Printable View
I don't know how many of you in the AO community have enough pull at your respective companies to be involved in medium to enterprise level purchasing decisions, but it you have any insight I would appreciate it.
What are the things that you think are essential to factor into a purchasing decision or to consider when selecting a product or vendor or making a purchase?
Wow, that's a broad question. I think it's more appropriate to consider what the process is that an organization goes through...the things to consider are going to vary widely depending on what you are looking to purchase, or contract, or obtain and *why* you need (or feel you need) said product/service.
For example, a previous client had been handling email content filtering in-house with their enterprise sysadmins and a pair of *nix bridgehead servers running a slightly older version of TrendMicro's offering…InterScan, I think. The company was on an outsourcing kick…they do a really good job of finding precious substances under the ground, not providing IT support, etc. you know the story. So they chose to outsource their email content filtering to a managed security service firm. The issues surrounding this change that were identified by the PM included:
- Outsourcer’s solution did not have the flexibility or granularity that their TrendMicro software offered
- Cost effectiveness of the outsourced solution was MUCH better than the dedicated in-house resource
- The comprehensive package of having a view on the big picture from the outsource provider, being able to identify large scale events that are impacting not just their email, but other companies and clients, etc. was more inline with the company’s security and business goals
So in this situation, even thought they lose a level of control and flexibility, they gain from not having to manage the resource themselves, and have a better insight to what may be happening outside their networks but is impacting them.
This is a single, crude example but the point stands. You need to consider some of the obvious points: who is the vendor, what is their reputation for support after sale, and what do other companies think of them. SANS offers some good insight into this area with their What Works web casts. I usually don’t have the time to bother with sitting through the presentations, but these are always based on real companies that have gone through this process, and what their post-transaction feelings about it are.
I work for a large company, and I can tell you without doubt that there is only one factor when making these kinds of decisions:
Price.
Though we wish it were otherwise, wee invariably end up buying the cheaper software regardless of differences in capabilities. Sad but true.
Price is a big factor of course. In a fact you have to justify it.
If you're asking that on the Internet, and your resources permit, you presumably need to consult professional risk management. There is only one member that I know of that has experience in professional security risk management and that's catch.Quote:
Originally posted here by tonybradley
I don't know how many of you in the AO community have enough pull at your respective companies to be involved in medium to enterprise level purchasing decisions, but it you have any insight I would appreciate it.
What are the things that you think are essential to factor into a purchasing decision or to consider when selecting a product or vendor or making a purchase?
I know this much. One of my clients received a $23 million dollar loan last year from a big oil and gas investor. Before that loan committee granted it to them. The committee wanted proof of implemented risk management. I had another client who received a grant for a large sum of money as well. They wanted risk management, internal auditing and whatnot.
I don’t know if you carry that kind of pull, but even smaller businesses consult risk management. It’s just smart practice.
But since you mentioned security, you might want to refer to the NCSC-TG-004-88 on risk management. It’s a little different.