Can Cybersecurity Companies Leverage Outcome Based Pricing?
Outcome or results based pricing has become a hot topic again. Many see it as the ultimate form of pricing, and of value based pricing, as it directly ties the amount paid to the outcome.
There are many challenges to adopting outcome based pricing, though. The two most important are:
Clarity - can the outcome be specified in a way that both parties will agree on
Attribution - most important outcomes have multiple causes and dependencies and both parties need to be able to agree on what led to the result
At last week’s Usage Economy conference in San Francisco, there were a number of discussions on outcome based pricing and questions on how it could be applied to cybersecurity.
Cybersecurity is a challenge for outcome based pricing as the desired outcome is ‘nothing happened’ or ‘business as usual.’ As one person asked, ‘How does one price a negative?’
Ibbaka has a number of customers in the cybersecurity space, none of whom are using outcome based pricing at this time, but several of them are posing the question (or being asked by customers).
How can we apply outcome based pricing to cybersecurity?
Ibbaka is committed to using generative AI applications to increase the value our pricing and value management platform delivers to our users, so we go to generative AI first to answer these questions. We started with a simple prompt on Perplexity, using the Perplexity Pro model (we generally run the same prompt against multiple models and compare the results):
“How can outcomes or results based pricing be used to price cybersecurity solutions?”
You can work through the prompt and response here.
The high-level summary follows.
Outcome-based pricing can be an effective model for pricing cybersecurity solutions, as it aligns the interests of the security provider with the customer's security goals. Here are some ways outcome-based pricing could be applied to cybersecurity:
Key Performance Indicators
Pricing could be tied to specific cybersecurity KPIs or metrics, such as:
Reduction in the number of security incidents or breaches
Decrease in the mean time to detect (MTTD) or mean time to respond (MTTR) to threats
Improvement in overall security posture scores
Reduction in vulnerabilities or increase in patching rates
Lowered risk scores for key assets
The provider would receive higher compensation for achieving agreed-upon targets for these metrics.
Let’s pause and imagine for a moment what would have happened if CrowdStrike had been using outcome based pricing in July, when it released a faulty update that caused about 8.5 million Windows devices worldwide to crash. This was not a security incident per se, but it was caused by a security company, and if CrowdStrike had been using a pricing metric based on system availability (see below) it would have suffered even more serious consequences.
The initial response from Perplexity seems a bit shallow and mundane (as is often the case when Large Language Models are given simple prompts).
A Generative Concept Blend for Cybersecurity and Outcome Based Pricing
One way to prompt generative AIs is by giving them a framework and context to work with. We have found concept blending to be a compelling way to work with these systems. Generative pricing, Ibbaka’s approach to pricing second-generation generative AI applications, is a concept blend of dynamic pricing and value based pricing.
Concept blending takes a generic domain (in this case Software Pricing) and then uses this as a context to combine two other domains (in this case Cybersecurity and Outcome Based Pricing).
We generated two context documents for (and from) Perplexity, one on the cybersecurity space and key companies active in the space and one on outcome based pricing. To give Perplexity an understanding of concept blending we provided links to two resources:
Some Innovation Patterns from Concept Blending by Steven Forth (author of this post)
The following prompt was put into Perplexity and run on the following models: Perplexity Pro, GPT-4o and Claude 3.5 Sonnet.
“Method: Concept Blending
Domain 1: Outcomes/results based pricing
Domain 2: Cybersecurity
Context: Refer to the two attached documents for information on the two domains.
Refer to the following two web resources for information on concept blending
https://www.linkedin.com/pulse/some-innovation-patterns-from-concept-blending-steven-forth/?trackingId=2MuMytXnTLKPCnvEhRjqfg%3D%3D
https://markturner.org/blending.html
Task: Create a concept blend for cybersecurity and outcomes/results based pricing.
Assess whether outcomes/results based pricing is a possible way to price cybersecurity services.
Propose some ways to apply outcomes/results based pricing to cybersecurity solutions.”
You can see the full result for Perplexity Pro here.
The key points are as follows.
Answer
Concept Blending: Cybersecurity and Outcomes/Results Based Pricing
The concept blend of cybersecurity and outcomes/results based pricing creates an innovative approach to pricing cybersecurity services based on the actual security outcomes and value delivered to customers. This blend combines the protective nature of cybersecurity with the performance-driven model of outcome-based pricing.
Assessment of Applicability
Outcomes/results based pricing is indeed a possible and potentially effective way to price cybersecurity services, although it comes with certain challenges and considerations:
Measurable Outcomes: Many cybersecurity metrics can be quantified, such as the number of threats detected and blocked, reduction in successful attacks, or improvements in response times
Value Alignment: This pricing model aligns the interests of cybersecurity providers with their clients, as both parties benefit from improved security outcomes
Differentiation: In a competitive market, outcome-based pricing can help cybersecurity companies stand out by demonstrating confidence in their solutions
Long-term Focus: Cybersecurity is an ongoing process, which aligns well with the long-term perspective often required in outcome-based pricing models.
Data Collection: Many cybersecurity solutions already incorporate robust monitoring and reporting capabilities, facilitating the measurement of outcomes
However, challenges include:
Attribution: It can be difficult to attribute security improvements solely to a single solution or provider
External Factors: Cyber threats are constantly evolving, and some factors affecting security outcomes may be beyond the provider's control
Defining Success: In cybersecurity, the absence of negative events (e.g., breaches) is often the desired outcome, which can be challenging to price
Proposed Applications
Threat Prevention Pricing: Charge based on the number of verified threats prevented or blocked. For example, a company could pay a base fee plus an additional amount for each prevented attack above a certain threshold
Incident Response Efficiency: Price based on improvements in incident response times or reductions in the average cost per incident
Compliance Achievement: For industries with specific security regulations, price based on successful compliance achievements or audit pass rates
Data Breach Prevention: Implement a pricing model where the provider offers a guarantee or insurance-like component, with reduced fees or payouts if a significant breach occurs.
Security Posture Improvement: Use a scoring system to evaluate an organization's overall security posture, with pricing tied to improvements in this score over time
Uptime and Availability: For cybersecurity solutions that also impact system availability, price based on achieved uptime percentages or reductions in downtime due to security incidents
Phishing and Social Engineering Defense: Price based on improvements in employee phishing test results or reductions in successful social engineering attempts
ROI-Based Pricing: Develop a model that calculates the return on investment (ROI) of the cybersecurity solution, with pricing tied to achieved cost savings or prevented losses.
Tiered Outcome Pricing: Offer different pricing tiers based on the level of security outcomes achieved, allowing customers to choose their desired level of protection and associated pricing
Hybrid Model: Combine a base subscription fee with outcome-based components, providing a balance between predictable revenue for the provider and performance-based incentives
Implementing these models would require careful contract design, clear metrics definition, and robust monitoring systems. It's also important to consider the potential risks, such as providers focusing too narrowly on measured outcomes at the expense of overall security. A balanced approach that considers both specific metrics and holistic security improvements would be ideal.
By blending cybersecurity with outcome-based pricing, companies can create more accountable, value-driven security services that align provider success with customer security goals. This approach has the potential to transform the cybersecurity industry by shifting focus from selling products and services to delivering measurable security improvements.
There are many other follow-up questions that you can investigate yourself on the above thread. If you have the right access, try running the prompt on other models as well.
It is likely that leading cybersecurity companies will move to some form of outcomes pricing over the next three years. This is likely to begin with new products, and as these products will be AI-based we will see this first in security agents and other AI applications.
This is only one way to think about cybersecurity value and pricing and ‘how to price what does not occur.’ In a subsequent post, we will ask if cybersecurity can be priced as a form of insurance.