NETWORK SECURITY TACTICS

How to buy security products: Eight steps to not losing your shirt


Mike Rothman
10.16.2007


Buying products or services is either the best or the worst part of being a security professional. In any kind of competitive market -- like information security -- the competition is brutal and the vendors will bend (dare I say, break) the truth in order to get the sale.

I get a little frustrated when I hear about organizations dropping six figures on a product they've never tested, or when they spend seven figures on a product that gathers dust on the shelf. Even in this day of multi-billion-dollar behemoths, it turns my stomach to see outrageous sums squandered because neither technologists nor business managers understand how to buy enterprise security products.

I've outlined an eight-step strategy for how to buy security products, which is designed to return control of the buying process to the security pro. Sales professionals are trained to seize control of the process and convince their prospects that they need what the vendor is selling. Reps do their best to lead the prospective customer through a structured sales cycle to achieve that goal.

Sometimes these sales cycles align with what customers want to accomplish, but most often, they don't. So my process is built around the security manager's needs, to make sure an organization buys the right product, at the right time, for the right price.

  • Step 1: Lay the foundation -- It's the buyer's responsibility to know what he or she needs to buy and why. Vendors will try to create a buying catalyst when they contact a potential customer, but that is like pushing on a string. To buy something correctly, a security team needs to have a budget and an approved project ahead of time. The key to being able to secure funding for these projects is to relate them to business requirements.
  • Step 2: Assemble the "team" -- If you are lucky enough to have resources, assemble a team to drive the project. The effort will need a leader (someone who ultimately accepts accountability for the success of the project) and probably a technical lead or group to conduct the actual evaluation.
  • Step 3: Educate -- An educated buyer is the best buyer, whether the vendors admit this or not. So this step is to give buyers a broad understanding of the problem they are trying to solve and some best practices for how to solve it. The objective is not to learn everything about the issues involved, which would take too long, but to have enough knowledge to ask the right questions. There are many good resources on the Internet, including many on SearchSecurity.com that can provide the requisite background to get started.
  • Step 4: Engage -- At this point, a security manager can approach vendors and/or resellers to start the actual procurement process. An organization will want to develop a long list of suppliers. The long list is the set of providers that "may" be able to meet the requirements you defined in Step 1. One way to narrow the long list is to run a formal RFI/RFP process, since that allows the vendors to self-select whether they believe they can meet your needs.
  • Step 5: The bake-off -- Depending on the amount of lab resources and the criticality of the project, test a few of the products on the long list -- probably not all of them, but more than two. Although it's not practical to do a production deployment of the products, you want to set up a testing scenario that both exercises each product you are evaluating and confirms that it meets the requirements of your project. Pay special attention to the claims that vendors make, and validate that they are not stretching the truth on points that are critical to your project's success.
  • Step 6: The short list -- Most people think the short list is determined before the bake-off. Well, think again. Vendors make the short list if the lab evaluation shows that their products will meet your requirements and solve your business problem. Again, there should be at least two vendors on the short list. You don't really want to restrict the short list at this point, because the more parties you have to negotiate with, the more likely you are to get what you need at the price you want.
  • Step 7: Negotiation -- Ah, my favorite part of the process. If a company has done the job right, it will have at least two vendors that can get the job done, and can now pit them against each other and watch the fireworks. Artfully done, this can save 50% off the initial bids, because at this point the vendors have invested enough in the deal that they don't want to lose it. Basically, you play each vendor against the other(s). Since each can meet the requirement, you have the power in the negotiation. Don't be afraid to walk away and go to the next provider.
  • Step 8: Selection -- As much fun as it is to see vendors locked in a death struggle, eventually you'll need to make a decision. With the correct process in place, the selection is easy. Then the fun part starts, which is making it work. The good news is that if for some reason the vendor you pick doesn't work out, you have a bunch of other short-listed vendors that would be happy to jump in and take over.

This process will not work in every case. If an organization is an early adopter type and there is only one vendor that can meet its needs, then it has no leverage. Likewise, there are times where politics trumps functionality and the best price.

But in most cases, when a security team is looking to solve a business problem in the most expedient and cost-effective way, following these eight steps can help it achieve its goals and avoid costly mistakes.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

All Rights Reserved, Copyright 2003 - 2008, TechTarget