The best analogy I can make to buying security products is buying a car. 10-15% of the public really knows how to buy a car, and the sales people at the dealer shudder when these folks walk in. These buyers know the tricks and establish their credibility immediately. They are educated, know what they want to buy, and know what they will pay. They also understand there are lots of alternatives (they don’t fall in love with the car or the dealer), so if they can’t get the terms they want, they’ll go elsewhere. There is no question as to who is controlling the sales process for these buyers.
The other 85% are like lambs being led to slaughter. They probably don’t know what they need to buy, and they certainly aren’t in a position to understand one vendor’s rhetoric versus another’s. So they take the sales reps at face value and in many cases are trying to buy something to get the project off of their desk, as opposed to buying the right thing to meet the business objective. That’s how you end up with shelf-ware – purchased software (or equipment) that never gets deployed.
There are caveats to this process (as there always are). Obviously there are times when a full-blown procurement doesn’t make sense, like in the event of some type of outbreak or situation when you need something fixed YESTERDAY. Don’t be silly. Just go buy something and pay the idiot tax. Hopefully it will be something you can leverage for a while, but if not, oh well. Much better to be up and operational, then trying to squeeze a few shekels out of a vendor when your network is under attack.
Additionally, depending on the size of your company, you’ll have a different threshold regarding when you want to go through a rigorous procurement process. If you are a huge company, buying a $50,000 piece of equipment may be a rounding error, so just go get it. But if you are a bit smaller, $50k is a big nut - so you need to choose wisely since your job is on the line.
So that is the first rule: Your situation is different. Don’t accept some generic crap from a vendor or reseller about how every company is doing this, so you should be too. You need to resist the pull of the bandwagon. Sure, there are lots of similarities between industries and companies of a specific size. But every organization has different goals, tactics and thresholds for pretty much everything. So every organization must go through the process to figure out which solution is right for them.
This is a good segue into explaining the process:
- Step 1: Clean Your Own House – It’s your responsibility, as the buyer, to know what you need to buy and why you are buying it. Vendors will try to create a buying catalyst when they contact you, but that is like pushing on a string. To buy something correctly, you’ve got to have a budget and an approved project AHEAD of time.
- Step 2: Assemble the “Team” – If you are lucky enough to have resources, you want to assemble a team to drive the project. You’ll need a leader (someone who ultimately accepts accountability for the success of the project) and probably a technical team to do the actual evaluation. If you are really big, then you'll have someone in procurement to help as well. Those folks have a great job, they make vendors cry every day. That must be a lot of fun.
- Step 3: Educate – An educated buyer is the best buyer (whether the vendors admit this or not). So this step in the process is to give you (and maybe your project team) a broad understanding of the problem you are trying to solve and some best practices for how to solve it. The objective is not to learn 100% of what you need to know, that would take too long. It’s to get to maybe 75% knowledge and a pretty good understanding of what you don’t know. Done correctly, you can shave weeks off of your project timeframe.
- Step 4: Engage – At this point, you know what you need to buy and you have a good understanding of the industry, so you can now approach vendors and/or resellers to start the actual procurement process. As we dive down into Step 4, a major topic will be developing the long list. This is where you also consider doing a formal RFI/RFP process, if your organization requires that kind of documentation.
- Step 5: The Bake-off – Depending on the amount of lab resources (and the criticality of the project), you’ll want to test a few of the products on the long list. Probably not all of them, but more than 2 and less than 10. I know, resources are precious, why test more than 2? Well, you’ll have to wait for Step 5 to learn the detail.
- Step 6: The Short-list – Most people think the short list is determined before the bake-off. Well, think again. Vendors make the short list if the lab evaluation shows that their product will meet your requirements. Again, you want to have at least 2 vendors on the short list at this point, and then you can have some fun during negotiation.
- Step 7: Negotiation – Ah, my favorite part of the whole process. If you’ve done the job right, you have at least 2 vendors that can get the job done, so now you pit them against each other and watch the fireworks. Artfully done, you can save 50% off the initial bids because at this point, the vendors have invested enough in the deal that they don’t want to lose.
- Step 8: Selection – As much fun as it is to see 2 (or more) vendors locked in a death struggle, eventually you’ll need to make a decision. With the correct process in place, the selection is easy. You’ll feel very good about one of the vendors and you’ll get the deal done. The other vendor(s) will be disappointed at the end of the process, but that’s life in the big city. As long as YOU feel good about the purchase, you’ve done your job.