You're facing vendor contract renegotiations. How can you ensure tighter cybersecurity clauses are included?
In vendor contract renegotiations, ensuring robust cybersecurity clauses is essential for protecting your data. To strengthen your position:
- Clearly define cybersecurity expectations and responsibilities, ensuring they align with industry standards.
- Insist on regular security audits to monitor compliance and identify potential vulnerabilities.
- Include specific penalties for breaches to incentivize adherence to security protocols.
What strategies have you found effective in negotiating cybersecurity terms?
-
1. Define specific security standards: Ensure compliance with recognized frameworks (e.g., NIST).
2. Outline data protection responsibilities: Clarify encryption, storage, and handling practices.
3. Mandate regular security audits: Specify audit frequency and vendor cooperation.
4. Include breach notification requirements: Set timelines and responsibilities for reporting incidents.
-
It's a whole different story if you are in a company that operates as part of a group of companies! I suggest:
1. Define security benchmarks and responsibilities to set expectations & encourage accountability.
2. Focus on building a strong working relationship with your internal IT provider, and focus on shared goals like resilience/compliance etc.
3. Have regular alignment meetings and make use of shared security initiatives.
4. Try to play the game using higher-level policies like group policies or steering committees to ensure adherence.
-
During vendor contract renegotiations, I learned the importance of being proactive about cybersecurity clauses. In one instance, a supplier's weak security led to a near-breach in my organization. Since then, I always involve the legal and IT teams early in negotiations to define clear expectations. We prioritize clauses on data protection, regular security audits, incident reporting, and compliance with frameworks like ISO 27001. Reviewing their previous security incidents and ensuring liability for breaches are also non-negotiable. This approach not only strengthens security but sets a precedent for accountability.
-
Not to forget to include clauses for vulnerability disclosure as well as breach notification timelines. A vendor that discloses actively-exploited vulnerabilities and compensating controls even before hotfixes are out provides more assurance than another that keeps the vulnerabilities under wraps until the hotfixes are available. The history of a number of past supply chain breaches alluded to lack of timely disclosure as the reason customers were breached. The breach could have been avoidable for many customers if disclosure had allowed mitigation measures to be undertaken ahead of time and therefore minimised the window of exposure.
-
Regular security audits are critical in today’s evolving threat landscape. They ensure compliance with standards, uncover vulnerabilities, and bolster defenses against emerging threats. These audits provide actionable insights into gaps in policies, processes, and technologies, enabling organizations to mitigate risks proactively. By fostering a culture of continuous improvement, audits not only strengthen resilience but also build trust with stakeholders. Cybersecurity isn’t a one-time effort; it’s an ongoing commitment. Insist on regular audits—they are the cornerstone of a robust and adaptive security posture.