Buying products or services is either the best or the worst part of being a security professional. In any kind...
of competitive market -- like information security -- the competition is brutal and the vendors will bend (dare I say, break) the truth in order to get the sale.
I get a little frustrated when I hear about organizations dropping six figures on a product they've never tested, or when they spend seven figures on a product that gathers dust on the shelf. Even in this day of multi-billion-dollar behemoths, it turns my stomach to see outrageous sums squandered because neither technologists nor business managers understand how to buy enterprise security products.
Sometimes these sales cycles align with what customers want to accomplish, but most often, they don't. So my process is built around the security manager's needs, to make sure an organization buys the right product, at the right time, for the right price.
- Step 1: Lay the foundation -- It's the buyer's responsibility to know what he or she needs to buy and why. Vendors will try to create a buying catalyst when they contact a potential customer, but that is like pushing on a string. To buy something correctly, a security team needs to have a budget and an approved project ahead of time. The key to being able to secure funding for these projects is to relate them to business requirements.
- Step 2: Assemble the "team" -- If you are lucky enough to have resources, assemble a team to drive the project. The effort will need a leader (someone who ultimately accepts accountability for the success of the project) and probably a technical lead or group to conduct the actual evaluation.
- Step 3: Educate -- An educated buyer is the best buyer, whether the vendors admit this or not. So this step is to give buyers a broad understanding of the problem they are trying to solve and some best practices for how to solve it. The objective is not to learn everything about the issues involved, which would take too long, but to have enough knowledge to ask the right questions. There are many good resources on the Internet, including many on SearchSecurity.com that can provide the requisite background to get started.
- Step 4: Engage -- At this point, a security manager can approach vendors and/or resellers to start the actual procurement process. An organization will want to develop a long list of suppliers. The long list is set the of providers that "may" be able to meet the requirements you defined in Step 1. One way to define the short list is to consider doing a formal RFI/RFP process, since that will allow the vendors to self-select whether they believe they can meet your needs.
- Step 5: The bake-off -- Depending on the amount of lab resources and the criticality of the project, test a few of the products on the long list -- probably not all of them, but more than two. Although it's not practical to do a production deployment of the products, you want to set up a testing scenario that both exercises the product you are evaluating and ensures they meet the requirements of your project. Pay special attention to the claims that vendors make to validate that they are not stretching the truth on points that are critical to your project's success.
- Step 6: The short list -- Most people think the short list is determined before the bake-off. Well, think again. Vendors make the short list if the lab evaluation shows that their products will meet your requirements and solve your business problem. Again, there should be at least two vendors on the short list.. You don't really want to restrict the short list at this point, because the more parties you have to negotiate with, the more likely you are to get what you need at the price you want.
- Step 7: Negotiation -- Ah, my favorite part of the process. If a company has done the job right, it will have at least two vendors that can get the job done, and can now pit them against each other and watch the fireworks. Artfully done, you can save 50% off the initial bids because at this point, the vendors have invested enough in the deal that they don't want to lose it. Basically you play each vendor against the other(s). Since each can meet the requirement, you have the power in the negotiation. Don't be afraid to walk away and go the next provider.
- Step 8: Selection – As much fun as it is to see vendors locked in a death struggle, eventually you'll need to make a decision. With the correct process in place, the selection is easy. Then the fun parts starts, which is making it work. The good news is that if for some reason the vendor you pick doesn't work out, you have a bunch of other short listed vendors that would be happy to jump in and take over.
This process will not work in every case. If an organization is an early adopter type and there is only one vendor that can meet its needs, then it has no leverage. Likewise, there are times where politics trumps functionality and the best price.
But in most cases, when a security team is looking to solve a business problem in the most expedient and cost-effective way, following these eight steps can help it achieve its goals and avoid costly mistakes.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.