Love them or hate them, service providers are ubiquitous. I’d challenge any service provider nay-sayer to prove they don’t use any or have had no positive experiences using them. Treating service providers in the broadest sense, as 3rd party organizations that provide some level of service – do something on your behalf – it is genuinely difficult to avoid them. Casting a wide service provider net, you must consider including companies like those offering shipping and courier services. This is a function most businesses wouldn’t even consider doing in-house because the service providers do it better, faster, and cheaper. Such is the purpose of a service provider. If you are familiar with the quality triangle (put very simply, “cost, speed, quality – pick two”) the job of the service provider is, within a narrow scope, to make that triangle bigger. They cheat the system of business by specializing in only one specific area. You can’t affordably perform domestic next day deliveries of your product with a driver in a truck, but you could for 1000 customers using 1000 drivers in 1000 trucks. Simple! Well, not exactly.
Whilst some in the logistics sector would throttle me for saying their business is easy, it’s also much harder in a lot of ways. I worked with one of the largest European logistics businesses and the level of innovation required to compete in what most would consider to be a simple and narrow space was amazing. Service providers, of all shapes and sizes, are often misunderstood and underappreciated but play an essential role in every corner of our business lives.
So come on Ridgley, what makes life so hard for these service providers?
In drafting this piece, I wrote a long list of specific pains service providers face. Having been a service provider, I went back through challenging every point. The fact is service providers aren’t that different in terms of the innards of the business… so putting my finger on the thing that sets service providers apart was difficult. But it comes down to this point:
A service provider takes the place of a function of your business that is seen by your customers as part of you rather than an associated third party.
By this I mean, the difference between what you might call a service provider and what you might call a supplier is that you can likely get resolution for a supplier issue, but when the service provider fails you must weather it as your own.
I admit this is all a bit fluffy, but it’s meandering towards my main point: the biggest job a service provider must do during its sales pitch is to get you, their customer, to commit to a leap of faith. They must sell trust. Not trust that their software works, or their apples taste nice, or their paint sticks well. But trust that their entire organization will deliver a high quality and lasting service to you as a crucial part of your customer’s experience.
In the modern world of B2B integration, these trust relationships often include transfer of precious goods, personally identifiable information of your consumers, medical records, intellectual property, customer lists and whatnot. Your service provider’s security and governance become part of your security and your governance, yet they are separate and all you have to control them is a service level agreement.
So how could you possibly trust an organization so critical to your success? What can you ask to weed out bad service providers? Are there any obvious alarm bells we should be listening out for?
Let’s assume you’re starting from scratch. You’ll do some basic research on offerings, try and see if you can find any indications of pricing and, no doubt, look at a shiny list of solutions offered whilst thinking they do something for everyone!
The biggest single method you have for validating the credentials of a service provider is speaking to a reference customer. A reference customer, especially one who is willing to talk and uses the same service you are interested in, is the single most valuable asset for a service provider. As such, service providers work extremely hard to form such relationships with some customers. While you must consider their reference with a dose of skepticism, it’s extremely unlikely you’ll be lied to.
Some specific tips then for assessing a potential service provider:
Ask for several relevant references. If the service provider has them then they clearly have a mature and stable offering. If they don’t and try to offer unrelated references, then you should wonder if you might be an early customer into an opportunist market solution.
Ask specific questions. If you’re receiving a 24-hour service, ask how big the team is that will be serving you. Service providers should be proud to share such numbers with prospects. If they are not, then they may be hiding numbers they know you won’t like.
Ask about break clauses. If the service provider fails to fulfill their commitment, is there a low-cost easy parting of ways? Agreeing to reasonable clauses is a strong sign of confidence from your service provider.
Be cautious over flexibility. One of the biggest failings in service providers is when they try to do too much. Service providers feed on industrializing their services and all the teams and processes underneath for all their customers. That is how they achieve high quality at lower cost – scale. It should be obvious in discussions if the flexibility you seek is built-in or easily accommodated or if you are just being fed fluffy yeses. Flexibility on a customer-by-customer basis is extremely hard to scale and is normally the cause of ongoing issues where service providers struggle to cope with a building backlog of service customizations that are delivered by humans.
Be clear on measurement. It is important to have a solid service level agreement but you also need to be confident in how the service provider measures their performance. Resolving problems with a service provider is extremely difficult when there isn’t a clear statement of mutual measurement in place or where data used is unreliable.
Ask for proof. It can be tricky to assess service provider past performance when they legitimately refuse to share certain information. This quickly becomes a conversation over what is possible for them to share so you can validate. For instance, their compliance with certain standards. The service provider should be happy to provide certificates relating to required regulations and audit summaries. “That’s what you pay us for” is not a particularly good response, especially when they are providing you with an element of something that is preventative. When paying a service provider to manage a risk area or provide cybersecurity measures, they need to be able to prove to you that they are fulfilling their responsibilities. That way, in the event of a data breach, both organizations can look at what happened, and make a mutual call as to whether it was avoidable or not. Up front, your service provider needs to be able to prove to you that when the worst happens, they have your back!
So, is it even possible to completely trust a service provider? No, of course not. Trust, as with personal relationships, requires time and investment. It grows with each success and, likely, with each failure… and things will fail. The service provider sales rep’s job is to build your trust in them to deliver so that you take that leap of faith that they are the best way to achieve your goals. Your job is to question, and request proof. To go with them on a trust-building journey; raise every doubt, challenge every suspicion and validate them as you would an internal team – because that’s what they’ll be to your customers!
Author: Russel Ridgley
Category: RSA Fundamentals, Blog Post
Keywords: Cybersecurity, Third Party Risk, Risk Management, Digital Risk Management, 3rd-Party Risk Management, Service Providers