Revisiting Purchasing Program Concerns

Purchasing programs are the elephant in the room of IT and Infosec and now that third party vendor risk and supply chain content is getting the attention it deserves, we should revisit a few points.

First, managing purchasing as a business risk has been a solved problem for a LONG time, back to the 1970s. So nobody has an excuse for not having a good program with solid standards and practices in place. That maturity also makes the program quantifiable, so it can be included in KPIs and KRIs.

Second, not doing it correctly introduces risk in obvious and subtle ways. Obviously, because we don't want corruption in our purchasing practices; and subtly, because taking what we perceive to be shortcuts around what we claim is an onerous purchasing process means we likely are not getting the best value for our money, and that's a shareholder and competitive-advantage concern.

Third, any claim that the process is onerous and that we can't waste time going through needs analysis and vendor selection is a giant red flag regarding the IT and security program and the people managing it. If they aren't up to the task of managing a simple purchasing effort, can we be sure they are doing a good job with the operational IT and security business aspects? Resistance is expected, but the correct response should be business process optimization, not circumvention.

If the organization isn't following best purchasing practices, there is an unacknowledged risk there, and it should be addressed before it shows up as a supply chain problem, an audit failure, or an unexpected operational event.
