Advisory & Programmes

Recognising vendor-independent advice

Three behavioural tests you can use yourself to determine whether a security adviser is genuinely independent, or merely vendor-led in a neutral guise

Vendor-independent advice is advice in which the diagnosis of the problem is separate from the sale of a solution. The adviser first establishes what actually affects a specific organisation in its landscape and its way of working, and only then does a recommendation follow, which is sometimes a tool, sometimes no tool, and sometimes "do something else first". An adviser who earns revenue from the resale, implementation or licensing of the product they recommend cannot structurally take this position. The label "vendor-agnostic" or "vendor-neutral" says little about that. What matters is behaviour, and behaviour is testable before you sign a quotation.

This piece is about how to determine for yourself whether an adviser is genuinely independent. The remainder works out three tests that assess the claim of independence on behaviour rather than marketing, and closes with the question that governs the purchasing decision: what you are left with in the relationship if the recommendation turns out to be something the adviser does not deliver themselves.

Why "vendor-agnostic" says nothing without a behavioural test

The Dutch advisory field is full of parties that call themselves independent. Resellers in a neutral guise, MSPs that recommend their own stack, boutiques with a single preferred supplier that recurs in every diagnosis. The problem is not that this exists. The problem is that the label excludes nothing. Any party that delivers security work can call itself agnostic, and no one stands on the other side of that claim with an assessment framework.

The usual reflex is then to look at the tool portfolio. How many suppliers does the firm carry? How many certifications across different products? That measures little. An adviser who carries fifteen tools can still recommend the same three to every client, because that is where the margin sits. An adviser who carries only two tools may have had hundreds of client situations in which they established that neither one fitted and advised accordingly. The number of logos on the partner page is a noise signal.

What does count is what happens at the three moments where independence proves itself or evaporates: at the diagnosis, at the recommendation, and at the outcome. ENISA repeatedly points, in its Threat Landscape, to the pattern where organisations buy tools that do not align with their specific risk profile, with the result that the telemetry is there but detection lags behind. That pattern is not a tool problem. It is a diagnosis problem that was solved with a tool, and that is where the difference sits that makes independence recognisable.

Which three tests show whether an adviser is genuinely independent?

The three tests work on behaviour you can already observe in a first conversation or a first assignment. None of the three asks for the adviser's internal documents. They are designed to be used as a buyer, not as an auditor.

The diagnostics-first test. Ask an open question about a current problem, without context on your preferred direction or the tools you already run. For example: "Our detection is lagging and we don't know whether that's down to the rules or the telemetry." What does the adviser do in the first five minutes? Do they probe further about your landscape, your ways of working, what is actually affected, and what the underlying issue is? Or do they arrive within three sentences at a product category and which brand they recommend there? An adviser who puts the diagnosis before the solution asks first. A vendor-led adviser recognises a keyword in your sentence and links it to their portfolio. The difference is immediately audible.

The interest test. Ask explicitly: "If you recommend something, what does your organisation earn from the implementation or resale of that advice?" An independent adviser can answer this easily. They name where they do have margin, licence income or an implementation relationship, and where they do not, at the moment you make a choice based on their advice. An adviser who ducks behind "we are independent" without answering the question gives the answer by doing so. This is one of the two behavioural tests that NEN explicitly names in its guidelines for independent audits and assessments: transparency about financial interests at the moment of the recommendation, not afterwards in the small print.

The departure test. Ask what remains once the assignment is finished, and who then owns the outcome. An independent adviser describes an organisation that can carry on by itself: your people, your policy, your architecture. They build alongside you until it stands and then leave. A vendor-led adviser describes an ongoing relationship through a platform, a managed service or a licence that has to be renewed each year, because that is their revenue model. That is not a reproach, it is a business model. But it determines where their interest lies in the direction of the advice, and therefore what they will see in your landscape.

These three tests relate to one another as a chain. If the first fails (the adviser does not diagnose before diving into a solution), then the other two are no longer relevant. If the second fails (the adviser cannot give a transparent answer about their interests), then the advice rests on loose ground, however sharp the diagnosis was. If the third fails (the adviser builds not an organisation but a dependency), then you have not been advised independently but have taken on lock-in under a neutral flag.

What independence is not, and where the claim usually goes wrong

Independence is not the absence of tools. An adviser who carries no supplier at all, because they build everything themselves or only deliver reports, is as unsuitable for most assignments as a reseller who sells only one brand. Independence is that tools are a means to realise a capability, sometimes a necessary means, sometimes an opportunity, never the entry point of a relationship and never the primary goal. The question is not whether the adviser knows tools or even has a preference for some tools. The question is whether the order is right: problem, diagnosis, solution, and only then a choice that sometimes falls within, sometimes outside, their own portfolio.

Independence is also not the same as objectivity. An independent adviser has views, preferences and experiences that colour outcomes. That is as it should be, otherwise you are buying consulting expertise without a compass. What makes them independent is that those preferences arise from knowledge, experience, market insight and absorptive capacity, not from a resale portfolio. The Netherlands National Cyber Security Centre (NCSC) notes, in its guidance for procuring services, that the required separation between advice and delivery is intended to make interests recognisable, not to wash away expertise or opinion. An adviser without an opinion is not an independent adviser. Neither is an adviser with an opinion that happens always to arrive at their own revenue model.

The claim "vendor-agnostic" usually fails on the second of the three tests. The diagnosis looks thorough, the advice looks sensible, and only at the moment of the recommendation does it emerge that the adviser has an implementation relationship with precisely the supplier they recommend. That is not a conspiracy, it is how many advisory models work. What the buyer can do is not to change the world, but to enforce transparency at the moment the choice is made. Then they can weigh whether the advice holds up, or whether it is coloured by interest. Both are possible, and both are worth a conversation.

What this means for the purchasing decision

For the CISO who accounts internally for the choice of an adviser: the usable summary is that independence is not a label you buy, but behaviour you test in the first two conversations and in the first assignment. To the CFO and the board the message is more businesslike: an independent adviser does not cost more than a vendor-led adviser, they sometimes cost less, because they do not sell a solution you would not otherwise have bought. What they do cost is an honest diagnosis that sometimes says unwelcome things about what has to happen first. That is precisely the value, and it is precisely what becomes recognisable in advance through the three tests.

The logical next step is not to send out an RFP stating that the adviser must be "vendor-agnostic", because every party ticks that box. Instead, put the three tests into the first conversation. Ask a diagnosis question without context and watch what the adviser does in the first five minutes. Ask explicitly about interests at the moment of the recommendation. Ask what remains once they have gone. Three answers, and you have more information than a comparison of quotations gives you. Set your own situation against these three tests, and if an adviser ducks on any one of the three, you know the label does not cover what lies beneath.
