
Revisiting Purchasing Program Concerns

Purchasing programs are the elephant in the room of IT and Infosec. Now that third-party vendor risk and supply chain security are getting the attention they deserve, a few points are worth revisiting.


First, managing purchasing as a business risk was solved a LONG time ago, back in the 1970's. Nobody has an excuse for not having a mature program with solid standards and practices in place. Because the practices are well established, they are also quantifiable, which makes them straightforward to include in KPIs and KRIs.


Second, not doing it correctly introduces risk in both obvious and subtle ways. The obvious risk is corruption in our purchasing practices. The subtle risk is that taking what we perceive to be short-cuts, to avoid what we claim is an onerous purchasing process, means we are likely not getting the best value for our money, and that is a shareholder and competitive advantage concern.


Third, any claim that the process is too onerous and that we can't waste time on needs analysis and vendor selection is a giant red flag regarding the IT and security program and the people managing it. If they aren't up to the task of managing a simple purchasing effort, can we be confident they are doing a good job with the operational IT and security side of the business? Resistance is expected, but the correct response is business process optimization, not circumvention.


If the organization isn't following best purchasing practices, there is an unacknowledged risk there, and it should be addressed before it shows up as a supply chain problem, an audit failure, or an unexpected operational event.
