May 11, 2020//Tony HowlettLast Updated: November 19, 2020
When evaluating a cybersecurity solution, there are many factors that come into play. Obviously features and functionality should come first. After all, a cheap solution that doesn’t properly solve the problem you’re trying to solve is no solution at all. But at the end of the day, we all have budgets and rarely cost no object. Once the product has been determined to fit your needs today and the ability to scale into the future (another important factor), you may end up with several options, with differing prices. And it’s important you understand the different pricing models for software these days in order to do a proper apples-to-apples comparison and ultimately make the right decision from a price/performance standpoint for the long term for your company. Here is an analysis of the main pricing models in the cybersecurity arena with some important aspects to consider about each.
In this analysis, we are eliminating cybersecurity MSSPs that combine a service with different software platforms which they license in bulk to provide an end-to-end solution that often covers multiple cybersecurity functions. An example of this would be an outsourced Security Operations Center (SOC) which might use several different monitoring and IDS software elements, combined with labor and facilities to do 24/7/365 monitoring. We are also not considering the pure service companies, such as a company that provides monitoring of your internal data, like a log monitoring service. In this, we will be considering only companies selling a single software platform, solving one area of cybersecurity for a more focused analysis.
This was the first software pricing model and it involves paying a fixed fee for a particular version of a product. In the “old days”, this might have been a boxed version of software with disks or DVDs delivered with the code on them. Nowadays, this is almost always delivered digitally but the concept is the same. You buy the license to the software and you get the rights to use it within limitations of the license agreement into perpetuity. The upside of this model is that you pay once and you “own” it. But, you don’t really own it, you just own a license to use it but effectively it’s the same thing. The nice thing about this is that your costs are upfront. However this is somewhat an illusion with most perpetual licenses for several reasons; first of all, if you want to upgrade to new features, you have to pay again, usually, this fee is similar to what you paid upfront. And most perpetual licenses these days come with maintenance fees, usually paid annually. These give you access to support, minor security upgrades, and bug fixes from the company. And since most software isn’t very useful without those things, you end up with the worst of both worlds; a larger upfront fee as well as ongoing fees which over time can add up to much more than your initial license purchase. Also, from an accounting standpoint; CFOs don’t like large upfront software purchases as these count as a capital expenditure (cap-ex) versus an operational expense (op-ex), and therefore must be amortized over multiple years rather than expensed in a single year.
Finally, this model is going out of fashion with most software companies and being offered less and less because software companies would get stuck with see-sawing revenue shifts, spiking when they offered an upgrade and dropping when they didn’t. That led to the current most popular software pricing model, Software as a Service or SaaS.
The SaaS model charges a recurring fee for access to the latest versions and usually includes support. This provides the software company with a more reliable revenue model as well as not having to release blockbuster upgrades to juice revenue. Features can be rolled out one by one as they are available. There are two main versions of SaaS licensing, cloud-only and all-inclusive licensing.
This is probably the most common SaaS model available out there. It offers a cloud version of the product that runs on the software company’s servers. The customer accesses it through the internet and usually pays for seat licenses, per user; common platforms include Salesforce or Microsoft 365. These work great for broad-based productivity or back-office functions where most customers will use the same features and little customization is required. It also frees the company from having to spend money on their own servers.
However, the downsides of this model are that there is typically only one version of the software available, the latest and greatest. If your company needs features or backwards compatibility that get eliminated, you are out of luck. You cannot choose to continue running the older version, you are upgraded along with everyone else. Also, there is no flexibility in where your server is deployed, in fact, usually, you do not have a “server” dedicated to your company but rather it is run across many servers run by the software company. Again, while this works great for many companies who don’t have specific needs, it doesn’t work as well for regulated industries or large enterprises who have specific configuration or locality needs such as those required under CJIS or GDPR. They may also want to control their upgrade schedules due to the need to train large workforces.
That’s where the all-inclusive SaaS model comes in. This model still gives you a version of the software to deploy, but in the way that you choose (i.e. on-prem or cloud). However, it’s priced all-inclusively just like SaaS so you get access to new upgrades, support, and other necessary services. This model works great for companies who want the predictable cost nature of SaaS but the flexibility of controlling the deployment of the software in the manner that makes the most sense for them. Full disclosure, this is the model that my company’s Vendor Privileged Access Management (VPAM) cybersecurity software uses.
Whatever model you choose, make sure you are on the lookout for gotchas in the form of extra charges for things like implementation, set up, professional services, and other necessary elements to make the software run effectively. Again, many companies will have a low upfront or annual fee which does not include any of those things. And while this may be fine for a relatively simple project such as a marketing analytics implementation; for larger, more complex installations, these additional fees can quickly add up to several years or more than the actual software cost. Also, these fees must be paid upfront, not over time. Some companies also charge extra for items like bandwidth usage and storage, especially if they are running on their cloud. When evaluating the pricing of cybersecurity solutions, it is best to take a Total Cost of Ownership (TCO) approach, where you take possible fees; licensing (whether upfront or ongoing), maintenance, support, implementation, and other possible upcharges to arrive at a total amortized cost over the length of the contract. Only then, can you truly compare vendors and make an informed decision on the right solution.
As you can see, there are several different pricing models in the cybersecurity software world. You have to evaluate which is the best for your company. However, the all-inclusive SaaS model gives you the maximum flexibility to deploy the software where it makes the most sense for your enterprise; in your company-owned data centers, in rented colo facilities, or even on software company leased servers. It also gives you the value for money over time (new features, security updates) and with the included professional services and consulting to get the fastest time to effective implementation.