Axioms For Your Next Vendor Fair Experience

Vendor swag. After parties. Badge scans and contact information harvesting. If you're a serious buyer (or influencer) at an IT or cybersecurity conference, you'll want to think about your vendor fair strategy.


In IT and cybersecurity we have almost as many trade shows as there are hotel rooms in Las Vegas. Our trade shows are industries of their own, with their own ecosystems and economies. Be they local, regional, national, international, or galactic, nearly each one is guaranteed to offer a vendor fair as part of the proceedings.

The vendor fairs are unique beasts of their own as well. Each vendor works hard to attract their target buyers to their booth with some combination of inviting booth design, compelling demos, "invitation only" parties, and swag. Mountains of swag.

But not every vendor is created equal. To paraphrase some guy named Orwell, some of the vendors are more equal than the others. I've been both a buyer and a seller at a variety of these events, and I think you'll have a different view of them if you keep a few ideas in mind as you attend vendor fairs.

Features Masquerade As Products, and Products Pretend to be Solutions

The bigger the event the more likely you are to see companies that are really there to position themselves for a sale (whether they know it or admit it). Many vendors are really just selling a feature, not even a fully realized product. Many products are being sold as solutions, even though they can't solve an IT or cybersecurity problem on their own.

This isn't to say features aren't valuable. If we use the analogy of a pocket multi-tool, there are always some features on that tool that are fantastic: a knife blade, pliers, screwdriver, bottle opener and others. Just as often there are other features that just don't work well - corkscrews, saw blades, and levels come to mind. But if you're purchasing just a singular feature, like the bottle opener - is that really going to provide you value? Is that going to be something you keep in your pocket at all times? Or is it just going to eventually get tossed in the trash because, while you occasionally need a bottle opener, it is just too much to carry around with your wallet, keys, and phone?

Our Perception of Features vs. Products Matures Over Time

About 25 years ago Microsoft sold their word processor primarily as a stand-alone purchase. These days the lion's share of all Microsoft Word purchases come as part of an entire office software suite. (I had to look it up; it seems they do still sell the stand-alone SKU.) Similarly, we've seen the market for "point and shoot" digital cameras go to almost zero as our cell phones continue to include better and better cameras as built-in features - they've even supplanted the venerable home video camera (rest in peace, VHS-C). But if we look at Generative AI as it exists today, how long do you think it will be before Microsoft offers Copilot as a feature of their base offerings instead of an add-on SKU? How long before these extremely interesting and effective ransomware decryption companies are purchased by the top five EDR providers and made part of their suites?

As a buyer of these solutions, you need to recognize and separate features from products from solutions and keep your wits about you as you investigate these vendors. Not recognizing that you're purchasing a "feature" is the number one cause of tools becoming "shelfware."

There Is a "People Cost" to Every Product

A mistake I see many IT and security buyers make is that they somehow assume these products "run themselves." I'd estimate that this mistake is the number two cause of "shelfware" purchases. What are the demands on your employees to get value from these products? How much time do they need to dedicate to training? How much time and effort to get it set up in the first place? How much custom documentation needs to be created for all the configuration choices? How many hours per day or week do they need to "pay attention" to it?

In my experience there is no such thing as a product (software or hardware) that runs completely autonomously. Sure, there are systems that run pretty much by themselves for a good long time - things like water heaters - but even those require at least annual maintenance and checkups. I've yet to see a piece of software that can boast so little need for administration or engineering support.

Products Aren't Solutions Until People Are Applied

This is the axiom I wish every IT and cybersecurity buyer had tattooed somewhere so they will see it daily. Every vendor at the vendor fair will claim that their hardware and/or software is a "solution." Ignoring that it may only be a feature and not even a product, there are a vanishingly small number of IT and cybersecurity vendors selling people-included solutions. These are usually grouped into categories such as MSP and MSSP. I'd even argue that most of the *aaS offerings are really <blank> as a Product. After all, do you get someone who configures all your systems from your Platform as a Service provider? How about your Infrastructure as a Service provider? Nope, you're left to administer and monitor those yourself, aren't you? There's no AI replacing your people doing that work, is there?

If you recognize that most of what is on the show floor is either a feature or a product, you can begin to ask yourself some critical questions:

  • Will this vendor's offering be just a feature by the time my first renewal rolls around? Crystal balls are very hard to keep working in my experience, and this question certainly requires one for an answer. Are you buying the next PKI feature, or are you buying the best hardware key product available? This is why you pay the fortune tellers at the analysis firms in my book.
  • Will I ever be able to staff that product well enough to see consistent value? This is the "Erector vs. Lego" question. If you don't have the expertise for building with Erector, then perhaps you need to stick with Lego, even though you can only build the stuff pictured on the front of the box.
  • If I'm going to need a solution provider to help me manage the product, should I let my solution provider choose the tech stack themselves? This question separates the technologists from the strategists. Every time. I will argue every time that if a service provider can provide you the outcomes you need from a solution, you're better off letting them bring the tech stack to provide those outcomes with. Service providers who offer to use any and every vendor's products for a given technology type - say, an EDR technology - are compromising their own ability to support you well. So you can either choose a technology and then choose a service provider from a smaller subset of possible providers, or you can simply choose a service provider who will bring the right tools for the job.

If these questions sound like compromises to you, you're right. Welcome to how we've built our industry today - rewarding those who create novel software or hardware while punishing the people who have to actually make all of that work in a singular secure environment. Looking at these vendors through this lens may take some of the rosy tinge off of their pitches, but it will help you make stronger buying decisions for your organization, and isn't that why you're attending the vendor fair in the first place?


Particular companies and brands were mentioned in this blog. I have no financial relationship with any of them, and merely mentioning them should not be construed as endorsing them or their products. Please, make your own decisions based on your own needs and research.