Negotiating an IT security budget for a data loss prevention tool

Our security department finally got the go-ahead from management to begin the process of purchasing a DLP product. We've gotten bids from a few vendors, but the product that seems to be the best fit with our systems is more expensive than the original estimate I (the CISO) gave management. How would you recommend trying to convince them to go for the more expensive product?

There are a few approaches I'd take in this negotiation over a data loss prevention (DLP) tool.

First, to honor the "no surprises rule" I have with my manager, I would explain the current facts, such as the bid received, its comparison to the original estimate and considerations as to why the bid was higher than originally thought.

Take a hard look at the total cost of ownership (TCO) for the DLP system of choice and compare the TCO to the other systems considered. It may actually be lower than the other products in the long run, though the initial price offered may obfuscate that fact. Be sure you have done this homework before meeting with management to discuss the higher cost estimate for the IT security budget.

Secondly, I'd go back to the vendor of your preferred DLP tool to explain that you want their product, and that it seems to be the best fit for the organization; however, you have a challenge with the price offered and would like to negotiate a lower price and/or other add-ons such as free training, extra support hours, longer license duration, etc. In some instances this may not have an impact on the initial price vs. estimate problem, but you can use this to show management the extra value added by the preferred DLP vendor. If it is a cash flow concern with your company, you can also approach the DLP vendor to see if they offer anything like a deferred payment plan.

Thirdly, to avoid this problem in the future, be sure to collect information early in the bidding processes relative to how the product is assessed by such organizations as Gartner in its Magic Quadrant, various product reviews and other places. These third-party reviews may be useful when making your case, too.

Lastly, help management understand the cost benefit of going with the more expensive product. Don't forget to include information such as costs the DLP system can help the company avoid, such as fines or general costs of the breach notification process. According to the Ponemon Institute's Cost of a Data Breach study, the cost is approximately $204 per record breached. Statistics like these can demonstrate the increased value offered by the preferred DLP.

Remember, management needs to explain these procurement decisions to their senior management, too, and as such, you need to provide them enough quality evidence to help them explain why they chose the higher-priced DLP system.

This was first published in April 2010
