 --> 00:09:35.700
the next layer and the next layer below that.

00:09:36.259 --> 00:09:38.039
I would say that is by far one of the larger

00:09:38.039 --> 00:09:42.100
ones. But generally speaking, I'm going with

00:09:42.100 --> 00:09:44.360
making sure that when you go through this process,

00:09:44.480 --> 00:09:46.200
you kind of, in my opinion, you should have a

00:09:46.200 --> 00:09:47.840
team that works through it. So we have built

00:09:47.840 --> 00:09:50.590
the checklist for our And things that you should

00:09:50.590 --> 00:09:53.210
just naturally have in that process is what does

00:09:53.210 --> 00:09:54.889
procurement look like? Obviously, you should

00:09:54.889 --> 00:09:57.649
have legal and compliance included. Both of those

00:09:57.649 --> 00:09:59.710
report to me. So again, they seem pretty obvious

00:09:59.710 --> 00:10:02.789
to me. And sort of security. Finance is another

00:10:02.789 --> 00:10:04.870
one that should be in there. And I don't know

00:10:04.870 --> 00:10:07.809
how frequently organizations ensure that there

00:10:07.809 --> 00:10:10.889
is a... a strong financial backing of the partner

00:10:10.889 --> 00:10:12.309
you're working with. And again, this may depend

00:10:12.309 --> 00:10:15.470
on how critical that tool or that partner is

00:10:15.470 --> 00:10:17.950
going to be. If it's going to be your main accounting

00:10:17.950 --> 00:10:19.330
system, you're going to want to make sure that

00:10:19.330 --> 00:10:21.129
they're in it for the long haul and not going

00:10:21.129 --> 00:10:23.769
to disappear next week. Those would probably

00:10:23.769 --> 00:10:25.610
be a little more obvious, but that's where my

00:10:25.610 --> 00:10:28.110
brain goes with the start. Yeah, I would only

00:10:28.110 --> 00:10:29.889
add to that. I mean, I think on the financial

00:10:29.889 --> 00:10:33.230
side is not only that, are they going to be acquired?

00:10:34.919 --> 00:10:38.279
Because that changes the culture more often than

00:10:38.279 --> 00:10:41.820
not. And that's usually where we've seen existing

00:10:41.820 --> 00:10:47.399
partners change is with the change in the owner.

00:10:47.600 --> 00:10:51.679
If it goes from a founder level visionary to

00:10:51.679 --> 00:10:56.080
a private equity owned side of it, it can shift

00:10:56.080 --> 00:10:59.080
the quality and the future of the products. So

00:10:59.080 --> 00:11:02.549
you need to kind of gauge that. Sometimes you

00:11:02.549 --> 00:11:04.169
still go into it just knowing that that's the

00:11:04.169 --> 00:11:07.210
case. It depends how early you're on with that

00:11:07.210 --> 00:11:09.269
particular product, too. You know, a bit earlier

00:11:09.269 --> 00:11:12.470
in the side, you're going to ride a wave of growth

00:11:12.470 --> 00:11:15.070
that's probably got a lot of demand. At some

00:11:15.070 --> 00:11:17.210
point, they're going to be going to sell, but

00:11:17.210 --> 00:11:18.909
you have to probably know what's coming, you

00:11:18.909 --> 00:11:20.710
know, and then you just stay connected to those

00:11:20.710 --> 00:11:22.730
things. And it's not always bad, but it's just

00:11:22.730 --> 00:11:27.169
something that it's a potential risk to the long

00:11:27.169 --> 00:11:30.559
term when you use your ten-year yardstick, you

00:11:30.559 --> 00:11:34.019
know, it may impact that. The other side is how

00:11:34.019 --> 00:11:35.720
they handle account management. Are we going

00:11:35.720 --> 00:11:38.460
to get a named account or have somebody to manage

00:11:38.460 --> 00:11:40.980
it? Especially on a key vendor side, I mean,

00:11:40.980 --> 00:11:43.059
it can make a big difference. You know, like

00:11:43.059 --> 00:11:46.139
when we talked with Mike Eternal at the podcast

00:11:46.139 --> 00:11:48.000
and brought him on side of it, again, he's a

00:11:48.000 --> 00:11:50.500
good example of having a good representative

00:11:50.500 --> 00:11:54.100
from those vendors that engages in our vendor

00:11:54.100 --> 00:11:56.700
management group and engages into our sales team.

00:11:58.360 --> 00:12:00.940
even into our leadership side of that and making

00:12:00.940 --> 00:12:04.259
us aware of changes and what's coming on their

00:12:04.259 --> 00:12:06.820
side of it makes a big difference. You know,

00:12:07.039 --> 00:12:10.580
it's the same way we handle with our customer

00:12:10.580 --> 00:12:13.860
sides. It's tough to be trying to read and have

00:12:13.860 --> 00:12:16.240
to search it out on your own. It's good to have

00:12:16.240 --> 00:12:18.120
a relationship. Somebody starts to understand,

00:12:18.360 --> 00:12:20.700
hey, this is, CIT is really good at this. I think

00:12:20.700 --> 00:12:23.100
we can refer sides of it. We know what their

00:12:23.100 --> 00:12:27.180
capabilities are. It's mutually good. Understanding

00:12:27.180 --> 00:12:31.039
their approach to that can really make a big

00:12:31.039 --> 00:12:33.960
difference of how much that that vendor partnership

00:12:33.960 --> 00:12:36.299
between us and that vendor really flourishes.

00:12:36.919 --> 00:12:39.600
Yeah, you mentioned culture, which I think is

00:12:39.600 --> 00:12:42.740
an interesting thing to dig into because that

00:12:42.740 --> 00:12:44.620
again, when we're talking about this checklist,

00:12:45.220 --> 00:12:47.860
that's maybe not always on the checklist is what

00:12:47.860 --> 00:12:50.240
is the culture of the company I'm going to be

00:12:50.240 --> 00:12:54.620
working with. So how do you get a sense of what

00:12:54.620 --> 00:12:57.919
their company culture is and how it's going to

00:12:57.919 --> 00:13:02.019
work with? Or is that a checklist question? Probably

00:13:02.019 --> 00:13:05.840
is. But I mean, I think it's... I don't know

00:13:05.840 --> 00:13:07.399
if organic is the right way to do it. I mean,

00:13:07.399 --> 00:13:09.919
I think it really comes from the conversations

00:13:09.919 --> 00:13:13.159
and in your discovery process going through.

00:13:13.259 --> 00:13:15.120
You get a feel for it, just like you do on most

00:13:15.120 --> 00:13:17.580
sides of it. And sometimes you ask a little probing

00:13:17.580 --> 00:13:20.720
questions and understand, you know, what

00:13:20.720 --> 00:13:23.639
they do for company, you know, outings, what

00:13:23.840 --> 00:13:26.639
Where do they work at? Are they fully remote?

00:13:26.860 --> 00:13:33.259
Or do they have a Google-less, open environment?

00:13:34.000 --> 00:13:37.279
You get different responses to those sides. Where

00:13:37.279 --> 00:13:41.100
are you located at? We have vendors that are

00:13:41.100 --> 00:13:43.179
located all over the world at this point that

00:13:43.179 --> 00:13:46.120
come into play. So you get different sides of

00:13:46.120 --> 00:13:48.600
that. So you can build a pretty good picture

00:13:48.600 --> 00:13:51.740
of what it looks like. And in some cases, we...

00:13:51.879 --> 00:13:55.059
As it grows more, we can get on certain advisory

00:13:55.059 --> 00:13:56.919
committees or other sides of those sites where

00:13:56.919 --> 00:13:59.860
we're even closer. We actually visit and other

00:13:59.860 --> 00:14:02.559
ones you have conferences. You start to learn.

00:14:04.200 --> 00:14:06.460
It's more of just some through the discovery

00:14:06.460 --> 00:14:09.059
side of it. And you can do some social media

00:14:09.059 --> 00:14:11.320
review and stuff and get an idea of that to get

00:14:11.320 --> 00:14:15.460
a little better read on it too. But it's usually

00:14:15.460 --> 00:14:17.759
just of interactions. At least it is for me.

00:14:18.279 --> 00:14:20.860
Yeah, and I wouldn't say it's necessarily a critical

00:14:20.860 --> 00:14:23.519
thing for every scenario. Say, for example, if

00:14:23.519 --> 00:14:25.659
you get into a vendor that's very commoditized,

00:14:25.679 --> 00:14:28.120
or you're getting into a price competition, and

00:14:28.120 --> 00:14:30.259
that's one of the large pieces, it's probably

00:14:30.259 --> 00:14:32.799
not nearly as critical because those ones you

00:14:32.799 --> 00:14:35.120
can relatively easily switch if you need to.

00:14:35.399 --> 00:14:38.279
But when they are critical ones, where I would

00:14:38.279 --> 00:14:39.779
go with it again, as I mentioned it a little

00:14:39.779 --> 00:14:42.559
bit further, a little bit ago was... Going back

00:14:42.559 --> 00:14:44.899
to referrals, if you can get referrals and start

00:14:44.899 --> 00:14:46.899
to have those deeper conversations, you get a

00:14:46.899 --> 00:14:49.820
really quick sense of what those companies are

00:14:49.820 --> 00:14:52.700
to work with. You don't usually get raving fans

00:14:52.700 --> 00:14:55.899
from ones that have poorer cultures. That's fair.

00:14:56.860 --> 00:15:00.320
Yeah. Referral is a great way to go. We kind

00:15:00.320 --> 00:15:02.100
of went on a journey with this conversation,

00:15:02.100 --> 00:15:05.639
but I do like to give some practical advice on

00:15:05.639 --> 00:15:10.059
these podcasts. So Todd, you did mention... There

00:15:10.059 --> 00:15:14.019
are two different groups of businesses, there's

00:15:14.019 --> 00:15:16.059
more than that, but we're gonna break them down

00:15:16.059 --> 00:15:17.659
into two different. You've got ones who have

00:15:17.659 --> 00:15:20.759
compliance and ones who don't. So when you're

00:15:20.759 --> 00:15:24.279
doing that vendor due diligence, do you think

00:15:24.279 --> 00:15:28.279
it's easier to come from a place that has compliance

00:15:28.279 --> 00:15:32.019
requirements, or does that make it more difficult

00:15:32.019 --> 00:15:39.059
to do this process? Both. The reason why I'll

00:15:39.059 --> 00:15:42.100
say both is I think the structure of coming from

00:15:42.100 --> 00:15:44.960
compliance makes the process defined, and because

00:15:44.960 --> 00:15:46.759
it's defined, you practice it, and the more you

00:15:46.759 --> 00:15:48.279
practice it, the better you get at it, the easier

00:15:48.279 --> 00:15:51.840
it gets, and so forth. The downside is you actually

00:15:51.840 --> 00:15:54.159
have to do the work, right? So for example, if

00:15:54.159 --> 00:15:55.799
you're talking to a vendor and you come back

00:15:55.799 --> 00:15:58.559
and say, I want to see your SOC 2 Type 2 report,

00:15:59.039 --> 00:16:02.200
you'll get it. And just getting it is not what

00:16:02.200 --> 00:16:04.120
you're typically doing when you're going through

00:16:04.120 --> 00:16:06.179
the vendor due diligence. The due diligence part

00:16:06.179 --> 00:16:09.240
is actually exactly that, right? And that means

00:16:09.240 --> 00:16:12.379
I have to read the document and say, is this

00:16:12.379 --> 00:16:16.279
what I expected? Does the disaster recovery plan

00:16:16.279 --> 00:16:18.919
match my expectations? So that part of it is

00:16:18.919 --> 00:16:21.690
a lot more work, because if you... you're not

00:16:21.690 --> 00:16:23.549
formal, you may go, yep, I got the checklist.

00:16:23.769 --> 00:16:25.769
The fact that they have a SOC 2 audit is probably

00:16:25.769 --> 00:16:27.870
sufficient. Put it in the folder, move on. That

00:16:27.870 --> 00:16:30.610
part would be really, really easy. But you're

00:16:30.610 --> 00:16:33.230
doing it the right way, if you will. And sorry,

00:16:33.350 --> 00:16:36.009
I come from a compliance industry. So I think

00:16:36.009 --> 00:16:38.710
it is important to do it the proper way and check

00:16:38.710 --> 00:16:40.769
the boxes and make sure that you actually did

00:16:40.769 --> 00:16:43.549
the due diligence of the whole process and making

00:16:43.549 --> 00:16:45.669
sure that you're reading the documentation. So

00:16:45.669 --> 00:16:49.549
for those... not in a compliance and kind of

00:16:49.549 --> 00:16:53.129
don't know what to ask, what is some advice you

00:16:53.129 --> 00:16:56.330
would give them about you need? These are my

00:16:56.330 --> 00:16:59.250
top three things you should be asking for at

00:16:59.250 --> 00:17:03.090
that table? Yeah, so we kind of covered a

00:17:03.090 --> 00:17:05.849
few of those already. I mean, if you are not in

00:17:05.849 --> 00:17:07.509
a compliance industry, the first place I would

00:17:07.509 --> 00:17:10.250
start is the fiscal aspect, right, making sure

00:17:10.250 --> 00:17:12.470
that it's a solvent company. It's gonna

00:17:12.470 --> 00:17:14.130
be around for the long haul, those kinds of things

00:17:14.130 --> 00:17:16.750
is where I would start. Again, being a security

00:17:16.750 --> 00:17:20.130
guy that I am, I will want to know what those

00:17:20.130 --> 00:17:21.970
safeguards are. What are the controls that are

00:17:21.970 --> 00:17:24.130
in place? And so then the things I'm going to

00:17:24.130 --> 00:17:27.109
start to ask for are... Hopefully most organizations

00:17:27.109 --> 00:17:29.089
have a little bit. But as I kind of started out

00:17:29.089 --> 00:17:31.269
this, and I didn't want to scare anybody, if

00:17:31.269 --> 00:17:34.509
you know that most vendors have had some sort

00:17:34.509 --> 00:17:36.970
of security event. You probably want to know

00:17:36.970 --> 00:17:39.009
how did that happen? What did you do about it?

00:17:39.009 --> 00:17:43.250
How has it gotten better? We like to use a vendor

00:17:43.250 --> 00:17:45.900
of ours that we work with For Kata, if it matters.

00:17:46.299 --> 00:17:49.480
And they had gotten significantly better after

00:17:49.480 --> 00:17:51.880
their security event and they documented it.

00:17:52.000 --> 00:17:53.819
We did X, Y, and Z, and here's how we're going

00:17:53.819 --> 00:17:56.279
to keep this from happening in the future. Getting

00:17:56.279 --> 00:17:58.559
that type of information is incredibly critical.

00:17:58.559 --> 00:18:01.160
Now, I wouldn't go into the due diligence process

00:18:01.160 --> 00:18:02.680
saying, did you ever have an event and what did

00:18:02.680 --> 00:18:04.720
you do about it? I probably wouldn't start there.

00:18:05.099 --> 00:18:08.359
But if you can get some of those additional documentation,

00:18:08.420 --> 00:18:10.500
whether it's ISO, SOC 2, et cetera, if you can

00:18:10.500 --> 00:18:12.480
get that and you start requesting that information,

00:18:12.500 --> 00:18:15.180
it will be very well outlined and they'll start

00:18:15.180 --> 00:18:16.980
to tell you what they're doing to make sure that

00:18:16.980 --> 00:18:20.519
they're secure. Yeah, I think it's

00:18:20.519 --> 00:18:23.220
good rationale to recognize that if

00:18:23.220 --> 00:18:25.579
a lot of the other check boxes are done, like

00:18:25.579 --> 00:18:28.599
Todd's point, most of those, and especially if

00:18:28.599 --> 00:18:31.240
they showed professionalisms and due diligence

00:18:31.240 --> 00:18:33.140
on how they're accurate, they're probably

00:18:33.140 --> 00:18:36.440
a far better secured company at this point than

00:18:36.940 --> 00:18:38.640
they would ever be because it's kind of

00:18:38.640 --> 00:18:40.420
heightened attention versus a company who has

00:18:40.420 --> 00:18:43.190
not ever experienced. So you do have to kind

00:18:43.190 --> 00:18:46.529
of weigh that into some of your conclusions that

00:18:46.529 --> 00:18:49.890
it wouldn't necessarily past problem doesn't

00:18:49.890 --> 00:18:52.710
necessarily rule them out, you know, that

00:18:52.710 --> 00:18:55.029
can make them more attractive in some regards.

00:18:55.089 --> 00:18:57.369
So you do have to take that in consideration,

00:18:57.390 --> 00:19:00.170
I think. I think if there was one question I

00:19:00.170 --> 00:19:02.690
was going to ask, it would be: Can

00:19:02.690 --> 00:19:05.329
you send me your due diligence package? And that

00:19:05.329 --> 00:19:07.630
can be fairly broad, because they will give you

00:19:07.630 --> 00:19:09.569
exactly what their standard package is, and you

00:19:09.569 --> 00:19:12.130
don't have to be very mature or formal in it.

00:19:12.349 --> 00:19:14.029
They will send you what they have. Now, if you

00:19:14.029 --> 00:19:15.390
feel like there's things missing, you can certainly

00:19:15.390 --> 00:19:17.750
go back and ask for more. But that would be one

00:19:17.750 --> 00:19:19.710
simple question that'll get you the majority

00:19:19.710 --> 00:19:22.789
of the way of where you're going to go. So Todd

00:19:22.789 --> 00:19:25.309
did a great job kind of covering it. Kyle, is

00:19:25.309 --> 00:19:30.139
there anything you would add to those must-ask

00:19:30.139 --> 00:19:33.779
questions in that vendor due diligence. I mean,

00:19:33.779 --> 00:19:36.259
I think we really covered it. I mean, I think,

00:19:37.079 --> 00:19:39.019
you know, first and foremost, it's got it's got

00:19:39.019 --> 00:19:41.980
to solve the right solutions, got to check the

00:19:41.980 --> 00:19:44.099
boxes for the solution that you're solving. I

00:19:44.099 --> 00:19:48.119
mean, that's that's obviously step one. They

00:19:48.119 --> 00:19:50.759
have a they have a solution to the problem. And

00:19:50.759 --> 00:19:53.480
then it's, you know, is it a good company? Is

00:19:53.480 --> 00:19:57.099
it a solid company? And does it align and fit

00:19:57.099 --> 00:20:00.970
the way that The way we look at it versus standalone

00:20:00.970 --> 00:20:04.230
company, we have some other criteria about being

00:20:04.230 --> 00:20:06.509
able to support multiple companies within their

00:20:06.509 --> 00:20:09.329
platform and be their vendor side of it. So we

00:20:09.329 --> 00:20:12.430
have certain other check boxes that we need to

00:20:12.430 --> 00:20:15.529
do to make sure that it's conducive for multi-

00:20:15.529 --> 00:20:19.690
tenancy and a managed partner management. But,

00:20:19.710 --> 00:20:22.769
you know, if you are an MSP, that would be obviously

00:20:22.769 --> 00:20:25.519
some of those things. We have other things that

00:20:25.519 --> 00:20:27.900
want to tie into our SSO and all the other side

00:20:27.900 --> 00:20:30.420
makes our compliance plugins. Those are all benefits.

00:20:30.619 --> 00:20:32.859
You know, it doesn't rule. There's put stuff

00:20:32.859 --> 00:20:36.400
in the plus columns, you know, on there. But

00:20:36.400 --> 00:20:38.740
yeah, I mean, the big the big ones solve the

00:20:38.740 --> 00:20:41.140
need. Are they financially viable? Are they secure?

00:20:41.380 --> 00:20:44.200
I mean, I think, you know, if you get by those

00:20:44.200 --> 00:20:46.180
criteria, then you're then you're nearing down

00:20:46.180 --> 00:20:48.059
to the rest of the other things I just talked

00:20:48.059 --> 00:20:50.859
about on. things that go on the plus column,

00:20:50.900 --> 00:20:52.599
things that go on the negative. So if you're

00:20:52.599 --> 00:20:54.460
comparing multiple solutions, you can kind of

00:20:54.460 --> 00:20:58.680
weigh it out and figure out which one's the best

00:20:58.680 --> 00:21:03.019
route to go. I want to ask about how often do

00:21:03.019 --> 00:21:05.839
you re-evaluate a vendor? So you've signed them

00:21:05.839 --> 00:21:08.619
on, they're with you. Is this a yearly process?

00:21:08.819 --> 00:21:12.220
Is it daily? What does it look like to continue

00:21:12.220 --> 00:21:17.339
this process? I was going to go, before we wrap

00:21:17.339 --> 00:21:21.740
up. Again, I do think it will depend on how critical

00:21:21.740 --> 00:21:25.680
vendor they are for you. So some of them may

00:21:25.680 --> 00:21:27.420
be pretty straightforward. What they're providing

00:21:27.420 --> 00:21:29.640
is pretty standard and you don't have to worry

00:21:29.640 --> 00:21:31.720
about it. But if it's a critical vendor, I would

00:21:31.720 --> 00:21:34.839
be doing it at least annually. Ideally, it would

00:21:34.839 --> 00:21:37.240
be potentially more frequently. So I'll just

00:21:37.240 --> 00:21:39.700
use an accounting package as a one that's pretty

00:21:39.700 --> 00:21:42.160
standard and there's probably not a lot of change

00:21:42.160 --> 00:21:44.819
year over year. So annually is probably sufficient.

00:21:45.539 --> 00:21:48.279
However, there may be other tools that are out

00:21:48.279 --> 00:21:50.759
there and whether it's a security tool or a core

00:21:50.759 --> 00:21:53.059
business app in the organization, where there

00:21:53.059 --> 00:21:54.980
are things that are changing on a fairly regular

00:21:54.980 --> 00:21:57.500
basis, whether they're doing acquisitions, they're

00:21:57.500 --> 00:21:59.799
adding new features, getting a sense of what

00:21:59.799 --> 00:22:01.660
the roadmap looks like and how it's going to

00:22:01.660 --> 00:22:04.500
solve business problems may drive or change your

00:22:04.500 --> 00:22:06.380
direction where you want to have those conversations

00:22:06.380 --> 00:22:09.019
more frequently. So depending on that organization,

00:22:09.880 --> 00:22:12.400
maybe quarterly, it may be as often as monthly.

00:22:12.480 --> 00:22:14.599
We have patients with some of our vendors every

00:22:14.599 --> 00:22:16.819
single month. And I think that they're extremely

00:22:16.819 --> 00:22:19.700
well worth our time to do so. But to answer the

00:22:19.700 --> 00:22:21.380
question directly, I would say at least annually

00:22:21.380 --> 00:22:23.640
for anybody that you consider to be a critical

00:22:23.640 --> 00:22:28.220
vendor. Yeah. Yeah. I would, I would. I mean,

00:22:28.799 --> 00:22:30.640
you mentioned the comment at daily. I mean, obviously

00:22:30.640 --> 00:22:33.839
if there's erosion of problems, it's exonite

00:22:33.839 --> 00:22:36.400
those things, but more of the nodded aligns to

00:22:36.400 --> 00:22:38.480
our contractual obligation side of those. And

00:22:38.480 --> 00:22:41.200
then just, you know, It is a little bit of the

00:22:41.200 --> 00:22:44.240
daily interactions of how it's going to kind

00:22:44.240 --> 00:22:47.119
of evaluate it, as well as, again, the support

00:22:47.119 --> 00:22:48.880
and how well the product's working. You know,

00:22:48.920 --> 00:22:50.900
if we're having a lot of support challenges,

00:22:50.980 --> 00:22:54.680
other sides on it, we may pivot into another

00:22:54.680 --> 00:22:58.460
direction and find an alternative solution. Yeah,

00:22:58.759 --> 00:23:02.240
definitely. Anything else that we didn't cover?

00:23:02.440 --> 00:23:05.019
I don't want to make too big of a deal out of

00:23:05.019 --> 00:23:07.500
it, but you can probably tell where I am coming

00:23:07.500 --> 00:23:10.619
from. I do think it's important to do your due

00:23:10.619 --> 00:23:14.079
diligence. As I mentioned, if you're not paying

00:23:14.079 --> 00:23:16.319
any kind of attention whatsoever, you're just

00:23:16.319 --> 00:23:18.359
automatically inheriting all the risks that go

00:23:18.359 --> 00:23:20.579
by the fact that you just didn't do anything.

00:23:20.859 --> 00:23:23.539
So you got to at least ask the question. So if

00:23:23.539 --> 00:23:26.799
you don't have a program, I would recommend getting

00:23:26.799 --> 00:23:28.759
at least a little bit of one. And like I said,

00:23:28.759 --> 00:23:31.480
you can start real, real small and just do conversations

00:23:31.480 --> 00:23:33.849
like, "Can you send me the due diligence package

00:23:33.849 --> 00:23:35.910
for this year?" So even if you haven't done it

00:23:35.910 --> 00:23:38.009
in previous years, you could start there immediately

00:23:38.009 --> 00:23:40.309
and say, again, it's your top two vendors and

00:23:40.309 --> 00:23:42.410
say, send me your due diligence package, and

00:23:42.410 --> 00:23:44.329
then you can start to sort through it and see

00:23:44.329 --> 00:23:46.890
what your legal obligations are. Do you have

00:23:46.890 --> 00:23:49.750
contract concerns that are in there? Whatever.

00:23:49.849 --> 00:23:51.569
But I would start somewhere if you don't have

00:23:51.569 --> 00:23:57.529
one. That's all right. Yeah. Perfect. Nice. It's

00:23:57.529 --> 00:24:01.220
like a great place to rack. Thank you Beth for

00:24:01.220 --> 00:24:03.940
joining us today. If you enjoyed this topic,

00:24:04.079 --> 00:24:07.160
please let us know. Like, subscribe, or reach

00:24:07.160 --> 00:24:12.200
out to us at info at cit-net.com or head out

00:24:12.200 --> 00:24:17.599
to our website cit-net.com slash podcast. We'll

00:24:17.599 --> 00:24:19.759
be back next week with an all new episode.
