Your vendor is resisting security updates for your ERP platform. How will you navigate this challenge?
When your vendor resists implementing critical security updates for your ERP platform, it’s essential to address this firmly and strategically. Consider these actions:
- Highlight the risks. Clearly outline the potential dangers of not updating, including data breaches and compliance issues.
- Leverage contracts. Review your service agreements for clauses that mandate security measures and use them in negotiations.
- Explore alternatives. If resistance persists, assess other vendors who prioritize security, signaling your readiness to switch if necessary.
How have you influenced vendors to adopt necessary changes? Share your experiences.
-
Ensure clear communication about the importance of the security update and engage with the relevant teams to understand any challenges they may be facing. Collaborate closely with the vendor team to develop an upgrade plan as soon as possible. If the vendor is uncooperative or resistant, proactively explore alternative providers.
-
I believe the resistance can be due to the fear of potential functionality issues post-update, because it is going to be a lot of work for both. However, security isn't negotiable, so preparation is the only way ahead, and to get through it together. A clause in the contract is always recommended, but the prep-work with enough and required scenarios can help BAU.
-
The issue itself is self-explanatory, but we need to approach the issue with unbiased thoughts.
  - First of all, we need to understand why the vendor is resisting the security update.
  - After understanding the issue, we need to help him understand the importance of the process.
  - If even that is not enough to be on the same page, then aggressive measures can be taken.

In a conflict between an organisation and a vendor, the approach should be collaborative instead of conflict. Vendors are an integral part of any process, and we should understand the differences in the thought processes to draw any conclusions.
-
Document the security risks: Build a clear business case showing the specific vulnerabilities these missing updates expose, potential impact on organization (data breaches, compliance issues, etc.), and estimated costs of a security incident.

Review contract and SLA: Check what security obligations the vendor has committed to. Many contracts require vendors to maintain reasonable security standards and provide timely updates.

Consider these strategies:
  - Escalate within the vendor organization to higher management.
  - Engage your legal team to review options if the vendor is breaching security obligations.
  - Propose a phased update approach if they're concerned about business disruption.
  - Bring in a third-party security consultant to mediate.
-
Well, this may be that time when you change the vendor and change/update the ERP. This was one of the key advantages that Cloud brought to industry. Security in this day and age isn’t a matter of decision; it is a matter of the very existence of businesses.
-
The security updates are very crucial and critical; however, they have to be deployed during downtime, when business activities are not being done in the software system. Hence, when the security update is ready, we start taking regular backups of the software system to make sure we have the data in case there is any issue of the system being in the older version. After that, we implement the security update in the development and quality environments and do testing to make sure that the security update is working fine and does not break the existing system. Then we work with the business to schedule a downtime when we can implement the security update, and we do smoke testing and implement the changes in the production system.
-
I would dare to say that, today, 100% of the suppliers we work with are completely aligned with the strict requirements that our company has established in terms of information security. This is a reflection of the commitment we have to ensuring that our processes and data are protected against any threat.
-
To address a supplier's resistance to security updates for an ERP platform, start by understanding their reasons, such as technical limitations or cost concerns, and clearly communicate the risks of not updating, like vulnerabilities to cyberattacks. Work collaboratively to negotiate solutions, possibly adjusting update schedules or offering additional support, and review contracts to ensure security commitments are formalized. If resistance persists, consider escalating the issue within the supplier's organization and explore technical alternatives or other suppliers that prioritize security, while ensuring compliance with relevant regulations.