Security Product Acquisition – Ten Top Tips

A CISO from the health care industry explained that integration with his existing architecture is more important than buying the latest bells and whistles

Wisegate, which describes itself as "a private, practitioner-based IT research service for qualified senior technology professionals," has published a new report on how to manage product acquisition. It separates successful acquisition into three stages: managing vendor hype; managing security budget; and, finally, managing the ongoing relationship with the successful supplier.

The report is based on the practical experiences of a group of senior CISOs and presents 10 key recommendations – some of which contrast with common thinking. Unsurprisingly, one recommendation is to maximize any relationships that already exist. The surprising corollary, however, is that maybe it's not necessary to spend at all – maybe rationalization and updates are better than additional products. 

Even more surprising is the suggestion that the best product may not be the best solution. A CISO from the health care industry explains that integration with his existing architecture is more important than buying the latest bells and whistles. What I don’t want, he explained, “is a bunch of disparate tools that don't integrate with each other and cause my cost-of-administration to go through the roof."

Some of the ten tips are exactly what might be expected: 'stay up to date on trends and technologies', and consult with colleagues. But there are more surprises – such as 'ask tough questions to get the right answer'. For example, a CISO from an industrial manufacturing company said that he asks the vendor, "When are you not good? What do you do worse than your competitor?" If you've done the research, he suggests, "you can gauge the honesty of the vendor’s reply."

Another surprise comes in budget management. "The practice that I've adopted", said one CISO, "is to avoid spending my whole security budget. When I follow this practice, the executives realize that I’ll only spend the money that I need." The result is that if an over-budget emergency does come up, she can go to the board for more money and "they’re going to trust that I really need it because I’m not just out buying the latest and greatest gadget.”

Buying the right product is only half the story. Once that has been done, the ongoing relationship with the supplier becomes vital. All products need support, and a good relationship with the supplier is the only way to get the best possible support. That, suggests the report, requires being firm but fair. The report summarizes this as "Demand what you pay for, and say thank you when you get it", and as working on that continuing vendor relationship, "but stay in charge, control and own it."

The final two tips, part of that ongoing relationship management, are to remember that "the best benefits are mutual benefits", and to "be reasonable with vendor gift policies." For the latter, where the consensus is to apply a dollar limit rather than an absolute exclusion, the suggestion is that "they should be neither fully accepted nor completely rejected."

“Security vendors are always trying to sell us the latest and greatest gadgets but I need solutions, not hype”, explained Candy Alexander, Wisegate member, and longtime CISO at several industry-leading companies, including Long Term Healthcare Partners. “By talking with my peers, through a convenient channel like Wisegate, I can sort through all the hot air to find the vendors that will work with my existing infrastructure, meet my budget requirements and have a demonstrated track record of solving problems versus creating new ones.”