ROI, TTV at Light Speed for Security Investments
By Anirban Banerjee
The way we sell security is convoluted. Existing legacy security vendors nickel-and-dime customers and sell slices of their solution. The customer wants to solve a problem, not a portion of the problem. Customers want to achieve 100% PCI, SOX, SOC2, NIST and FFIEC compliance yesterday, not reach 50% and then say "well, we tried, we need more time." Enterprises are looking to solve security problems and show ROI (Return On Investment) and TTV (Time To Value) quickly. The C level is breathing down the necks of CISOs, GRC leads and VPs of IT, asking: what was the effect of last year's budgetary spend? When enterprises are presented with the current "pick this or pick that" type of solutions, they have to make trade-offs between budget, effort to implement, timing of purchase and actually solving the security problem. This makes no sense. How are CISOs supposed to secure enterprises if reaching TTV and ROI is a long, drawn-out, complicated process? In this article we will talk about why a UTM-type model for a specific security area, Privileged Access Management (PAM), makes sense and how it can help shorten the ROI and TTV time periods.
Yes, it's broken
Consider the legacy players in the PAM market. Irrespective of the vertical a legacy player is in, they are all selling solutions slice by slice. You want password vaulting: here is a box. You want session management: here is a box. You want session recording: here is a box. You get the idea.
Why is this bad? This model is flawed because a customer ends up paying five times over for the same server and the same user, once for each of the various "features" that are needed in order to solve the PAM problem. The customer wants to make sure that all privileged accounts are secured. They want to make sure that when someone accesses a privileged account to patch a system or do something else, the session is recorded. The customer wants to prevent insider threats, so they want to prevent misuse of the session. All these use cases fall under the same PAM umbrella. Why then do we continue to suffer and agree to buy products that are sliced and diced to maximise confusion and create artificially high pricing?
A very simple example. Call up any PAM vendor in the market today and ask the following question: hey, how many products will I need and how much will it cost to layer PAM on 100 servers and 10 users? The conversation will take more than 15 minutes and you will most probably not come away with pricing numbers. This is the reality. The question we asked is very simple, but the instant reaction of most entrenched vendors is to maximise ARPU by bleeding the customer to death. The customer is now left with an artificial choice: do I layer PAM on my servers to solve the problem and put every other project on hold because of the expense, or do I just buy a portion of the product and get something in place?
The price itself is not the problem. In fact, most of the time you will not be able to calculate a clean per-unit license fee. The pricing quotes from a lot of companies are messy. The reason is that these companies have not evolved their sales quoting mechanism with time. They are still stuck on SKUs tightly associated with the number of users, the number of servers, how many installations, how many admins, how many of this, how many of that. Pricing should be straightforward, and value to the customer should be maximised.
What needs to be fixed
Pricing and SKUs are only part of the equation. Another major issue is professional services. In most cases, enterprises choosing security solutions like PAM are first shown how complete and how flexible the product is. Then they are immediately hit in the face with professional services. How does this make sense?
If an enterprise is going to pay 3X for every server and user, it is unfair to expect that enterprise to bend over backwards and scrape out funds for a deployment project. If you as a vendor are selling software to your client, do you think it's fair to charge them to get your software going? If the answer to that is yes, you are part of the old guard. Your software should be simple and flexible enough to take care of the most common scenarios, and you should be willing to help your customer launch your product internally ASAP, not slap them with professional services. Professional services make sense if there is something non-standard inside an organisation which needs to be integrated into your software. However, most of the time professional services are forced on enterprises for a simple deployment of the product. Enterprises should push back against this boneheaded model.
Let us fix it
Showing quick ROI and TTV is critical for security deployments like PAM. One good way to help customers is to make sure that they can easily install your product. If they need to read through 70 pages of an installation manual, that is a big FAIL. If your customer needs to wait 3-4 weeks for boxes that you need to ship, that is a big FAIL. If your customer needs to involve more than 5 people in the installation process, that is a big FAIL. Security vendors, especially in the PAM vertical, need to help their customers get going in a week or less.
A UTM model makes sense for PAM because of the various types of point products that vendors are currently selling to enterprises. Case in point: to do PAM right you need several things. PAM is not a one-shot solution; you can't install one single piece of software that magically takes care of everything. Instead, in the current market vendors are selling password vaults, session monitoring, session management, secrets management and more, all as separate pieces, in an appliance format.
Furthermore, going the UTM way also simplifies the deployment experience. This shortens the time to show ROI. For most legacy vendors supplying PAM solutions, it takes months to install their products and get up to speed. It can even take up to a year when professional services organisations are involved. Simplicity and efficiency are the key mantras to live by. Enterprises should be able to show deployed solutions, happy users and live security controls that are good to go in weeks, not months. A UTM model plays well to this perspective.
Going the UTM way also shortens the ROI and TTV timelines. More companies are going to prefer the SaaS-based UTM model to deploy and use PAM because it's easier to show ROI (Okta, anyone?). In case you need assistance to craft your Privileged Access Management strategy, please feel free to get in touch with us at Onion ID.