  • Jan. 26, 2022
    This report is available only to Outsourcing Excellence/Cybersecurity members. For information on membership, please contact us.
    Organizations run significant risks, both financial and operational, when they do not periodically assess the security risks vis-à-vis their strategic suppliers. Such an assessment requires evaluating suppliers’ criticality to determine whether they support critical businesses and/or are critical in terms of security, and accordingly conducting periodic risk assessments to ensure data-/evidence-driven decision-making. In this executive brief, Everest Group analysts provide best practices for a well-defined cyber risk management process across the supplier life cycle, incorporating best practices from industry standards such as ISO 27001-2, ISO 27036-2, and ISO 27701:2019.
    Note: Everest Group publishes Executive Briefs for senior executives from enterprises. These briefs address hot industry topics and particularly challenging issues of the day in an easy-to-digest format.
  • Aug. 31, 2021
    This ready-to-use category strategy template offers editable frameworks for internal assessment and detailed industry and market category overviews to assist category managers, procurement professionals, and CPOs in creating an informed category strategy for cybersecurity services. Cybersecurity services encompass cloud security, endpoint security, data security, IoT/OT security, application security, network security, Identity and Access Management (IAM), and Governance, Risk, and Compliance (GRC) in a commercial enterprise model. The goal of cybersecurity services is to defend the enterprise technology landscape, including devices, servers, connected systems, and user data and privacy, from both outside and inside threats. Category managers can customize this template with internal category information, such as spend, suppliers, and subcategory overview. They can also use the industry and market insights provided in this template to build a strong supply base understanding. A category strategy’s goal is to create an action plan for effective category management, and this template provides the requisite tools, frameworks, and information to create a robust strategy. Best-in-class procurement organizations effectively leverage such tools and techniques to drive continuous improvements in their categories. 
    Scope
      • All industries and geographies
      • Category in focus: cybersecurity services
    Contents
    In this category strategy report, we offer comprehensive templates based on a four-step process to create a category strategy:
      • Define internal needs: define category maturity and objectives, create a buyer profile to gauge the current supply base state and predict future demand, and conduct total cost modeling
      • Understand the market: build industry and supply base understanding by evaluating aspects such as market trends, key suppliers, major delivery locations, pricing trends, performance benchmarks, and category risks
      • Determine the sourcing strategy: decide between an in-house versus outsourced model for the category and identify best practices and value levers to drive category efficiency
      • Create an action plan: identify and prioritize projects and drive them toward execution