Comments on Jeremiah Grossman: 7 Tips to Get the Absolute Best Price from Security Vendors

Andy (2016-08-11T09:58:36.625-07:00):
Thank You

AL in Denver (2016-06-24T08:51:06.051-07:00):
GREAT article and comments! Here are some thoughts from being successful on both sides of the table:
- Margins tend to be dramatically different between services/SaaS sales & more conventional product sales.
- The other strategy that I used while I was on the Customer side was to freeze maint costs for enterprise software purchases. Specifically, maint is often quoted at 20% of purchase cost annually, but trying to establish a cap can be beneficial in larger shops (particularly after you've negotiated the maintenance down).
- Also, some VARs will operate on a cost-plus basis if they think there's enough revenue. Gartner published an excellent article & did multiple seminars about this back in the '90s (AFAIK may be publishing updates). BE CAREFUL - I've seen a vendor driven to bankruptcy w/this approach - BAD NEWS for the VAR and for the Customer.
- Sometimes the VAR has incentive to sell *their* pro-services, so it's not uncommon for VARs to decline to bundle in a particular vendor's training, pro-services, etc, and they're HIGHLY unlikely to eat that "value add" out of their margins.
- Finally, the ugliest way to lock-in the best price is a "most favored nation" clause. Not for the faint of heart, and you'd better have a FAT wallet. Here's an entertaining example from a previous life:
http://reporter.blogs.com/thresq/2010/03/directv-lawsuit-gets-hot-and-heavy-with-playboy.html
This is VERY difficult to achieve, but once it's been achieved there is literally no better guarantee that you're getting the best price.

Anonymous (2016-05-23T10:24:25.172-07:00):
Point #7 is not possible with a lot of security vendors out there. While margins may hit the numbers you talk about in this blog, don't count on getting that by going direct :). VARs are how they keep their product in the market that also provide the necessary professional services (eliminate shelf-ware) that would constrain manufacturers by trying to support their products and services direct to the end user. Be fair in your negotiations with VAR products and services as their goal is to facilitate something that you cannot do yourself. We see a lot of manipulation and competitive situations where proposals are NOT apples to apples. My advice (yes I am a VAR) is to be clear as to what your expectations and requirements are, make sure your proposal includes them all, compare quotes line for line (if not clear, ASK where that line item is!), and make your decision. Not all VARs are created equal and not all VARs care after the sale. If they don't provide professional services, what value can a VAR add other than price? Think about it.

Jeremiah Grossman (2016-05-20T08:24:50.542-07:00):
@kirschke value add, that's good man. I mean, whether you're a customer or a vendor, the relationship must be viewed as a partnership. One needs help solving a security problem, and that's the job of the other. The industry can't just be box or service pushers with no content. It's important to remind people of that from time to time. And those who do well in this space, are those who make this their mission.

Good to hear from ya!

@Anonymous maybe a way to expand upon the crowd-sourcing / bug bounty model?

@Michael. Thank you for saying so! Nope. No gift cards yet! :) And please hit me up over email if you don't mind.

Anonymous (2016-05-19T17:04:00.816-07:00):
Jeremiah,

First of all I hope you were paid for this post, LOL or at least given gift cards from businesses all across America. This is something I think most organizations across the United States could use with all vendors not just security. As a serial entrepreneur and application security executive, I think this information is extremely helpful in changing how we engage, offer, deliver, advise and support our customers / potential customers. I'd love to get you involved with our organization as a board member. Check us out at www.appcurity.com. Please give me a call when you get a minute so we can discuss in more detail my friend. Mike Sheppard 510.677.5606

Anonymous (2016-05-19T15:41:05.333-07:00):
To help control costs and get real world results, I wish there was a way to unite white hat hackers (and honest hobby hackers) with companies that understand the threat of a motivated adversary. I know many computer scientists and very talented network admins that play hours of video games during the weekend.

It would be more fun and fulfilling to come into work on Monday and tell your coworker at your boring non-infosec job that you found yet another way to access an unnamed corporation's network that you have been hired to attack. The companies could pay a talented IT pro a few hundred dollars per month to apply their Kali Linux skills using the attack pattern of a long term motivated adversary. OSCP skills are not rocket science.

BTW, if you have the time to set this idea up, I own the www.motivatedadversary.com domain.

kirschke (2016-05-19T10:51:55.145-07:00):
Jeremiah,

Great post! As someone that spent 15 years on the buy side of the table and is now sitting on the sales side, it's enlightening to see this. I remember negotiating prices down using many of the techniques you mention here, even with you :)

In my day to day work with my customers and prospects, I really strive to get a full understanding of their business, processes and vision. Having done the job that they are doing helps me with this tremendously. Any solid sales person in the VAR business should be negotiating in a transparent manner and should be informing them of these methods and working with them to make sure they get the best price/value, etc. VALUE ADD is one of the most overused & abused terms IMO and posts like yours make me want to work even harder at providing that value :)

Chris

Jeff Free (2016-05-18T13:01:13.967-07:00):
@JamesCook My thoughts exactly! Except for the laugh... because dementia is not a laughing matter. Can you imagine how hard it must have been for him? Coming to consciousness one day and finding himself at a website he's never heard of, written by a prominent contributor in infosec whose name he doesn't recall coming across in 20 years? Rough day.

@anonymous You have my sympathies. Know you're not alone.

Jeremiah Grossman (2016-05-18T10:44:57.312-07:00):
LOL. He probably works at a VAR too. ;)

James Cook (2016-05-18T10:42:47.914-07:00):
Love that @anonymous has never heard of you, yet he's reading your blog... thanks for the laugh @anonymous

Jeremiah Grossman (2016-05-17T16:01:18.736-07:00):
@Anonymous that's funny, I've been working in security for roughly the same time and probably have never heard of yours either. And if the customer has a strong relationship with their VAR as you say, maybe they can ask what their margin is. And finally, these numbers and statements have been my experience, and yours could easily be different. And granted, VAR margins can range from 2% - 30% or more, and I've personally seen examples of each. In any case, the larger point of #7 still stands.

Anonymous (2016-05-17T15:20:06.800-07:00):
Jeremiah, that is good insight with the exception of #7. I can tell you for fact that "VARs," even those that provide the most sought after value, do not get the margins you are claiming. By telling customers out there that they are paying a 30% premium goes a long way toward jeopardizing what may be a very solid relationship. What you are doing, on this specific point, is extremely irresponsible and unprofessional. I would love to hear where you are getting your information because it is false across the board. I have been in security for over 20 years, working with the same companies you mention in your bio and have never heard your name. Please, before making comments that could hurt relationships, do your homework and present factual information.

Anonymous (2016-05-17T13:05:37.785-07:00):
@joe S - you are working with the wrong VARs then. I work for a VAR and can tell you there are a lot of terrible ones out there that don't add any value. That's the CDW model to just move product without relationships or problem understanding. The best VARs are the ones that also do professional services, and leverage those resources during the sales cycle.

joe s (2016-05-17T12:53:51.544-07:00):
I've yet to have a VAR provide me any value. They've never understood security issues enough to identify gaps, and even if you told them your gaps, their only help is recommending yet another tool from the Gartner upper quadrant.

Anonymous (2016-05-17T11:26:05.491-07:00):
Posting anonymously because I happen to be in sales..

All of those are very solid recommendations. The only one I would take exception to would be "asking for roadmap items". Taking money for a product that isn't complete can create a revenue recognition problem. The vendor can take the money and ship the gear, but they can't report it as revenue until the feature is complete which isn't likely going to happen before the end of quarter.. Just need to be aware of this as it could potentially be a stumbling point when the vendor rep tries to get the business to accept the terms of the deal.

Adding to the "pitting one vendor vs another" strategy.. Please, for the love of God, make SURE that the competing solution has feature parity. I cannot tell you how many times I've heard "XYZ is half your cost.. why is that?" Well Mr/Ms Customer, the XYZ solution doesn't do 4 of the things that your engineering team listed as required features. I'm sure that XYZ is a fine product, but if you expect it to do these specific things, I suspect you'll be disappointed.