Spending Your 2012 IT Security Budget - Beware of Cheap, Look for Value

Saturday, January 28, 2012

Rafal Los


If you can't be good, be cheap - the battle cry of the second-rate vendor.  After spending 4 years as part of a world-class sales organization, I can tell you with no uncertainty that I've seen some of my competitors do some absolutely insane things to compete.

When you've got a product that analysts and customers love, your competitors have to be creative to get the customer interested.  But let's be realistic, we've all had to do that at one point or another, because if the best product always won the business, life would be a lot more predictable.

Let's talk about cheap, though.  As a buyer, how do you feel about a value proposition that just sounds too good to be true?  I of course assume you understand what a good value proposition is, and that there is always a trade-off between cost and benefit.  You can't get the next best thing since sliced bread for the cost of a loaf of bread... the economics just don't work out.

This is why it sometimes puzzles me that otherwise intelligent people shop for too-good-to-be-true deals.  Allow me a segue to make a point.  Have you seen the advertisements on television for those "penny-auction" sites that promise you 99% off the retail price on things like cars, iPads and other amazing deals?

Sure, getting a $50,000 car for $100 sounds like a great idea, until you realize there's something terribly wrong.  You can't balance what you're paying with what you're getting - remember what your parents taught you?  You get what you pay for.  So that $100 steal of a deal probably isn't one... or you will never get it.

So let's move this closer to our world.  The world of the budget-stretched CISO or security professional is challenging.  You've got problems to solve, you are presented with pressing new ones, and you just don't want to spend your entire yearly budget on one single issue - so you look for good value.  Now this is where the dance gets interesting.

Someone, somewhere sets a price at some level that depends on the amount of research & development it took to deliver the product, plus whatever overhead is built in.  It's like the little miracle pill you take that costs you $100 each - remember the years' worth of research, patents, scientists and additional overhead that's required to make that pill before you complain about its cost.  The same goes for your security widgets.

Let's assume you can't go without something - like a piece of software that helps you test your software for security defects more efficiently - and you need to buy it.  You'll first do some research to find out what the analysts, your peers and general sentiment tell you the top 3 competitors in the market space are.

You'll then go test each of them and rank them in order of most to least effective.  Now this is where the game gets fun, if you've ever done this before.  Each of these three will have a price tag associated with it.  If you're pleasantly surprised, the most effective is also the least expensive and you can simply move on.  This rarely happens, by the way.  Most of the time, you're left playing the trade-off game.

What if the most expensive is also the best, and the least effective is also the cheapest?  How do you define the point at which you, the customer, find value?  This is a difficult game, and I've got some great ideas on this topic too - but this conversation starts and ends with understanding that products and services usually have a reason for being more or less expensive.

I don't want to over-generalize: just because something is more expensive doesn't automatically make it better - that's why I advise you to do your research and testing... but as a rule, a $50k car is better made than a $20k car.

How exactly do you find the point at which value is sufficient and cost is agreeable?  This requires you to have your needs defined ahead of time.  You'll have to have listed out your requirements for the purchase, and then segmented them into must-have versus nice-to-have along that nice 30/70 split which separates the things you need from the things you want.  In the end, what you should be able to come up with is a mathematical way to understand when what you want and what you'll pay balance.

Just remember to look out for those "buy now, one time only offer expiring soon" types of deals that appear way, way too good to be true.  An enterprise product that claims to do everything superbly, but isn't rated very well by other experts and analysts, and is half the price of every other competitor?  That's unlikely to be of very good value to you, unless of course you're just looking to check a box and move on.

Come to think of it, that may not even work, given the clauses these days in compliance requirements and laws that require you to do what is necessary and proper: bare-minimum box-checking is not only going out of fashion, it can land you in the guilty lane in court.

I felt compelled to mention this as the Gartner Magic Quadrant for Dynamic Application Security Testing results, putting us in the "Leaders" zone, were released... and other vendors started to spin the "we're way behind the leaders, but we're visionaries" junk to keep you from avoiding them.

Remember, people: do your own research and know what you're getting, because sometimes, as they say, "if you can't be good, be cheap"... and you can't hang your enterprise security hat on that.

Cross-posted from Following the White Rabbit

CP Constantine:

The problem here is that the allegory of "the 50K car is better quality than the 30K car" just doesn't hold water when applied to software (or even appliances, but we'll come back to that.)

The 50K car is better than the 30K car, because the 50K car likely contains 30K of base components at cost. IT pricing is far more arbitrary; there are no component costs for software (and as far as appliances go, the cost of the hardware shipped rarely makes up more than 10% of the total ticket price on a product). With software (which is what you're really paying for) there is no implicit correlation between quality and price; all overheads are malleable as a result of the execution capability of the vendor. I could step through the details of comparing the cost of shipping a number of units of a car versus shipping a number of units of software, but I think they're quite self-stated; the point being that, for an industry with no significant per-unit manufacturing costs, the correlation of price to quality doesn't hold water - to wit, there are absolutely no constraints on the far cheaper product being absolutely superior to the more expensive option. Obviously both cases happen, but spending more money is not an implicit indicator nor enabler of getting better results.
Rafal Los:

@CP: You're most of the way there. I don't necessarily think that more expensive is a guarantee of better - but look at quality. I'm not arguing against less expensive, I'm arguing against 'cheap' - there is a big difference.

Have you ever had one of those contracts with a vendor where they 'throw in' something for seemingly free, and it makes you wonder what the value of that 'free' thing really is? Or what about buying a service that is a third of the cost of a competing service... what are you really getting? I'm simply urging people to do their homework and not jump at the 'cheaper is better for my budget' mental hurdle.

You are missing something though: R&D costs. Good software, even though there isn't a "component cost", has R&D costs and other 'hidden' costs the buyer generally doesn't see. The costs of solid testing, good research, top-notch employees (who generally don't work cheap!), US-based English-language support and on and on... these aren't inexpensive and are indeed component costs.

Let's face it, if you run a business which is off-shore powered (aka "cheap labor") versus one that is built on home-grown senior-level talent the costs are wildly different, as is the service level.

CP Constantine:

Yeah, don't get me wrong, I'm not really arguing over the 'don't buy cheap' issue, more that the issue of quality has almost no bearing on price, and in some cases can almost be an inverse indicator.

Software is absolutely free to be priced at what the market will bear, since there are practically zero per-unit manufacturing costs. R&D is a fixed expense to recoup. In short, if I make absolutely amazing software that everyone wants, I could ship a billion licenses at $5 apiece of pure profit after the first X licenses are sold. Meanwhile an application with an extremely limited market can fetch tens of thousands per license, and still be an absolute dog to work with (thanks to no significant competition). Aside from support operations, it's nigh-impossible for a software developer to "grow too fast" (in terms of number of units shipped) like is possible with hard-goods manufacturing.

If I'm making any kind of point, it's that finding the right product that fits the organization's needs and the skills of the people you have to operate and integrate it should always be the first priority. Once those have been narrowed down, then by all means start selecting based on pricing and bundled services after that.

I think I'm just a little jaded with being told that the latest blinky box people give me to work "Must be the best there is", because it was more expensive than all the other options put together. Basically I'm just looking at the other end of the scale here.

(Alright, make up your own mismatched-car-for-the-task/users-abilities allegory here.)