Why you are probably pricing your security solution all wrong

Oliver Rochford, published in Nerd For Tech, Mar 16, 2021

Especially during my time at Gartner as an analyst, I heard many preposterous claims about TAMs, IT security budgets and associated pricing strategies. Someone telling you that they supposedly sell to mid-sized enterprises, yet their solution comes with a minimum price tag of $500,000, strains credibility. A few were exaggerating to fool the analyst, but based on end-user feedback and having seen pricing, there seemed to be a lot of confusion around what is realistic to ask.

My main observation is that in many cases the assumptions were based on what a vendor wanted to get, rather than what was realistic. Pricing in general was one of the biggest recurring topics, whether on the vendor, user or investor side, with data availability and information asymmetry a major source of friction for strategic planners on all sides.

As the security budget is usually calculated as a percentage of the IT budget, we first need data on typical IT spend and budgets.

Average IT Spend

First off — comprehensive and precise data for IT budgets is not available. If you spend a bit of time reading the type of reports that are available, you will find that there are widely diverging estimates based on a vastly different set of assumptions and even definitions of what constitutes IT spend. One example I came across is that the reports rarely clarified if the data included staffing costs in the estimate or not. Sensible categorical data, e.g., granular breakdowns by company demographics, were also frequently unavailable. Lastly, many of the available data sources, especially free and OSINT, either have an implicit bias, e.g., vendor or industry reports, or a participant count too low to be statistically representative.

It would be fair to classify most of the available data as “anecdotal”. In our defence, the required information is unknowable. There is no single party or method to obtain reliable data. Nevertheless, as realists we are also pragmatists, and if we cannot achieve precision, we will aim for accuracy. After all, you do not need to know precisely by how much the temperature has dropped to decide whether to wear a coat — you need to know if it has gotten a bit colder or a lot colder.

Let’s take a look at some of the data that is available. Computer Economics is a commercial research firm that has provided data on IT spending ratios and staffing metrics since 1979. Computer Economics publishes an annual report on IT spending ratios, usually quantified as a percentage of revenue.

https://www.computereconomics.com/article.cfm?id=2626

One of the more comprehensive vendor reports I came across is Flexera’s State of Tech Spend report, with a healthy total participant count of 303. The implicit bias is that the participants are potential or active customers of the vendor, but it is a further data point we can include.

This dataset shows wide divergence in IT budget based on industry segment. One useful correlation is that both reports show a similar percentage for the financial services industry.

[Figure: Flexera State of IT Spend report 2020]

You can get the most recent report from Flexera here, but it requires providing your details.

If you review some of the other available data, IT budgets appear to range between 2.5% and 10% of revenue, with outliers in Tech approaching 20%.

Security Budgets

There are a lot of reports providing data on cyber security budgets, with a wide spread of data points.

IDC, for example, states that enterprises should spend 7%-10% of their IT budget on cyber security.

Another interesting report is CIO’s “2019 State of the CIO” survey. CIO asked 683 IT executives worldwide what percentage of their company’s total IT budget was represented by IT security. The mean response was 15%. Nearly one quarter of the organizations (23%) are devoting 20% or more of their IT budget to security.

Deloitte conducted a survey of financial services firms, which state they spend an average of 10.9% of their IT budget on cyber security. The report also provides useful granular breakdowns of where that spend is going.

Reviewing the available data, the typical range is dependent on industry and company size, but lies between 5% and 20% of IT budget spent on cyber security.

So how much can I get?

Let’s put all of this together:

- Average IT budget is between 2.5% and 10% of annual revenue, more typically between 5% and 7.5%.

- Average security spend is between 5% and 20% of IT budget, with 10% to 15% being typical.

We can now apply these assumptions to different Annual Revenue categories. We’re going to calculate the cyber security budgets for businesses with revenues of $50M to $500M:

[Table: cyber security budget by annual revenue, assuming the IT budget is 5% of revenue]
[Table: cyber security budget by annual revenue, assuming the IT budget is 7.5% of revenue]

Here are some basic conclusions from the findings:

- A mid-sized enterprise, basically any business with a revenue of less than $50 million per year, only has an average cyber security budget of between $250,000 and $375,000.

- Annual million-dollar cyber security budgets do not naturally occur until annual revenues of $200 to $400 Million, depending on what the business does.

Now, before you breathe a sigh of relief, thinking “That’s not too bad, I can work with $250K”, remember that this is not available budget. It usually already includes the foundational security components: endpoint protection, firewalls/UTMs and email security in the small and mid-sized segments, and SIEM, EDR, SOAR and whatever else a larger company has already deployed.

This becomes even more acute if you have an emerging product. At that point, you are at the back of the queue in terms of budget allocation. If there is no set allocated budget in a typical Information Security Management System, Risk Management or Regulatory framework, you’re either going to initially have to solve a very pressing problem for pocket change, rely on the estimated 5%-10% of enterprises that are early adopters, or grab budget from established markets. Hence Endpoint Detection and Response vendors adding Antivirus and Endpoint Protection (EPP) capabilities, or User Entity Behavior Analytics vendors adding more SIEM-like features.

If you solve a niche problem, or are complementary to other technologies, for example Breach and Attack Simulation, which is predicated on a user already having security controls to test in the first place, you will have even less budget available.

All of this is important to consider when you work out which segment you can target and how to price your product. There is a point of unaffordability where, no matter how great or shiny your solution is, you will actually end up selling less. The question is often whether you want to sell something 1,000 times at $50,000, or 10,000 times at $15,000.

But most importantly, it is futile trying to sell to businesses that even if they wanted to, can’t afford your product.

Originally published at https://www.linkedin.com.

Oliver is a Security Subject Matter Expert at Brim Security