As security professionals, we aren't always the best "front line" for fielding these calls. First and foremost, we're busy. Second, we're mostly technical people, and we want to talk technology without dealing with all of the high-level sales pitches. The non-technical issues need to be discussed, but what we really want to know is whether or not the product will solve our problem(s) effectively without putting too much additional load on our operational duties.
There are a few different ways to deal with security vendors to ensure that your company's best interests are being met -- and not just the salesperson's monthly quota. Being honest and up front about the problem you're trying to solve -- and your expectations of the solution -- is probably the most important step to developing a good relationship. These elements are critical in your RFP, so that you're not stuck wading through useless bids.
However, being open with security salespeople is not always easy. Personally, I've been on a few conference calls where the vendor seemed bent on pumping me for information about what vulnerability scanner, penetration testing tools, and IDS we use. It's a frustrating feeling, but in some of the cases, it led to a discussion of something I was genuinely interested in. In those situations, I had to set some ground rules about what I was willing to share.
Being up front and honest does not mean telling the vendor everything. It does mean giving them enough information about your environment so they can size the solution appropriately and suggest ways to integrate it with existing tools. Don't be afraid to say "no" to a vendor when they ask for too much information. If you're not convinced that a question is pertinent to the discussion, move on.
Similarly, be careful what you divulge. IT security is a sensitive area, and you don't always know who's on the other end of the line. For cold calls that you're interested in, take a message and call the salesperson back. Try calling the main corporate number and asking to be forwarded to the salesperson who called you. Why? You want to be sure that you're really talking to the vendor -- and not an attacker trying to social-engineer you.
Security RFPs are a different beast altogether. Crafting a solid RFP is critical to a project's success -- and often goes horribly wrong when rushed. There have been numerous articles about RFPs over the years, but the information I've found most useful in the past has been from Lenny Zeltser's "Information Security Assessment RFP Cheat Sheet."
The first step is to decide whether you even need to go through an RFP process. For some organizations, especially small ones, a less formal process might be easier. Depending on the technical expertise of the team members and their understanding of the technologies involved, the cheat sheet suggests starting with a request for information (RFI). If you go through the RFP process and don't understand the proposals that come back, you may have to do it again, or worse, you might buy into the wrong solution.
The RFP should contain the relevant information about your environment so that vendors can make an accurate proposal. Be careful about providing sensitive information here, too. It's perfectly acceptable to ask for a non-disclosure agreement with vendors before you divulge the more sensitive details. The sensitivity of your business and network can also help determine whether it's better to send your RFP to a large group of vendors or to a smaller group of handpicked vendors.
Security professionals don't always have kind words to say about vendors and salespeople, but creating a good working relationship with both can help make your life easier. Keep in mind that they have a job to do, too -- and that it's okay to say "no." Just be nice in how you say it -- you might just have to deal with that person for something your organization needs in the future.