Could you imagine walking into a car dealership without:
- Knowing what type of vehicle you need
- Having a budget in mind
- Researching available models
- Plans to test drive some options
What about buying on the spot because you’re getting a “great deal”?
No way, right? Who would buy so recklessly?
But this approach – little or no planning, poor testing, bogus discounting from vendors – is how many organizations go about selecting new information security solutions.
There has to be a better way. And there is.
Technical Buyer Blues
Information security teams often do a poor job:
- Utilizing the solutions they have
- Assessing real business needs
- Analyzing existing infrastructure
- Researching and testing solutions
- Preparing for ongoing operation, support, and maintenance
Technical buyers often base decisions on documents provided to them by vendors – not from first-hand experience.
Procurement Bad Habits
The first question procurement teams should ask is: “do we need another solution?”
The next question should be: “can’t we use something we already have?”
It’s their job to act like the conscience of the organization, pressing technical teams to answer tough questions.
Unfortunately, procurement teams typically do one thing: demand discounts from vendors. And when they get these “discounts” they claim they’ve saved the organization hundreds of thousands, perhaps millions, of dollars. Or, they exact some other concession:
- Free training
- Reduced cost professional services
- Free “premium” technical support
None of these items are, or will ever be, free to the buyer; the costs are simply buried elsewhere.
And, no one is getting a great deal if they get the price down from $1M to $200k – if the solution isn’t needed – and if the final price was what the vendor knew they were going to end up at, all along. It’s just an inefficient, predictable dance.
Vendors to the Rescue!
Vendors know how technical buyers buy, and how procurement teams procure – and they play the system by:
- Supplying “neutral” requirements scorecards and “independent” analyst reports (which are neither neutral nor independent)
- Allowing months-long testing periods (when a few weeks suffice)
- Approving massive discounts from MSRP
MSRP is often artificially inflated by vendors to allow for discounts of 50%, 60%, even 90% from “list price”. It’s a sham – but the procurement team can claim they’re getting an amazing deal, right?
Are we so numb to this tired old sales process that we can’t imagine a better, smarter, or more efficient way to buy?
Let’s commit to buying better through transparency, simplicity, speed, and trust.
Here’s our 8-step playbook:
- Upfront disclosure of existing vendor relationships
- Written technical needs, functional requirements, infrastructure constraints, initial and ongoing budget amounts
- Review of peers’ first-hand implementation experience, independent 3rd party research, and anonymized vendor responses to a uniform technical assessment questionnaire
- Procurement conflict-of-interest check, followed by a shortlist of three vendor solutions – ensuring all necessary purchasing paperwork is in place first
- Brief, time-limited technical “bake-off” test period in an as-close-to-Production-as-possible environment, utilizing a standard suite of test cases
- Technical scoring of the top two vendor solutions
- Demanding a “clear, complete, best, and final” proposal from both vendors that includes all fees upfront (activation, training, professional services, support, etc.)
- Final procurement award to the highest scoring vendor solution (and reseller)
And, no shenanigans with 11th-hour counteroffers. Make the right choice and stick with it!
Sean Steele is a co-founder and managing partner of Infolock. He has his CISSP, CISA, and CRISC certifications, and thinks everyone should know how to tie a nail knot in 30 mph winds.