Spending Your 2012 IT Security Budget - Beware of Cheap, Look for Value
If you can't be good, be cheap - the battle cry of the second-rate vendor. After spending 4 years as part of a world-class sales organization, I can tell you with no uncertainty that I've seen some of my competitors do some absolutely insane things to compete.
When you've got a product that analysts and customers love, your competitors have to be creative to get the customer interested. But let's be realistic, we've all had to do that at one point or another, because if the best product always won the business, life would be a lot more predictable.
Let's talk about cheap, though. As a buyer, how do you feel about a value proposition that just sounds too good to be true? I of course assume you understand what a good value proposition is, and that there is always a trade-off between cost and benefit. You can't get the next best thing since sliced bread for the cost of a loaf of bread... the economics just don't work out.
This is why it sometimes puzzles me that otherwise intelligent people shop for too-good-to-be-true deals. Allow me a segue to make a point. Have you seen the advertisements on television for those "penny-auction" sites that promise you 99% off the retail price on things like cars, iPads and other amazing deals?
Sure, getting a $50,000 car for $100 sounds like a great idea, until you realize there's something terribly wrong. You can't balance what you're paying with what you're getting - remember what your parents taught you? You get what you pay for. So that $100 steal of a deal probably isn't one... or you will never get it.
So let's move this closer into our world. The world of the budget-stretched CISO or security professional is challenging. You've got problems to solve, pressing ones, and you don't want to spend your entire yearly budget on one single issue - so you look for good values. Now this is where the dance gets interesting.
Someone, somewhere sets the price at a level that depends on the amount of research & development it took to deliver the product, plus the overhead built in on top. It's like the little miracle pill that costs you $100 each - remember the years' worth of research, patents, scientists and additional overhead required to make that pill before you complain about its cost. The same goes for your security widgets.
Let's assume you can't go without something - like a piece of software that helps you more efficiently test your software for security defects - and you need to buy it. You'll first do some research to find what the analysts, your peers and general sentiment tells you the top 3 competitors are in the market-space.
You'll then go test each of them and rank them in order of most to least effective. Now this is where the game gets fun if you've ever done this before. Each of these three will have a price tag associated with it. If you're pleasantly surprised, the most effective is also the least expensive and you can simply move on. This rarely happens, by the way. Most of the time, you're left playing the trade-off game.
What if the most expensive is also the best, and the least effective is also the cheapest? How do you define the point at which you, the customer, find value? This is a difficult game, and I've got some great ideas on this topic too - but this conversation starts and ends with understanding that products and services usually have a reason for being more or less expensive.
I don't want to over-generalize: just because something is more expensive doesn't automatically make it better - that's why I advise you to do your research and testing... but as a rule, a $50k car is better made than a $20k car.
How exactly do you find the point at which value is sufficient and cost is agreeable? This requires you to have your needs defined ahead of time. You'll have to have listed out your requirements for purchase, and then segmented them into must-have versus nice-to-have along that nice 30/70 split which separates the things you need from the things you want. In the end, what you should be able to come up with is a mathematical way to understand when what you want and what you'll pay balance.
Just remember to look out for those "buy now, one-time-only offer expiring soon" type deals that appear way, way too good to be true. An enterprise product that claims to do everything superbly, but isn't rated very well by other experts and analysts, and is half the price of every other competitor? That's unlikely to be of very good value to you, unless of course you're just looking to check a box and move on.
Come to think of it, that may not even work, given the clauses in today's compliance requirements and laws that require you to do what is necessary and proper. Bare-minimum box-checking is not only going out of fashion, it can land you in the guilty lane in court.
I felt compelled to mention this as the Gartner Magic Quadrant for Dynamic Application Security Testing results, putting us in the "Leaders" zone, were released... and other vendors started to spin the "we're way behind the leaders, but we're visionaries" junk to keep you from passing them over.
Remember people, do your own research and know what you're getting, because sometimes as they say "if you can't be good, be cheap"... and you can't hang your enterprise security hat on that.
Cross-posted from Following the White Rabbit