How IT and Business Executives Can Work with the Vendor Management Office to Improve Software Outcomes
Tracie Berardi, Program Manager, CISQ
To meet technology needs, many enterprise organizations outsource software development or purchase software or seats for SaaS solutions. Given the criticality of technology to the business, whether it’s software to sell products and fulfill orders, or mission-critical source code that flies airplanes, it is important to require that software quality and security standards be met in the product. Some organizations are simply not aware that software quality standards can be put in contracts to achieve better outcomes, and others may place faith in suppliers. Still, IT glitches and security incidents occur, and maintenance costs are high. The purpose of this blog is to introduce the opportunity for IT and business executives to work with the vendor management office (VMO) to improve outcomes by leveraging software quality standards in contracts.
Two truths are emerging in IT vendor management:
- CIOs should be leveraging the vendor management office to reduce risk
- Vendor managers should be more proactive when working with IT to improve outcomes
So, what tools do vendor managers have in their toolbox to improve IT outcomes for the enterprise?
- First is the contract for software development outsourcing. If a vendor is developing or maintaining source code on your behalf, make sure to include software quality standards in the contract, stating that the delivered code must meet these standards as industry best practice and that any exceptions are noted for review before the code is accepted.
- Second is the contract for purchasing software or SaaS. Ask your vendor about their support for software quality standards and request evidence that the product meets or exceeds standards for quality and security. Your vendor may produce documents such as audit reports, dashboards, or certifications.
- Third is the Service Level Agreement (SLA). SLAs for software development outsourcing are becoming common. In some cases, the SLAs involve development productivity targets measured by the amount of business functionality delivered compared to the effort expended. In other cases, the SLAs involve targets for the software quality attributes of an application such as security or maintainability. The source code is scanned at regular intervals with results shared with the organization. Incentives can be placed in the SLA to improve software quality over time.
Tip: CISQ has sample contract language for software development outsourcing to read and share with VMOs here.
ISG reports the average company spends over $18,500 per employee per year on IT services. CIOs, enterprise IT managers, and business executives should work with the VMO to implement these strategies to reduce risk and cost. Software and systems engineers are “shifting left” in the development lifecycle to focus on quality and security earlier in development where it is less risky and expensive to address. Similarly, the vendor management team has an opportunity to “shift left” risk in IT outsourcing by setting requirements up front backed by industry standards.
What happens next? From our experience, three scenarios may occur when working with the VMO to introduce standards into contracts for the first time. The vendor manager may say...
- “Oh, we weren’t aware of these standards, thank you” and then put the standards into contracts
- “Oh, we weren’t aware of these standards” and then more subtly, “who are you to be telling me how to do my job?”
- “I’ll do it, but it’s up to you to sort out the details”
IT and vendor management must work together for this approach to be successful. Vendor management is responsible for negotiating a fair agreement with IT vendors based on price and services delivered. Sometimes, contracts are signed and not touched again until it is time for renewal. Including delivery requirements requires oversight by both parties in partnership with the vendor.
In the case of outsourced software development, the vendor will produce reports during client meetings or ahead of code delivery to show that the software quality standards have been met, or at least that the code has been measured against them. When purchasing software, the vendor manager will ask the supplier about their support for standards and request that the product be verified ahead of purchase. Even if the vendor pushes back, you are doing your due diligence to reduce risk. We encourage you to discuss these items reasonably with suppliers and explain why standards are important to your business.