For those that aren’t in the industry, the easiest example is to look at Adobe Creative Cloud. This is a suite of software for creative professionals. It used to be that you would pay a fixed fee to buy the software that you wanted and you would own that software until the end of time. You could buy single apps for hundreds of dollars or the creative suite for thousands of dollars. Every year or two, the company would release a new version of the software with new features and you could choose to upgrade or not.

Another example would be Microsoft Office which used to be a suite of productivity tools that you’d buy, bring home, and install. It was expensive. Like Adobe, the product was commonly pirated because it was too expensive for the average user but the average user wanted the functionality. These days, well, you can just get a subscription to Microsoft 365 (formerly Office 365 and probably renamed again before you read this blog) and bam! For just a few dollars a month, you too can have professional word processing.

Putting on our finance bro hats, the subscription model makes a lot of sense. It’s recurring, sustained revenue. Instead of money coming into the company on a sporadic basis with license renewals or new purchases, money now comes in more frequently and in a way that’s easier to predict. Also, bonus, the subscription model is often cheaper for clients which opens up the potential customer pool. No longer do we need to focus on those with huge cash reserves, we can sell to anyone that can afford our low monthly price.

When all of this talk of SaaS hit the scene so many years ago, I liked the idea. It felt perfect because it opened up a lot of avenues for the smaller companies I worked at. Also, in some cases, it freed us up from thinking about lower-level IT problems (like, running servers and storage to host the application) because it was now hosted elsewhere. All for an ultra-low cost that anyone can afford!

Today, though? Maybe we need to reevaluate all of this.

My core complaint is that the subscription model assumes that your situation never changes. Also, now that everyone is using the subscription model, the client loses out. There’s a subscription for everything and all of those subscriptions add up. Fast.

Consider my password vaulting strategy. I pay an annual fee for the 1Password family plan. It’s something like $65 per year for the family plan in order to vault passwords with this third party. It’s worth it to me and we’re talking a little more than $5 per month. This is something I can currently afford.

The problem with this subscription: I have to pay for as long as I need access to this data (probably my whole life) but I have no guarantee of income for the same period of time. What happens should I decide that this subscription is too expensive? Worse still, what happens when the company decides that I need to pay more?

Companies are increasingly holding our data hostage like this. It sounds dramatic but, on the business side, subscriptions aren’t dollars per month. They can be tens of thousands of dollars per month. And here’s the real kicker: management wants to cut your budget but requirements in the industry keep increasing making it harder to walk away from these bad deals.

Subscriptions have become a necessity because you need so many tools, you can’t hire enough people to manage and maintain them all. You have no choice but to rely on other companies to provide that management for you. And, in many cases, the companies have stopped offering anything except their subscriptions. The only choice you get is cloud or self-hosted. Or another way of phrasing it: rely on often subpar vendor support or spend a lot of money to hire a full team of people to support the product. No matter which you choose, though, you’re paying a regular fee to that vendor.

Did I mention that while everyone was making the rush to subscription models – support went downhill. Those companies offering services got hit the same way as the rest of us. Bean counters came in and said, “Hey, this is great, but how can we increase our margins on all of these subscriptions?” Proper premium support is always the first to go.

The individual software companies won’t fix this problem. The subscription revenue is just too good and their purview is too small. Instead, I would expect to see managed service providers stepping in to offer a different kind of a subscription. One subscription to rule them all. That kind of thing.

In essence, a well positioned service provider really could help in this scenario. The service provider could leverage its client base and larger capital to wrangle bulk discounts out of the software providers and then package these together into one cost for the client. The client pays one cost to the service provider who then manages the various technologies in the stack and provides support around it.

Don’t walk away from this post thinking this is some new, grand idea. It’s a continuation of a lot of what I’ve said about outsourcing security. It’s something that you can absolutely pay your service provider for today. In fact, it’s not too much different than how my current business unit operates.

What I want, though, is for it to become the norm. Because one of the most annoying things about working in security is all of the non-security work you get stuck doing. Security, overall, would improve if all those smart people that like to find the bad guys could just focus on that.

The other annoying this is working with multiple different support stacks. Wouldn’t it be grand to just have one number to call and complain to? “Hey, you’re stack is broken, fix it.” That would be way better than fighting the vendor blame game. You know, the one where you call support and they say, “I see you haven’t updated unrelated product X in a while, you’ll need to do that first so we can prove it’s not the issue.” I haven’t had to do that in a while but it’s making me mad just thinking about it.

Anyway, we need to fix this. Security budgets are being squeezed and there’s a lot of time being wasted justifying individual technologies that should be treated as part of the same stack. That log management solution you bought into? It’s not a standalone system anymore, it’s part of the security stack and the value of that stack is derived from all the products together. Sure you could replace the one product but then you need to think about interoperability with everything else you built around it.

If the service provider can consolidate this into a single line item in your budget, you can put a price to your security stack that isn’t just the sum of a bunch of individual technologies. Probably most importantly, you can let your security people focus on what matters – delivering value to your company by keeping you safe instead of focusing this numbers game. They can focus less on justifying technology choices and let the service provider play that game.

You know, just leave the boring stuff for someone else so your security team can focus on what really matters: finding bad guys and getting them out of the environment.