Security builder & leader

Cloud Makes Security More Affordable for Smaller Companies

When this article was first written, cloud adoption was still emerging. The thesis that cloud's pay-per-use billing model would make enterprise security affordable for SMBs has been thoroughly validated. Converting capital expenditure to operating expenditure through metered services gave smaller companies access to security controls that were previously out of reach.

When I first wrote this article, cloud computing was still an emerging model that presented its share of risks that concerned cybersecurity professionals. At the same time, I saw that the cloud billing model offered a major security benefit to small and medium-sized businesses (SMBs) by making security more affordable for them. That thesis has played out even more dramatically than I expected.

Pricing Enterprise Security Products

Enterprise security products have historically been expensive. (I wrote earlier how vendors can use low price as a competitive advantage.) In particular, the initial purchase and setup price—the capital expenditure (capex)—has prevented SMBs from deploying more than the bare essential security tools, say network firewalls and antivirus. Adopting other security technologies, such as those mandated by PCI Data Security Standard, has been a significant financial burden.

Pricing a product usually involves extracting the maximum possible amount that the customer is willing and able to pay. This is why vendors often employ price discrimination practices. For example, the vendor might offer a full-featured version of the product at a high price for customers who value the features and can afford them. The vendor might also offer a lightweight version at a lower price; this allows the company to capture the portion of the market that’s comprised of the customers who cannot justify or afford the higher expense.

Enterprise security vendors have had a hard time offering lower-priced versions for SMBs that include an attractive feature set. The cloud makes this easier by providing an alternative billing model with inherent price discrimination characteristics.

The Advantages of Cloud’s Billing Model for SMBs

One of the essential aspects of cloud computing, according to NIST SP 800-145, is measured service. It involves “leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” In other words, cloud providers can bill customers based on how much of the service was actually used.

SMBs that do not use many units of a security service find it more affordable to use the pay-per-use billing model than paying for the product outright. This model also provides the product’s vendor with inherent price discrimination, since the customers who make greater use of the service pay more for it than the lower-volume customers.

A related aspect of cloud services billing model is its conversion of the initial expense of obtaining the product (capex) into a stream of regular payments called operating expenditure (opex). Avoiding capex in favor of opex is attractive to many companies. This is particularly beneficial for SMBs, who might lack the cash flow to make a large capex payment, but who can keep up with opex payments.

Consider two-factor authentication as an example. When Google first rolled out this capability for its cloud customers, most SMBs wouldn’t have had the money or expertise to implement this control on their own. They got access to it by paying a relatively low monthly fee for Google Apps on a per-user basis. Today, multi-factor authentication is standard across most SaaS products — a testament to how cloud delivery made once-premium security controls ubiquitous.

These financial aspects of cloud services give SMBs access to security technologies they would’ve been unable to afford to buy outright. Cloud providers have since incorporated vulnerability scanning, log management, and web application firewalls (WAFs) into their standard offerings. What was once a prediction has become reality: SMBs now routinely use security services they wouldn’t have considered purchasing as standalone products.

More on
Product ManagementCloud
After 6+ years building the security program at Axonius from startup to scale, I'm exploring what's next. As I work on independent projects, I'm open to CISO or security product leadership roles where technical depth enables business growth. To talk, reach out on LinkedIn or email me at my first name at my last name dot com.
3 min to read
Published: February 17, 2011
Updated: March 4, 2026

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →