Public sector buyers want to act on the mandate to work with smaller, agile, specialist suppliers. But security concerns can make it tempting to stick with larger incumbents.
The spread of public sector procurement spend is fragmenting, with the SME share at a six-year high. This shift means buyers have more organisations to onboard and evaluate.
With limited time and resources, buyers must answer one golden question about every organisation they consider: “Can this company be trusted with our sensitive data?” No organisation can spend months auditing their suppliers, except in the most extremely security-sensitive scenarios.
It creates a temptation to stick with incumbents, particularly on sensitive contracts, where the perceived risk of working with a new supplier may be higher. That caution comes at a cost, by missing out on partners who bring new capabilities, greater levels of agility, and faster innovation to the table.
Alongside the standard set of commercial checks – compliance, delivery capability, cash flow – information security requires deeper scrutiny, as that’s typically where the risks are highest. Regardless of their size and tenure, any supplier with access to sensitive data or systems could be responsible for a highly damaging security breach.
In a security context, establishing trust in the supply chain needs to be treated as an operational problem.
Given the limited resources available to them, buyers typically rely on well-established security certifications. These include ISO 27001 to assess a supplier’s information security effectiveness, ISO 9001 for quality management systems, and the National Cyber Security Centre’s (NCSC’s) Cyber Essentials schemes. However, these only give a limited picture. Our view at UP3 is that buyers should expect more and should feel entitled to ask for it.
The gap between certification and culture
For most public sector buyers, industry certifications create a filter for organisations that take security seriously. But a certificate proves that documentation and tested controls exist, and nothing more.
There are plenty of organisations that hold every badge and yet have questionable security in practice. And AI is making it easier for companies to generate the paperwork needed to tick the box that a standard demands.
When a convincing paper trail is cheap to produce, buyers need to understand more to fully understand a potential new supplier.
How UP3 goes beyond the standards
The culture behind policy and procedures is more important. At UP3, we see compliance against standards as offering a real opportunity to drive high standards in the business, rather than treating them as box-ticking exercises.
In line with ISO standards, we have an internal audit regime with independent checks to ensure documented procedures are being followed in practice. Many organisations of our size typically outsource this to another firm – treating audit as just a cost of business rather than a fundamental way of working.
We resource it entirely in-house, with people from across the business cross-checking other departments. The function is genuinely internal and empowered. It instils the understanding that our procedures are to be followed, not filed away on a dusty shelf.
Using ServiceNow to run it all, policies and procedures are accessible to all team members, with the day-to-day management and maintenance sitting in the same place.
There’s also the question of the people running the process. With overall oversight, as Chief Operating Officer at UP3, I bring a career’s worth of experience in cyber and national security. We also have an unusually high number of security-cleared personnel for an organisation of our size – resulting in a security-conscious culture.
How to stress test a supplier on security standards
If a buyer has the resources to enquire beyond the certifications, one interesting test can be how an organisation answers the question: “How many security incidents have you had in the last five years?” A reply of “zero” should be treated as a warning sign.
Minor incidents happen in every organisation, and most are inconsequential. But an organisation with a proactive security culture will be able to share how it records, investigates, and tracks every incident. It’s the same logic as health and safety: the firms that take it most seriously always log near misses, not just what they are obliged to report.
Buyers should feel entitled to speak to someone in the prospective supplier’s leadership team. They should speak openly about how security operates, discussing how the policies and procedures behind the certifications work in practice.
At UP3, we take an open approach to this – if a prospect asks to see documents, we share them with redactions where needed. A refusal of “we can't show you that, it's sensitive” is a red flag.
Why new standards strengthen supplier due diligence
The landscape is shifting, in a good way. Cyber Essentials continues to evolve and is far more stringent than when first launched by the NCSC in 2014. Cyber Essentials Plus is becoming a far more demanding and meaningful standard, with the latest “Danzell” question set in particular putting more emphasis on effective vulnerability management.
The relatively new Defence Cyber Certification is a framework for assessing the cyber resilience of organisations in the defence supply chain. Taking a risk-based approach, the more sensitive the contract, the higher the standard required. While its focus is on defence supply chain partners, we feel the model should be adopted far more widely.
A common framework for understanding risk and a common, stringent, assessment methodology that could be carried out once and referenced across defence and public sector organisations, would surely bring significant efficiencies and higher standards. It would replace the inconsistent, checkbox-style due diligence that has been too easy to pass for too long.
Demand a higher bar from suppliers
Size isn’t a proxy for trust. Under current frameworks, buyers take a degree of risk with every supplier they engage, large or small. The company's size is the wrong variable to focus on – instead, it is whether an organisation lives by the standards or merely holds the certification.
We welcome greater rigour. Public sector buyers should feel empowered to hold every potential supplier to a higher bar than today's frameworks require.
If you’re a public sector buyer weighing up a supplier – us or anyone else – talk to the people who run their security and ask to see the policies and evidence for yourself. We would be glad to have that conversation.