Death by 1000 Subscriptions

I can remember when the software-as-a-service (SaaS) concept really started taking off. It was a grand idea! Instead of paying a massive amount of money up front to license software that one would then have to manage, you could instead pay a little bit of money regularly and get access to the software. Added bonus, the vendor would host it for you!

For those that aren’t in the industry, the easiest example is to look at Adobe Creative Cloud. This is a suite of software for creative professionals. It used to be that you would pay a fixed fee to buy the software that you wanted and you would own that software until the end of time. You could buy single apps for hundreds of dollars or the creative suite for thousands of dollars. Every year or two, the company would release a new version of the software with new features and you could choose to upgrade or not.

Though, not upgrading isn’t really an option. The old version stops getting support and you won’t get new features.

Another example would be Microsoft Office, which used to be a suite of productivity tools that you’d buy, bring home, and install. It was expensive. Like Adobe, the product was commonly pirated because it was too expensive for the average user, but the average user wanted the functionality. These days, well, you can just get a subscription to Microsoft 365 (formerly Office 365 and probably renamed again before you read this blog) and bam! For just a few dollars a month, you too can have professional word processing.

Putting on our finance bro hats, the subscription model makes a lot of sense. It’s recurring, sustained revenue. Instead of money coming into the company on a sporadic basis with license renewals or new purchases, money now comes in more frequently and in a way that’s easier to predict. Also, bonus, the subscription model is often cheaper for clients, which opens up the potential customer pool. No longer do we need to focus on those with huge cash reserves; we can sell to anyone that can afford our low monthly price.

Oh, and many of the subscriptions also come with term commitments. Or “cancel early and pay me all the money you would have paid” clauses. Or you can get a cheaper per-month rate by opting to pay for one or two years up front.

And lots of subscriptions are hard to walk away from because it’s not easy to change the technology stack.

When all of this talk of SaaS hit the scene so many years ago, I liked the idea. It felt perfect because it opened up a lot of avenues for the smaller companies I worked at. Also, in some cases, it freed us up from thinking about lower-level IT problems (like, running servers and storage to host the application) because it was now hosted elsewhere. All for an ultra-low cost that anyone can afford!

Today, though? Maybe we need to reevaluate all of this.

My core complaint is that the subscription model assumes that your situation never changes. Also, now that everyone is using the subscription model, the client loses out. There’s a subscription for everything and all of those subscriptions add up. Fast.

This probably hits home more in your personal life. How long have you been paying for Netflix? And how long will you continue to pay for it? I have numerous personal subscriptions that offer fundamental services that, what, I am paying for until I die? Most do not offer lifetime subscriptions where you can pay once and enjoy in perpetuity.

Just having a domain name costs money every year and I have too many of those. Web hosting. Software subscriptions. Email hosting. Et cetera. Lots of stuff likely to disappear within a year after death.

Consider my password vaulting strategy. I pay an annual fee for the 1Password family plan. It’s something like $65 per year for the family plan in order to vault passwords with this third party. It’s worth it to me and we’re talking a little more than $5 per month. This is something I can currently afford.

The problem with this subscription: I have to pay for as long as I need access to this data (probably my whole life) but I have no guarantee of income for the same period of time. What happens should I decide that this subscription is too expensive? Worse still, what happens when the company decides that I need to pay more?

Companies are increasingly holding our data hostage like this. It sounds dramatic but, on the business side, subscriptions aren’t dollars per month. They can be tens of thousands of dollars per month. And here’s the real kicker: management wants to cut your budget, but requirements in the industry keep increasing, making it harder to walk away from these bad deals.

You must collect data from some systems, but not others. You will retain that data for at least X amount of time but no longer than Y. Oh, and people have the right to ask you to delete anything that’s related to them. But don’t forget you need to notify those people should a breach occur that possibly impacts their personal data. Personal data? Oh that could be anything that helps identify the user, so make sure you mask that out in your data.

Subscriptions have become a necessity because you need so many tools that you can’t hire enough people to manage and maintain them all. You have no choice but to rely on other companies to provide that management for you. And, in many cases, the companies have stopped offering anything except their subscriptions. The only choice you get is cloud or self-hosted. Or, another way of phrasing it: rely on often subpar vendor support or spend a lot of money to hire a full team of people to support the product. No matter which you choose, though, you’re paying a regular fee to that vendor.

Did I mention that while everyone was making the rush to subscription models, support went downhill? Those companies offering services got hit the same way as the rest of us. Bean counters came in and said, “Hey, this is great, but how can we increase our margins on all of these subscriptions?” Proper premium support is always the first to go.

It’s a good thing that premium support is an add-on subscription you can get with your base software subscription. Though, I’ve seen the professional services “training” provided by multiple vendors and I have to say – there’s nothing premium about that.

The individual software companies won’t fix this problem. The subscription revenue is just too good and their purview is too small. Instead, I would expect to see managed service providers stepping in to offer a different kind of a subscription. One subscription to rule them all. That kind of thing.

In essence, a well-positioned service provider really could help in this scenario. The service provider could leverage its client base and larger capital to wrangle bulk discounts out of the software providers and then package these together into one cost for the client. The client pays one cost to the service provider, who then manages the various technologies in the stack and provides support around it.

At a really high level, what I want is for the client to pay one subscription fee and for that fee they get basic security coverage. All the acronyms: SIEM, SOAR, XDR, EDR, WTFBBQ, and whatever else you think of. The idea is simple: take on security operations for a client. For some clients, this will let them just focus on their business. For others, they can focus on doing the real security stuff.

Don’t walk away from this post thinking this is some new, grand idea. It’s a continuation of a lot of what I’ve said about outsourcing security. It’s something that you can absolutely pay your service provider for today. In fact, it’s not too much different than how my current business unit operates.

What I want, though, is for it to become the norm. Because one of the most annoying things about working in security is all of the non-security work you get stuck doing. Security, overall, would improve if all those smart people that like to find the bad guys could just focus on that.

The other annoying thing is working with multiple different support stacks. Wouldn’t it be grand to just have one number to call and complain to? “Hey, your stack is broken, fix it.” That would be way better than fighting the vendor blame game. You know, the one where you call support and they say, “I see you haven’t updated unrelated product X in a while, you’ll need to do that first so we can prove it’s not the issue.” I haven’t had to do that in a while but it’s making me mad just thinking about it.

Anyway, we need to fix this. Security budgets are being squeezed and there’s a lot of time being wasted justifying individual technologies that should be treated as part of the same stack. That log management solution you bought into? It’s not a standalone system anymore; it’s part of the security stack, and the value of that stack is derived from all the products together. Sure, you could replace the one product, but then you need to think about interoperability with everything else you built around it.

Do you replace all those other things too?

If the service provider can consolidate this into a single line item in your budget, you can put a price to your security stack that isn’t just the sum of a bunch of individual technologies. Probably most importantly, you can let your security people focus on what matters – delivering value to your company by keeping you safe instead of focusing on this numbers game. They can focus less on justifying technology choices and let the service provider play that game.

You know, just leave the boring stuff for someone else so your security team can focus on what really matters: finding bad guys and getting them out of the environment.


One response to “Death by 1000 Subscriptions”

  1. Thanks! I’m so glad I stumbled across this blog – it’s been a real eye-opener and also provided me with a lot of new information. Many thanks for sharing your knowledge!
    The article discusses the rise of software-as-a-service (SaaS) and its advantages for companies in terms of recurring revenue and cost savings. However, the author points out some downsides of this model, including the assumption that situations never change, the accumulation of subscription costs, and the holding of data hostage by companies. Additionally, the author suggests that managed service providers could offer a different type of subscription that consolidates multiple technologies into one cost for clients. This would allow clients to focus on their businesses while leaving the security operations to the service provider. Ultimately, the author argues that the security industry would benefit from letting security experts focus on finding bad actors instead of getting bogged down with justifying technology choices.
