Educause '23: Vetting Third-Party Vendors Critical for Cybersecurity

Given the plethora of cyber threats targeting higher education in the U.S., university officials have to carefully vet third-party vendors before working with them to maintain and modernize their technology systems, according to a recent panel of IT officials.

The need to choose vendors carefully was a central topic at a Thursday panel at the annual Educause conference in Chicago, titled “One Giant Leap: How Strategic Partnerships Help Drive IT and Cybersecurity Strategies,” featuring David Seidl, vice president for IT and CIO at Miami University; Donna Kidwell, deputy CIO and chief information security and digital trust officer at Arizona State University; and Tina Thorstenson, vice president of Crowdstrike’s Industry Business Unit and former higher ed deputy CIO and CISO.

Seidl said he generally puts vendors in three categories: partners, those that have transactional relationships with universities, and threats to avoid.
“There are many who you have what I call a 'transactional' relationship with. You pay them money, they do the thing and send you the stuff, and maybe it’s positive or neutral, but that’s kind of where the relationship sits,” he said. “They’re not who you’re going to call on a bad day … they’re looking for the next thing they can sell you.”

As for the threats, he said it’s important to look out for vendors that have “egregious licensing terms” that change too often.

“There are active threats out there as well,” he said. “The more partners you have, the better your life and the organization will be. … We want to get rid of the threats. I am okay with transactions, [but] I love partners.”

Seidl said that when Miami University recently set out to modernize its ERP system, IT leaders spoke with several vendors, as well as others who had worked with them, to make a decision. He added that it’s important for officials and CIOs across the higher-ed landscape to consult one another about which vendors might work with the university’s needs and be communicative about responses to cyber threats, for example.

Seidl said it can also be a matter of “finding the right person” with a vendor organization to be a point of contact for those partnerships.

“If you can find organizations where it is the ethos of the organization [to help institutions] and they really want to do that, that makes a difference,” he said. “That is working to keep your customers online.”

When shopping for vendors to work with on major projects, such as migrating ERP systems and other network modernization efforts, Kidwell said it’s important to make sure that the goals of the university and the vendor are aligned. She said if officials can find ways to incentivize vendors to meet them in the middle, it’s possible to change the nature of relationships with vendors as well.

“It’s [about] being able to identify if that alignment is working now,” she said. “You’re able to go back and say, ‘Here are the sets of things that are important to me.’”