Ask the Expert

Negotiating an IT security budget for a data loss prevention tool

Our security department finally got the go-ahead from management to begin the process of purchasing a DLP product. We've gotten bids from a few vendors, but the product that seems to be the best fit with our systems is more expensive than the original estimate I (the CISO) gave management. How would you recommend trying to convince them to go for the more expensive product?

There are a few approaches I'd take in this negotiation over a data loss prevention (DLP) tool.

First, to honor the "no surprises rule" I have with my manager, I would explain the current facts, such as the bid received, its comparison to the original estimate and considerations as to why the bid was higher than originally thought.

Take a hard look at the total cost of ownership (TCO) for the DLP system of choice and compare the TCO to the other systems considered. It may actually be lower than the other products in the long run, though the initial price offered may obfuscate that fact. Be sure you have done this homework before meeting with management to discuss the higher cost estimate for the IT security budget.

Secondly, I'd go back to the vendor of your preferred DLP tool to explain that you want their product, and that it seems to be the best fit for the organization; however, you have a challenge with the price offered and would like to negotiate a lower price and/or other add-ons such as free training, extra support hours, longer license duration, etc. In some instances this may not have an impact on the initial price vs. estimate problem, but you can use this to show management the extra value added by the preferred DLP vendor. If it is a cash flow concern with your company, you can also approach the DLP vendor to see if they offer anything like a deferred payment plan.

Thirdly, to avoid this problem in the future, be sure to collect information early in the bidding process on how the product is assessed by organizations such as Gartner in its Magic Quadrant, in various product reviews and elsewhere. These third-party reviews may be useful when making your case, too.

Lastly, help management understand the cost benefit of going with the more expensive product. Don't forget to include the costs the DLP system can help the company avoid, such as fines or the general costs of the breach notification process. According to the Ponemon Institute's Cost of a Data Breach study, the cost is approximately $204 per record breached. Statistics like these can demonstrate the increased value offered by the preferred DLP.

Remember, management needs to explain these procurement decisions to their senior management, too, and as such, you need to provide them enough quality evidence to help them explain why they chose the higher-priced DLP system.

This was first published in April 2010
