Security shouldn’t cost extra

Written by Aoife Anderson, Tines

Published on December 22, 2021


Security is top of mind in boardrooms around the world these days.

With security incidents on front pages, new, critical vulnerabilities being discovered every week in widely used software, and attackers becoming more sophisticated year on year, leaders are inevitably spending more money to reduce their organization’s risk. So, whether you’re buying or selling enterprise software, pricing is always a primary consideration.

Security vendors are known for over-relying on FUD (Fear, Uncertainty, and Doubt) tactics, over-emphasizing the importance of security or marketing themselves and their solutions as heroes or silver bullets that will solve all of your security problems. The security-FUD trend is crossing over to enterprise software too. Software vendors are becoming over-reliant on their customers' security policies to charge more than they otherwise could, simply because security features aren’t decoupled from value-adding features.

The idealistic goal of any enterprise tool should be to enable its customers to operate more effectively and efficiently. But don’t assume all vendors altruistically place consequences ahead of cost or that whatever software and plan you choose will include fundamental features to help protect your environment. This is rarely the case.

Rinse and repeat 

Once a customer starts looking to enable or use certain features, surcharges typically begin adding up. This is normal for software - most customers end up paying more to access certain features that are critical to their end goal. However, security features should not be included in this. To avoid unexpected invoices, it's up to security leaders, or procurement teams working on their behalf, to do their due diligence before signing on the dotted line to ensure their pricing package covers this type of nonnegotiable functionality.

Legacy vendors are still trying to extract maximum profit from features that should be table stakes. The most common of these is single sign-on (SSO), a “mechanism for outsourcing the authentication for your website (or other product) to a third-party identity provider, such as Google, Azure AD, Okta, PingFederate, etc.”

SSO makes it easier for the customer to use a single, company-wide secure sign-in experience, requires fewer login-related help desk calls, makes it faster for customers to adopt new applications, and can also help support consistent security policies across all applications. Similarly, two-factor authentication, data backups, data deletion, and user activity logs are important features for enterprise products from a security standpoint. Features like SSO can no longer be considered a "luxury" or a "nice to have" made available only to enterprise customers on a premium tier, but for many tools, you'll have to drop more dollars to access them.

Disincentivizing good security practices when you know it will harm your users is both harmful and unethical; there is no real defense. Furthermore, it suggests there are very few additional valuable services worth paying for in the vendor’s premium pricing tiers that can be decoupled from security features. Where security features don't cost a vendor more to implement, security shouldn't cost the customer extra.

At Tines, we recognize a feature like SSO is critical to the success of a security team, so we've made it a standard feature across our plans, free and paid, for the simple reason that we want all of our customers to implement best security practices when using our platform. When a security feature is as vital to a two-person startup as a 200,000-person enterprise, vendors should consider including it as standard.

How to avoid hidden extras 

To help you ask the right questions when you start exploring software solutions, here are some pricing points that should be considered from the outset:

  • Do security features cost extra?

  • Will a specialist be required to help you deploy and maintain the tool?

  • Is there an API available for free?

  • Is there any additional cost for bespoke connections/integrations?

  • What is the charge for additional support/training?

  • Is SSO available for free?

  • Do you log user activity such as sign-ins? Can these logs be exported for free?

Protecting your organization is a costly and time-consuming process. To make sure that your software investments pay off, it's essential to understand both the initial and the ongoing costs involved; otherwise, any shortcomings will likely reveal themselves down the line when things go wrong!

At Tines, our philosophy is to charge where we add value – automating your team's workflows. As a result, our pricing is designed to be simple, predictable, and transparent.  
