Security buying in five easy steps

My "Buying Security Products" process (available on my Web site) has been well received by midsized to large enterprises, but it's a detailed eight-step process that will get you the best price for the products you need to buy.

But for many SMBs, it's overkill. You don't need to know all the answers. You don't have the time to do a very detailed product evaluation on multiple vendors. And ultimately you are just trying to get the project taken care of so you can move onto the next task.

So I've gutted the big process and created an easy buying process for SMBs that will dramatically improve how you interact with your vendors, reduce your stress level and help you make better decisions.

1. Document the problem. What are you trying to do? Why? The first step is to write down what your goals are. Keep in mind you are not selecting products or even categories here. It could be something like "provide secure access to mobile personnel" or "reduce the amount of spam coming into my network." These should be generic statements that don't presuppose an answer. That's the value-added reseller's (VAR) job.
2. Decide your budget. Make sure you have both executive sponsorship and a pile of money set aside for the project. You'll be wasting your time and that of others if you don't do this. Keep the budget number to yourself.
3. Bring in two to three VARs. You should have at least two VARs with whom you have done business. Bring them in and tell them about your problem. If they don't already know, tell them about your network and existing security environment. Then tell them to leave and not to come back until they can solve the problem in the most cost-effective way. DO NOT TELL THEM YOUR BUDGET. But make it clear that you aren't trying to break the bank or re-architect your entire network.
4. Short-list vendors and evaluate products. When the VARs come back, you'll probably have two to three options. Make sure the price is in the ballpark. If not, then make them go back to the drawing board. If so, tell the VARs you want to do a live test on two offerings. They are responsible for setting up the boxes and getting them operational. Get them to do this for free, as they are getting paid a big percentage of the product sale. Make it clear that if the product doesn't solve the problem, the product and the VAR won't be chosen.
5. Negotiate and pull the trigger. Given that most SMBs are dealing with fairly mature offerings, both solutions will probably fit the bill. If so, then tell the vendors it's all about price now and that their initial pricing was way too high. "Way" is a relative term. If you are buying a product for $699, there won't be a lot of room. If it's $9,995, then there will be room. You'll see which one wants the deal more because they'll come in with the best price. Do another round of negotiating to make sure you aren't leaving any money on the table, and then pull the trigger and move on.

This is not brain surgery, but by controlling the procurement process you'll save money and reduce your own stress. You'll have VARs competing for your business and you'll be treated with the respect you deserve.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman@securityincite.com.

This tip originally appeared on SearchSMB.com.

Rate this Tip To rate tips, you must be a member of SearchSAP.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Top 10 SAP tips of 2007 Privacy and your offshore operations Managed security services: What's right for you? Nmap Technical Guide Data management podcast briefing: Trends in data governance, with Gwen Thomas Data destruction Effectively using vulnerability management data SAP Security Learning Guide Eliminating spam with SpamAssassin, DSPAM and ClamAV SAP authorizations SAP security Assigning roles to all users in a group On The Spot: Mario Linkies on SAP security SAP delivers Web services for GRC integration Oracle and SAP square off on application security SAP security: Special Report Security Metrics, chapter 6: 'Visualization' Podcast: SOA and Web services security for SAP and Oracle What is the process for resetting a DDIC password? Blocking a material type in Transaction MM01 SAP security What You Can Do Managed security services: What's right for you? Nmap Technical Guide Systems management checklist: Software upgrades Dealing with backup server instability Mobile policies: Secure your corporate data with acceptable use policies RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.