Benefits of a comprehensive cybersecurity procurement process

Cybersecurity is a critical concern for organizations regardless of their size, industry or ecosystem. As threats grow globally, so does the cybersecurity market. One challenge that purchasers of cybersecurity products face is a lack of transparency. The cybersecurity market currently has around 7000 vendors; the global cybersecurity market is expected to reach $348.26 billion by 2027, growing at a CAGR of 9.9% from 2020 to 2027 (Source: Allied Market Research). This goes hand in hand with the analysis of Cybersecurity Ventures, which shows that 55% of organizations increased their cybersecurity spending in 2021 (Source: Cybersecurity Ventures). However, in the same year, 43% of breaches involved a third-party vendor vulnerability (Source: Verizon Data Breach Investigations Report). With that in mind, it is even more striking that the global consulting company Deloitte found in a recent study that 59% of companies do not have a formal cybersecurity procurement process.

As part of a company’s overall security strategy, effective cybersecurity procurement plays an integral role in safeguarding the company. It is responsible for acquiring a well-fitting stack of services and technologies in the first place, and for regularly evaluating suppliers and renewing contractual conditions (e.g. to factor in new regulations) so that the organization’s security measures remain effective and relevant. This article explores the importance and characteristics of a comprehensive procurement process.

Why is it important?

The market figures presented in the introduction suggest that there is potential for commercial improvement, as inefficient markets usually provide negotiation opportunities. To reap these, you need a structured approach: structure brings efficiency, effectiveness and, in the case of cybersecurity, also a reduction of potential breaches. A cybersecurity procurement process addresses all three aspects. It helps to acquire the technology and service stack needed to implement the cybersecurity measures that were previously defined in the company’s security strategy. With a defined process in place, the acquisition is based on specific criteria. Thus, the selection of vendors happens in a structured and transparent manner, which supports both the creation of competition and adherence to compliance. Competition is only possible if you have an overview of the relevant requirements for comparable offerings from providers. Adherence to compliance regulations becomes easier the more structured the procurement process is and the more transparent the vendor selection. That is especially necessary in the case of public tenders, where Bosch CyberCompare can also help.

We often get asked how much money can be saved with a formal cybersecurity procurement process. Unfortunately, there is no single answer to this question, as the amount saved will vary depending on the size and nature of the organization, the type of security measures implemented, and the severity of the threats faced. However, purchasing cybersecurity has the same dynamics as purchasing other goods and services: competition always helps to find solutions that are optimized in terms of quality and price.

Now what are the characteristics of a comprehensive procurement process?

The basis for most procurement processes should be a risk assessment of your organization, as it provides transparency about the risks you face and the controls that need to be implemented. Based on that, you can define a service and technology stack to realize these controls. Depending on your industry and the characteristics of the market, there may be additional regulations and laws that need to be factored in, such as the IT-SicherheitsGesetz in Germany, which applies to so-called “Critical Infrastructure (CRITIS)”. More prominent companies usually have an ISMS (Information Security Management System) based on a risk assessment methodology.

Conducting a formal tender process is another crucial part of procuring cybersecurity solutions. A tender process can help organizations:

1. Compare the cost and value of different security solutions to determine the best overall commercial offering for the organization.

2. Evaluate the security features and capabilities of different technology solutions and compare them against industry standards and best practices, to ensure that they meet the organization’s specific security requirements.

3. Ensure that all potential providers have a clear understanding of the organization’s security requirements to provide accurate and complete proposals.

4. Evaluate the qualifications and experience of potential providers to ensure that they have the technical expertise to deliver the security solutions required. This should include evaluating a vendor’s security practices, track record, and references.

5. Negotiate specific security requirements in contracts with vendors to ensure that the vendor is accountable for delivering secure services and products. This should include breach reporting and liability for security incidents.

6. Ensure that procurement processes are transparent and fair to avoid conflicts of interest and to ensure that the organization selects the best solution.

Common mistakes to avoid in your procurement process:

Like most business endeavors, it starts with defining clear objectives and requirements. In the cybersecurity landscape, which can be difficult to understand even for IT professionals because it is constantly evolving, having these defined is all the more important in order to avoid overspending or procuring solutions that do not effectively address the organization’s security threats.

Focusing solely on cost can result in procuring solutions with poor security features or capabilities, increasing the risk of a security breach and raising the cost of incident response and recovery. Therefore, our recommendation is to always follow a value-based approach by evaluating the solution’s total cost of ownership (TCO). This naturally comes with a second benefit, as you automatically factor in the onboarding costs, such as implementation in the existing landscape (systems, processes) and employee training, as well as ongoing costs, such as maintenance, upgrades, and support.

What fits now might not fit in the future, as the threat landscape is continuously evolving. Thus, looking at a solution’s scalability and future-proof nature is also essential. Compare it with your organization’s growth plans and identify technological and commercial obstacles. It is better to negotiate requirements before signing the contract and get a complete fit, rather than a partial fit that requires additional expenditure later to rectify issues not ironed out at the start.

In conclusion, a comprehensive cybersecurity procurement process is crucial to an organization’s overall security. It helps to find the right technology and service partners at reasonable commercial conditions. Conducting a formal tender takes time and effort, but it helps organizations make informed decisions about their security investments and ensures that they procure solutions that meet their specific needs and requirements. We at Bosch CyberCompare specialize in conducting such tenders, supporting organizations by making cybersecurity purchasing more efficient and thus maximizing the return on a company’s security budget.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.