Dean Porter at F-Secure argues the case for using pay-as-you-go business models for cyber-security services
When you go to a restaurant, the waiter doesn’t force you to buy a portion of soup every day for the next year. They simply serve the meal and the deal is concluded once the bill is settled. If you want more, just pay for it.
In cyber-security, we’re used to a very different situation. Despite the emphasis modern businesses place on agility and flexibility, many organisations are still signed up to contracts which lock them into service agreements for a long time. This is now changing.
The future of cyber-security lies in usage-based models in which companies are only charged for the services they use, rather than tied into rigid long-term contracts. When businesses choose this model, they are freed from the administrative work of ordering and renewals. There is no need for these bureaucratic tasks with usage-based security. Instead, you simply pay for what you use every month.
Usage-based agreements are commonplace when it comes to cloud storage or web hosting. They are even found in unexpected industries such as the construction sector, where heavy machinery can be hired and paid for depending on how much it is used. I believe that the cyber-security sector can benefit from adopting this new approach. Most importantly, so will customers.
The flexible future
We first started thinking about usage-based models in 2018 and found that customers were very interested in exploring the model, because modern businesses prioritise flexibility and simplicity when choosing a cyber-security solution.
The pandemic has only accelerated this demand. As the lockdown forced dramatic changes to every organisation’s working practice, they often sought to reduce fixed costs – which is where usage-based models can be not only useful, but reassuring. Companies that are worried about the effect of the current business environment on their bottom line need to be able to quickly reduce fixed costs at short notice.
The demand for flexibility and usage-based pricing during the pandemic was referred to in a recent Forrester report. This study found that businesses became frustrated when vendors could not – or would not – lower their license fees after an organisation’s usage of their services was reduced when staff went on furlough.
It’s easy to see how this could be perceived as a lack of support, eroding trust between client and vendor. It’s so easy to choose a new cyber-security provider, so failing to respond to a client’s needs is very unwise.
Likewise, the right support at the right time can boost the relationship between vendor and customer. Usage-based models have flexibility as a feature yet can also allow cyber-security providers to support their clients during tough times.
Serving up change
A payment structure based on usage is particularly useful for startups or companies that are experiencing a period of rapid growth or anticipating change. With a standard cyber-security contract, they would have to file an extension order for extra services if they smashed their growth targets. When payments are fixed, success is punished.
Organisations don’t have targets for using services: this means that they can be stuck paying for a contract that over-services them. Usage-based security meets the needs of growing businesses as well as those facing tougher times. They just pay for additional endpoints and services when needed – or cut back during slower periods.
But if plans are flexible enough to cope with changing circumstances, client and customer can grow together. Usage-based models can help to reduce costs in the good times, when unnecessary assistance can be dialed back. Yet they also allow security to be powered up during disasters or major incidents.
Outsource cyber-security to win
We’re expecting to see growing demand for usage-based models, particularly because the wider business world is moving towards flexible outsourced cyber-security solutions. Our research found that more than 70% of mid-market and enterprise companies already outsource at least some security operations to managed service providers (MSPs), with 60% of companies that engage in outsourcing regarding their provider as a key trusted security partner.
Outsourcing to MSPs gives organisations access to teams of experienced, well-trained security experts and is cheaper, faster and more flexible than employing an in-house team.
Usage-based models can boost the effectiveness of outsourcing, allowing organisations to procure the services they need at the right time. The threat landscape is ever-changing and so are the risk profiles of businesses. What is appropriate one year may no longer be relevant the next. Again, speed and agility are a key part of any organisation’s security posture so they should seek a cyber-security solution that can be easily adapted to the ever-changing nature of threats.
What to look for in a usage based model
When considering a usage-based model, it’s important to examine the contract and small print. An agreement should be flexible as a bare minimum, allowing the licensing baseline to be quickly changed. Make sure you know how long this takes, because the benefits of usage-based frameworks are reduced when an organisation needs to give one year’s notice to change services, rather than being able to do so more quickly. It’s also worth looking at whether unused license entitlements can be carried over once the contract period is ended.
If this new model sounds unfamiliar, it shouldn’t be. Consumers are already well-used to usage-based agreements, which are perhaps most commonly seen in mobile phone contracts. It’s time businesses started to get used to this model too.
Dean Porter is UK country manager, usiness Security at F-Secure
Main image courtesy of iSTockPhoto.com