
How should enterprises start the vendor management process?

The security vendor management process can be tricky, especially at the beginning when deciding what to buy and from whom. Expert Mike O. Villegas has some advice.

My organization is considering making new security purchases, but we have a limited budget and we're wary of getting caught up in vendor hype and falling victim to the "shiny object syndrome." Should my organization have basic guidelines for security purchasing and vendor procurement? What questions should our CISO ask before meeting with and vetting potential vendors, and are there common pitfalls we should avoid?

CISOs are bombarded several times a day by vendors that claim to have the answer to all their problems. Some vendors are so relentless that even if theirs is the superior product, the CISO would rather not hear from them again. The challenge is what to purchase and from whom.

Once you know what product you need -- SIEM, FIM, NGFW, WAF, antivirus, antimalware, DLP, and the list is ever expanding -- start the security vendor management process by selecting the players.

Identify the players: Reliable sources for finding potential vendors are the Gartner Magic Quadrant or Forrester Wave. Who are the players in the space you are interested in? Look at the upper right-hand quadrant and read up on their attributes. Don't just pick the least expensive -- although sometimes open source may be the right choice.

Short list: Pick a short list of players that have favorable ratings. If you are connected with other CISOs, pick up the phone and ask them for their opinion.

Proof of concept: Once you have identified a short list, the next step in the security vendor management process is to call the vendors and set up a proof of concept (POC). Review marketing collateral for appropriateness and perform a cursory company background assessment. Schedule a vendor presentation and invite subject matter experts (SMEs). The POC will cost the enterprise some money, since it requires internal resources to test the product. Make sure you have a non-disclosure agreement drawn up, and develop selection criteria based on features, platform (appliance or software), resources and skills required, and cost. Rate all the products using the same selection criteria so they are on an equal footing.

The POC should not be tested using live data or in production. But you still have to assess the impact on your environment by considering:

  • The expected events per second in the POC test environment, and an estimate of what it would be in production;
  • The logging activity and how much storage it would require;
  • Whether the logging activity would be in-line or out-of-line, and the respective effect on latency in production;
  • If the package requires agents on target devices, the footprint of the agent and any latency, performance or accessibility issues it would cause in production; and
  • If special training, skills or SME resources are required, whether you need to hire from outside your organization, or whether they will be provided by the vendor or another professional services firm.

Reference calls: All vendors must provide references. Pick those references that are similar to your environment and industry. Request that only you and the reference be on the call -- not the vendor. Make sure the reference does not have a conflict of interest with the vendor. Ask the reference what the driver was for looking for a vendor product. How long have they had the product? What other products did they look at? Did they run a POC? Why did they choose this one? Were they satisfied with the POC engineer? Was the engineer knowledgeable and responsive? Did they spend a lot of time making it run in their environment? Now that they have had time with the product, what doesn't it do that they would have liked to have seen? Do they believe the cost was fair and matched the product's value?

Cost: Cost should not be the primary factor for selecting a product. Cost is relative, but all prices are negotiable with the vendor. Never pay list price. See if the package can be bundled with other products from the same vendor. Hold off for month-end, quarter-end or year-end to decide, if possible. Vendors have sales goals that you can use as leverage on cost, but don't waste the vendor's time if you have no intention of buying. If the cost difference between vendors is significant, determine whether the additional functionality outweighs the cost delta. If the cost is greater than your budget, determine whether the estimated ROI outweighs the cost delta. Share the cost with the information security, network, IT, development, audit, risk management and compliance teams, and see if they can also use the product. If the product is software, consider downloading it to save on taxes.

Executive management buy-in: No one likes surprises, including management. Don't inform executive management what the product will cost until the end of your negotiations with the vendor. Keep track of your budget and never let the vendor know what it is. Keep management informed of the vendor management process negotiations. Get legal buy-in on the product; this helps management feel comfortable with the purchase. Also get IT buy-in on the product. Always show executive management that you performed due diligence in your selection. Once negotiations have been completed, show the list price versus the actual cost of the product. Make your management look good and ultimately you will look good too. Pretend this is your company and you are making the decision to buy. Would you?

Contract negotiations: Have someone in the legal department help you with contract negotiations. Make sure the contract has terms and conditions for both the POC and the purchase. Review the license agreement, maintenance costs and renewals. Sometimes, after all the time spent on the POC, one or both legal departments (yours and the vendor's) may not agree, and the result may be no sale. Most of the time, contract negotiations are mutually agreeable. Make sure there is a termination clause -- for cause or for non-cause. The contract should have a bilateral limitation of liability clause and a right to audit clause. If code or software is involved, consider escrow clauses and, of course, non-disclosure clauses.

Don't buy a Cadillac if a Chevy pickup truck will do. Select the right product, not the best. The best product is sometimes the most expensive, but given your business model, budget and need, the right product is your goal. Make sure the selected product is scalable as your company grows. There may be other factors given your industry, your business culture and the skill set of your staff, but you should buy what you need and not necessarily what you want.


This was last published in November 2015
