Cybersecurity leaders renewed their concerns about overlapping cybersecurity solutions that lead to unnecessary costs and security risks. On August 10, 2022, Saryu Nayyar, CEO of Gurucul, said that cybersecurity professionals believe their companies are wasting money.
Gurucul’s June 2022 RSA Conference survey revealed that 43% of experts agree on the number one challenge in threat detection and remediation: an overabundance of tools. Nayyar adds that the issue is not resolved by cutting budgets but by spending prudently.
Responding to this trend, WithSecure claims to have recently introduced the industry’s first successful pay-as-you-go approach, a usage-based security fee structure. WithSecure provides solutions to managed security services providers (MSSPs), large financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers.
Jay McBain, Chief Analyst at Canalys, told us that pay-as-you-go is already well-established in the security space. “It is a basic consumption model that charges either time/data subscriptions, usage, or value-based pricing. The hyper-scalers are at the point of per-second pay-as-you-go, and almost every as-a-service model has some version for the channel,” McBain said.
Andrew Neville, country manager for the US and Canada at WithSecure, explains that the company’s approach is unique because it combines endpoint protection, detection and response, vulnerability management, and cloud protection in a utility-based billing model.
How Using the Wrong Security Solutions Hurts Your Business
Using the wrong security solutions is not only a problem from a budget perspective — it also creates issues with visibility, errors, and misconfigurations. Verizon’s 2022 Data Breach Investigations Report said that errors and misconfiguration are the second-highest group of vectors responsible for breaches after web applications and email phishing.
Using outdated software, not keeping up with patches, having inadequate access controls, and running unnecessary services give threat actors more options for attacks and increase security risks.
Andrew Neville explained that pay-as-you-go solutions offered by the company are designed to end this set of problems. “Combining EPP (endpoint protection platform), EDR (endpoint detection and response), and vulnerability management alone covers many inefficiency issues,” Neville said.
Neville added that WithSecure’s vulnerability management solution also scans environments for out-of-date software, which can then be automatically updated by its endpoint protection software.
Security teams must connect a wide range of solutions to get visibility into their integral security architecture.
“Typically, you would connect these solutions via a SIEM (security information and event management) or threat management tool via API (application programming interface),” Neville explained.
But WithSecure’s way around visibility is different. Its solutions are already connected, and users can visualize all devices in a kill chain to make better decisions.
The Risks of Overlapping Security Solutions
Most enterprise consumers of security technology solutions are expected to pay annual subscriptions or licensing fees, which can be an excellent value for “power users” of a particular technology. But, according to IBM, when companies have too many solutions in place, budgets are not well spent, and security efficiency is affected.
In 2020, IBM found that using more than 50 security tools leads to less effective security responses. Even more concerning, organizations do not have a clear vision for common and emerging attacks but continue to invest and buy new solutions.
A Keysight survey from the same year warned that organizations were buying more tools to keep up with the increased rate of cyberattacks. The survey adds that the abundance of tools gives users overconfidence. Additionally, more than half (66%) of those surveyed admitted that their security solutions overlap in functionality.
According to Keysight, driven by a lack of knowledge of the security solutions functions, two-thirds of companies invest and operate with overlapping solutions — half of them do so by accident — with no improvements to their security posture. On average, organizations run from 25 to 49 security tools, which they source from up to 10 different vendors.
The question inevitably arises: If the industry has been aware of the severe risks that overlapping security solutions bring and is constantly balancing budgets versus security efficiency, why hasn’t there been an earlier shift and adoption of pay-as-you-go security solutions? McBain explains that the challenge that pay-as-you-go solutions face is to “break through the noise and clutter.”
“We estimate over 2,000 security firms now have an established channel program who are vying for MSP attention through a limited amount of watering holes,” McBain said.
According to McBain, when competing in a product category where the most significant player (Palo Alto) has around a 2% share, getting the message across the market is complicated.
Using a Single Pay-As-You-Go Model
WithSecure says they are out to “flip the script” on the industry’s usage-based security fee structure. The company has quietly been testing its model in North America and assures to have found an increase of 400% in partner opportunities. The service also reduced customer churn rate by 15%.
WithSecure says it has learned that customers using these new security models can save money, which they can relocate within their organization, such as staff training.
Neville explains that companies can save a lot by consolidating to one solution for vulnerability management, endpoint protection, detection and response, and cloud protection. “You save by not having to negotiate with multiple vendors and connect those solutions, and you don’t have to worry about application overlap,” Neville added.
One big concern with pay-as-you-go is knowing which solutions are needed, especially when the cybersecurity landscape has become so active with new attacks and new ransomware strains.
Neville says it is important to understand that at some point, there will be a type of malware traditional antivirus does not detect. In those cases, WithSecure recommends using AI-based behavioral analysis to detect if a machine is doing something it probably shouldn’t be doing and take action to reduce risk.
“Endpoint detection and response is one good way to stay ahead, but not a silver bullet. Having an incident response plan supported by experts is also very important as well as cyber insurance,” Neville said.
Bottom Line: Pay-As-You-Go Security Software
Whether pay-as-you-go cybersecurity is a new trend that will become the norm in the near future remains to be seen. One thing is sure: Companies with increasing security budgets that see no drop in attacks and security teams struggling to have clear visibility of their systems and decrease errors and misconfigurations must find a way out of overlapping and outdated security.