By Magnus Boll, September 2018

2020 InfoSec has a simple Mission Statement: Save our Clients Money.

Primarily we do this by identifying products you don’t need to buy, or by assisting you with choosing the best-fitting product. When you do require additional technologies, I’d like to share some InfoSec Procurement Strategies for minimizing your cost, reducing your time and resource use, maximizing value and ensuring the best possible fit.

You may ask, and rightfully so: who are you to tell me how to procure? Well, I have gained some perspective on the topic in my 30 years providing IT products and solutions, of which 20 years were specifically in InfoSec. In this article I will share insights from the mind of a “Sales Guy”, the guy that usually sits across the table pitching to or perhaps negotiating with you. Check out this page for a bit more on who we are.

This article will conclude with a flowchart for a fool-proof method to maximize your “bang for the buck”, as well as minimize your organization’s time and resources. You can skip ahead to the flowchart now, but I recommend reading the entire article.

Let’s begin with breaking the sales process into two categories: Vendor Initiated and Client Initiated.

Vendor Initiated Sales Process

When a Sales guy isn’t tied up with sales already in motion, he should be initiating new sales processes with clients. Some of the ways we do this are:

  • A quick call or email to inform about something new and exciting
  • An invitation to a seminar or demo
  • A call or visit to inquire about your requirements or concerns
  • A meeting request to introduce a product, service or person
  • An introduction to the vendor’s organization, services and products
  • An offer to evaluate a product in your environment

These are all examples of vendor initiated sales processes. You probably get these in droves on a daily basis.

We sales guys generally prefer initiating the process as it reduces competition, which in turn yields a higher profit margin.

Client Initiated Sales Process

When the client initiates the process, sales guys like me get excited because we are presented with an opportunity that we have not yet invested any time in. It puts us in a different, more competitive mode, as the client initiated process usually involves heavier competition. Some examples are:

  • A call or email to inquire about a technology or a specific product
  • An informal request for pricing
  • A request for advice
  • A formal Request for Proposal
  • A formal Request for Quotation

The last two typically involve more competition, which forces us sales guys to be on our best game and sharpen our pencils.

Can you guess which of these is better for you? The answer is: either. It doesn’t matter who initiates the process. Follow along and you’ll soon understand why. First, let’s take a closer look at the Vendor Initiated Processes so you gain an understanding of how we sales guys navigate.

The first five listed are all basically fishing. It’s just the bait that changes. We engage you in conversation in the hopes that you will show interest in something we say. If you do, we switch to inquiry mode. We want to find out what you already know and if you’ve looked at the product segment already. Have you narrowed down to any particular product? Has a budget been established? Now we go into pitch mode, explaining why our organization is the best suited to deliver the product and which brand or brands we think would be best suited.

Live evaluations in your environment are a different animal altogether. Sometimes this is called the “puppy-dog-sale”. You know the adorable little puppy that looks up at you with big brown eyes and before you know it, you’re sold.

Let’s say that the sales guy is pitching an IPS or perhaps a Zero-Day Attack Prevention appliance. Most will insist on deploying it in front of all your existing gateway security measures. This way it will light up like a pinball machine almost right away and start blocking all sorts of malicious traffic. Wow, look how many attacks it prevented in only five minutes! Looks like you narrowly escaped the breach of a decade! How have you survived all these attacks for all this time, you may wonder? Time for you to insist on deploying that sucker AFTER all your existing technology. This is when it gets interesting. Is it still detecting and blocking anything malicious? If it does, the hits will be far fewer and further between, if there are any at all. Leave it for a week and see what it finds. Even if there is still malicious traffic making it through to the new puppy-dog, chances are it’s not applicable to your environment (an exploit for a service or platform you don’t run). Even if it is, you now know what your current gear isn’t able to mitigate and will thus be able to look at all possible ways to block it. Possibly there are far less costly methods than forking out the loot for that adorable little puppy.
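The triage step described above, sorting what the evaluation appliance still sees behind your existing gateway into “applies to us” and “doesn’t apply to us”, can be scripted. The following is an added example, not code from 2020 InfoSec or from any appliance vendor: the alert lines, their `key=value` format, the signature names and the asset inventory are all constructed for illustration, and a real appliance would need its own export format parsed instead. Every alert in this log has, by construction, already passed the existing controls, so each one that is also applicable to a reachable host is a genuine gap to investigate.

```python
"""
Triage of alerts from an evaluation IPS deployed BEHIND the existing gateway
controls. Everything logged in that position has already slipped past the
current stack, so the only question left is whether each hit matters here.
All data below is constructed sample data.
"""
from collections import Counter
import re

# Constructed: one alert per line in a made-up key=value export format.
ALERTS_BEHIND_GATEWAY = """\
ts=2018-09-03T10:02:11 sig=SMB_Exploit_Attempt src=203.0.113.7 dst=10.0.0.25 dport=445 platform=windows
ts=2018-09-03T10:05:40 sig=IIS_Overflow_Attempt src=198.51.100.9 dst=10.0.0.80 dport=80 platform=windows
ts=2018-09-03T11:17:02 sig=Web_App_RCE_Attempt src=198.51.100.23 dst=10.0.0.80 dport=80 platform=linux
ts=2018-09-03T12:44:19 sig=SMB_Exploit_Attempt src=203.0.113.7 dst=10.0.0.26 dport=445 platform=windows
ts=2018-09-04T02:01:55 sig=Telnet_Bruteforce src=192.0.2.44 dst=10.0.0.25 dport=23 platform=any
"""

# Constructed asset inventory: what is actually reachable on the segment,
# which platform it runs, and which ports are exposed.
INVENTORY = {
    "10.0.0.25": {"platform": "windows", "ports": {445, 3389}},
    "10.0.0.80": {"platform": "linux", "ports": {80, 443}},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_alerts(text):
    """Turn each non-empty key=value line into a dict."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def classify(alert, inventory):
    """Return 'applicable', 'wrong_platform', 'port_closed' or 'no_such_host'.

    An alert only counts as applicable when the destination host exists,
    the targeted port is actually open on it, and the exploit's platform
    matches what that host runs.
    """
    host = inventory.get(alert["dst"])
    if host is None:
        return "no_such_host"
    if int(alert["dport"]) not in host["ports"]:
        return "port_closed"
    if alert["platform"] not in ("any", host["platform"]):
        return "wrong_platform"
    return "applicable"


def triage(text, inventory):
    """Group alerts by classification and count the signatures that truly apply.

    Returns (buckets, applicable_signatures): buckets maps each classification
    to its alert dicts; applicable_signatures counts signature names among the
    applicable alerts, i.e. the gaps the existing gear did not cover.
    """
    buckets = {}
    for alert in parse_alerts(text):
        buckets.setdefault(classify(alert, inventory), []).append(alert)
    applicable_sigs = Counter(a["sig"] for a in buckets.get("applicable", []))
    return buckets, applicable_sigs


if __name__ == "__main__":
    buckets, gaps = triage(ALERTS_BEHIND_GATEWAY, INVENTORY)
    for label, alerts in sorted(buckets.items()):
        print(f"{label:15s} {len(alerts)}")
    print("gaps to investigate (and to price against cheaper fixes):")
    for sig, n in gaps.most_common():
        print(f"  {sig}: {n}")
```

The “applicable” bucket is the list to take back to the sales guy: each entry is something the current gear let through against a host that really exists. The other buckets are the noise a front-of-gateway deployment would have counted as prevented attacks.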

– We can Assist with this –

InfoSec Procurement Strategies

Alright, this is when it starts to get interesting. Pay attention, because we’ll be covering some important points in regards to the Customer Initiated Sales Process. The first step is going to sound like the cart pulling the horse, but it will make sense soon.

Before initiating the process, decide which Dealer you want to do business with. I know, I know… You want to do business with the proponent that offers the best deal. How can you possibly know in advance which that will be? The answer is simple: whoever you want it to be. Makes no sense, right? Here’s the reason: When a sales guy gets a whiff of a deal, his or her job is to qualify the opportunity. In other words, gauge the probability of it becoming a sale. If the chances are deemed to be good, the sales guy connects with the manufacturer and tells them how loyal he is to them and that he has pitched their product to this potential customer. In turn the manufacturer rewards this loyalty by supporting him in this particular deal. A slight discount advantage, a manufacturer recommendation or perhaps an exclusive freebie add-on are some of the ways a manufacturer can help the dealer sales guy gain a competitive edge over any other proponents. Now you see why you may as well select your favourite dealer from the get-go.

Let’s assume you’ve identified a requirement for an IPS to augment your existing infrastructure. The next step is to determine who your favourite dealer is and let them catch a whiff of the deal by initiating the process using one of the first three approaches:

  • A call or email to inquire about a technology or a specific product
  • An informal request for pricing
  • A request for advice

Don’t have a favourite dealer or sales guy yet? Here’s how to identify one.

At this point, you have the requirement and hopefully a budget. You’ve picked your sales guy / dealer and initiated the process. The sales guy will have “registered” the deal with a manufacturer (perhaps multiple). What’s next? This is the crucial part. You have to do your own research. You have to determine for yourself which brand and model is right for you. If you have an ethical sales guy, their advice is helpful in this process, but in the end it’s up to you to ensure that the chosen product will meet your requirements and function well with the rest of your technology. You want this additional purchase to augment what you already have, not overlap with or even diminish it.

– We can Assist with this too –

Why not issue an RFP? Isn’t that a great way to get multiple manufacturers and dealers to provide alternatives? These are the reasons for recommending against an RFP:

  • Manufacturers will respond to any and all RFPs. Regardless of how poorly they meet your criteria, they will write their response to give the impression that it’s a perfect fit. This adds up to countless man-hours to qualify or disqualify responses.
  • Writing the RFP and structuring the process is a resource and time intensive task.
  • More time and resources are consumed by the initial Q&A.
  • By the time you’ve narrowed down the top contenders, you’ve spent at the very least twice as much time and resources as if you’d just done the due diligence yourself to begin with.
  • Even if you provide the RFP to a handful of dealers, the manufacturers are performing the bulk of the work to write the responses. What you end up with is a competition between brands of which only ONE is the best suited for your requirement. This means that you will likely only have one, or perhaps a couple of proposals for the winning product.

Instead, I recommend researching and determining the brand and model yourself and then issuing an RFQ for that specific product. The advantages of this approach are numerous:

  • RFQs are more competitive in nature due to the clear definition of the requirement.
  • Sales guys hate all the work involved in RFPs, while responding to an RFQ can be done in under an hour. You will receive more and higher quality responses.
  • Even if you know that your pre-chosen dealer will quote the lowest price on the product you can use the other quotes to negotiate the professional services, support or other line items on the quote.
  • The other quotes can also be leveraged to negotiate the product price. The rule of thumb is that the smaller the difference between the “chosen” proponent’s price and their competitors’ prices, the more room there is for an additional discount. (Tell you what, if you can shave an additional $1000 off the total price, I’ll send you the PO before end of day.)

Do you REALLY need it?

InfoSec Utilization Audit

Which should I pick?

InfoSec Product Selection Service