
How can CISOs get past security vendor hype and make smart purchases?

Security vendor hype is a problem CISOs often have to deal with. Expert Mike O. Villegas discusses some ways to cut through the hype and make smart purchasing decisions.

CISOs have to make decisions about which vendors and products to use in their organization, but vendors aren't always straightforward in their explanations of their products and services. What advice do you have for making sense of vendor hype and their fear, uncertainty and doubt methods to choose the best security products for an organization?

There is no silver bullet for information security and compliance. Some vendor offerings are better than others, but all have limitations that will undoubtedly not be mentioned by the salesperson.

They praise the strength of their product's features, how it can increase productivity and scope, and the financial benefits you will realize if you implement it. What they do not tell you is that the total cost of ownership (TCO) far exceeds the price of the product or service. They don't tell you that integrating the product with any new technology you add later will require an API. They provide studies that claim to prove there would be no significant impact on performance, availability, storage and memory consumption, or TCO. Is that lying? Or is that vendor hype?

Either way, they both result in the same unexpected budget overruns, performance hits, dissatisfaction or worse -- noncompliance or inadequate protection of corporate assets.

Vendors must make a living just like the rest of us. They will do anything within reason for a sale. A good salesperson will do everything in his power to convince you that his company's product can satisfy a need you might have, whether you realize it or not. We can't blame them for that; but if they extend the truth of their products or services beyond their capabilities, then that is clearly vendor hype.

The following steps can help minimize the chance of being a victim of security vendor hype:

  • Identify the need for a vendor product based on risk -- Risk can be measured by either security risk or compliance risk. Determine the proper level of protection necessary to secure mission-critical data and applications. Identify compliance requirements based on industry, regulations and laws, such as the Payment Card Industry Data Security Standard, the National Institute of Standards and Technology SP 800-53, HIPAA and so on.
  • Do not buy a security product on your own -- Never pay retail price. Negotiate a price that fits your budget and that still meets your need. Obtain management buy-in for procuring the product or service.
  • Perform more than one proof of concept (POC) in your environment -- A POC can never cover all the requirements and the entire scope of a production environment -- by its very nature, a POC takes shortcuts. This is acceptable for a POC, but not as the basis for a production environment implementation. Test more than one vendor product using the same selection criteria.
  • Functional POC testing -- At best, a POC is a functional test, since it is typically not performed in the production environment. The POC should also identify the functions and features the product does not provide and test for those gaps. This sizes the scope of control the product actually covers and reduces the risk of frustration later when the product does not behave as you anticipated.
  • Calculate the total cost of ownership -- TCO combines the total cost of technology (TCT), the total cost of risk and the total cost of maintenance. Do not consider only the price of the service or tool (i.e., the TCT).
  • Don't listen to the fear, uncertainty and doubt (FUD) -- FUD can be used as an attention-getter, but not for prolonged justification of the procurement of vendor products and services.
  • Actively participate in the POC -- Commit the level of engagement the need warrants. The vendor needs to see that the product addresses real business issues; otherwise, you may be perceived as not being serious and as a waste of the vendor's time.
  • Review key success metrics -- It doesn't need to be perfect to have value. Address the core business issues and ensure you can show value on the key success metrics you define within your POC scope.
  • Vendor references -- Vendor references should be for comparable customers in size, complexity and, preferably, industry. Calls to the customer should not include the vendor, so that, as much as possible, candid conversations can ensue.
  • Schedule procurements at EOQ or EOM -- Salespeople have sales quotas at end-of-quarter and end-of-month. Schedule procurements to leverage better deals for the product or service selected.

Lastly, do not waste a vendor's time if you do not have any intention of purchasing their product or service. We all know that management, at times, requires multiple bids when, in fact, you already know what product you want. That said, become familiar with your information security needs for protection and compliance. Research what products have the capabilities that will satisfy your needs, and work within your budget to identify those vendor solutions to POC. These steps will allow you to sift through the security vendor hype and focus on making the right selection.


This was last published in February 2017


What strategies do you use to get through vendor hype?
Mike makes a great point about vendors using FUD (fear, uncertainty and doubt). Sometimes it's valid though. Companies with a mature security posture have assessed their risk to understand what assets are most important and how vulnerable they are. Then they can CHOOSE what risks are acceptable and which ones need to be remediated or mitigated. This decision could result in investing in new technology or better utilizing the technology they've already got.

While I appreciate this article, I take exception to your characterization of the role of a vendor's sales person. When you say "vendors aren't always straightforward in their explanations of their products and services" and that "A good salesperson will do everything in his power to convince you that his company's product can satisfy a need you might have", I feel as though you not only malign the efforts of many hardworking IT sales people, but also misunderstand and misstate the role of the sales person.

The role of a good sales person is to be the most authentic voice understanding the vendor's capability and the customers' needs. It has been my experience that when mistakes and misalignments occur, they often occur because the buyer has failed to fully engage in the early discovery and scoping of the project.

A part of this misalignment often occurs because some buyers pay little attention to the early call with vendors, rather than focusing on qualifying the vendor.

Often buyers attempt to negotiate pricing for services that have not yet been identified, as in "if your product is expensive, you can forget about". When I hear this I often wonder what product they are talking about and what is expensive?

To my way of thinking, the best way for organizations to find the best vendor fit is to fully engage the vendor, unpack all of the vendor's capabilities, fully understand how these capabilities fit within your organization and then work with the sales person on a price that is commensurate with the service being purchased.

A good process is a joint effort, and not an adversarial one.