Case Study Overview
Business: CONFIDENTIAL
Industry: Marketing
Location: Germany, USA, China, Japan
Challenge: As an industry leader, this high-growth tech company could not win larger companies as clients because it could not meet their security and compliance requirements.
Solution: Build an Information Security Management System from scratch and obtain ISO 27001 certification in a short time frame.

Context

The client partnered with WIM Security to build their information security program and satisfy related regulatory requirements. The project consisted of an initial holistic business security and risk assessment, and continuous vCISO service.

Before hiring us, our client had signed a contract with a vendor of security-related software. The commitment was around $350,000 over 3 years. We discovered that the vendor's sales representatives had taken advantage of our client and led them to spend approximately 4 times more than they needed to.

We guided them to a reasonable solution and saved them at least $200,000. The client negotiated their way out of the contract, though only after threatening a lawsuit.

Problem #1 - Lack of Domain-Specific Expertise

The key project owners and decision makers for this software purchase were the VP of Engineering and the CTO. At the time, both were confident that they knew enough about information security to make the decision themselves.

The CTO had extensive experience in software development, while the VP of Engineering had a respected background in systems engineering. They were definitely tech-savvy people who, over the years, had become respected managers and leaders.

They both knew what they wanted in terms of the end results.

“We just need to find an appropriate vendor; we’ll share our requirements and let the vendor prescribe their appropriate solution. That kind of approach used to work for me in the past.”

In effect, they were choosing whom to trust rather than evaluating what they needed. Vendor credibility was their main criterion in the decision-making process, and that was their mistake: a credible vendor can still oversell. Additionally, we are all subject to cognitive biases, and in this case overconfidence bias led these two brilliant executives into a trap.

Problem #2 - Unethical sales representatives

According to the contract, there was a 3-year commitment, with the cost in the first year set at $118,000. Even without any increase in the number of licenses (which, for a growing company, would certainly happen), that is at least $354,000 over 3 years.

Note: This was software sold by a well-known vendor in the information security industry, which the client had purchased approximately 6 months before hiring WIM Security. It was software for their production IT infrastructure.

We discovered the issue during our holistic security assessment for the client. A quick investigation led us to understand that the vendor’s sales representatives had taken advantage of our client.

They sold them at least $354,000 worth of products, when an investment roughly 4 times smaller would have covered everything the client actually needed. The gap was not in the product itself but in how much of it had been sold.

Solution

We usually start an engagement with a new client by performing a holistic security assessment of the entire organization.

In this case, on the 3rd day of our assessment, we noticed the recent spending on one vendor, which, based on our experience, was significantly higher than expected for a company of that size and risk profile.

Note: What makes our assessments unique is that we don't focus solely on technical or physical security, but we also evaluate business processes, finances, people, etc.

We raised the question in our interview with the VP of Engineering to learn more about the software and the purchase process. That led us to an interview with the CTO. After some quick research, we understood that the client was paying about 4 times more than they actually needed to.

We guided them to a reasonable solution and helped them save at least $200,000 over the following 2 years. The client managed to negotiate their way out of the contract. It was not an easy task; they even had to threaten a lawsuit, but in the end they succeeded.

As for the security assessment itself, we continued our work and achieved all of the established objectives in a short time frame. The cooperation with the client continued for 12 more months, with vCISO as our primary service.

Lessons learned

If you do not have competent and experienced people to help you make important decisions, do not trust your gut. Instead, look for a trusted advisor in the relevant field, and treat vendor recommendations as input to be validated against your own requirements, not as the requirements themselves.

No matter how knowledgeable and experienced you might be, we are all heavily influenced by cognitive biases that affect our decisions. At WIM Security, we have a very sophisticated process that helps us detect and avoid cognitive biases.

In this case, the VP of Engineering and the CTO were under the influence of overconfidence bias, also known as the “mother of all biases.”

Because they were tech-savvy, they believed they could make good cybersecurity decisions entirely on their own. They paid the price; luckily, a small one in this case.