The quality and functionality of third-party security services has improved in recent years, experts say. Unfortunately, the cost of those services hasn't.

Despite the budget pressures caused by a bad economy, most security services firms have not cut their subscription prices, experts say. Although market pressures have driven costs slightly lower than they were five years ago, current prices are more stable, says Jason Hilling, executive for management and service strategy at IBM.

"The costs are not going down significantly with the maturation and saturation of the market," Hilling says, "but companies are delivering more for the same cost." As more enterprises move to managed and cloud security services, providers are differentiating themselves through value-added services, Hilling says. For example, managed intrusion detection systems that served at 1 gigabit per second (Gbps) five years ago can now run at 10 Gbps for the same price today.

If you're looking to cut the costs of security services, then you should focus on contracts, say market experts. Firms locked into a long contract at a relatively high service price can benefit by renegotiating their contracts, says Khalid Kark, vice president of security and risk management for analyst firm Forrester Research.

"In the interest of getting a good deal, many firms would sign long-term contracts with [service providers]," Kark says. "Yet now they've found out that costs have come down more than expected five years ago."

While a multiyear contract may not have been a good deal in years past, the relative stability of today's security services pricing could mean a long-term deal now will help to cut future costs, says Kathy Jaques, chief marketing officer for managed security provider SecureWorks. A big advantage of long-term contracts is that clients get a predictable cost structure, she says.

"Partly because of the economy and partly because of how budget cycles work, predicting the cost has become very important for clients," Jaques says. "They are locking into contracts so they will know what the costs will be two to three years out."

Typically, the size of the company and the length of the contract are two major factors in service price. Depending on the client's needs, SecureWorks also rolls hardware prices into the cost of the service. "It depends on whether capital expenditures are easier to approve for the client or operational expenses are easier to approve," Jaques says.

Software-as-a-service models are another good way to cut costs and are often delivered at a single subscriber price. When e-mail security provider Postini was bought by Google in 2007, the company underwent a study of its pricing and decided to ditch the old model of contracts and volume discounts, says Adam Swidler, senior product marketing manager for Google's Postini service.

"We really changed the artificially high pricing to a realistic list price," Swidler says. "We put the price online so people could see it, and we enabled them to buy the service online, as well." Postini now has 50,000 companies -- about 18 million users -- using its service.

Forrester has estimated that managed security services will see significant growth in the next few years. The number of companies that outsource their e-mail security, for example, will likely jump to more than one-third in the next 12 months, up from 25 percent today. And while 13 percent of companies already outsource vulnerability management, another 19 percent are very interested in doing so in the next year, according to a Forrester report released last month.

Although enterprises are looking to save budget dollars, costs are not the main reason for their interest in managed security services, according to Forrester. Round-the-clock monitoring and better protection of IT assets are more important factors in the outsourcing decision, according to its survey of firms. Greater competency of security services' professionals ranks third, with cost reduction running a close fourth place.

"The services have all become comparable in the past few years," Kark says. "The value-added services are where they are differentiating themselves."

Google's Postini has also found that costs are not always the only reason companies consider its service. Many customers are attracted by Google's infrastructure, which all but the largest companies would have a problem creating, Swidler says. The availability of a third-party infrastructure frees a company's IT staff to work on other projects, he notes.

"The notion is that you can take the IT resources that were dedicated to the care and feeding of your IT systems and put them to work on other strategic projects," Swidler says.

During the past three years, security service prices have become much more affordable for small and midsize businesses because telecommunications firms and Internet service providers are rolling up security services into their connectivity packages. Companies interested in reducing costs can look to see if their local providers offer security as part of the service bundle.

"Telcos have really come up with some interesting models for cost reduction," Forrester's Kark says. "In the future, a lot of these services will be baked into the infrastructure."

IBM's Hilling agrees. "The telcos' bundling of security services will really drive the business for SMB in the next few years," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.