Security for All Sizes: How Big Are Your Vendors?

There are some amazing ideas out there in vendorland, but not all ideas are backed by the same kinds of companies. This impacts how those ideas, those vendor products, will fare in your environment.

Of course, I’m going to sort vendors into three size categories: small, medium, and large. How they intersect with customers that are small, medium, and large will also come into play. Here goes!

Small vendor, small customer: Small customers tend to also mean “small budgets”, so they’ll go with a small vendor if it looks like it can *almost* deliver the performance of a more expensive product from a bigger vendor. If it can match the big guy or beat it, even better. Price is king in the initial purchase decision. After that, there’s a good chance that the small company gets some excellent tech support – it’s likely that the entire development team is also taking turns fielding support calls. Now, there may be features that never get implemented and the product may never stretch to cover additional areas or integrate with other products, but in a best case, it’ll be a stout little mountain pony that gets the job done.

Small vendor, medium customer: Maybe someone heard good things about the small vendor and wanted to try it out in a bigger environment. Here, there’s an expectation that it will play well with other apps and systems. While the small customer may have re-done some things about its environment to accommodate its budget-friendly solution, the medium-sized customer will not have that much flexibility, as it’s likely other systems are dependent upon things staying exactly as they are for them to function. If that vendor’s product can’t fit into the bigger environment, it’s out. There’s also the consideration of scalability. Is there a management dashboard for the product? Does it integrate with syslog? What are the upper limits of the vendor’s software and/or hardware? How many widgets are needed to make all this work, and will all those widgets work with each other?

Small vendor, large customer: Is this vendor on the list of approved vendors? If not, will it still be around after that process is completed? For the large customer, the vendor has to be something that looks to be capable of being around for the long run. Large customers don’t like having to buy a different solution in the middle of a system lifecycle because the vendor went out of business. Can the vendor provide follow-the-sun coverage? Can the vendor produce features that are required for specific customer environments? How big is that dev team, anyway? The product may be amazing and best in its class, but if it can’t scale its internal resources to meet the demands of the large customer, it’s not even a consideration as they choose products.

Medium vendor, small customer: This vendor may still be budget-friendly, but it’s unlikely that any special requests from the small company are going to be incorporated by the vendor unless other companies are asking for them. It’s also likely that the small company may have enough for the initial purchase, but might decide to not renew support until there’s a major outage – meaning that small company may be using an unpatched version of that gear because it is forced to accept the risk due to budget concerns.

Medium vendor, medium customer: The vendor is no longer small, but an up-and-coming firm that’s maybe ready for prime time. If so, maybe it “dropped its pants” in purchase negotiations in order to break into a larger tier of customers. Your firm, possibly with a handful of other firms, is commanding all the attention of this vendor – until it can land a larger customer. The good news is that it may very well answer all your questions about integration and interoperability. The bad news is that it may possibly be peaking out at this point and won’t be able to mature its product properly to keep up with your business.

Medium vendor, large customer: This can happen from time to time… and it’s usually to get leverage on a larger vendor during contract renewal negotiations. If it performs well enough to not only beat the big guys at their own game, but also well enough to justify a purchasing decision that can ruin the discounts the firm may be getting on other gear from that bigger vendor, then it’s a keeper. If that happens, the medium vendor may be poised to get a lot bigger, but it will also be pounded with requests from that large customer to develop features that take it beyond being a cool tool and into becoming an enterprise solution. This might break the medium vendor if it can’t keep up with the demands from its biggest customer – as those demands may well mean leaving behind the founders of the company and their culture.

Large vendor, small customer: What I said for the medium vendor/small customer applies here as well, with even more emphasis on the small customer’s lack of voice and likelihood of coasting along with unpatched gear. The big vendor always has a bigger customer, and that’s the one that’s going to dictate how development team hours are allocated.

Large vendor, medium customer: Nobody ever got fired for buying the large vendor, but they do cost a lot for support, don’t they? Is this where, in order to have the features and power of the large vendor’s gear, the medium company has to contemplate outsourcing in order to keep a handle on costs? It doesn’t matter if it was a small company that got big or a big company that stayed big – the costs will increase. At the same time, your firm may as well be a small firm as regards its ability to leverage new features. So, yes, it does everything you might need it to do now, but that may well be that.

Large vendor, large customer: Here’s where the large vendor meets its match in terms of demands for scalability and support and new features. The challenge to the large vendor is whether or not it’s able to move quickly enough to deliver to those demands. It’s a large firm, itself, and can’t move as quickly as it used to do. It’s also got so many customers that it’s inevitable that when it releases a new feature, it’s bound to break something, somewhere. Maybe that medium-sized vendor can deliver a solution that won’t break things for its largest customer, but there are no sure things if your firm is one of a vendor’s largest customers. Test carefully and upgrader beware…

So, just as most of you suspected, those great little apps you see in the tiny booths on the fringes of the security conferences may stay in those tiny booths or eventually vanish. It breaks my heart, but I’ve even seen some firms that had medium-sized booths fade from the scene. They might keep a small and dedicated group of customers, but they’re also victims of how those customers themselves might fade away. Once a company can rise above the churn of the violent waters where small and medium-sized companies swim, it risks becoming a dinosaur that can’t adapt itself to changing long-term trends. Just let someone who did IT 20+ years ago get to talking about Banyan VINES, OS/2, Sun Microsystems, Digital, and Novell, and you’ll realize that no firm is so big that it can’t crumble away.

At least with the bigger companies, you have a better shot at getting a complete product lifecycle before they totally fade from the scene…
