Security buying in five easy steps

More on security buying Authentication points: SMB Buying Decisions Security VARs -- Buyer beware System management essentials

My "Buying Security Products" process (available on my Web site) has been well received by midsized to large enterprises, but it's a detailed eight-step process that will get you the best price for the products you need to buy.

But for many SMBs, it's overkill. You don't need to know all the answers. You don't have the time to do a very detailed product evaluation on multiple vendors. And ultimately you are just trying to get the project taken care of so you can move onto the next task.

So I've gutted the big process and created an easy buying process for SMBs that will dramatically improve how you interact with your vendors, reduce your stress level and help you make better decisions.

1. Document the problem. What are you trying to do? Why? The first step is to write down what your goals are. Keep in mind you are not selecting products or even categories here. It could be something like "provide secure access to mobile personnel" or "reduce the amount of spam coming into my network." These should be generic statements that don't presuppose an answer. That's the value-added reseller's (VAR) job.

2. Decide your budget. Make sure you have both executive sponsorship and a pile of money set aside for the project. You'll be wasting your time and that of others if you don't do this. Keep the budget number to yourself.

3. Bring in two to three VARs. You should have at least two VARs with whom you have done business. Bring them in and tell them about your problem. If they don't already know, tell them about your network and existing security environment. Then tell them to leave and not to come back until they can solve the problem in the most cost-effective way. DO NOT TELL THEM YOUR BUDGET. But make it clear that you aren't trying to break the bank or re-architect your entire network.

4. Short-list vendors and evaluate products. When the VARs come back, you'll probably have two to three options. Make sure the price is in the ballpark. If not, then make them go back to the drawing board. If so, tell the VARs you want to do a live test on two offerings. They are responsible for setting up the boxes and getting them operational. Get them to do this for free, as they are getting paid a big percentage of the product sale. Make it clear that if the product doesn't solve the problem, the product and the VAR won't be chosen.

5. Negotiate and pull the trigger. Given that most SMBs are dealing with fairly mature offerings, both solutions will probably fit the bill. If so, then tell the vendors it's all about price now and that their initial pricing was way too high. "Way" is a relative term. If you are buying a product for $699, there won't be a lot of room. If it's $9,995, then there will be room. You'll see which one wants the deal more because they'll come in with the best price. Do another round of negotiating to make sure you aren't leaving any money on the table, and then pull the trigger and move on.

This is not brain surgery, but by controlling the procurement process you'll save money and reduce your own stress. You'll have VARs competing for your business and you'll be treated with the respect you deserve.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at mike.rothman@securityincite.com.