Problem solve Get help with specific problems with your technologies, process and projects.

Negotiating an IT security budget for a data loss prevention tool

If your enterprise is considering a DLP purchase, read this expert response for advice on getting the information security budget to buy the best product possible.

Our security department finally got the go-ahead from management to begin the process of purchasing a DLP product....

We've gotten bids from a few vendors, but the product that seems to be the best fit with our systems is more expensive than the original estimate I (the CISO) gave management. How would you recommend trying to convince them to go for the more expensive product?

There are a few approaches I'd take in this negotiation over a data loss prevention (DLP) tool.

First, to honor the "no surprises rule" I have with my manager, I would explain the current facts, such as the bid received, its comparison to the original estimate and considerations as to why the bid was higher than originally thought.

Take a hard look at the total cost of ownership (TCO) for the DLP system of choice and compare the TCO to the other systems considered. It may actually be lower than the other products in the long run, though the initial price offered may obfuscate that fact. Be sure you have done this homework before meeting with management to discuss the higher cost estimate for the IT security budget.

Secondly, I'd go back to the vendor of your preferred DLP tool to explain that you want their product, and that it seems to be the best fit for the organization; however, you have a challenge with the price offered and would like to negotiate a lower price and/or other add-ons such as free training, extra support hours, longer license duration, etc. In some instances this may not have an impact on the initial price vs. estimate problem, but you can use this to show management the extra value added by the preferred DLP vendor. If it is a cash flow concern with your company, you can also approach the DLP vendor to see if they offer anything like a deferred payment plan.

Thirdly, to avoid this problem in the future, be sure to collect information early in the bidding processes relative to how the product is assessed by such organizations as Gartner in its Magic Quadrant, various product reviews and other places. These third-party reviews may be useful when making your case, too.

Lastly, help management understand the cost benefit of going with the more expensive product. Don't forget to include information such as costs the DLP system can help the company avoid, such as fines or general costs of the breach notification process. According to the Ponemon Institute's Cost of a Data Breach study, the cost is approximately $204 per record breached: Statistics like these can demonstrate the increased value offered by the preferred DLP.

Remember, management needs to explain these procurement decisions to their senior management, too, and as such, you need to provide them enough quality evidence to help them explain why they chose the higher-priced DLP system.

This was last published in April 2010

Dig Deeper on Information security program management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.