Dealing with vendors who resist security updates: Are you prepared to tackle their pushback?

Determine the risk and impact the vendor poses to your supply chain, both from the perspective of using the vendor and choosing to not us the vendor. Review the access the vendor will have (will the vendor store, process or otherwise access company data) Verify what is include in contracts/agreements to determine the potential recourse. Review the reasoning and compensating controls the vendor supplies for why they cannot patch and how they are addressing the situation. From this analysis you should be able to determine overall risk and impact the vendor has on the organization. Then you can accept or mitigate the risk on your side, otherwise change vendors. Systems that are delicate to update should not be used = poorly designed systems.

- Ensure that security requirements, timely updates and patches, are clearly outlined in vendor contracts and SLA. - Include clauses in contracts that impose penalties for non-compliance with security update requirements. - Exercise your right to audit the vendor's security practices as outlined in your agreement. - Conduct regular audits of the vendor’s compliance with security update.

This is a very Tricky one, but an organization or entity must, tackle vendor pushback on security updates, educate vendors on the importance of updates, including real-world breach examples. Ensure contracts have security clauses and implement penalties for non-compliance. Hold regular meetings, conduct joint security reviews, and emphasize compliance requirements. Use automated update mechanisms, have an internal escalation path, and consider switching vendors if needed. Document all communications and actions for accountability and future reference.

Dealing with vendors who refuse to upgrade their security involves a balanced approach that includes clear communication, education, incentives, and enforcement. Establishing robust contractual agreements, providing help, and keeping open communication are all excellent ways to handle vendor resistance and assure compliance with security standards.

Prepare to tackle vendor pushback by assessing risks, understanding their concerns, clearly communicating the necessity of security updates, and negotiating mutually agreeable solutions that address both security and operational needs.

Do your homework first. Be prepared. Curate your approach and thinking. -Once we have our case we need to think how we will position this -We then need to map our thinking to the context of our audience Looks at the upside; -Generate a list of benefits. -Showcase how we will focus on the user journey -Don’t let users or their workflow be impacted Security should be about enablement, creating a condition of safety and be supportive to the business to gain adoption and create value.

Here's the thing about building a case: it's not just about the data, it's about tailoring your argument to the vendor's perspective and understanding their motivations. The "So What?" Factor (Again): Don't just list vulnerabilities, talk about the impact on their business. Could a breach at your company tarnish their reputation? Lead to lawsuits they're involved in? "Shared Risk" Framing: Emphasize that you're both in the same boat. A security incident affects both of you. This creates a shared interest in finding a solution. The "Carrot" Approach: Highlight the positive benefits of security updates. Can they lead to increased efficiency, better performance, or even new features that benefit both parties?

To address vendor resistance to security updates, build a strong, evidence-based case. Highlight past incidents where outdated systems led to breaches, emphasizing the direct and indirect costs incurred. Present data to show the mutual benefits of updated security measures, demonstrating that security is a critical business imperative, not just a technical issue. By framing security updates as essential for protecting both parties from significant harm, you underscore the shared responsibility and importance of maintaining robust security standards.

To address vendor resistance to security updates, build a strong case by presenting evidence of past incidents where outdated systems caused breaches, highlighting both direct and indirect costs. Show how updated security measures benefit both parties, framing security as a business imperative rather than just a technical issue. This approach emphasizes the mutual benefits and underscores the necessity of compliance, making it clear that maintaining security standards is crucial for both parties' success and protection.

Once you've assessed the risks, it's time to build a strong case for why security updates are non-negotiable. Gather evidence of past incidents where outdated systems led to breaches, emphasizing the direct and indirect costs incurred as a result. Present the data in a way that highlights the mutual benefits of maintaining updated security measures. Your goal is to demonstrate that security is not just a technical issue but a business imperative that affects both parties.

To handle vendors resisting security updates, clear communication is vital. Approach with empathy, acknowledging the disruptions updates can cause. Emphasize that security updates are a shared responsibility, using non-technical language to avoid confusion. Clearly outline the consequences of non-compliance, conveying that security is fundamental to your partnership's integrity and success. By framing security as a mutual priority, you can foster cooperation and ensure both parties understand its critical importance.

In my experience, an organization that's keen on security should always clearly state this in the Terms of Reference when getting into an agreement with a third party vendor. The terms of reference may reflect the content of the organization's security policies which all stakeholders need to comply with. The TORs are then translated to a contractual agreement which the vendor has to either agree to or not. Therefore, any vendor who tries to resist security updates after signing the contractual agreement breaches the agreement and should be subjected to the policy enforcement or penalty clauses contained in the contract.

Here the thing about clear communication with vendors: it's about the leverage you have and the relationship you build. The "So What?" Factor (Again): Don't just say "we need this patch." Explain the impact of the vulnerability on your business. Can it be exploited by a known attack? Does it violate a compliance requirement? This puts the issue in their court. The "Carrot and Stick" Approach: Highlight the benefits of patching (better security, improved performance). But also be clear about the consequences of inaction (potential contract termination, reputational damage). The "Escalation Ladder": Don't be afraid to go up the chain of command if needed. If the frontline support isn't helpful, reach out to a manager or executive sponsor.

When dealing with vendors resistant to security updates, clear communication is essential. Approach with empathy, acknowledging that updates can be disruptive. Emphasize security updates as a shared responsibility using non-technical language to avoid confusion. Ensure the vendor understands the consequences of non-compliance and convey that security is a fundamental aspect of your partnership. This approach helps foster understanding, align priorities, and underscore the importance of robust security practices in maintaining a strong business relationship.

Clear communication is key when dealing with resistant vendors. Approach the conversation with empathy, understanding that updates can be disruptive. However, emphasize the importance of security updates as a shared responsibility. Use language that is non-technical where possible to avoid confusion and ensure that the vendor understands the consequences of not adhering to security protocols. It's essential to convey the message that security is a foundational element of your partnership.

Voici quelques astuces que j'ai trouvées utiles pour négocier efficacement avec un fournisseur de logiciel et obtenir des clauses de mises à jour de la sécurité. Avant d'entamer les négociations, je prends le temps de bien comprendre mes besoins en matière de sécurité. Cela inclut la fréquence des mises à jour, les types de vulnérabilités que je veux voir corrigées rapidement, et les normes de sécurité auxquelles je veux que le fournisseur se conforme. Ensuite, je me renseigne sur le fournisseur, notamment sur sa réputation en matière de sécurité et sa capacité à fournir des mises à jour régulières. Je consulte les avis d'autres clients et les rapports de sécurité disponibles.

Asses the risk the business, and educate your business stakeholders. If they are persistent on this vendor then ensure legal terms protect your company and ensure you are not enabling the vendor for high risk or critical information assets. If they do, raise the risk assuming you have an already established and understood risk rating process across the entire business.

If resistance persists, enter into negotiations with the vendor. Be prepared to discuss terms that might make the process of implementing updates more palatable for them. This could include scheduling updates during off-peak hours or providing assistance with testing. However, remain firm on the necessity of the updates themselves. The negotiation should seek to find a compromise on how and when updates are applied, not whether they are applied.

Often product vendors by practice don't perform security testing/VAPT on minor releases/patches/ hotfixes and only on major releases/ version upgrades/ critical patches. While this practice may be common but it's a very risky practice, as orgs can suffer a security incident or breach due to a bug/vulnerability in the product. All updates need to be authenticated and liability terms need to be included accordingly in terms of capping and insurance. Alternatively, negotiate on reduced pricing and involve an inhouse team to perform security testing on the updates.

Here's the thing about negotiating with vendors: The "So What?" Factor (Again and Again): Don't just say "we need this fixed." Explain the impact of the vulnerability on YOUR business. Can it be exploited by a known attack? Does it violate a compliance requirement you're subject to? This puts the ball in their court. "Escalation Ladder": Don't be afraid to go up the chain of command. If frontline support isn't helpful, reach out to a manager or executive sponsor. Mentioning potential PR fallout or even legal action can get attention. The "Walking Away" Option: If the vendor refuses to budge, are you prepared to switch to a competitor? Having this option (and letting them know you have it) strengthens your negotiating position.

Here's the thing about contracts: the fine print matters, and enforcement isn't always straightforward. Read Before You Sign: Don't assume a standard contract covers everything. Look for specific clauses about patch timelines, vulnerability disclosure, and who's liable for a breach due to their product. "Force Majeure" Isn't a Get Out of Jail Free Card: Vendors may try to use this clause to avoid responsibility. Push back with legal counsel if needed, to make sure they're held accountable. Relationships Matter: A contract is a tool, not a weapon. Use it to build a partnership where both parties are incentivized to maintain security, not just point fingers at each other.

Voici la clause d'obligation de mise à jour, à inclure dans un contrat de logiciel, concernant la cybersécurité : Le contrat doit clairement stipuler l'obligation pour le fournisseur de logiciel de fournir régulièrement des mises à jour de sécurité. Cette clause doit préciser : - La fréquence minimale des mises à jour (par exemple, mensuelles ou trimestrielles) ; - Les délais d'application des correctifs critiques (par exemple, sous 24 à 48 heures pour les vulnérabilités critiques) ; - Le processus de notification au client des mises à jour disponibles.

To address vendor resistance to security updates, ensure your contracts mandate compliance with these updates. If resistance occurs, remind the vendor of their contractual obligations. Use the contract as a legal tool to enforce security standards, including penalties for non-compliance. This approach leverages formal agreements to ensure vendors take their security responsibilities seriously, underscoring the importance you place on protecting your data and systems. It highlights that security is non-negotiable and essential for maintaining your partnership.

Include clauses in vendor contracts that mandate compliance with security updates. If resistance occurs, remind the vendor of their contractual obligations, which can include penalties for non-compliance. Using the contract as a legal tool enforces security standards and emphasizes the importance of protecting your data and systems. This formal approach ensures vendors take their security responsibilities seriously and aligns their actions with your security requirements.

here's the thing about "alternative solutions": The "So What?" Factor (Again): Don't just say "we'll find someone else." Explain the impact of their non-compliance on YOUR business. Are they risking your ability to meet regulatory requirements? Could you lose customers or revenue because of them? This is what gets their attention. "Backup Vendor" Isn't Just a Threat: Actually have a plan B. Research alternatives, get quotes, and be ready to switch if necessary. This shows you're serious. The "Cost-Benefit" Analysis: Sometimes, a small compromise on your end (e.g., adjusting the timeline for updates) can be worth it to avoid the disruption of switching vendors. But make sure the compromise doesn't significantly increase your risk.

Here are some considerations when deciding to opt with alternative vendors in the security market to maintain an organization's ongoing security and compliance: 1- Construct a Transition Plan: Document current processes and dependencies, and train your team on alternative vendor products to ensure a smooth switch if needed. 2- Leverage Industry Networks: Participate in forums and seek peer reviews and recommendations to gather information on vendor performance and best practices. 3- Regular Security Audits: Engage third-party security firms for regular audits and conduct internal reviews to assess vendor performance and compliance, using the results to decide whether to continue with or switch vendors.

Clearly define compliance expectations in vendor contracts. Consider including penalties for non-compliance. Maintain a list of pre-vetted alternative vendors. These should be organizations that have passed your compliance criteria and offer similar services. This portfolio ensures that if a primary vendor becomes non-compliant or fails to meet your requirements, there are options readily available, significantly reducing downtime and impact on operations.

I think it is always a great idea to have an alternative plan for all of your vendors. They may be doing a great job now but leadership changes, companies are bought out, etc. When you have alternatives at the ready it allows you to quickly put pressure on the vendor and follow through with any threats you make to switch.

When dealing with vendors who resist security updates: 1. Explain risks and consequences 2. Emphasize compliance requirements 3. Offer support and resources 4. Collaborate on a timeline 5. Provide alternatives 6. Escalate if necessary 7. Review contracts and SLAs 8. Consider vendor replacement 9. Document everything 10. Foster a security culture By following these steps, you can effectively address vendor resistance to security updates, ensuring the security and integrity of your organization's systems and data.

Put it in your terms and conditions during PO and add it in their SLA, end of story. If it is not in writing it will be very tough negotiating with vendors.

I would recommend going beyond the expectation of security updates and patching from your vendors. The security practice at your vendors place has to be as strong as of yours, as a baseline. It should encompass patching/updates, configurations management, effective incident response, and open, fair and timely communication. The vendor should be as serious about the security of their own supply chain as you yourself are. Any lackadaisical approach may be very costly. Look beyond third party and regular updates.