Our security department finally got the go-ahead from management to begin the process of purchasing a DLP product.
We've gotten bids from a few vendors, but the product that seems to be the best fit with our systems is more expensive than the original estimate I (the CISO) gave management. How would you recommend trying to convince them to go for the more expensive product?
There are a few approaches I'd take in this negotiation over a data loss prevention (DLP) tool.
First, to honor the "no surprises" rule I have with my manager, I would lay out the current facts: the bid received, how it compares to the original estimate, and why the bid came in higher than originally expected.
Take a hard look at the total cost of ownership (TCO) of the DLP system you prefer and compare it with the TCO of the other systems considered. Once license fees, implementation, integration, policy tuning, ongoing administration and support are all counted, the preferred product may actually be cheaper over its lifetime, even though its higher initial price obscures that fact. Be sure you have done this homework before meeting with management to discuss the higher cost estimate for the IT security budget.
Second, I'd go back to the vendor of your preferred DLP tool and explain that you want its product and that it seems to be the best fit for the organization, but that the price offered is a problem and you would like to negotiate a lower price and/or add-ons such as free training, extra support hours or a longer license term. This may not close the gap between the bid and the original estimate, but it lets you show management the extra value the preferred DLP vendor is willing to add. If the issue is cash flow rather than total price, also ask the vendor whether it offers a deferred payment plan or a phased purchase.
Third, to avoid this problem in the future, collect information early in the bidding process about how each product is assessed by third parties such as Gartner (in its Magic Quadrant), independent product reviews and other sources. These third-party assessments may also be useful when making your case to management.
Lastly, help management understand the cost benefit of going with the more expensive product. Don't forget to include the costs the DLP system can help the company avoid, such as regulatory fines and the general cost of the breach notification process. The Ponemon Institute's Cost of a Data Breach study put the average cost at approximately $204 per record breached. Statistics like these can demonstrate the increased value offered by the preferred DLP product.
Remember, management needs to explain these procurement decisions to its own senior management, too, so you need to give them enough quality evidence to explain why they chose the higher-priced DLP system.
Related Q&A from Ernie Hayden