The Centauri Step, Governance and IT Security

Supplier Relations

Marion Mellor

We can’t say it enough! Security reviews help you get to know the solutions you buy and keep track of how they evolve over time.

Build trust

The secret in any negotiation? Human relations. Any project can succeed or fail because of them. In a security review, you are not there to waste your supplier’s time, but to make sure both sides get something out of it.

  1. You have defined a security requirement level that applies to your entire organization.
  2. Your service providers and suppliers must be able to meet these requirements (otherwise they are of no use to you!).
  3. Regular security reviews are a way to remind everyone of these requirements, to educate your suppliers and to keep the relationship cordial!

MY EXPERIENCE: It’s all about the relationship. Very often I am asked questions that have nothing to do with security. A service provider asks me “Who can I turn to for an application contract?”, “How is the billing going?”, “Who is my contact in Purchasing?”, etc. But the simple fact that your RiskAssessor is having regular conversations with your suppliers ensures that the relationship is going well.

Trust is like abs: you have to maintain it!

When you launch a security questionnaire, avoid sending it as a bundle of compliance forms to be filled out.

It is always better to present and explain the approach: the goal is simply to rate the security maturity of all your suppliers so that you can identify areas for improvement.


Always plan a 15 to 30 minute telephone conversation beforehand to “take the temperature” and explain the company’s approach. Your supplier will certainly be more receptive to this than to a dry Excel table with 75 questions in English (if you have not trimmed your model down to 25 questions, as I recommended in the article “Which Security Questionnaire to choose?”)…


Taking the time is gaining time!

We’re not living in Minority Report (yet), but rather in Santa Claus is a Scumbag… So “it depends”: the humans in front of you probably have a unique situation, different from most of their competitors.

In my experience, the average supplier review takes 5 days to complete (i.e. 40 hours), but some can take much less time.

Keeping in touch with each supplier is not a waste of time; on the contrary, it allows a more detailed analysis of the answers and a better match with the company’s actual needs.

PROOF: In one year, with this “Contact” method, I was able to carry out 100 supplier reviews. That is, for each one, negotiating the contract (sometimes it goes quickly; sometimes it is more of a workout) and at least one conversation with each supplier (sometimes 10).

TO AVOID: Sending 5 reminder emails without ever contacting the supplier directly. This is a “Compliance” approach that only encourages the supplier to procrastinate.


Basically, security is a bit like the International Space Station: a lot of tools and preparation, and then it essentially comes down to relying on humans!


Let’s get to work…