Security's Everyman

Wednesday, December 17, 2008

Let the throw down begin!

Today Alan Shimel took me out to the wood shed and spanked me! So all in the spirit of good fun we're gonna go toe to toe and work this out.

My job here is to manage the security program. Part of my responsibilities is to evaluate products and make recommendations based upon the defined requirements and the ability of a product to meet those requirements. My CIO's job is to manage the entire IT organization and make sure that what we do matches up with the business requirements of the company. He does not evaluate and recommend products. If a salesperson goes to him, he sends them to the appropriate department to talk to the SME.

Alan asks "But also who dropped dead and made Andy the single point of contact?"
Andy answers "My CIO made me that point of contact (although he is still living). At least until we are ready to move forward and his input is required. That does make me a gatekeeper of sorts but only because that's how we do things here."

Alan asks "Is Andy not only making the technical decisions but the business and financial ones as well?"
Andy answers "No, I'm not making the business and financial decisions but I do have significant input into the role of security in the business. That is what Security Managers do. They are given information regarding business needs, goals and requirements and they make decisions and recommendations based upon them."

Alan asks "Is Andy the person signing the checks?"
Andy answers "Again, No. I do work within a budget and also part of my job is to ensure that we are spending our budget dollars wisely. So, that's kinda like saying what checks get signed."

Alan says "Here is what I have preached to sales people for years. It is imperative that they multi-thread into an account. Knowing the Andy's of the world is not enough to get the deal done. A good sales person should have relationships with people up and down the organization, including the ability to pick up the phone and speak to the CIO (especially if it is not some Fortune 100 type company). Does Andy really relish his role as the gatekeeper? Is it an ego thing?"
Andy replies "I understand Alan's point about having multiple levels of contact within a company because there are lots of people out there who will give you the run around instead of being honest and telling you the truth. Especially people in technology because many of them are just not good with people. I think that if you are getting the run around then going up the ladder is a fine plan, but if you have been given multiple valid reasons why this is not the time to move forward and you still try to push forward then you have issues. If I was in sales and really needed to make a sale I surely wouldn't waste my time trying to sell to a company that has (I'll say it once again) already given multiple valid reasons why this is not the time to move forward. I'd focus on a sale that I had a chance to make. Not to mention that having relationships also means that you maintain them at ALL levels. Do you really think that you are gaining anything by pushing when you have been told to wait? Is it beneficial to damage a relationship to make one sale? The security community is a small and often tight group of people. I'm amazed that almost everywhere I go I run into someone that knows someone else that I know. You may make a sale here while damaging a relationship but what about the next time we cross paths? The chances are VERY good that it will happen."

Here's a little story that recently happened to me. I was at a conference and was introduced to someone by a friend. That person happened to work for a company in Atlanta and we exchanged cards. After the conference I was contacted by that person to talk about their product. I met her for lunch along with 2 others from the company. All 3 of them had worked together along with the friend who introduced us. We're sitting in a restaurant and one of them says "Does anyone know where so and so works now?" I said "Yeah, she's my vendor x rep". She had also worked with them. Then a few days later I get an email from another vendor rep who said "You remember the rep that I wanted to introduce you to from Vendor Y? Well, he told me that his wife had lunch with you the other day." She was the one from the first company. It's a small, small security world.

Alan says: "This salesperson was doing her job. She was not getting anywhere with Andy to her satisfaction and was multi-threading into the account. She could have been more up front with Andy about it, but my feeling is that anytime a security admin or manager "forbids" you from talking to other people in the organization they are overstepping their bounds and sending a message that this is not yet at the level of a real opportunity."
Andy replies: "Alan may have been reading another blog here because I can't find anywhere in there where I "forbid" her from anything. Maybe he's just drawing a conclusion. Kinda like the sales person concluded that I was only putting her off because I didn't want to bother with her or be honest with her. I also question his definition of what her job is. Her job is to sell product. That means that she finds potential clients (me), finds out what my needs are, determines what her product can do to meet those needs and convinces me that her solution is the best one for my needs. Her job is not to try and make a sale to someone whose job is not to manage security for the company. You don't go to the CMO to sell accounting software. If this were a small company where the CIO has more input in these decisions it would be different."

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spent a lot of money that wasn't necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn't do as expected or doesn't meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a "real" decision could be made.

One last thing and then I'll stop.
Alan said: "I really think it is more about Andy's ego than any real threat."
Andy replies: I can assure you that my ego was the least of the things that were hurt. At least from a "who does he think he is?" perspective. I must admit that it was a little bruised because by going "over my head" she basically said "I know that Andy has already spent lots of time and effort telling me all of the reasons why this wouldn't happen this year but I think he is lying to me so I'm going to go to the CIO and try to sell him my product." Maybe I'm overreacting a little here but I did tell her why I wanted her to wait and she still thought I was giving her the run around.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.