You get daily phone calls and e-mails from vendors claiming that your organization's data is at terrible risk -- unless you buy their product. This best practices column provides seven ways to save you time and money while effectively managing vendor pitches.
Learn to say "no". You don't have to meet with every vendor who calls you with a new product or service. This may seem obvious, but a good salesman will be persistent in trying to get a face-to-face meeting, which may tempt you to agree just to be polite or get them off your back. However, this approach wastes your time and the vendor's -- what's more, spending time with unneeded vendors affects your organization's bottom line by keeping you from managing more pressing issues.
Set vendors straight. Sales folks are smart and don't like to take "no" for an answer. If they can't get a meeting with the people who are directly responsible for the area where their products fit, they may call around looking for a side door to get into the organization. When you get a call from a vendor pitching a product that falls under another department's purview, refer them to the correct department head.
Prepare the vendor for the meeting. Tell vendors upfront about your needs and expectations. At a minimum, let them know where you are in the decision cycle, and confirm whether or not funding has been allocated for potential use of their products. Identify who on your team will attend the
Get your pre-meeting paperwork in order. Discussing the logistics for potentially deploying security products and services typically requires you to share details with vendors about your organization's networks, systems and procedures. Consider having your legal department draft a joint non-disclosure agreement (NDA) that gets signed by officers of both companies prior to the meeting. Having an NDA in place early in the process protects both parties, and may encourage vendors to share information on future product development plans. Don't underestimate the time it will take to get an NDA signed -- the legal folks at both companies may require multiple rounds of edits before they are ready to approve the agreement.
Prepare your team members via meeting invitation details. Your meeting invitation should include a two-sentence summary about the vendor and why you've invited them in for a chat. For example, "Acme Software is coming in to demonstrate their new security event management package, which correlates IDS alerts, firewall logs, vulnerability scans and syslogs. We are considering this product for use in the network operations center as part of the security monitoring upgrade project funded for 2005. The company's Web site is…"
Document the process. Assign someone from your team to take meeting minutes, including the names and contact information for all attendees, key points discussed and action items that need to be addressed after the meeting (i.e., unanswered questions from both sides). Circulate the meeting notes to all of the attendees from your organization shortly after the meeting.
Follow up with vendors and team members after the meeting. There are a number of tasks that you need to complete after the meeting ends. Ensure questions on both sides are answered and the information is distributed. Get feedback from the attendees -- Did the vendor's presentation make them want to proceed further? Did they note any items of special interest? Analyze the feedback and develop an outcome statement for the meeting, such as follow-up meetings, product evaluations or "don't call us, we'll call you." Clearly communicate the outcome to the vendor in a timely fashion.
These best practices will go a long way to saving you time and frustration caused by unsolicited vendor calls. The bottom line: Understanding vendors' needs and making them understand those of your organization is key to developing a positive working relationship.
About the author
Al Berg, CISSP, is a technical director in the Corporate Information Security Department of a firm providing computer services to the financial services industry. Al has been in the information security industry for more than 10 years and has provided consulting services to major corporations and the U.S. Defense Department. Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on networking and security topics, including some in our sister publication Information Security magazine.
This was first published in December 2004