Spend Matters welcomes another guest post from Jon Winsett of NPI, a spend management consultancy focused on eliminating overspending on IT, telecom and shipping.
Information security in the enterprise has become pervasive, multi-faceted, and – for some – overwhelmingly complex to manage. In the past, IT security comprised a small cluster of solutions and processes, generally focused on application, network, and end-point protection. Today, it encompasses much more – database, storage, content, and device solutions, just to name a few.
Growing demand, the continual emergence of new players (and M&A combinations regularly changing the vendor landscape), and the commoditization of “traditional” security solutions (for example, firewalls) have added to the complexity of managing this sub-category of IT spend. Enterprises are investing more than ever in security. According to research firm Gartner, companies worldwide are expected to spend $67.2 billion in 2013 and are projected to spend $86 billion by 2016.
The potential for overspending is alarmingly high. Companies routinely overpay for all facets of IT security - and will continue to do so unless they avoid the following seven mistakes:
- Not taking a holistic view of IT supplier management. Many enterprises fail to leverage demand and security vendor relationships across the business. In an IT category that is constantly growing and changing, this forfeiture of leverage equates to higher costs.
- Entering myopic vendor agreements. In IT security, one-year deals have become all too common. This is often because the technology is new, there is a fear of commitment, or CIOs and IT purchasing groups are simply taking an “autopilot” approach to renewals. Regardless, these shortsighted contracts often take valuable discounts off the table.
- Failure to benchmark VAR pricing and value-add. Security is a VAR business; rarely do vendors sell direct. Buyers rarely benchmark VAR pricing and terms to see which VARs get/give the best discounts and which offer best professional services and support.
- Over/under-investing in support. The degree of support required for different pieces of the IT security puzzle varies. For firewalls, many enterprises require access to higher-level support resources. On the other hand, 24/7 support for multi-factor authentication and proxy cache security is rarely needed.
- Lack of competitive pressure on incumbents. Vendors like Cisco and Checkpoint have done a good job of entrenching themselves in the enterprise IT infrastructure – with little incentive to offer competitive pricing, discounts, and terms during renewals.
- Navigating new areas of IT security, like mobile device management, unguided. Most enterprises are inexperienced with policy development, platform and vendor selection, and contract negotiations within this vendor category.
- Buying the bundle. As vendors acquire and expand new security offerings, bundled IT security solutions have become common. But are companies paying for more than they need, or more than what they would pay à la carte? In some cases, yes.
The security landscape has changed. Businesses that continue to have a transactional view of security sourcing—and handle vendor negotiations and management as they always have—will be targets for overspending.