Recently there has been massive upheaval in the IT Asset Management industry. Executives of one company were sentenced to prison for illegal exports of e-waste. Another very large company, Arrow, left the industry completely just days ago. After going on an acquisitions frenzy in 2014, in which they consolidated about a half dozen of the nation’s largest ITAM vendors, they decided to get out of the ITAM business, leaving hundreds of companies without a service provider. To say that organizations are scrambling to find new qualified vendors is an understatement.
Many have criticized former Arrow clients for having one vendor, thereby having a single point of failure. They posit that if these companies had used a multi-vendor approach, they wouldn’t be scrambling to find a new vendor under so much pressure and duress. They have also criticized Gartner for recommending a sole source vendor as best practice in the first place. While I believe there are clients for whom multiple vendors make sense, I also don’t subscribe to a one-size-fits-all approach to ITAM vendor selection.
One issue that deserves continued respectful debate is the idea of sole source vs. multi-vendor solutions. For global companies, the multi-vendor approach makes good business sense. It also makes good sense from a regulatory perspective, as data protection regulations abroad require specialized expertise. For the U.S.-based mid-market companies that my company tends to service, I am opposed (generally) to multi-vendor solutions. As a business owner, it can present liability so high as not to be worth taking on the client. Let me share the story of why we fired our largest client about five years ago.
After being the sole source vendor to a healthcare client for almost 10 years, we were notified that the client would be moving to a 2-vendor system. Reclamere, because of our extensive security expertise, insurance, and certifications, would get all data-containing devices. To save money, a local “e-cycler” would get all the scrap. We immediately began asking questions such as:
- Who will determine what devices are “data containing”?
- How will the materials be kept securely segregated?
- How will the inventory of materials taken by each vendor be verified against the inventory of materials the client directed to each vendor?
- In the event of a security incident, how would the client determine which vendor was responsible?
- In the event of a security incident, how would each vendor defend itself against false claims?
The client basically told us that we didn’t have to worry about any of that because they had it all under control. At the first pickup of material after the new vendor was brought on board, our driver saw data-containing material in the pile of equipment designated as “non-data-containing” to be sent to the new vendor. Again, we were told not to worry about it and that the client was fine with the materials going to the new scrap vendor.
At this point, we requested meetings with our client to help create controls to reduce their risk and ours regarding data breaches of protected health information. To make a long story short, after repeated unsuccessful requests to meet and implement security controls, I had to make the painful and costly decision to notify the client that we would not be renewing their contract.
Assuring proper chain of custody practices, transparent documentation, sufficient insurance coverage, and robust security controls of a single vendor is time-consuming and challenging. Doing this properly with multiple vendors is something that only the largest global companies can do.
While a multi-vendor arrangement seems like a cost-effective way to handle ITAM, the problems are many. Even in this one example, there are many problems beyond the ones listed here. Many organizations have less than perfect (or no) processes and procedures for equipment disposition. Aside from piling it up in a closet or on a dock, there are no controls. In many organizations, staff who have little to no IT knowledge might segregate the materials for each vendor; however, they have no idea that certain equipment contains data.
The downfall of Arrow clearly demonstrates that there is no such thing as a “one size fits all” ITAM program, especially in the mid-size and smaller companies requiring ITAM services. It is crucial for companies that find themselves in need of a new vendor to take this time to evaluate their own procurement process. If their procurement program is solely based on the cheapest price, then it is only a matter of time before they experience a data breach or end up with another vendor leaving the market. If they decide to go the route of having multiple vendors, are the client’s own processes and procedures so bulletproof as to be able to determine which vendor is responsible when a security incident goes down?
While many ITAM service providers are hopping on the bandwagon of trying to scoop up the clients that Arrow left high and dry, as a business owner, I’d be lying if I tried to say we aren’t too. But I can say that any prospective client who wants to do a multi-vendor program with us better have a fully mature internal ITAM program of their own. Their program needs to have strict materials segregation controls and strong inventory management controls. Without those two things, I will have reservations about providing services to them.