Procurement
SearchSMB: Security buying in five easy steps
In this month's SearchSMB piece, I delve into buying security products - but with a view towards SMB customers. The 8-step process outlined in the Buying Security Products eBook (here) is pretty detailed and designed for enterprise customers. But most SMB folks don't need that level of detail - so I streamlined the process to make sure it was applicable. Check it out and again, if any of my RSS readers want the eBook - just send me a note.
http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1222538,00.html
NetworkWorld All-Stars: Rained Out
I'm a big fan of case studies and references during the procurement process. For end users, understanding how someone else is using the technology to solve a problem that you may have is instructive. That is, when the case study is done right. So when I saw a feature in NetworkWorld that said they were going to highlight 40 end users and what they are doing with networking and security, I was ready to suit up and get some perspectives from these All-Stars.
The game was called on the basis of mediocrity. You can read it for yourself here.
I'm sure these are all wonderful people that are doing good work to protect their environments. But what good is a 50-100 word paragraph within the context of a case study? Not a hell of a lot. Putting myself in a typical NWW reader's shoes, these snippets are not valuable in the least. I see one sentence on what the problem is, one sentence on the vendor that provided a solution, and a quote from the "all-star." How do I use that information to make myself better or to learn something?
I get that NWW has limited space, and they have a lot of PR people hounding them all day (and probably all night) about all the cool references they can provide for vendors, whose technology has made these users into all-stars. It feels like NWW took the easy road, as opposed to the useful road. How hard could it be? PR person supplies case study. Reporter maybe calls the reference to confirm. They write a paragraph and move on to the next one.
What I'd like to see is a more detailed treatment of one (or maybe two) environments. Where you get a feel for what they are doing in their entirety, not just one very constrained problem that allows the reporter to mention a product. Network Computing does this and calls it The Centerfold (here). They provide a map of the network and list all of the products in use (or most of them anyway).
The centerfolds are outstanding and useful. The All-Stars are not. Again, it's a shame that NWW couldn't derive much useful information from talking to 40 enterprise customers, who are clearly on the leading edge of deploying security technology.
Farnum's Eyes Wide Shut
I'm very happy for my blogging buddy Michael Farnum, who is leaving security management-land to join the wild, woolly world of the reseller community. In this post (here), Michael goes through his personal selection criteria on what was important to him and why ultimately he decided to go with Accuvant.
All of these are good thoughts, and he seems to be going into the situation with his eyes open. I hope. So not to be Mr. Wet Blanket because I know a lot of people who are very happy being a pre-sales engineer for a VAR, but let me point out the reality of a couple of things Michael will have to deal with.
And of course, I think these tips are applicable to more than just Michael, or else I would have just sent him a note.
- You've got a number - Whether you are in pre-sales or carry the bag yourself, ultimately you have a number. That number is based upon the margin you bring into the organization. And you are expected to get to that number because it pays your salary. That may create issues with "high pressure sales" and selling what pays high margin, as opposed to what the client needs.
- SPIFs and promotions - Vendors (especially ones that are breaking into the channel) tend to make it attractive to sell their box. There are lots of kick-backs (I mean incentives) and promotions to move the boxes. At times, they can be hard to pass up. In the past I've used fancy trips, Rolexes, and cold hard cash. I wasn't playing with the ethics of the reseller, I was trying to create urgency in the community to move boxes.
- Pressure from corporate - Pressure to push one product or another will happen. It happens in every organization. Of course, some more than others. But be wary of it and learn how to deal with it.
So what's the best way to prosper and thrive in this kind of environment?
Rule #1: Do the right thing for the customer. ALWAYS. Yes there will be pressures and you may be able to make more money in the short term by pushing something with a good SPIF, but you will have to support it and if you want to sell anything to that customer again, you better do right by them.
Rule #2: Tell them the truth. If the customer is on the verge of doing something stupid, tell them. You may lose the sale because there will always be someone that will take the money, but that person will remember what you said and work with you the next time. That is, if their head is still attached to their body. The users I've worked with don't want yes men. They get enough of that out of the vendors trying to move their wares. The reseller's job is to help them make the best decisions.
Rule #3: Pick a few products and learn them back and forth. You'll never be as deep as the vendor's sales rep, and you can't possibly know everything about every product on the line card. But you want to be known as a specialist in a few products. The go-to guy for a few hot categories. Then other folks within the organization will lean on you for expertise and you have a chance to move up the ranks.
Rule #4: Cut your losses. Referring to my third point - if you pick the wrong product to get deep on (and it will happen), don't go down with the ship. If the post-sales support is crap, or they get bought by a big company that is going to screw things up (like most of them do), then find an alternative and find it quick.
Rule #5: See Rule #1. Remember that your loyalty is to the customer. Not the vendor and not even to your own organization. There are a billion resellers out there and as you develop a loyal and profitable customer base they will follow you wherever you go.
And finally, have fun. Some days suck. You will lose deals. You will miss your number. But if you aren't having fun, then find something else to do. Life is too short.
Good luck amigo, I hope this helps, even a little.
Another perspective on vendor rankings
I've written pretty extensively on vendor rankings from analysts and how and why they should be used by end users. Here is a smattering of stuff:
But something that Chris Harrington of InfoSecPodcast wrote earlier this week fills a hole in my documented position. Basically Chris' post (here) overlays all of that procurement blather that I spout above with the customer size segmentation filter. Huh? OK, I'm talking in tongues again.
Chris' point, and it's a very good one, is that a magic quadrant is built for the LARGE ENTERPRISE. That's who Gartner hangs out with and that's where they get their information (besides vendors that is). The folks that are MQ Leaders have done a good job selling high-ticket items to large companies with big budgets.
What if you are a mid-sized company that is looking for a small-ticket item, and you have very little budget? Then you'd be like 90% of the world and the MQ would be TOTALLY IRRELEVANT to you. Chris' friend is pretty much like a lot of the folks I run across every day. The conversation goes pretty much like this:
Him: "But they aren't in the Leader Quadrant."
Me: "So what? Why do you care who sells a lot into the enterprise? That's not you."
Him: "Because I care. My CIO used to work for a big company and he believes in the MQ."
Me: "Then he's an idiot."
The conversation usually ends right about there, but the point is the same. When you are buying a security product, the vendor rankings can be a useful guidepost to define a short list, BUT ONLY if you look like the analyst's typical customer. If not, then best case you are wasting your time. Worst case, you are buying something that you don't need and likely spending way more than you need to.
While I'm on the topic, Thomas at Matasano questioned the usefulness of my "joke" post (here), given most analyst work is not "statistically relevant." So let me clarify things a bit more. My point is that both Gartner and Forrester make you want to believe that they are talking to thousands of end users and developing these positions. But they aren't. And if they are just answering an inquiry - that is fine.
BUT if they are using that data to place vendors on a chart, it's a problem. The chart, by virtue of being a chart, indicates a QUANTITATIVE analysis. But the underlying information used to develop the chart is in fact QUALITATIVE. That's my issue.
If they want to do a ranking of vendors based on what they hear, that is fine. But if they place them on a chart (where vendors will inevitably get out the ruler and measure the distance between the dots), then there needs to be more quantitative rigor to the analysis.
That's my story and I'm sticking to it.
EAC Blog: Your vendor is bought, now what?
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 13. Link here and then you'll need to scroll down a bit because they didn't add an anchor for this specific post.
There has been a lot of M&A activity in the security space of late. With EMC buying RSA and Secure Computing acquiring CipherTrust, I'm sure there is a lot of angst in the end user community about the impact of these mergers on the only thing that's important -- you and the security of your environment.
M&A in the security space (actually all of technology for that matter) is a fact of life. So grinding your teeth about it will only make your dentist happy. But there are a set of activities that end users can undertake, once a key vendor is acquired, that will help.
The reason I even bring this up is an article I found in Information Security Mag from May of 2006 that seems like it must have been lost for four or five years (or possibly misdated). It's been a long time since I've seen Axent and Platinum Technology used as an example in anything. This article talks about the potential impact of mergers on customers and the conclusions are pretty close to reality.
From my perspective, very few deals actually are in the customer's best interest. Deals are driven by economics, and, inevitably, the integration causes the acquired company to lose momentum both on the distribution/sales side as well as in improving the product. When I was on the vendor side, we would joke that your second happiest day is when your biggest competitor gets acquired. That gives you at least six months of runway to do damage and take share as they look internally and focus on integration.
Of course, the happiest day is when you get acquired. But at that point, you are more likely thinking about your new big house or fancy sports car than about your customers.
So, a key vendor of yours gets acquired, what do you do? I mapped out my thoughts in this post from April, but let me summarize quickly.
- Do nothing at first -- Just because a deal is announced doesn't mean it's going to close (remember Check Point/Sourcefire?). So until the deal actually closes, it's business as usual.
- Call a meeting -- Within a week or two of the deal closing, call a meeting with the surviving entity. Hopefully you'll know who your account rep is at that point. You'll want to ask three questions.
  - How does my product (the one that was bought) fit into your strategy?
  - Is my account team changing?
  - What is the 18-month product roadmap?
- Look at how to do more business -- so if you are happy with the products, account team and roadmap -- you should be seeing if there are other opportunities to do business with the vendor. This would be a good thing.
- Look for Plan B -- if the answers are no good, then start talking to competitors immediately. Most will be very willing to defer costs until your existing contract/maintenance expires, in order to displace a competitor.
EAC Blog: The joke of analysts' vendor rankings
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 12. Link here.
As I discussed yesterday, I've spent a lot of time helping end users buy security products more effectively. Inevitably the customers want a recommendation on what product they should buy. Most are chagrined when I tell them that I won't do that. I can certainly provide some perspective on who the market leaders are, based on lots of criteria. But I won't recommend a product for them. That's their job, because it's their ass that's on the line if the decision is wrong. You can't outsource the decision, not if you like your job anyway.
But not all of the analysts out there think this way. The business of ranking vendors is a big one. Whether you want to call it a Magic Quadrant, a Wave, market sizing, or anything else -- these are all fundamentally the same. They strive to generate a generic answer to what is the best product, based upon some arbitrary criteria.
Here's the problem. Your environment isn't generic, is it? If you look exactly like companies of similar size in similar businesses, then what is your differentiation? Why are you different? There are definitely similarities between businesses based on size and industry, but each organization has its own strategic imperatives, culture, threshold for pain and budgets. You cannot generically decide what products will potentially be best.
And even worse, as pointed out by looking at James Governor's post on MQ sample sizes and this Forrester post, you see that these opinions are based on very small sample sizes. Help me understand how Forrester decides market leadership based upon talking to seven vendors and 10 users? Gartner at least "talks" to a hundred or so users. But this is not statistically significant stuff, let's be clear about that.
Sure Gartner and the others field lots of inbound calls, but rankings are based on specific quantitative criteria based upon qualitative conversations. So it all gets back to opinion. They are making it up. Which is OK, but only if you trust the analyst.
As for me, I don't trust anyone. Sure, it's a personality quirk, but if my career was on the line, I'd be real careful about using these tools as key arbiters of the decision.
I recommend you use an MQ or a Wave or any other chart as a guidepost. Do your own research and potentially validate your findings relative to the analyst chart. But don't allow the chart to dictate your short list. There are a lot of vendors that don't even get on the chart or are poorly ranked because they don't (or can't) play the game. That doesn't mean those vendors wouldn't be the best fit for what you need to do.
But what annoys me the most is that these analysts agree with me on how and when to use a chart. They don't want the responsibility. I ranted about that on my personal blog. The problem is that customers don't get it and until they do, these vendor rankings will be much more important than they should be.
EAC Blog: Why requests for proposals are still relevant
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 11. Link here.
One of the things I find most entertaining about my job is helping end users buy security products. It is amazing that so many sophisticated technicians have such a hard time buying the products. I guess I shouldn't be surprised because many of the folks that drive the purchase process end up as managers after starting their career on the technical side.
It was a post I saw on Arbor Network's blog that got me thinking about this topic again. Carlos Morales makes the point that pretty much everyone hates requests for proposals (RFPs). They waste time and resources, request a feature list that no vendor can meet, and usually involve a ridiculously aggressive deadline. I agree that, ultimately, RFPs very rarely help the purchase process.
BUT, what he's forgetting is that RFPs have nothing to do with streamlining the purchase process and very little to do with trying to save money. It's all about covering someone's ass. There, I said it. Pure and simple, RFPs are used to cover the respective asses of the folks that buy things for larger companies and government entities.
I suppose that's a pretty cynical position to take, but it's true. As Carlos points out, there are ways to buy products that wouldn't require doing a formal RFP. In fact, I published an eBook on that very topic. It's available for those that sign up for my daily newsletter or email me. I lay out a multi-step process to buy a product, which may or may not involve an RFP, that can be tailored to what you need to buy and what process your organization requires.
Thanks to Carlos for making a number of very relevant points here, but ultimately it doesn't matter. We'll still see RFPs and probably more of them. As long as folks have an ass to cover, they'll continue to use the RFP process (and magic quadrants and other analyst hocus pocus -- but that's a discussion for another day) to be able to point the finger at someone else. And when the stuff hits the fan, you can only hope you still have a finger to point.
Dark Reading's Top 10 IT Security Myths Demystified - Part 2
Getting back to Dark Reading's Top 10 IT Security Myths (link here), let's take a look at the next two.
Myth #3: Vendors Have Your Best Interests in Mind (link here)
The primary goal of a security company -- like most other companies -- is to make money.
You would think this one is totally self-evident, but it's not. I can't tell you how many folks I talk to that really believe their security vendor is trying to help them. Well, to be fair, they are. But when it comes down to it, "help" is a funny word. If help means they can sell their product, then they are all for help.
But at the end of the day, let's be clear that the role of the sales person (and the SE and the support person) is to feed their family. And they feed their family by selling stuff to folks like YOU.
The best IT sales people I've met do truly believe they are helping their customers, which is a good thing. But again, remember they don't get paid until you buy something. And it's their job to convince you that you need to buy what they are selling right now.
I think most of the rest of their explanation is crap. Vendors don't try to create more complexity for you. Though many do trade on fear. Fact is, more "constructive" positioning of security technology has failed miserably over the years. Security is like insurance, you buy it because you have to, not because you want to. That hasn't changed in 15 years.
I also don't believe that most end users "manage their vendors." I haven't seen that. Some users know how to buy stuff, but they are in the minority. Most react to a certain mandate, incident or something else that creates a buying catalyst. Then they buy whoever comes in the door first with something that will solve the problem.
I give this myth-buster an A, but once again I think they are exactly right but have a hard time telling the readers why.
Myth #4: Separate Physical, Electronic Security (link here)
But the vendors that sell you physical security systems and those that sell IT security have little to no overlap. Organizationally, physical security is often handled by the facilities department, while computer security is IT's domain.
It is true that in most cases physical security and IT security reside within different organizations. It's also true that most attacks involve both trying to compromise the physical, as a way to access the electronic.
But I don't buy that you need to attach the two at the hip to be effective. The disciplines are very different and the only link I really see is training. Your receptionists need to be able to detect social engineering attacks meant to provide the bad guys access to your facilities. If those folks can adequately block those attacks, then you cut off a HUGE part of your electronic vulnerability. If not, then you are open season for bad guys.
But are there tools that help people leverage the two? Not really. Do you need them? Again, not really. I tend to subscribe to the school of thought that if it was important, someone would have already thought of it. In fact, lots of people have thought of things that are just not important. 800 security companies prove that every day. Both of these disciplines (physical and electronic access control) have been around long enough that if it was a good idea to integrate the two, customers would have bought it. To date, they haven't.
Maybe I'm being naive here, but I have not had one person ask me when physical and electronic security are going to be merged. Maybe I don't hang out with enough physical security folks, but still. I just don't think there is enough leverage to warrant what would require an architectural overhaul of either electronic or physical.
This one gets a D.
Two more tomorrow...
Dealing with mudslinging in the sales cycle
You see, if you could vilify the competition and convince the customers they were of questionable integrity, the deal would be ours to lose. Of course, you never want to go into a deal mud-slinging, but inevitably it happens. Market spaces in the technology industry are so crowded and differentiation so elusive that you look for anything that gives you an advantage.
Even if it's something the competitor has no control over. Given the real outrage about the NSA snooping Internet traffic, you figure someone had to be caught in the crossfire. That someone is Narus' Networks, the folks that provided the hardware to monitor the traffic on big network pipes. In this post, Darknet adds some pithy comments about some work that Wired (link here) did to uncover Narus' involvement in the situation. I don't know for sure that these guys have taken a black eye about being publicly mixed up in the mess, but I presume they have.
How do I know? Because if I was competing against them, that's the first thing I would do. To be clear, I can't see anything that Narus did as being wrong. They sold their product to carriers. The quote from the Wired article says it all:
"Narus has little control over how its products are used after they're sold. For example, although its lawful-intercept application has a sophisticated system for making sure the surveillance complies with the terms of a warrant, it's up to the operator whether to type those terms into the system, says Bannerman."
Most companies have little control over how their product is actually used. This guy from Narus closes the article with this quote: "Many of our customers have built their own applications. We have no idea what they do." Sorry, I don't believe that. Even hush-hush military installations need support from time to time. And then you figure out what is going on. Sure, if you are selling software development tools you have no idea what the customer is doing or building. But to say you don't know how a customer is using your box to sniff 10 Gbps networks rings hollow.
But that's not the point. The point is that the customer is caught in the middle. When competitors start slinging the mud, then the customer has to figure out what's right and wrong in a whirlwind of speculation. So I thought I'd give some guidelines based on my experience. Hopefully it will make it easier to wade through the crap.
- No mudslinging - Early on in the procurement process, make it very clear to all participants that you will be very intolerant of mud-slinging. This doesn't mean it won't happen, but the reality is that the great sales folks know how to de-position the competition in a positive way. The crappy ones rely on the old "well they just suck."
- Figure out if it matters - As you go through the technical evaluation, the vendor in question may fall out of the race. Then it's a non-issue, no?
- Do your homework - Ultimately if you are pulling the trigger on a purchase, then your ass is on the line. Believe me, the competition will get their points across, so you'll know about these allegations. If they concern you, check them out. I'm not saying to go on a witch hunt. But if you hate surprises as much as I do, you better do your diligence before buying.
- Go with your gut - I'm a big fan of following my instincts. If the idea of doing business with someone turns your stomach, then don't. Make sure you've done your homework to substantiate your concerns, but then pick the other guy and don't look back.
My rule of thumb is the vendors should not be held responsible, AS LONG AS THEY AREN'T HELPING. That's where you need to draw the line. Period. If they provide a technical resource helping to configure equipment to do something that anyone could see is ethically questionable, then I wouldn't do business with them. It's as simple as that. See, black and white.
For example, let's say you were in the email security space and one of your competitors also sells an outbound email gateway. Right, a spam cannon. Is there anything wrong with that? In concept, no. But if that vendor sent a technical resource to go configure 3 high-end ($50k) boxes in some guy's garage to send outbound mail, I'd have a problem with that. What do you think the guy is doing with the boxes?
So as a customer, you need to wade through all the crap to figure out what the best solution is for your company. Sometimes these intangibles don't matter. Other times they do. But if you do your homework and stay true to your gut, you'll be just fine.
The myth of security ROI
That's the trade-off between enhanced security and friction. Why don't I just say cost/benefit? Basically I think it's pretty much impossible to really quantify security. I know a lot of people spend a lot of time trying to figure out security ROI. There are vendors that put dashboards in place and end users that need to spend a bunch of time generating spreadsheets to justify buying something.
Unfortunately, they are making it up. So let's say you have a problem. What does it cost? First you concoct some numbers about real loss expectancy. Are machines fried and need to be replaced? Then there is the cost of the time to fix all of the issues. These are pretty easy to determine and a start.
But those numbers don't really get the attention of senior management. They don't care. What they are worried about is appearing on the front page of the Wall Street Journal. That gets their attention. Whether it's compliance related or privacy related, executives typically sign off on expenses to avoid those kinds of issues.
There is no return on investment for that, is there?
I'm a fan of giving the executives what they want. So you, as the security practitioner, should know what you want to buy. Maybe it's identity management, maybe it's NAC, maybe it's encryption or database security. You should have a working architecture or "future state" of what your infrastructure should look like.
The real art of what you do is to figure out how to get there. A lot of it involves robbing Peter to pay Paul over time. You want to attach to strategic initiatives (like outsourcing HR or a new ecommerce system) and build in some new security oriented gear into those projects. When the price tag for these projects is in the 10s of millions, no one is going to miss the $500k you spend on security.
You also want to take advantage of budget line items, like compliance. Most big companies have specific money set aside to keep the executives out of jail. So figure out which of your strategic security stuff can be wedged into the compliance budget. Is identity management or log management strictly for compliance? Of course not, but you can make the case that these offerings are critical for those efforts. And you get your money.
So here comes the trade-off. It's hard enough to get money for the things you really need. So you've got to decide what stuff you are not going to do. No one I know gets to do everything. There are always choices to be made.
You need to get a feel for the incremental increase in security for a specific investment. That must be weighed against the friction the additional security introduces. Friction can reflect hard costs (like buying something or operating it) or impacted user experience. And don't minimize the user experience hit. Executives get grumpy when they can't do what they want, when they want to do it, from whatever location they choose. Ultimately you need to decide if it's worth it.
The other thing I'll tell you is that most likely you'll be wrong. You'll get nailed by something that you decided wasn't worth the money. But that's OK. Not even Ted Williams batted 1.000. But if you keep the future state in mind and have a plan to get there, you'll get nailed much less frequently. And ultimately that's the point.