I sat in a meeting one time and there were very senior-level people in the room from both sides: mine, the vendor side, and the client side. The discussion was about the particular security appliances, software, and services that the client needed. There were all kinds of back and forth, with my side answering questions for the client. It dragged on for about two hours. There was a lot to cover. And I can honestly say that at the end of that meeting, we were no closer to getting what the customer needed than before.
Why was that? Because no one bothered to find out what the client really wanted. What results were they trying to accomplish? Where did they want to be in six months or two years? What is their timetable? There was all of this talk about prices, speeds, feeds, technical capabilities, service agreements, and more prices. But no one ever bothered to ask the client what he wanted to accomplish.
It took a second meeting, where I was able to get the client to express his real desires and objectives. Once this happened, we could figure out the rest. Many times in client meetings I would have to force the issue, stop the client, and ask them: What are you trying to accomplish? This would completely change the tone and regain focus.
Know What Results You Want
You, as the executive of a firm, demand results, and you want to see these results from your suppliers and vendors quickly and succinctly. But this is not always what happens. Here are the five questions you should be asking every cybersecurity vendor, and which they should be able to answer:
- Will this solution make me more secure after it is implemented? How?
- What specific metrics can I use to quantify what my results will be?
- How much more secure will this solution be in 6 months, 1 year, 2 years, and 3 years?
- What will this solution accomplish, and how does it fit in with my goals?
- What will be my payoff in hard dollars vs. what I am doing now or with another vendor?
At the end of the first meeting, you should either know these pieces of information or have them on their way to you by the following day.
Knowing What You Want
It is incumbent upon you to communicate your goals to the vendor. You too must be succinct and clear about what you want to accomplish so that the vendor can get you there. You should be able to spell out exactly what you need, from the point of view of your results, right from the beginning. Five things the vendor or supplier should know from you:
- My current security posture laid out for them.
- My current security policies in black and white.
- What I want to accomplish with my security plan.
- What kind of payoff I expect to see in a particular security solution.
- How I want my security posture to look in the future.
These pieces of information will help your vendor or supplier give you what you are looking for. Putting this requirement on your vendor or supplier from the beginning will shorten the exchange radically and keep you on track to getting what you really need: a stronger security posture. The vendor is always going to follow your lead. If you start out this way, they will know how to deal with you.