Vendors Know You Too Well

January 15, 2022

2 min read

Sean Steele is co-founder and managing
partner at Infolock.

Could you imagine walking into a car dealership without:

  • Knowing what type of vehicle you need
  • Having a budget in mind
  • Researching available models
  • Plans to test drive some options

What about buying on the spot because you’re getting a “great deal”? No way, right? Who would buy so recklessly?

But this approach – little or no planning, poor testing, bogus discounting from vendors – is how many organizations go about selecting new information security solutions.

There has to be a better way. And there is.

Technical Buyer Blues

Information security teams often do a poor job:

  • Utilizing the solutions they have
  • Assessing real business needs
  • Analyzing existing infrastructure
  • Researching and testing solutions
  • Preparing for ongoing operation, support, and maintenance

Technical buyers often base decisions on documents supplied by vendors rather than on first-hand experience with the product.

Procurement Bad Habits

The first question procurement teams should ask is: “Do we need another solution?”

The next question should be: “Can’t we use something we already have?”

It’s their job to act as the conscience of the organization, pressing technical teams to answer tough questions.

Unfortunately, procurement teams typically do one thing: demand discounts from vendors. And when they get these “discounts” they claim they’ve saved the organization hundreds of thousands, perhaps millions, of dollars. Or, they exact some other concession:

  • Free training
  • Reduced cost professional services
  • Free “premium” technical support

None of these items are, or will ever be, free to the buyer; the costs are simply buried elsewhere.

And no one gets a great deal by negotiating the price down from $1M to $200k if the solution isn’t needed in the first place, or if $200k was the figure the vendor expected to land on all along. It’s just an inefficient, predictable dance.

Vendors to the Rescue!

Vendors know how technical buyers buy, and how procurement teams procure – and they play the system by:

  • Supplying “neutral” requirements scorecards and “independent” analyst reports (which are neither neutral nor independent)
  • Allowing months-long testing periods (when a few weeks suffice)
  • Approving massive discounts from MSRP

MSRP is often artificially inflated by vendors to allow for discounts of 50%, 60%, even 90% from “list price”. It’s a sham – but the procurement team can claim they’re getting an amazing deal, right?

Are we so numb to this tired old sales process that we can’t imagine a better, smarter, or more efficient way to buy?

Buying Better

Let’s commit to buying better through transparency, simplicity, speed, and trust.

Here’s our 8-step playbook:

  1. Upfront disclosure of existing vendor relationships
  2. Written technical needs, functional requirements, infrastructure constraints, initial and ongoing budget amounts
  3. Review of peers’ first-hand implementation experience, independent 3rd party research, and anonymized vendor responses to a uniform technical assessment questionnaire
  4. Procurement conflict-of-interest check, followed by vendor shortlist of three vendor solutions – ensuring all necessary purchasing paperwork is in place first
  5. Brief, time-limited technical “bake-off” test period in an as-close-to-Production-as-possible environment, utilizing a standard suite of test cases
  6. Technical scoring of the top two vendor solutions
  7. Demanding a “clear, complete, best, and final” proposal from both vendors that includes all fees upfront (activation, training, professional services, support, etc.)
  8. Final procurement award to the highest scoring vendor solution (and reseller)
