Implicit trust: How much confidence do you have in your vendors?

Confirming the strength of your digital supply chain

October 15, 2024

Key takeaways

Companies often place significant faith in their vendors, sometimes for many years, without verification.

Following technology vendor issues, companies must assess their implicit trust in third parties.

Companies need to require vendors to understand their business practices and operational needs.

Recent significant incidents at technology vendors left thousands of companies scrambling to recover and resume operations. It’s a wake-up call for customers and the industry alike about implicit trust. Customers often place significant faith in their vendors, sometimes for many years, without verification—but global technology companies are susceptible to disruptions to their operations and services. Customers need to reconsider the implicit trust, assurance and confidence they place in the companies they work with because an issue at a company that supports day-to-day operations could be devastating.

Until recently, no wide-scale, cross-industry issue had occurred that affected immediate operational capabilities across sectors. As a result, many companies put a tremendous amount of blind confidence in their vendors, including giving them elevated access to files and key systems. Unfortunately, customers may not have thought enough about what a misstep at a vendor would mean for their business. Many companies just didn’t think a significant outage from an enterprise-grade service provider could happen to them, until it did. Moving forward, the relationship with vendors warrants a change.

Outsourcing and working with third-party providers is only projected to grow in the future. It’s a proven solution to resolve resource and staffing gaps, quickly scale resources up and down as needed, and control personnel costs. Companies need to trust who they work with, but implicit trust of third parties should have limits, and those relationships should be periodically assessed. This includes ensuring that expectations set between the company and third-party providers are being met while risks in vendor-reliant processes are appropriately managed.

Vendors vs. service providers

Simply put, there is a difference between a vendor and a true service provider. Most vendors seek to sell a product and then transition to the next potential customer; many do not consider the customer’s business or the implications of a potential service disruption. Alternatively, a service provider seeks to provide value and cultivate long-term relationships with customers that extend beyond the initial sale. They invest back in their customers and do not believe the work ends once the initial product is sold.

Customers need to reevaluate the trust they place in their third parties and recognize that service providers and vendors should have different levels of accessibility to their business. In parallel, third parties need to acknowledge and address the potential impact of service disruptions on their customers, or risk losing out to competitors that demonstrate a deeper level of commitment to safeguarding customers’ operations.

Just as an auto manufacturer must closely scrutinize a parts provider and an airline must oversee those responsible for servicing planes, all companies should closely monitor digital vendors that are critical to their day-to-day business operations.

Trust challenges within the digital supply chain

As companies rely more heavily on technology to drive business processes and success, the digital supply chain has reached a critical mass where vendors have often become an integral part of operations. Therefore, customers need to look at technology vendors the same way they do other critical service providers, and replace transactional interactions with more strategic partnerships.

Companies need to trust the providers that support their key functions—those parties have access to critical systems and, in some cases, intellectual property. However, the level of trust needs to be appropriate, with guidelines and processes in place to address issues that could result in downtime. For example, a company could line up secondary or backup providers to step in if an incident arises with their primary provider.

More than business interruptions

Following recent outages, regulators sanctioned many companies for having no plan or an insufficient plan in place when critical technology systems are compromised. These incidents have provided ideal use cases for regulators to demonstrate the need for resilience in the digital supply chain.

In addition to prompting regulatory challenges, outages within a third party can result in reputational damage and a lack of user and customer confidence for a company. All these challenges underscore the importance of establishing clear expectations of providers, aligning access to the minimum level required, and having defined and tested plans in place to respond to incidents.

Implicit trust beyond technology vendors

Determining the level of trust and access companies give third parties is a conversation that should extend beyond technology vendors or providers. For example, these considerations could encompass outsourced finance, human resources and procurement personnel. Any external parties that contribute to the success of the business need to be provided a certain level of trust to perform their responsibilities, but that trust must be regularly evaluated and adjusted when necessary.

Companies need to respond to the recent public and global incidents by defining the vendors supporting their critical business processes, revising expectations for those relationships as necessary and becoming better prepared to respond to potential incidents.

What to do differently

Every company has different goals, needs and risk tolerances—from both a regulatory and an operational perspective. However, providers need a deep understanding of their customers’ business practices and operational requirements and should be present beyond the sale to help prevent and resolve any issues.

No matter the size of the provider, companies need to ask the hard questions: How operationally secure are their preventive mechanisms? Are updates made in a controlled and safe manner that aligns with our risk tolerance for impact to business operations? What is their process if an outage occurs to help our company get business operations back up and running in a secure manner?

In addition, companies must confirm vendors are adhering to contractual obligations, and take legal action if necessary.

Resiliency and relationships

Ultimately, to minimize the level of risk to the business and overall operations, organizations should establish clear expectations of third parties and ensure the parties’ capabilities align with those expectations. This starts with identifying all third-party relationships, assessing vendor reliance and resiliency, and determining the potential for business disruption if a third party’s services become unavailable.

Vendors need to think more about building relationships rather than focusing on just the product sale. Conversely, customers need to concentrate on understanding the implicit trust they bestow on their key providers and ensure that vendors continuously earn that trust through collaboration and responsiveness. With this mindset, the two parties can establish a stronger understanding and build a plan to help mitigate future risks.

The takeaway

Organizations need to require vendors to understand their business practices and operational needs rather than viewing them as just another potential sale, and embrace third parties that take the opportunity to become a true service provider.

Many third parties play a pivotal role in the digital supply chain and require a certain level of implicit trust from their customers to provide the optimal level of service and value. However, for them to provide these benefits, the relationship must be built on the proper level of collaboration, trust and mutual understanding of business practices by both parties. When that relationship is strong, it can increase overall confidence in ongoing business agreements, mitigate risks and reduce potential downtime.

Another widespread incident or outage is inevitable, but companies that focus on maintaining relationships with the correct balance of trusted service providers will be better equipped to take the necessary steps to limit its effects or, ideally, avoid them entirely.

RSM contributors

  • Dietz Ellis
    Director
  • Daniel Gabriel
    Principal
  • Lloyd Zygler
    Director