Langford, to a point, agrees, adding that there must be a more open relationship between both parties. “Up-front consultancy and honesty is key; a vendor who tells me that their solution won’t work until I have fixed my own internal issues is going to get my money and more importantly my trust in the long term over one that is simply pushing me to sign on the dotted line. Always build a relationship with a vendor first. Get to know them and allow them to get to know you. See what else they are doing with other clients, and speak to them. How are they selling to you? Are they simply pushing to make the numbers or do they actually want to partner with you over the long haul and help you fix your problems?”
Malik says it ultimately comes down to full-featured, fully functioning products that integrate with legacy equipment quickly and easily. “The final aspect is communication, finding out what the customer likes about the product, what can be improved, and taking that feedback on board.”
CISOs must sweat the assets
Shelfware is not inevitable, and it can be reduced or even eliminated by some proactive and surprisingly simple first steps.
Infosec professionals believe it comes down to a more controlled acquisition process, sweating the products you already have -- and getting the basics right before acquiring new solutions. “First, leverage the products that have the broadest of capabilities, something that can give breadth of coverage,” says Malik. “This will help get a lay of the land and understand the challenging areas which can then be focussed on more specifically. Don’t try to boil the ocean, but start from critical assets. Finally, the best way is to experiment with the product and network with peers to see how they have deployed capabilities. Security doesn’t need to be a complex offering -- often it boils down to doing the basics well and consistently.”
Langford says: “Focus on process, and people first. These two things can get you a long way towards your goals, sometimes far enough to not require further investment. Only when you understand your prices, how your organisation and people operate, and where you need technology support should that investment be made.”
Malik, finally, adds that CISOs and other IT decision makers should question why a purchase is made, obtain stakeholder support early and develop a 30/60/90 plan, as well as have a deployment plan “fully fleshed out prior to purchasing.” He stresses, too, the importance of decommissioning old technology, verifying product capabilities and research.