OPINION
Avoiding Internal and External IT Scams

The topic of IT scams, both those done to IT folks and those done by IT folks, has come up several times in conversations over the last month. Since internal audit organizations are receiving massive increases in funding, staffing and provisioning, I thought it would be good to review some of the more interesting IT scams so that you too will know some of the things that likely will be found in a large number of firms.

For example, a few years ago I met with a CIO of a multinational firm who was incredibly angry at Microsoft (Nasdaq: MSFT). He had been asked to come to Microsoft as the company's guest. After meeting with the Microsoft executives, he was taken to the Microsoft store and allowed to buy up to a preset amount of Microsoft products at employee discount.

This CIO, coming from a massive multinational firm, felt that he should have been treated by Microsoft as the other enterprise vendors treat him, flying him around in corporate jets, putting him up in the best hotels, wining and dining him at the best restaurants, taking him to private boxes at major sporting events, and generally providing a nice "gift" to compensate him for his time. That was the way he expected to be treated, so he was incensed that Microsoft did not afford him the same level of "courtesy."

The "gift" tactic, I learned later, can reach amazing levels. In a story told to me a couple of weeks ago, a CIO who was a moderate golfer was invited to a major golf event by a large vendor. At the end of the event, he drove home in the brand new Mercedes Benz he had "won." The company he worked for had very strict gift rules, but evidently these rules did not apply to contests. Even so, the repercussions among the CIO's staff were clear: The CIO's staff knew he hadn't actually "won" anything.

Giving the Vendor the Business

So with all of the rules out there, how does a company get around those rules to favor a generous vendor with business? A few years ago, I watched an analyst on a massive database bid translate a government account's needs into a benchmark that would, independently, identify the best vendor for the job. This kind of analysis is often a requirement in large companies and in governments that need to show that objective, independent analysis occurs prior to letting the bid go to the winning vendor. But it can be a real problem if, by the time it comes to analysis, you've already decided which vendor you want to win the bid. Clearly, that was the problem in this case.

After the analyst completed a great deal of work, a recommended winner was picked -- the first of three vendors -- and the government shop was not happy. The government -- not the U.S. government, incidentally -- indicated that the weightings must have been wrong and asked that the analysis be redone. We did redo the analysis and, surprise, the second of the three vendors was now the preferred supplier. The government account was still upset and told us that this was not what they wanted at all, and candidly said that what they wanted was vendor number three to win. We then had to start with that vendor and back through the process so we could show how we "objectively" got to the result they wanted.

I was very pleased that I was just observing this fiasco instead of participating in it. I was convinced that if it was ever found out how the analysis was done, somebody was going to spend some quality time staying at a government facility. Of course, the most common approach to this sort of scam is to "sole source," which means that you claim that only the vendor you want has the solution you need. But that tactic has a history of backfiring, so I wouldn't recommend it.

Vendors Giving You 'The Business'

Vendors clearly have ethical issues as well. One is quality. I've been trained as both an ISO quality and Baldrige Award auditor. For a company that wants to get the ISO quality certification or win the Baldrige Award, the common practice is to create a second set of "books." These documents, which are very detailed, showcase an impressive quality process and exist on every manager's desk during the audit process. The managers are expected to be able to explain just how these processes and policies are used every day. The only problem is that these processes aren't actually used at all. The entire effort is done simply to pass the test.

If you wonder why a vendor who is either certified as having high quality or actually wins a quality award is still sending you poor-quality products, this scam tactic might be the reason.

In recent years, I remember a very large vendor's CEO being asked if his company actually used his current set of products. His response: "No." He had a choice. He either could deploy his products internally or provide them to his clients, and he didn't have the bandwidth to do both. To me, this made little sense because the deployment teams and the development teams were in different groups, much like they would be in any company, so there should have been no either-or argument.

The rationale was that the IT department was required to justify any expense, including the deployment of new products that the company itself developed. I knew, from experience, that even at cost the firm's own products could not be justified in this way, and I thought that the more likely reason the CEO chose not to use his own products internally. I've often wondered that if a company can't justify the use of their own products, even at cost, then how can it possibly argue the financial benefits of those products to prospective and existing clients?

I've since concluded that any vendor tour should include a look at what the vendor has deployed itself. If the product I'm interested in is not deployed internally, then it is likely better that I pass on it too.

Services Vendors Looking for Money

I ran into something the other day with Linux that I've seen happen with client-server computing and Microsoft platform products. This scenario happens where the services vendor comes in, provides a low-ball price to outsource, and then, at the end of the year, you find you actually have expended more funds than when you were staffed internally.

In the most recent example that I've seen of this scam, the services vendor comes in and, within a few days, establishes that the existing suppliers -- in this case, Microsoft and Dell -- are not responsive to a critical problem. The new vendor then attempts to justify a massive unplanned desktop migration to Linux and succeeds in getting the account and turning it into a very lucrative annuity.

The company that employed this tactic poisoned the relationships between the client and the prior providers to a degree that I had not seen before. But by manipulating the players, the firm was able to convince the client company that they had no choice but to migrate to Linux. It was an amazing display of creativity, and just goes to show that in any negotiation you want to make sure the negotiator's interests and yours are the same. In this case, it was in the best interest of the services vendor that things go south, and it shouldn't be a surprise that this was the result.

So what should you take away from this? If you are taking inappropriate gifts, people will resent them and will share stories like the ones I've shared here. Demanding royal treatment from any vendor could backfire on you. If you want to stack the deck in favor of any one vendor, just remember how many careers have ended quickly by doing this. Make sure your vendor internally holds its own products in high regard and, where appropriate, deploys current versions. Also, never have someone negotiate on your behalf unless you're certain that there isn't a conflict of interest.

Until next week, remember things tend to end better if you think first and then act.