What’s Wrong with “Cheap”?  When It Comes To Genuine Cybersecurity —Absolutely Nothing.

If you’re shopping for enterprise cyber security, you’ve probably discovered an unfortunate fact: it can be monstrously expensive.  

“Cutting edge” kit often soars above the million-dollar mark, and companies often spend tens-of-millions on security every year, some even spend hundreds of millions.  

Well, here’s some great news: in the world of cybersecurity, more expensive does not equal better. Even the companies who can afford monstrously expensive security tools, such as Yahoo and JP Mor-gan-Chase, get hacked. In other words, there is little correlation between dollars spent and the likeli-hood of getting hacked.

If that’s the case, why do organizations pay so much for network security packages? As way of explana-tion, let us introduce a classic economics phenomena: The Veblen Effect.

Why Understanding The Veblen Effect Can Save You Money

People assume that expensive things are better. When looking at a row of identical products, many consumers will snag the option that’s a buck or two more expensive as a form of quality assurance. Because this is a well-known phenomenon in economics, though, some companies abuse this tendency by increasing the prices of their products. Because people will dish out a little extra money for the “quality” option, the company is rewarded with both higher sales and higher profit margins.

Of course, there is a limit to the Veblen Effect; people only buy the quality option if it still falls into a perceived reasonable price range. That’s why, in general, similar products all have prices within a few dollars of each other. Go to the grocery store and take a look at the one-liter sodas, for example. The name-brands (Coke, Pepsi) will be a little more expensive than the off-brands, but they themselves will cost roughly the same amount of money.

But what if the product isn’t something with an easily-determined perceived value, like a soda, but something with potentially unlimited value, like the security of your private network and customer data? Security companies can set exorbitant prices because people lack a sense of how much reliable network security should cost, and will then default to buying the most expensive security package their budget will allow. This is the Veblen Effect in action.

So, let’s look at what happens to those who fall victim to the Veblen Effect when shopping for cybersecurity.

Cybersecurity: The Expensive Option

You fell victim to the Veblen Effect and are looking to dish out top-dollar for your cybersecurity package. Your money will get you security experts, the latest security solutions, and will let you outsource to an MSSP for extra security support, if you like.  Maybe you picked up a non-heuristic sandboxing kit, with a $1 million-plus price tag, it’s got to be worth it, right?  At this point, you should have top-notch perimeter controls, experts exhaustively analyzing your log data, threat intelligence with EDR and sandboxing/emulation capabilities, you name it.  You’ve also taken a huge cut out of your annual budget.

Feeling secure yet?  Let’s look at other organizations who chose the expensive network secu-rity option.

Who Else Chose the Expensive Option?

Plenty of organizations, particularly large ones with some money to throw around, chose the expensive option. Target, Yahoo, JP Morgan-Chase, Sony, the United States Department of Defense, and Adobe, to name a few, designated millions of dollars every year to their security budgets. JP Morgan Chase, the largest bank in the United States, was spending an incredible $250 million per year on security operations when they were breached in 2014.

In fact, none of these companies were protected by their expensive security solutions nor their experts.  Between 2013 and 2015, each of these companies (and many more) suffered massive data breaches, collectively exposing the private data of over a billion (yes, billion) unsuspecting customers (and citizens, in the case of the US DoD). 

Of course, all of these organizations buckled down on security after the hacks, in an attempt to prevent further damage and embarrassment.  While we can’t be sure how much they’re spending now, you can safely bet it isn’t less.

What’s The Bottom Line?  

We see customers choosing vendors based on their marketing spend and the quality of the sales team. These guys show up in their shiny suits showcasing their latest wares, as opposed to the quality of the technology or service they deliver. To give you some examples of what we have experienced recently:

We saw a customer spending USD $1m/annum on their threat intelligence feed terminate their contract in favor of a free open source feed because they realised the aggregated open source threat feed delivered better and higher fidelity detection. $1 million to free with better detection outcomes — that helps the bottom line.

We saw two customers test their big brand expensive EDR solutions after they had purchased it, only to realise they didn’t work as well as they had been promised during the sales pro-cess. 

Both customers tested the solution against several malware samples we supplied them and only less than half of the samples were detected in their lab environment. How many organi-zations do you think have the maturity to test their EDR solutions before they purchase it? You can be sure they will not be renewing those subscriptions come next year.

We saw a customer purchase a NextGen firewall only to realise their previous NextGen Firewall had better detection and management capability than their new vendor who spends 1/3 of their revenue on marketing every year.

We hope these examples are a wake-up call and help you approach your next security purchase with eyes wide open and with a healthy dose of skepticism when the next sleek security sales guy comes knocking. 

And, if you don't do anything else, test before you buy and don’t fall for the impressive pre-canned demo – it never works like that in real life.


On 2017-06-29

Privacy Statement | Terms of Use