Security

CRM solutions don't often include IT details, but they should


Even though IT is integral to implementing any full-scale Customer Relationship Management (CRM) solution, the IT departments of the two companies involved (vendor and customer) rarely have anything resembling a synergistic relationship. The reason, of course, is that IT is most often not the customer; we act more as a conduit for business solutions. But by taking a closer look at how our vendor relationships are managed, we can find areas where process improvement is possible.

I was at a hospital last week assisting a vendor with a new system installation when the topic of server patch management came up. Because patch management is an area of focus for our company, we prefer to deploy critical OS security updates within a short timeframe of their official release. This isn't a topic we typically debate with our software vendors: we just do it in the name of security and work through any unintended consequences afterward. It's amazing how quickly company processes change after the network is brought down by something like the SQL Slammer worm.

But the sensitivity of the medical system being installed in this case meant that consulting the vendor about OS patches was the smart thing to do. As it turned out, the vendor was very particular about which Microsoft patches could be installed. The vendor tests each released patch thoroughly and, once it passes, places it on the approved list. Here is the rub: we have to contact them for each patch to find out whether it is approved. How impractical is that, and how can the process be improved?

The vendor's process for patch deployment places the onus on the customer but keeps the vendor in control of which patches it will support. A vendor-maintained, centralized patch management solution such as Microsoft's WSUS would be my first preference. The vendor would publish each approved security patch on a management server and then "push" it to customer servers over a VPN or SSL connection, always at a time documented as outside the customer's business hours. The only servers managed this way would be those specifically maintained by the vendor. If such an elaborate system is not feasible, then at the very least the vendor should shoulder the responsibility of emailing the list of approved patches to a designated customer email address.
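Whichever delivery mechanism the vendor uses, the customer still needs a way to see where a vendor-maintained server stands against the vendor's approved list without phoning the vendor for every patch. The script below is an added example (not code from the original post or from any vendor) that reconciles a server's installed hotfixes against a vendor-published approved/rejected list. The list format, the KB numbers and the installed-patch sample are all constructed placeholders; on a real Windows server the installed list would come from `Get-HotFix` output rather than the inline sample. It reports three drift conditions: approved patches that are missing, rejected patches that were installed anyway, and installed patches the vendor has not ruled on (the ones you would actually need to ask about).

```python
"""Reconcile installed hotfixes against a vendor-approved patch list.

Added example; the vendor list format below is a constructed placeholder,
not any real vendor's publication format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a vendor-published list: "<KB> <approved|rejected> <date> [# note]".
# KB numbers are placeholders, not real Microsoft hotfix identifiers.
VENDOR_APPROVED_LIST = """
# vendor: ExampleMed (placeholder), product: ExampleSystem 4.x (placeholder)
KB000001  approved  2009-01-15
KB000002  approved  2009-02-10
KB000003  rejected  2009-02-10   # constructed note: breaks the imaging service
KB000004  approved  2009-03-05
"""

# Constructed sample of what the server reports as installed (e.g. from Get-HotFix).
INSTALLED_SAMPLE = ["KB000001", "KB000003", "KB000005"]

KB_RE = re.compile(r"^KB\d+$")


def parse_approved_list(text: str) -> Dict[str, str]:
    """Return {KB: 'approved'|'rejected'} from the vendor list.

    Malformed lines raise ValueError so a truncated or garbled list is never
    silently read as "nothing is approved" (which would hide missing patches).
    """
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        kb = parts[0].upper()
        if len(parts) < 2 or not KB_RE.match(kb) or parts[1] not in ("approved", "rejected"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        result[kb] = parts[1]
    return result


@dataclass
class Reconciliation:
    missing_approved: List[str]    # vendor approved it, server lacks it
    installed_rejected: List[str]  # vendor rejected it, server has it
    installed_unknown: List[str]   # server has it, vendor has not ruled on it

    def is_compliant(self) -> bool:
        return not (self.missing_approved or self.installed_rejected or self.installed_unknown)


def reconcile(approved: Dict[str, str], installed: List[str]) -> Reconciliation:
    """Compare the installed KB set with the vendor's rulings in both directions."""
    present = {kb.strip().upper() for kb in installed}
    missing = sorted(kb for kb, status in approved.items() if status == "approved" and kb not in present)
    rejected = sorted(kb for kb in present if approved.get(kb) == "rejected")
    unknown = sorted(kb for kb in present if kb not in approved)
    return Reconciliation(missing, rejected, unknown)


def report(rec: Reconciliation) -> str:
    """Human-readable summary suitable for a change ticket or a scheduled email."""
    lines = ["compliant" if rec.is_compliant() else "DRIFT DETECTED"]
    for label, kbs in (
        ("missing approved patches", rec.missing_approved),
        ("installed but vendor-rejected", rec.installed_rejected),
        ("installed, no vendor ruling yet", rec.installed_unknown),
    ):
        lines.append(f"  {label}: {', '.join(kbs) if kbs else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    rulings = parse_approved_list(VENDOR_APPROVED_LIST)
    print(report(reconcile(rulings, INSTALLED_SAMPLE)))
```

Run against the constructed sample, the report shows KB000002 and KB000004 missing, KB000003 installed despite being rejected, and KB000005 awaiting a vendor ruling. The "unknown" bucket is the useful one for the process described above: it turns "call the vendor about every patch" into "call the vendor about these specific patches", and it shrinks to nothing once the vendor publishes rulings promptly.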

The situation above involved a seller and a customer, but the focus was never on interaction with the customer's IT department. The focus was on the relationship with the department receiving the medical computer system and with the hospital as an entity. This is how most implementations are carried out, and this is as it should be: the IT department will not use the new system, only provide the infrastructure for its use. But that doesn't mean no forethought should be given to the relationship between the vendor's IT staff and the customer's IT staff.

I should note that the vendor in the example is a large and very capable company with which we conduct a significant amount of business. I should also note that in most project deployments carried out with the vendor, it seems as if it is the first contact their IT department has had with us. For instance, it is always necessary to point out that we have a branch-to-branch VPN configured for remote support, and that we require every server on our network to be a member server in our domain.

Detailed records should be kept about a customer's information network and support architecture, just as they are kept about the customer's supply chain model. A total customer profile within a CRM solution should absolutely include IT details. Not only does this result in a more favorable comfort level and rapport with the customer, it also produces smoother installations and more successful problem resolution.

1 comment

MikeGall

I work as an IT admin for a cancer center, and this scenario is commonplace. E.g. one vendor I deal with has used a flat file system as their database since the product first appeared over 10 years ago; this is a system that generates around 1TB of data a year, read: you don't want to have to read linearly through this list. In practice they recommend taking data offline so that you never have more than 200GB or so live at any time. That translates into about 2 months, which isn't enough for a course of treatment and later review. They use Solaris, but still don't have a server that they recommend; instead you are supposed to use a workstation as your "server". They don't post a list of patches to install at all; you are expected to just leave it alone because it is an FDA controlled device. Heck, they just started using Solaris 10 this year; up until then they were still on Solaris 8. Another vendor won't let you put any .Net framework past 1.1 on your workstations because it breaks their app. Well, their app is one of a dozen or so in use on these workstations; what if one of the other vendors moves their products to a more recent version of the .Net framework? Are we supposed to purchase a second computer for everyone and run the cabling so that this one vendor can continue to live in the year 2000? In my opinion the FDA is the worst thing that ever happened to healthcare IT. Whenever you ask for change from a vendor they hide behind the FDA requirements rather than testing to see if the solution works; their argument is this is the way it was approved so this is the way it is deployed, even if there are over a hundred security updates that have come out in the meantime.