When you’re looking to tackle a problem that is going to be solved outside of your organisation, the best advice I can give you is to make full use of your vendors. And by vendors, I mean anyone providing services or products, in particular when looking at cybersecurity.
Your vendors are experts in their particular fields and should, necessarily, have a much deeper understanding of both the area and their products than you will. That’s no reflection on you or your abilities – you have broader concerns than the vendor in this scenario. With that in mind, when going forward to a vendor looking for a solution, don’t propose the solution. Go forward with a clear description of the problem you are looking for the vendor, or their products, to solve for you.
The better you can describe the problem, the better the solution is likely to be and the better you’ll be able to validate that the solution does, in fact, solve the problem for you. Let your vendor do more of the heavy lifting while also letting them understand your business more deeply. This is the start of a long-term partnership and that’s where the real value lies.
Don’t fall into the habit of detailing the solution in your RFx (Request For x, where x might be Information, Proposal or Quote) documents. An RFI or RFP should never have architecture diagrams in it unless they are describing your current environment. It’s highly likely that your understanding of a vendor’s product is behind where the product currently is (and where it’s going to be on the next release). That knowledge is also probably formed from an implementation that may or may not be optimal.
Don’t get me wrong, you are an expert in your space. It’s just that your space is far broader than the vendor’s and, as such, their knowledge will have depth and nuance that you don’t have, and shouldn’t have, time for.
Show your vendors the problem and let them ask questions. There will be hard questions in there, or at least, there should be. Let the vendors propose the solution and then test that solution against your business needs to make sure it solves them. Let the vendor do the heavy lifting; then you’ll know you’ve got the best possible solution when it meets your needs.
I’ll write a separate post about requirements gathering and the pitfalls that emerge, particularly when stakeholders are engaged late in the day. Spoiler: they will produce requirements designed to derail, or at least delay, the process, and they can be hard to spot.