To IT professionals, the word security generally evokes operational-type thoughts. For instance, there’s a need for physical security of the data itself. And there’s software-controlled access to the secure network. Then there’s security to control access to the organization’s order entry and financial systems and to the underlying databases. Now, with the proliferation of Web-based systems, Internet firewall security has become a growing concern. Regardless of the setting, security is a major control issue facing not only today’s IT managers, but everyone else as well.
Although the security function is staffed internally, the tools we use, for the most part, are rarely homegrown. To build the security infrastructure, IT managers go outside to license software, purchase or lease hardware, and contract for consulting services. But there’s always a contract involved – yours or the vendor’s. From a deal management perspective, contracting for security is like any other technology acquisition: You must make sure you get what you pay for.
In the rush to build a security infrastructure, don’t forget about the rights and obligations of the contract. You must take the time to do it right. Don’t get caught with contract “gotchas” that come back to haunt your organization after the deal is done. Contract problems during the relationship take time away from other activities and can cost you significant bottom-line dollars, along with some career embarrassment. And the fixes are seldom easy.
The list of ugly contracting possibilities is much longer than this column. But it’s important to focus on some of the more potentially problematic areas. Think of the following as a checklist to prevent any “gotchas” in security contracting. You can use it to level the negotiating field.
When the contract involves security software, watch for the following things:
- The license should be perpetual, irrevocable and of sufficient scope to cover your entire organization.
- The vendor should guarantee that the software will perform according to the published specifications for at least a year. If it doesn’t, the vendor should fix it at no charge. Or, if it can’t be fixed, the vendor should refund your money and “make you whole” for the expenses you incurred related to its software.
- Maintenance should include enhancements (minor improvements and bug fixes) and upgrades.
- Insist on the right to install and test the software before paying the majority of the money specified in the deal. There’s nothing like testing in your own environment to make sure you’re getting what you think you’re paying for.
When the contract involves consulting services, watch for the following things:
- Make sure the consultant is fully qualified. Check references, and interview staffers assigned to your site.
- Make sure the consultant’s responsibilities and expected results are carefully documented in the contract.
- Make your payments based on the consultant’s achievement of acceptable results, not on the passage of time.
- Provide for frequent project status meetings.
- Make sure you own all of the consultant’s deliverables.
- Make sure there’s a confidentiality agreement in place between you and the consultant.
When the contract involves hardware, watch for the following things:
- Secure the right to test the hardware in your own environment before final payment.
- Check the vendor’s warranty carefully, and understand what’s included (such as parts or labor) and for how long.
- Make sure the configuration ordered is complete. Get the vendor to warrant that it has included all the necessary components. This helps avoid unexpected charges for additional equipment.
- Get a firm delivery date, and hold the vendor accountable with remedies if it fails to deliver on time.
In short, no matter how great your hurry to plug some hole in your security plan, always remember to make sure there’s a well-thought- out contract. These guidelines will get you closer to a safe and “secure” agreement – and closer to getting what you think you’re paying for.
JOE AUER is president of International Computer Negotiations Inc. (www.dobetterdeals.com), a Winter Park, Fla., consultancy that educates users on high-tech procurement. ICN sponsors CAUCUS: The Association of High Tech Acquisition Professionals. Contact him at email@example.com.
Copyright by Computerworld, Inc., 500 Old Connecticut Path, Framingham, MA 01701. Reprinted by permission of Computerworld.