How to engage with suppliers to refine cyber security controls

Market engagement is a key part of any procurement process, and can be a great way of testing and refining requirements before tendering, as well as maximising outreach to promote a wider and more diverse supplier base.

These activities are particularly important for testing your cyber approach - especially if you are introducing new controls or standards requirements that are not common in your previous procurements.

There are lots of ways of running effective market engagement, including but not limited to:

  • Running workshops with existing suppliers - these workshops are an opportunity to discuss cyber security with your suppliers, assess their capability against potential cyber security controls (e.g. accreditations), and gather their feedback on your cyber security strategy.
  • Publishing a Prior Information Notice (PIN) and Early Engagement Notice - these are tools to notify the market of your intention to award a contract, which can lead to initiating discussions with potential suppliers.
  • Organising ‘Meet the Buyer Days’ - these events invite suppliers to find out what opportunities exist, and may be a chance to assess cyber security capabilities amongst local interested suppliers.
  • Running online consultations - feedback can be gathered through the above-mentioned events, or through a digital questionnaire. A digital questionnaire can help you reach a wider range of suppliers, thereby enhancing the fairness of the consultation process, and greater transparency, as the outcomes of the questionnaire can be published online. Sometimes after engaging with the market, you might realise that the market has a lower cyber maturity and struggles to fulfil your security requirements, hence you might want to consider ways of influencing the market to improve their cyber security capabilities.

Some of the ways you can do this include:

  • Exercising market clout: You can work together with colleagues from other councils to create the market clout to influence common vendors to adopt security practices that are appropriate for critical infrastructures. By working together with colleagues to set sector-wide requirements, security will become a competitive advantage for vendors rather than a compliance requirement.
  • Organising training or awareness events for the market: Following your engagement, you can point suppliers to free NCSC resources or invite them to training events or courses to develop their cyber surety awareness and improve arrangements. 
  • To familiarise yourself with effective evaluation tools and processes for understanding supplier risk and embedding cyber resilience in your supply chain, continue on to Tender guide.

While these resources are updated frequently, the threat landscape is constantly evolving with new risks and vulnerabilities. It is very important to always follow the most up-to-date guidance as given by the National Cyber Security Centre (NCSC) and other related government bodies.