Vendors offer compliance help but are not compliant themselves
Submitted by Andreas Antonopoulos on Fri, 2007-04-06 13:20.

Regulatory compliance offers security vendors a tremendous opportunity to hitch their sales pitch to something that has a dedicated budget. As a result we see many vendors touting compliance as a feature, even if all they actually deliver is a report that (possibly, with a bit of massaging) can be used to document compliance.
But while vendors tout their ability to make you compliant, they often forget to be compliant themselves. Many regulated industries require that companies use vendors who follow best practices and have proven compliance with certain regulations. A security architect participating in our Security and Information Protection research commented: "Our internal requirements say that anybody who delivers services for us has a SAS 70, yet when we speak with a lot of vendors they do not understand what a SAS 70 is or why it is necessary. They don't have those docs or auditing functions in place. It makes it very difficult for us to purchase a product if they do not have those capabilities in place."
Beyond SAS 70, many companies require that their vendors undergo regular internal and external audits, have published and enforced security and privacy policies, and comply with privacy regulations such as GLBA, HIPAA or FERPA.
As an IT executive, you should ask your vendors to provide assurances that they are compliant with the regulations that affect you, and make that a requirement of your RFPs and MSAs. Vendors, for their part, should look at the industries they serve and implement compliance programs and audit reports as a competitive differentiator.