This article is part of the complete vendor management guide. For procurement outsourcing of IT category management specifically, see the relevant section in our procurement outsourcing guide.
Why IT Vendor Management Is Different
Three structural factors make IT vendor management distinct from every other spend category — and each requires a different response:
Higher Cybersecurity Stakes
Every technology vendor with system access is a potential security risk regardless of spend level. The NIST Cybersecurity Framework (CSF) is the US standard for the security controls that Tier 1 technology vendor due diligence should evaluate. A $30K IT support vendor with remote access to core infrastructure is a Tier 1 risk. See our
Different Contract Structure
Licence-based or subscription-based contracts rather than deliverable-based. Different SLA dynamics — uptime SLAs, feature delivery commitments, support response tiers. Different data ownership provisions are required — data portability, deletion upon termination, and format of export must be explicitly negotiated in technology contracts.
Disputed Ownership
Who owns IT vendor relationships — IT, procurement, or the business unit — is often unresolved. This governance gap is what SaaS sprawl thrives in. When nobody owns the relationship, nobody tracks renewals, utilization, or compliance. The result is 250+ applications and 30–40% underutilization.
The SaaS Management Problem
The average mid-size company pays for 250+ SaaS applications and 30–40% are significantly underutilized. Managing SaaS requires four core capabilities running simultaneously:
Complete Subscription Inventory
A full inventory of all active SaaS subscriptions — sourced from IT, Finance, AP, and direct business unit discovery. Shadow IT means this list is always larger than anyone expects. Start with a data pull from AP and corporate card statements, not from IT's asset management system alone.
Utilization Data
License utilization by application — how many of the 500 seats you pay for are actively used? For most SaaS applications, this data is available via the vendor's admin portal. Unutilized licenses are pure waste — typical underutilization savings range from 15–30% of the SaaS budget.
Centralized Renewal Calendar
A single renewal calendar covering all SaaS subscriptions with 90-day and 30-day alerts. Our
Procurement Routing Policy
A procurement policy routing new SaaS purchases through review before approval. This applies to subscriptions above a defined threshold — typically $500–$2,000/month. Below this threshold, a preferred vendor list and P-card with controls is more practical than a full approval workflow.
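The four capabilities above can be run as one script over the merged inventory. This is an added example, not tooling from the article or any vendor; the inventory rows, the reference date and the $2,000/month routing threshold (the top of the range quoted above) are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per subscription,
# merged from AP / corporate-card pulls and the vendor admin portals.
INVENTORY = [
    {"app": "CRM Suite",   "seats": 500, "active": 410, "monthly_cost": 25000, "renewal": date(2025, 8, 15)},
    {"app": "Whiteboard",  "seats": 200, "active": 60,  "monthly_cost": 1800,  "renewal": date(2025, 6, 20)},
    {"app": "Sketch Tool", "seats": 40,  "active": 38,  "monthly_cost": 400,   "renewal": date(2025, 12, 1)},
]
TODAY = date(2025, 6, 1)  # constructed reference date for the renewal checks

def utilization(sub):
    """Share of paid seats actually in use, from the vendor admin portal numbers."""
    return sub["active"] / sub["seats"]

def underutilized(inventory, threshold=0.5):
    """Applications below the 50% utilization mark: candidates for mid-term right-sizing."""
    return [s["app"] for s in inventory if utilization(s) < threshold]

def wasted_spend(inventory):
    """Monthly cost attributable to unused seats, summed across the portfolio."""
    return sum(s["monthly_cost"] * (1 - utilization(s)) for s in inventory)

def renewal_alerts(inventory, today, windows=(90, 30)):
    """(app, days_left, window) for each subscription inside its tightest alert window."""
    alerts = []
    for s in inventory:
        days_left = (s["renewal"] - today).days
        for w in sorted(windows):  # check 30 before 90 so the tightest window wins
            if 0 <= days_left <= w:
                alerts.append((s["app"], days_left, w))
                break
    return alerts

def routing(sub, threshold=2000):
    """Route by monthly cost: 'review' at or above the threshold, 'pcard' (preferred list + P-card) below."""
    return "review" if sub["monthly_cost"] >= threshold else "pcard"

if __name__ == "__main__":
    print("underutilized:", underutilized(INVENTORY))
    print("wasted monthly spend:", round(wasted_spend(INVENTORY)))
    print("renewal alerts:", renewal_alerts(INVENTORY, TODAY))
    for s in INVENTORY:
        print(s["app"], "->", routing(s))
```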
Security Due Diligence for IT Vendors by Tier
Any vendor failing to meet NIST CSF baseline controls should be classified Tier 1 risk regardless of spend level. Use our
| Requirement | Tier 1 | Tier 2 |
|---|---|---|
| SOC 2 Type II Report | ✓ Required (within 18 months) | Recommended |
| Security Questionnaire | ✓ Required | ✓ Required |
| Cyber Risk Rating (BitSight / SecurityScorecard) | ✓ Required | Optional |
| Breach Notification Obligations (contractual) | ✓ Required | ✓ Required |
| COI Including Cyber Liability | ✓ Required | ✓ Required |
| Data Processing Agreement | ✓ Required | ✓ Required |
IT Vendor Governance Model: Joint Ownership
Effective IT vendor management requires clear ownership across four functions — with a coordination mechanism that brings them together regularly. Without this structure, each party manages their slice without the integrated view needed for effective governance.
Procurement
Owns: commercial relationships and compliance. Contract negotiation, renewal management, vendor selection process, compliance documentation tracking, and spend visibility across the entire IT vendor base.
IT Security
Owns: security assessment. Security questionnaire review, SOC 2 evaluation, cyber risk rating monitoring, breach notification protocol, and security requirements definition for new vendor evaluations.
IT / ITAM
Owns: licence management. Application inventory, utilization tracking, licence optimization, renewal calendar maintenance, and software asset management across the SaaS portfolio.
Business Unit
Owns: performance accountability. Day-to-day vendor performance tracking, user adoption, SLA monitoring for their applications, and escalation of performance issues to procurement for contract enforcement.
The Coordination Mechanism
A regular IT vendor review meeting — monthly for Tier 1, quarterly for Tier 2 — that brings Procurement, IT Security, and ITAM together. This is where renewal decisions, risk alerts, and utilization data are reviewed together. Without this meeting, the governance model exists on paper but not in practice.
Frequently Asked Questions
Three factors make IT vendor management distinct: cybersecurity stakes are higher (every technology vendor with system access is a potential security risk), contract structures differ (licence-based or subscription-based with different SLA dynamics and data ownership provisions), and ownership is often disputed between IT, procurement, and the business unit — the governance gap that SaaS sprawl thrives in.
The average mid-size company pays for 250+ SaaS applications and 30–40% are significantly underutilized. Managing SaaS requires a complete inventory of all active subscriptions, utilization data, a centralized renewal calendar, and a procurement policy routing new SaaS purchases through review before approval.
For Tier 1 technology vendors: current SOC 2 Type II report (within 18 months), completed security questionnaire, cyber risk rating via BitSight or SecurityScorecard, and contractual breach notification obligations. For Tier 2: security questionnaire, COI including cyber liability, data processing agreement. All technology vendors should be evaluated against NIST Cybersecurity Framework baseline controls.
Effective IT vendor management requires joint ownership: Procurement owns commercial relationships and compliance. IT Security owns security assessment. IT/ITAM owns licence management. Business unit owns performance accountability. The coordination mechanism is a regular IT vendor review meeting — without this structure, each party manages their slice without the integrated view needed for effective governance.
Three steps: (1) Build a complete inventory from AP and corporate card statements. (2) Pull utilization data from admin portals — identify applications under 50% utilization. (3) Right-size licences before the next renewal, not at renewal. Most SaaS vendors will right-size mid-term to retain the relationship. Typical savings: 15–30% of the SaaS budget without eliminating any application.