General wisdom holds that it’s for businesses to compete on price. If competitors repeatedly undercut each other’s prices, they will drastically erode each other’s profit margins. To what extent do these dynamics hold for information security products?
Consider well-established security product categories, such as anti-virus, network firewalls, log management and intrusion detection. The vendors prefer to make their products stand out by developing unique features; however, when the products are mature, the new features are rarely groundbreaking and can often be replicated by competitors. When products are perceived as being interchangeable, the buyer holds more negotiating power than the seller, and the vendors end up competing on price.
When Security Strengthens a Product Ecosystem
One way to stand out in a mature, crowded market is with price. Microsoft has done this by offering Windows Defender and its predecessor Security Essentials for free. Microsoft's objective was to strengthen the security of Windows, increasing the use of its operating system and the products running on top of it. In this case, Microsoft didn't worry about commoditizing consumer endpoint security products, because this wasn't where Microsoft wanted to make money.
Enterprise software companies sometimes bundle security products for free or very cheaply as part of a large deal. For instance, Rocky DeStefano pointed out that "Symantec, RSA (via EMC), Q1 (through Juniper/Enterasys), SenSage (through HP)” give away Security Information and Event Management (SIEM) products for free with other products or services"
In these examples, commodity security products are treated as loss leaders, and are positioned as a baseline component for other products or services.
When Low Price is a "Foot in the Door"
Vendors can offer a product inexpensively to bring attention to other, more profitable offerings. For instance, Qualys offers a website malware scanning service. The service is presently free, providing value for consumers who need it while exposing them the Qualys brand.
Security products are sometimes offered on freemium basis, whereby the vendor provides a lightweight versions of the products to capture the initial attention of the customer, with the hope of up-selling the more expensive product. One of the examples that comes to mind in this context is Immunet, which is free, and can be upgraded to a commercial version for enhanced anti-malware protection.
In these cases, the free security products act as advertisement and a way to get a "foot in the door" of the enterprise or consumer.
When Low Price Can Be a Competitive Advantage
Companies can price their products low, when compared to competition, to capture a major part of the market. In this case, the strategy usually entails eventually increasing the price or turning to the freemium model described above.
Sometimes, companies find a way to change the industry by providing long-term pricing that is drastically cheaper than their competition, and finding a way to keep costs low to turn this into a sustainable competitive advantage. This is similar to what Google has done for the email market when it created a feature-rich webmail product that offered practically unlimited storage.
I don't know of many examples of such innovation in the information security industry. One example that comes to mind is Reliant, which provides PCI compliance products for retail stores. Their prices are significantly lower than competitor's prices, and they intend to keep it that way. One way to look at Raliant's product is to nitpick at the ways in which its security is weaker than the competition's. The goal, though, is to make make PCI compliance and associated security benefits affordable for stores that wouldn’t have any security in place otherwise.
Inexpensive Security That's Good Enough
Not everyone needs the same rigor security controls. As the result, there's room for inexpensive security products that are good enough. These products aren't for everyone, but they are perfect for customers that wouldn't justify paying more for stronger security. In cases like this, price can be a competitive advantage.
Pricing a security product is a complex issue, and surely this post glossed over some factors, considerations and examples. For more thoughts on the cost of security tools, see my article Cloud Makes Security More Affordable for Smaller Companies. For more on how security products can stand out, see my post Ease of Use as a Competitive Advantage for Security Products.