Something I see get overlooked often in reviewing products, especially expensive security products, is support.   I’ve done hundreds of product reviews over the years and numerous benchmarking comparisons to find the best software/hardware for the job.  Early on I took for granted the type of support and the ease of access to qualified technical support staff, now it is my 2nd priority when investigating any product.  A lot of companies have descent products but fail to provide adequate support, and some companies are actually selling varying types of supports for their products so only customers that pay service premiums get quick and knowledgeable support.  It seems that support now means that you can email or call, if you’re lucky, a tier 1 or even 0 support person and they will search an internal knowledge base and provide you generic information.  Tier Zero support is basically a phone answering service, they will try and route your issue to the right department and have someone call you back, hopefully before you have lost too much business.

Now Tier 1 support, these guys are usually the ones that have a little knowledge, unfortunately that knowledge comes from searching databases and technical notes and putting you on hold while they go ask someone about the issue.  Both Tier 0 and 1 support can be very frustrating and time consuming to a customer with an issue, believe me I have spent countless hours on the phone with support people that knew less about the product than I did.  Don’t be surprised if your support calls are routed outside the country where they can also be language barriers, this is sometimes referred to as “Follow the Sun Support”.  Tier 1 supports main goal in most cases is to close the tickets as fast as possible so they can move on to the next case.

Tier 2, this is where the Tier 1 folks graduate to when they start to get an understanding of the product(s).  Don’t get me wrong, you can find some good support people at this level and they will be able to fix most common/known issues, but if they haven’t seen it before, they want to try and figure it out instead of escalating the issue.  This brings me to Tier 3 and the developers, which is where the serious issues end up, it usually takes an act of God to get to this level, which usually involves getting your Sales guy involved, because they still want to be able to try and sell you more products or at least get you to renew your (cough cough) support contracts.

To me, even more so, as I write this article and think about the countless wasted hours dealing with the lack of support from vendors, support and product functionality should be at the top of everyone’s list when reviewing products.  You really don’t want to wait to find out how support works for a product, because when you find out you really need it, it’s too late.  I have listed a few of my pet peeves below based of years of headaches and product troubleshooting so you will know what to expect.  I also included a short list of questions that everyone should ask any vendor prior to purchasing; some even have quick horror stories, if you like those.  As always, “Buyer Beware”.

A few of my pet peeves:

– Not being able to call support, this should be unacceptable for any enterprise level product.  Recently IBM-ISS did something I thought was impossible, they made their support even worse.  They added the dreaded Tier ZERO support; my first and last call to these guys was full of me trying to explain the product line to the person (In the Philippines) on the phone so they could take 30+ minutes to find out where to direct my “Business Impacting” issue.  So if you don’t want to be down for hours waiting for a phone call from support, you really should buy the Platinum support, but then make sure you include that in your up-front costing and annual costing for the product when compared to other products if the same class.

– Known issues, if I call another vendor and find out that an issue that I was having, was a “Known Issue”, but the fix was only provided to customers that noticed/experienced the issue, I will hit the roof.  If it’s a known issue, if should be in the knowledgebase and/or an email bulletin should have been sent out to the customers.

– Vendors that like to use their customers as unknowing Beta testers for their products.  I have seen this from several vendors, who will try and get you to test out special features or undocumented procedures on your production environments.  So be aware of this and make sure that you don’t accidentally end up on the bleeding edge of product testing for a vendor.

– Vendors support at various levels not wanting to escalate to the next level.  I have found that support people, regardless of the level, feel that it looks bad on them if they escalate your issue to the next level.  Don’t be afraid to ask for an issue to be escalated, give them a fair amount of time to investigate the issue, but sometimes the issue can quickly be resolved once it reaches the right level of support.

A few questions to ask prospective vendors:

–        What are the various levels of support that you offer?  Remember you get what you paid for.

–        How long has the product been around?  Don’t end up being a beta tester for a new product, no matter the number of bells and whistles.

–        Does support use the follow the Sun methodology?  Meaning, depending on the time of the call you may be routed to other countries?

–        Where is the support/call centers located?  For some government agencies this needs to be within the US.

–        What engineering and deployment support is provided?

–        Do they have a full-text searchable knowledgebase?  Is there a separate knowledgebase for internal support?

–        Where was the product developed?  One vendor I worked with, the product was developed in the Middle East and support was much better during evening hours.

–        For software that has signature based values, will you have access to what the signature is detecting and how?

–        How are upgrades handled?  Another of my favorite (cough cough) vendors, Imperva, releases upgrades to fix stability or other issues, but you cannot simply upgrade your product, you have to re-image and re-build the system or wait an additional 2-3 months to get a upgrade path.

–        Ask about SLAs and get copies so you know exactly what to expect.  If it’s not in writing, you didn’t buy it and can’t expect of demand it.

–        If you get an appliance with maintenance support, ask how that support is handled.  Some companies now out-source the hardware maintenance on their appliances and then you get the privilege of having to spend numerous hours working with some 3rd party company to get your appliance fixed.   One of my biggest frustrations of 2010 was working hard to get McAfee Vulnerability Manager Appliances, the old Foundstone devices, in place to replace an older technology.  The initial shipment had 2 appliances, one of which worked great out of the box, the second box was DOA, the problem here was that the hardware support was outsourced to Dell and they considered the delivery date of the product as the date the product was received by McAfee not the end-user/customer.  This led to 2+ weeks of trouble working with McAfee and Dell, to get the box replaced, first they send out a technician that replaced almost everything in the box, with refurbished parts no less, but left without verifying that this fixed the issue.  As a side note of how bad the outsourcing is getting, McAfee outsourced the hardware support to Dell, but Dell outsourced it to Unisys, so I was stuck dealing with 2 companies that I had done no business with and didn’t have any SLAs with.  In the end this was all resolved and the product really is great, but it did add a question to my list above.