The opinions expressed herein are my own.
Vendor Standardized List of Questions
-
Who is this product for? Who is this product tailored, destined and built for/to? What is the specific use case and market segment that this product adheres to?
-
What specific problems is your solution trying to solve? What are the specific use cases that this product responds to? Will this product be adequate for a use case such as mine?
-
How many years of experience do you have in offering this solution? How do you communicate best practices of product/service and facilitate peer-to-peer knowledge sharing? How do accounts participate in product/service development and roadmap?
-
What type of sale are you performing: product/service based on subscription and/or stale-value price? How is the subscription calculated: per device, per segment, per user, etc.; is it time-based? How much does it cost (estimate) for our specific use case and account?
-
What type of contract and licensing are based on the current subscription model? To what extent can you (Vendor) provide a customized contract for our account? How do you help accounts measure and prove Return on Investment (ROI) of your technology?
-
What does that mean: can you explain all concepts that this product/service supports? Can you enumerate all acronyms and standards that this product/service follows/adheres to? Can you provide marketing datasheet values (laboratory) and internal datasheet values (estimate and based on support cases)? Are there any restrictions or caveats on the performance figures?
-
What are the proprietary features that are specific to this product/service? Are the features only related to this product/service, or are they used on other products/services from you? How often are there new releases/features of the product/service? How do you promote account adoption of new releases?
-
Are there any license-enforced hardware/software limits besides base subscription? What is the software/hardware security protection around this product/service; is it based on license? How to activate the product/service; how does the activation process works?
-
Are there any caveats about combinations of other products/services for specific use cases from our account and features that we want to leverage? What are the known limitations of the product/service? What are the unpublished and internal (reported) limitations that are about to be published or worked on, that are related to our use cases?
-
Is the product/service scalable to my use case and account? Will the product/service integrate with existing systems and can we customize it to our liking?
-
What support and guidance does the vendor provide to my business during the patching/updating process? Are patches and updates provided and installed automatically by the vendor? Am I expected to obtain and install those patches/updates? How do you notify the account when patches/updates are available or have been automatically applied?
-
Do you require remote access into the product/service to support it? Do you require remote access to be always active? What steps are taken to secure remote access?
-
What monitoring for data breaches and suspicious activities do you provide? How and when do you notify me if there is a breach? If I experience fines/penalties, do you offer support and protection? Do you provide insurance to cover data breaches related to the product/service? Do you assist with notification of the accounts in the event of a data breach when the product/service is the cause? If yes to the previous question: to what degree do you assist with notification? Cover the cost, send the notifications, provide credit monitoring for the accounts impacted?
-
If you are a privately held company, what are your company’s yearly financials and funding plans? What percentage of your annual revenue is invested in R&D for this product/service? How does your company differentiate in the market?
-
Can you provide historical and previous path of the product/service; especially, if product/service was acquired from another company? Can you showcase and explain the current feature/development/patch/support roadmap for this specific product/service? How frequent are products/services updated and are accounts informed of any changes?
-
Can you give figures of adherence by other accounts regarding this product/service? Can you explain the real-world exposure of this product/service and impact it has on your current accounts?
-
Who is your competition? What is the current market state regarding the market segment your product/service belongs to? What accolades and/or recognition does your product/service have?
-
Does your product/service include Customer Success delivery contract? How will your Customer Success team help us meet our goals? Can we obtain references and see case studies similar to our use case? Will we have a Customer Success engineer dedicated to our account? Does your team have experience with a business like ours and understand our needs?
-
Does your product/service include Technical Assistance Center support contract? What are your support hours working time (and time zone) and is the support global? How is your support department structured? If applicable, do you provide Hands & Eyes support for on-site location (if applicable)?
-
Does your product/service include Professional Services consulting contract? What are the resources allocated to our account (project/improvement)? How is your consulting department structured? How long does it take and how much does it cost to set up a proof of concept (PoC)? What are the accounts with the largest actual deployments? Can we talk to other accounts with a deployment of the same size as our use case?
-
Does your product/service have a dedicated Business Unit development team allocated to it? Does your product/service have a dedicated Service Delivery management team? Does your product/service adhere to any quality assurance: functional, non-functional, availability, scalability, security? What quality management processes do you have in place to ensure consistency of quality and meeting deadlines? What features does your product/service provide for data analysis and data metrics?
- Can you showcase and demonstrate the work relationship and work done for an example of a current account? Please answer the following questions:
- Did the account achieve their goals by acquiring/subscribing to your product/service? Do you feel that the account achieved the goals?
- What do you think it should have been different about the project and/or relationship with the account? If you could have changed one thing, what would it have been?
- How long did it take before you and the account both saw results? Did you and the account stay on the pre-stipulated schedule?
- How did you know when you succeeded at what was promised?
- Did the account understand the product/service and did you understand the account needs?
- When was there friction and disagreement between you and the account, during the use and implementation of the product/service, and how well did you handle conflict-resolution?
- What is the average response time to the account’s questions or requests?
- What was the average feedback score given by the account in regards to support, consulting and customer success? What is the type of feedback used (Net Promoter Score (NPS), Customer Satisfaction Survey (CSAT), Customer Effort Score (CES), Post-Purchase Survey (PPS), Product Development Survey (PDS), Usability Surveys (UX))? What is the type of questions posed (customer satisfaction, product use, customer demographics, future actions, multiple-choice (MCQ), open-ended, etc.)?
-
What were the other products/services the account considered from your portfolio and from the competition?
-
How good is your partner program? If an account were to partner with you, who would be their key contact within your company? How do you allow the account’s engineers/personnel to overcome the product/service skill/knowledge gap and the skill/knowledge related to the segment where the product/service is inserted in? Do you offer assistance with deployment or training for personnel?
-
How do you perform risk management in your organization? How is the product/service included in the equation? How will you protect our account and usage of product/service from risk? How will you ensure the availability, confidentiality and integrity of my systems and services connected to the product/service while testing is being performed by you? What is the availability percentage (three/four/five 9’s)?
-
Does your organization have a security program? If so, what standards and guidelines does it follow? Does your information security and privacy program cover all operations, services and systems that process sensitive data? Who is responsible for managing your information security and privacy program? What controls do you employ as part of your information security and privacy program? Please provide a link to your public information security and/or privacy policy. Are there any additional details you would like to provide about your information security and privacy program?
-
How much of the threat surface targeting the business segment and segments of the product/service is your organization aware of? How do you respond to such threats? Does your organization have security incident handling/response and/or security requests regarding the product/service?
-
How do you store the Personal Identifiable Information (PII) and Personal Card Information (PCI) of the accounts and how do you store information regarding the product/service operation? How do you ingest and process that data? Is encryption used in any stage? Is the service and/or the product able to adhere to Zero Trust Architecture (ZTA)? How does the product/service peer with SaaS/PaaS/IaaS providers?
-
Which Security Compliance certifications does your product/service have? What account industry-specific security compliance control and standard does your product/service allow the account to comply with?
-
Does the product/service have a component that requires a datacenter and remote service from your side? Do you review physical and environmental risks regarding both datacenter and equipment residing in it? Do you have procedures in place for business continuity in the event that datacenter is inaccessible? Do you have a written policy for physical security requirements for the datacenter? What data center providers do you use if any? How many data centers store sensitive data? What countries are data centers located in? Are there any additional details you would like to provide about your physical and data center security program?
- What is the policy and publication time regarding security incidents and/or vulnerabilities regarding the product/service? Do you have a bug bounty program or other way to report vulnerabilities? Do you employ external penetration testing firms and/or have internal penetration testing team to perform testing against the product/service?