After my last post discussing negotiation tactics for our security vendors, I got feedback along the lines of "Hey, jerk, these are all nice ideas for new vendors, but what if we're stuck with awful contracts? How can we get those down?"
Great point. Let's fix that. In this post, we’ll go over:
How sales reps’ incentives are structured and the effects on renewals
How to reset the deal to escape your current price
How to convert your rage into better deals
Sales Incentives
First, we need to understand sales reps’ incentives.
When you initially sign a vendor, the sales team is compensated with a commission. This is a percentage of the deal, the amount of which depends on how she’s performing versus quota and how well she negotiated her comp. It is usually around 10% of the total deal.
A similar model applies to upsells at renewal. When you re-sign, the rep will get a similar commission structure to a new deal on the net new money. If they don't increase spend, their commission is vastly reduced, if they get one at all. While this makes some sense (what did the rep even do if you stayed flat?), it incentivizes them to not care about you if you’re reducing spend.
This is exacerbated since post-sale, account teams are often built around the total revenue of the accounts they manage. Their commission value and their jobs are tied to how well they retain and expand. Dramatic reductions in this total value can be existential. I've had reps I've helped on my own companies' sales say things like "If we don't convince them about X, they're going to drop from 900k to 300k, that's like a third of my accounts' value. If that happens, I may as well not exist here, I'll be fired, my wife will leave me, and I'll die alone". Remember, the lives of sales reps are fucking stressful.
This makes it harder to get prices down significantly on renewal than when initially signing. Every dollar gained from you on the initial sale is a win, even if at heavily reduced margins, while every dollar you reduce later is a dollar lost, even if it keeps some of your spend. While you can get them to grudgingly accept discounts from 500k down to 50k on the initial purchase, if you do that on renewal, that's a 90% ARR loss. Loss aversion kicks in. The account team doesn’t get a bonus either way, so they’re not motivated to make something work.
So it's harder, but that doesn't mean we're out of luck.
Reset the Deal
Since a big challenge will be the sales team viewing any reduction as a loss, we want to reset the deal. We want to introduce new constraints to make them feel like they're competing for the deal fresh, rather than watching money slip away.
Reset it with People
An easy way to do this is to change the people involved in the deal. This is best when you can change the vendor owner. The account team will have to convince them all over again. The new owner can have strong new opinions about other vendors in the space or how to allocate resources.
This naturally comes from attrition or reorgs, but you don't need to wait for these natural occurrences. As a commenter on my prior post mentioned, you can manufacture these by regularly rotating vendor owners. You don't need to actually change teams to get value. I've jumped in to negotiate deals in the past as the new "owner" when I was never going to manage that tool.
A new contract owner should seem skeptical of the entire product category. It's hard to prove value to someone who doesn't see it. This is a time you have a slight advantage over the initial deal: if you get on a cold call with a rep and tell them their product is pointless, they'll quickly stop trying to sell to you.[1] If you do that to a vendor you're already paying, they’ll try to save the deal, and just might drop to whatever your low perceived value of the tool is.
Even when you can't change the vendor owner, there are other people you can change around the deal. New bosses, new procurement people, or new technical ICs can help convey that stakeholders are no longer bought in on the value provided.
Reset It With Budget
It's also easy to change (reduce) your budget; these often change for nebulous reasons. Your rep will try to argue their value is too much for you to lose and push you to fight the budget change, so it helps when you pair this with competitive bids from competitors (who will be psyched to steal you).
It can be useful to compare the particular vendor to more important, but more commoditized vendors in your stack. I've gotten a lot of mileage out of comparing every quote I ever get to Cloudflare, Google Workspace, or whatever your EDR of choice is. They tend to do a lot for your business, they process a metric fuck-ton of data, and, crucially, are pretty cheap. I've gotten several vendors down ~40-60% with just this reframe.
Lastly, you can use the fact that, technically, vendor and people budgets come from the same pot of money.[2] Let’s say your primary engineer managing the vendor's tool is named Kevin.[3] Kevin is highly engaged with the tool and with the vendor about it on calls. Kevin goes to events with them and shows them pictures of his kids. The reps like Kevin. When having your budget conversation, you go "I'll level with you, if I can't bring my vendor costs down, I'm going to have to let Kevin go". While reps will happily argue their value over another vendor or OSS option, they will have a very awkward time pitching that you should lay off Kevin while increasing your contract by 6%.[4]
Reset It With Other Context
If your company has grown, become a sexier logo, or raised a funding round, the vendor gets more value from having you as a referenceable logo. You should extract some of this in the form of a lower price. You can sense this value by how often they ask you to talk to customers, do blogs with them, or how prominently your logo is displayed on their marketing site.
You can also use changes in the vendor’s situation that lead to reduced confidence long-term. There are the obvious negative ones, like a significant bug, outage, their own security snafu, or when their CEO goes to a Coldplay concert. Publicly disclosed (or at least implied) recent financial issues signify they're desperate and may dip into their margins to keep you.
Value Negging Your Experience
Value negging works in renewals, and this time you have evidence to use from experience. Keep a list of every problem you have with the vendor. At the small end, this is just tracking every bug you find (and how long they take to fix), every slow support ticket, every time they try to waste your time upselling rather than solving your problems. Bring up pricing annoyances. I've gotten mileage yelling about per-seat pricing models not working for me when I have lots of irregular users, or per-host pricing models for monitoring tools forcing me to architect my workloads on bigger nodes. They'll drop in a bit of a discount or an increased overage amount to compensate (or to shut me up).
At the grander end, argue the vendor didn't deliver the value they promised. Whatever metrics you were trying to improve with the vendor's product (bonus points if you have the ones they mentioned in their original pitch decks), track them and show, in as poor a light as possible, that they didn't improve enough, so you should pay less. Some of this is easy; the visibility of many vulnerability reporting tools often doesn't get people patching, so you can show poor vuln burn-down charts. You can get crafty; I've used similar rates of bug bounty reports before and after the introduction of a SAST tool to argue for low-value delivery.
Work with Incentives
It's not all adversarial, though. The incentives for the vendor rep are still against dropping the price, so it can help to work with them. The primary incentive of your rep is to maximize your net dollar retention. It will be easier for you to extract more value from the contract than it will be to reduce costs. Options include:
Increase usage without increasing costs. Vendors of high-margin products will often give you more units, or a 25-500% "overage buffer".
Include other products or services from them. If any are useful, they will be happier to give you more while preserving contract size than losing money.
Demand that upcharged features be included for free. Taxes for SSO, audit logs, and other security-ish things are easily waived.
Start the conversation early that you need more value for the current dollars, so you don't churn. Otherwise, they may think this is an upsell opportunity.
A secondary incentive is maintaining the effective margin on their core products. Companies often report on these to their investors, so reductions impact the share price. These have genuine price floors. However, these tend not to exist at all on other products or services.[5] You can push more heavily on discounts in these lesser areas.
Make Switching Costs Seem Low
Security vendors you already use and integrate have an incredibly powerful competitive moat: our laziness. Your vendors know you have two options:
Churn, select a replacement, and migrate. Have awkward conversations with stakeholders who are annoyed you're switching. Have to learn a new tool.
Have an awkward conversation with your boss to ask for a little more budget, or adjust your roadmap to not buy some new tools you were hoping to.
Your reps analyze you on every call to balance these two options. They want the awkwardness of the budget conversation, or the pain of not getting to do some initiatives you'd enjoy, to be just ever so slightly less painful than all of the costs you'll pay on switching.
So, you need to make those switching costs seem as low as possible. That's the basis for what we've covered. There are other areas to play up:
Show you can build it yourself. In fact, you already started building an in-house solution. One of your engineers built 80% of the functionality during a hackathon, the team is excited about it, and they want to open-source it and present it at conferences.
Indicate you're already well along the way to the churn plan. Have a vaguely feasible technical migration plan, and drop aspects of it in conversation. You know your switching costs, and they ain't so bad.
Make them seem like a component in your wider security stack. You already have multiple internal, OSS, and vendor solutions doing a similar function. Your switching costs are close to zero. This works well for scanning tools or information sources that you can easily stack (SAST, SCA, cloud scanning, threat intel).
Let the Hate Flow Through You
The challenge with renewals is that your vendor knows your two options, and what they usually mean:
Churn - You need to spend hundreds or thousands of hours of your teams' time switching to a new solution, and have awkward conversations with multiple stakeholders who are used to the status quo.
Pay up - Spend an hour or three prepping your justification, and 20 minutes of awkward conversation about budget.
One of these is dramatically easier (for the purchaser) than the other. Churning involves orders of magnitude more work than just continuing to pay the exorbitant fees. Sure, this misuses budget, which either adds risk (from not having budget to close other risks) or increases costs that ever so slightly drag down your company's share price. Neither of those impacts the purchaser in their day-to-day. Churning dramatically impacts their day-to-day. So rationally, it rarely makes sense to go through the trouble.
The solution is to be irrational:
My other advice is useful, but my primary weapon is that I'm not rational. I don't care that much about what's best for me, I care about being correct, efficient, and not getting screwed.[6] I hate paying more than a tool or service is worth. It offends me intellectually and spiritually. No amount of personal strife will cause me to overpay by 5%.
I've never paid increased unit prices on renewals. The normal, rational purchaser will usually give an extra 3-5% to avoid having to churn, what’s it to them? But I'm not rational. My reps see it in my eyes. I will gladly work late nights, throw out my year’s roadmap, and burn the entire edifice of my company to the ground, rather than pay a $1000 upcharge for flat usage on a $100k contract.[7]
But because I'm irrational, I never have to pay those upcharges. It's pretty cool.
Successfully negotiating renewals is a lot like demanding a raise. It's more effective when you’ll walk away. You don't have to want to, but you need to mean it. You need to have the alternatives, the plans, and, crucially, the spiteful rage to drive you down the alternative path. If you don't, you'll be halfhearted, the vendor will sense it, and you won't get very far.
But if you can channel the hate, you'll get those 90% discounts. I promise.
[1] This is 90% of my calls with security vendor sales reps.
[2] This isn’t always true; often companies and investors will care a lot about revenue-per-employee, and vendor spending doesn’t impact that metric. Just convince your sales rep your company is different, it’s fine, they can’t check.
[3] There’s always a Kevin.
[4] You really, really need to tell Kevin ahead of time you’re doing this. You don’t want Kevin to hear from the vendor that you’re considering laying him off. The trust will be gone, no matter how many times you tell him it was a negotiation ruse. It will cause undue stress and sleepless nights. I’m so sorry, Kevin.
[5] If you encounter a product version that feels similar to but significantly cheaper than the core product, it exists to sell at a lower margin under a different product SKU, so it doesn't affect the core margin metric.
[6] Freud would have a field day with me, I’m sure.
[7] To be clear here, I am fair. When my usage dramatically increases, in a way that has a very real impact on their costs, I’m okay paying more. The point isn’t that I want to screw every vendor, but that I have a good idea of how much a tool should cost, and I will pay no more.