Tuesday, May 17, 2016

7 Tips to Get the Absolute Best Price from Security Vendors

Security budgets are always extremely tight, so it’s smart to get the absolute best price possible from your security vendors. Never ever pay full price, or even take the first quote vendors give you. That price just sets the stage and it’s best to think of it as the ‘dummy price,’ so don’t pay it! I’ve spent nearly two decades sitting at the price negotiation table in the security industry and seen all manner of techniques customers use successfully to win discounts, and more people should use them. Customers, even small ones, can exercise a ton of leverage over their security vendors if they only knew how. And, more often than not, vendors themselves don’t really mind. It signals that a deal is likely to be made and to a vendor, that’s what’s most important.

While it’s common for large companies to have negotiations handled by a separate department, typically called ‘Procurement,’ many leave the responsibility to whomever is actually making the purchase. In either case, security practitioners can personally say, do, and offer things the procurement department can’t to help obtain the best possible price. Remember, security product margins can range anywhere from 40-60% or even higher. I’ve seen discounts well over 50% of the originally quoted price. Some vendors will even take a loss to win your business, depending on the size of your brand and the reference you’ll provide. 

Note: I’m not a big fan of this as you risk not being treated well as a customer long-term. The vendor may decide to drop you later because you’re unprofitable. So, allow vendors to make a profit, just not an obscene one.

Below you’ll find my ranked list of the most powerful negotiating techniques I’ve come across in the purchasing process, many of which are applicable beyond security purchases…

1. Negotiate Price at Quarter End / Year End
More than anything, businesses want financial predictability. They want to be able to plan out, with a high degree of accuracy, precisely how much business is expected to close at least two quarters into the future. Sales forecasting is largely a Sales department function. So when end of the quarter is just a few weeks away, and overall sales volume isn’t where it needs to be, the sales rep (and their bosses) scramble and make concessions to bridge the gap and hit their forecast. The larger the sales forecast gap, and the closer to quarter end, the more desperate they become and more open they’ll be to deep discounts or throwing in additional products / services to sweeten the pot.

Smart customers simply ask sales reps when their quarter or fiscal year ends, just after the vendor asks the customer what their budget range is. So, if you like the product, and you’re likely to buy it, let them know you’ll commit to the purchase in the current quarter, before the end, if they give you a good deal. Vendors will routinely knock 10-30% (or more) off the price, just with the ability to accurately forecast a deal closing. If the vendor is unwilling to work with you and the purchase isn’t urgent, let them know you’re more likely to purchase next quarter, which adds uncertainty to their forecast and they’ll have a decision to make. Rinse. Repeat.
2. Multi-Year Deals
As previously mentioned, businesses love predictability. For this reason, subscription-based businesses, like Software-as-a-Service, love predictable renewal rates. Security vendors know that just because you’re a customer this year, it doesn’t automatically mean you’ll be a customer next year — as the market is highly competitive. They know they’ll likely have to negotiate price with existing customers before the contract expires, which comes at a cost of time and sales forecast uncertainty. 

To reduce this uncertainty, subscription-based businesses will often give attractive discounts to customers willing to sign up for multi-year deals. Two to three year deals are typical, likely fetching a 5-10% discount, possibly more if you’re willing to pay up front, but we’ll explore this more in a moment. It’s also best to refrain from committing to more than three years for security purchases as it’s difficult to know what the business needs will be that far out, or how the product landscape may have changed in that time. 

3. Paying In Advance
For many security services, such as subscription SaaS products, you pay monthly or quarterly after services are rendered. For the security vendor’s finance department, that means they’re out some amount of money to service you before you pay them for those services. If you like a particular security service and plan to continue having it for at least another year, consider paying for a year or more in advance. For the vendor, getting cash up front is often attractive and it takes payment uncertainty out of the equation, giving their business additional flexibility. Obviously, the bigger the deal, the better in terms of discounting. This method can win another 5-10% or so in discounts on its own. 

4. Customer Reference, Case Study, Gartner Reference
In InfoSec it’s extremely difficult to get customers to speak publicly, or even privately, about their experience with a given security product. When a customer does consent to speak, it’s incredibly powerful, and few things generate more business for security vendors than vocally happy customers. Customers should use this power to their advantage, especially if they really really like a security product and want to see the company do well.

To do this, customers can serve as a reference in a few different ways:

a. Private Reference – speaks to other customers
b. Public Reference, Individual – willing to do case studies, press, events, quotes, but as an individual versus the company
c. Public Reference – Company – the company is endorsing the product and brand, including a logo on the vendors website, slides, etc.  

All of this is good and even a non-contractual promise to be a reference can lead to great discounts. As a small warning, many organizations have policies regarding speaking on behalf of the company, so make sure to follow those. If you can find out if the security vendor is in the process of working with Gartner on the magic quadrant of their space, customers who are willing to be a positive reference in this time period are like gold. I’ve personally seen seriously deep discounts here, even free!

5. Ask for More Stuff, Not Always Price Discounts
Let’s say you’re asking for a discount, but for whatever reason the security vendor isn’t agreeable. This could be because they need to keep their average sales price (ASP) above a particular threshold so their business looks good to their board and investors. In these circumstances, you can instead ask them to throw in things that are easier for them to give away or commit to.

a. Extra subscription time, especially if full deployment will take a while.
b. Additional services or software licenses.
c. A better customer support package.
d. Free training.
e. Payment flexibility. How and how often payment has to be made.
f. Product roadmap enhancements that’ll better serve you.

In many circumstances, security vendors will find the items on this list easier to give you than discounting the overall deal. You get more, but pay the same.

6. Find Out What Others Paid. Competitive Bids.
When entering pricing discussions, it’s always helpful to know what other customers paid as a point of reference. You may or may not be able to get the same deal as they did, but you want something in at least the general vicinity. There are a couple of ways to obtain this information.

a. Ask a colleague you personally know, who has already purchased a product you’re considering. What kind of deal did they get? 
b. Ask the vendors for customer references during the evaluation process, which is something all customers should do as a matter of course. Not only ask the reference what they liked and didn’t like about the product, but what they paid. 
c. Ask the vendor for their competitor’s pricing, and how they compare with it.  

In some cases, pricing information is considered confidential, but it doesn’t hurt to ask. Having this pricing research on hand greatly helps get you the best deal possible. 

Additionally, you’re probably deciding between two or more comparable products to solve a particular security problem. If the products themselves are a toss-up, meaning you’d be happy with either option, consider sharing the bids with the competing security vendors. No security vendor wants to lose a competitive deal in the last stage simply because the competition slightly edged them on price. You’d be surprised how quickly vendors will knock off 5-10% as a take away from the competition.

7. Go Direct
Many customers have a preferred reseller, typically called Value Added Resellers (VARs), through which they make their security purchases. Among other things, VARs make vendor management much easier for customers. They’ll help identify security program gaps, document purchase requirements, product selection, answer questions, and more. For the value they add, VARs usually take a roughly 30% margin on each product sale. Then, of course, they can tack on additional dollars for consulting and implementation if there is a need.  The remaining 70% of the sale price goes to the security vendor.

Here’s the thing, the business of the VAR is in the first two letters — V.A…  VALUE. ADDED. If a VAR is not adding enough value, which is often the case, they’re justifiably not entitled to their 30%. And in these circumstances, the VAR can and should be bypassed to go direct to the security vendor where the customer can get a [30%] discount without costing the vendor anything. And, unless there is a good reason not to, get bids from 3 VARs so they’ll have to fight to get you the best deal – fight to win your business. Often VARs will cut into their own profit margin to land the deal.

There you have it. Seven ways to help maximize the purchasing power of the security budget. Good luck!


Anonymous said...

Posting anonymously because I happen to be in sales..

All of those are very solid recommendations. The only one I would take exception to would be "asking for roadmap items". Taking money for a product that isn't complete can create a revenue recognition problem. The vendor can take the money and ship the gear, but they can't report it as revenue until the feature is complete which isn't likely going to happen before the end of quarter.. Just need to be aware of this as it could potentially be a stumbling point when the vendor rep tries to get the business to accept the terms of the deal.

Adding to the "pitting one vendor vs another" strategy.. Please, for the love of God, make SURE that the competing solution has feature parity. I cannot tell you how many times I've heard "XYZ is half your cost.. why is that?" Well Mr/Ms Customer, the XYZ solution doesn't do 4 of the things that your engineering team listed as required features. I'm sure that XYZ is a fine product, but if you expect it to do these specific things, I suspect you'll be disappointed.

joe s said...

I've yet to have a VAR provide me any value. They've never understood security issues enough to identify gaps, and even if you told them your gaps, their only help is recommending yet another tool from the Gartner upper quadrant.

Anonymous said...

@joe S - you are working with the wrong VARS then. I work for a VAR and can tell you there are a lot of terrible ones out there that don't add any value. That's the CDW model to just move product without relationships or problem understanding. The best VARS are the ones that also do professional services, and leverage those resources during the sales cycle.

Anonymous said...

Jeremiah, that is good insight with the exception of #7. I can tell you for fact that "VAR's," even those that provide the most sought after value, do not get the margins you are claiming. By telling customers out there that they are paying a 30% premium goes a long way toward jeopardizing what may be a very solid relationship. What you are doing, on this specific point, is extremely irresponsible and unprofessional. I would love to hear where you are getting your information because it is false across the board. I have been in security for over 20 years, working with the same companies you mention in your bio and have never heard your name. Please, before making comments that could hurt relationships, do your homework and present factual information.

Jeremiah Grossman said...

@Anonymous that's funny, I've been working in security for roughly the same time and probably have never heard of yours either. And if the customer has a strong relationship with their VAR as you say, maybe they can ask what their margin is. And finally, these numbers and statements have been my experience, and yours could easily be different. And granted, VAR margins can range from 2% - 30% or more, and I've personally seen examples of each. In any case, the larger point of #7 still stands.

James Cook said...

Love that @anonymous has never heard of you, yet he's reading your blog... thanks for the laugh @anonymous

Jeremiah Grossman said...

LOL. He probably works at a VAR too. ;)

Jeff Free said...

@JamesCook My thoughts exactly! Except for the laugh... because dementia is not a laughing matter. Can you imagine how hard it must have been for him? Coming to consciousness one day and finding himself at a website he's never heard of, written by a prominent contributor in infosec whose name he doesn't recall coming across in 20 years? Rough day.

@anonymous You have my sympathies. Know you're not alone.

kirschke said...
Great post! As someone that spent 15 years on the buy side of the table and is now sitting on the sales side, it's enlightening to see this. I remember negotiating prices down using many of the techniques you mention here, even with you :)

In my day to day work with my customers and prospects, I really strive to get a full understanding of their business, processes and vision. Having done the job that they are doing helps me with this tremendously. Any solid sales person in the VAR business should be negotiating in a transparent manner and should be informing them of these methods and working with them to make sure they get the best price/value, etc. VALUE ADD is one of the most overused & abused terms IMO and posts like yours make me want to work even harder at providing that value :)


Anonymous said...

To help control costs and get real world results, I wish there was a way to unite white hat hackers (and honest hobby hackers) with companies that understand the threat of a motivated adversary. I know many computer scientists and very talented network admins that play hours of video games during the weekend.

It would be more fun and fulfilling to come into work on Monday and tell your coworker at your boring non-infosec job that you found yet another way to access an unnamed corporation's network that you have been hired to attack. The companies could pay a talented IT pro a few hundred dollars per month to apply their Kali Linux skills using the attack pattern of a long term motivated adversary. OSCP skills are not rocket science.

BTW, if you have the time to set this idea up, I own the www.motivatedadversary.com domain.

Unknown said...
First of all I hope you were paid for this post, LOL or at least given gift cards from businesses all across America. This is something I think most organizations across the United States could use with all vendors not just security. As a serial entrepreneur and application security executive, I think this information is extremely helpful in changing how we engage, offer, deliver, advise and support our customers / potential customers. I'd love to get you involved with our organization as a board member. Check us out at www.appcurity.com. Please give me a call when you get a minute so we can discuss in more detail my friend. Mike Sheppard 510.677.5606

Jeremiah Grossman said...

@kirschke value add, that's good man. I mean, whether you're a customer or a vendor, the relationship must be viewed as a partnership. One needs help solving a security problem, and that's the job of the other. The industry can't just be box or service pushers with no content. It's important to remind people of that from time to time. And those who do well in this space, are those who make this their mission.

Good to hear from ya!

@Anonymous maybe a way to expand upon the crowd-sourcing / bug bounty model?

@Michael. Thank you for saying so! Nope. No gift cards yet! :) And please hit me up over email if you don't mind.

Anonymous said...

Point #7 is not possible with a lot of security vendors out there. While margins may hit the numbers you talk about in this blog, don't count on getting that by going direct :). VAR's are how they keep their product in the market that also provide the necessary professional services (eliminate shelf-ware) that would constrain manufacturers by trying to support their products and services direct to the end user. Be fair in your negotiations with VAR products and services as their goal is to facilitate something that you cannot do yourself. We see a lot of manipulation and competitive situations where proposals are NOT apples to apples. My advice (yes I am a VAR) is to be clear as to what your expectations and requirements are, make sure your proposal includes them all, compare quotes line for line (if not clear, ASK where that line item is!), and make your decision. Not all VAR's are created equal and not all VAR's care after the sale. If they don't provide professional services, what value can a VAR add other than price? Think about it.

AL in Denver said...

GREAT article and comments! Here are some thoughts from being successful on both sides of the table:
- Margins tend to be dramatically different between services/SaaS sales & more conventional product sales.
- The other strategy that I used while I was on the Customer side was to freeze maint costs for enterprise software purchases. Specifically, maint is often quoted at 20% of purchase cost annually, but trying to establish a cap can be beneficial in larger shops (particularly after you've negotiated the maintenance down).
- Also, some VARs will operate on a cost-plus basis if they think there's enough revenue. Gartner published an excellent article & did multiple seminars about this back in the '90s (AFAIK may be publishing updates). BE CAREFUL - I've seen a vendor driven to bankruptcy w/this approach - BAD NEWS for the VAR and for the Customer.
- Sometimes the VAR has incentive to sell *their* pro-services, so it's not uncommon for VARs to decline to bundle in a particular vendor's training, pro-services, etc, and they're HIGHLY unlikely to eat that "value add" out of their margins.
- Finally, the ugliest way to lock-in the best price is a "most favored nation" clause. Not for the faint of heart, and you'd better have a FAT wallet. Here's an entertaining example from a previous life:
This is VERY difficult to achieve, but once it's been achieved there is literally no better guarantee that you're getting the best price.

Andy said...

Thank You