Context
The CLIENT partnered with WIM Security to build their information security program and satisfy related regulatory requirements. The project consisted of an initial holistic business security and risk assessment, followed by a continuous vCISO service.
Before hiring us, our CLIENT had contracted with a vendor providing security-related software. Their commitment was around $350000 over 3 years. We discovered that the vendor's sales representatives had taken advantage of our CLIENT and let them spend roughly 4 times more than they actually should have.
We guided them to a reasonable solution and saved them at least $200000. The client negotiated a way out of the contract under the threat of a lawsuit.
Problem #1 - No Knowledge from Experience
The key project owners and decision makers for this software integration were the VP Engineering and the CTO. At the time, they were both sure they were knowledgeable enough about information security.
The CTO had extensive experience in software development, while the VP Engineering had a respectable background in systems engineering. Definitely tech-savvy people, who over the years had turned into respected managers and leaders.
They both knew what they wanted in terms of end results.
"We just need to find an appropriate vendor, we'll share our requirements, and let the vendor prescribe their appropriate solution. That kind of approach used to work for me in the past."
Basically, they were trying to choose whom to trust. Credibility was the main factor in their decision-making process, and that was their mistake. Additionally, we are all subject to cognitive biases. In this case, the overconfidence bias led these two brilliant executives into a trap.
Problem #2 - Unethical sales representatives
According to the contract, there was a 3-year commitment, with the cost in the first year set to $118000. Even without an increase in the number of licenses (which would certainly happen), that's at least $354000 over 3 years.
We discovered the issue during our holistic security assessment for the CLIENT. A quick investigation led us to understand that the vendor's sales representatives had taken advantage of our CLIENT.
They sold them at least $354000 worth of products, when a 4 times smaller investment would have done everything the CLIENT really needed.
Solution
The way we usually start our engagement with new clients is by performing a holistic security assessment of the entire organization.
In this case, on the 3rd day of our assessment, we discovered the recent spend on one vendor which, based on our experience, was considerably higher than expected.
We raised this question in the interview with the VP Engineering, trying to learn more about the software and the purchasing process. That led us to an interview with the CTO. After some quick research, we understood that the CLIENT was paying about 4 times more than they actually should have.
We guided them to a reasonable solution and helped them save at least 200K EUR over the following 2 years. The CLIENT managed to negotiate a way out of the contract. It wasn't an easy task, they even had to issue a threat of a lawsuit, but in the end they succeeded.
As for our security assessment, we continued our work and successfully achieved all established objectives in a short time frame. The cooperation with the CLIENT continued for 12 more months, with vCISO as the primary service used.
Lessons learned
If you don't have competent and experienced people to help you make important decisions, you should not trust your gut. Instead, you should look for a trusted advisor in the relevant field.
No matter how knowledgeable and experienced you might be, we are all heavily influenced by cognitive biases, which shape our decisions. At WIM Security, we have a very sophisticated process which helps us detect and avoid cognitive biases.
In this case, the VP Engineering and the CTO were under the influence of the overconfidence bias, also known as the "mother of all biases".
Just because they were tech-savvy, they thought they could make good decisions related to cybersecurity all by themselves. They paid the price; luckily, a small one in this case.