Hi All
In CISA’s Secure by Design whitepaper, we urge software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers. We recommend that essential security features should be available as part of the basic service offering. Consumers should not need to pay premium pricing, hidden surcharges, or additional fees for basic security hygiene. In particular, we mention that single sign-on capability should be available by default as part of the base offering—consumers should not need to bear an onerous “SSO tax” to get this necessary security measure.
While it might seem reasonable to charge more for some features, this practice can hinder improvements in security posture by discouraging organizations from adopting a robust identity and access management (IAM) system. Organizations, including those below the security poverty line, deserve basic security hygiene. We argue that security should not be priced as a luxury good but instead should be considered a customer right.
https://www.cisa.gov/sites/default/files/2024-06/Barriers-to-SSO-Adoption-for-SMB-508c.pdf
Your thoughts and ideas?
Who pays the piper?
Regards
Caute_Cautim
It is true - sometimes, cybersecurity measures can be out of one's budget range. There is an argument that cybersecurity needs to be more of a priority at many organizations and there may be some truth to that. And yet I have observed that some vendors are indeed addressing others in the market like us that may be in the SMB space to provide more affordable solutions. I've seen this especially in the last 5-7 years.
Before working as an industry SME in cybersecurity, I was an attorney in private practice. I represented a regional extension center. We found that, through the power of a group purchasing agreement, we were able to negotiate more favorable terms, both in terms of price point and also in terms of more favorable contractual language (not the AS IS, WHERE IS language that's standard in many vendor contracts).
I say that there's improvement, but we need to call on vendors to consider the rest of us. I work for a not-for-profit organization and I'm clearly within SMB. There are a lot of us out there. Whether it's a group arrangement or individual offerings to those that are smaller in size (not just the mega / large capitalized entities), I would like to say to the vendors that are listening - please keep in mind the smaller markets too in your offerings.
Notwithstanding that, I did want to say that there has been some progress regarding affordability of cybersecurity solutions.
However, we have made progress.
Some examples:
https://www.ama-assn.org/system/files/2020-12/stark-law-aks-summary-final-rules.pdf
And, fortunately, cybersecurity is a bipartisan issue. I've worked with Congressional staffers (Democrats and Republicans) and they all agree - cybersecurity is an issue we all agree about and we're all concerned about. (And the governments around the world I've talked with and work with are also on board - whether in Europe, Asia-Pacific, or the Middle East.)
While it may seem that there is an issue that needs to be resolved - and we must acknowledge it - we are indeed making progress. But the point is that we need to keep on making progress. I'm just one person (amongst many) who has been fighting for positive change in the cybersecurity field as an advocate. We each can do our part in ensuring positive change.
Lee Kim
ISC2 board of directors candidate