Locked in: How long is too long for security vendor contracts?

Stephanie Benoit Kurtz thought she had a good deal when, in one of her former CISO roles, she signed a three-year contract with a vendor for vulnerability management as a service.

Benoit Kurtz inked the deal thinking that her security operations program would make full use of all the offered features. But she found early into the three-year stretch that her team only used about 60% of them.

She says she was in a bind: paying for a product that wasn’t really the right fit with no way to get out of the contract.

“It’s hard to go back to the manufacturer and say, ‘I didn’t need that module so can I get my money back?” They don’t seem to want to engage in that conversation,” says Benoit Kurtz, a former security executive who is now lead faculty for the College of Information Systems and Technology at the University of Phoenix.

She acknowledges that there are lots of lessons to be learned in that anecdote, such as negotiating upfront a way to adjust costs and being more diligent about matching vendor offerings to the organization’s future state.

She says the experience also illustrates the challenges of trying to pick the right timeline for the contract itself. As she notes, there’s the tradeoff between the better pricing that typically comes with longer contracts and the agility, flexibility, and ability to more easily course-correct that shorter terms enable.

A delicate proposition

Picking the right vendor, negotiating the best contract terms, and determining its length are challenging tasks for nearly everyone, including CISOs.

But seasoned security executives say they often have a more challenging time than other functional leaders in handling those tasks, particularly when it comes to determining the right contract length.

Here’s why: CISOs contend with threats that quickly emerge and shift as do the skills, tools, and policies that counteract them. As a result, CISOs see the list of vendors that can help them also change fast—with some innovating faster than others, merging to maximize benefits, or sliding into oblivion because they fail to keep up. Additionally, CISOs must consider the complexity of implementing, configuring, and managing the products they buy, knowing that they may need months of work before they actually see value—let alone maximize it.

Those dynamics are on top of the traditional factors that influence enterprise contract negotiations, such as getting the best prices and needed service level agreements.

The mix of all those, and the need to balance multiple and sometimes contradictory demands, makes picking the right length for contracts a delicate proposition.

CISOs, executive advisors, and consultants say the best strategy is to consider all those elements when negotiating each and every contract. They further advise CISOs to collaborate with procurement pros and the finance team to understand what’s going to be the right contract timeline for the organization before signing off on any deal.

“One size doesn’t fit all, one situation is not like another, and companies differ,” says Alan Brill, senior managing director in the risk management practice at the consultancy Kroll and a Kroll Institute fellow. “I’m not suggesting that every company has to go through a long, complex procurement process but there is a checklist of things to think about.”

Key considerations

Darrell Keeling, vice president of information security for Parkview Health, says he does indeed run through a list of considerations when determining how long to commit to any one vendor or technology.

“A lot of it in this space, in my organization, is all about timing and a sense of where we’re heading with our strategy,” he says.

Keeling considers, for example, the technology and how it’s expected to evolve to ensure it keeps up with the innovation in the market. He reviews potential vendors’ roadmaps to ensure the vendors will be capable of providing the support, service, and updates he’ll want throughout the contract term. He says what he finds in that process shapes his decision on contract length.

He also tries to anticipate whether the solution he’s buying will soon become a commodity service offered by another one of his vendors; if yes, he says he opts for a shorter term, definitely under three years.

And he tries to anticipate whether a vendor will merge with another in short order, which again has him favoring a shorter contract length to guard against getting stuck with a product that isn’t a priority for a post-merger entity.

Yet Keeling says he does factor pricing into his decisions, too, noting that a three-year contract that guarantees no or limited price increases gets his attention.

Overall, he says he strives to balance agility and stability and price, a balancing act that sometimes favors short contracts and other times longer ones.

That variation is smart, says Michael Ebert, a partner in the Advanced Solutions Cybersecurity Practice at the consultancy Guidehouse.

“Evaluate all contracts against your needs, your requirements, your existing skillsets and your comfort level,” Ebert adds. “Ask: Does it work for my environment and am I getting the right price based on what will work for my environment.”

Finding the elusive sweet spot

Although experts say CISOs must determine what’s right for them for each contract they sign, there is a consensus that five years or more is too long and should be avoided. Already, five-year agreements are rare, with anything longer nearly nonexistent.

There’s good reason for that, says Jeff Pollard, vice president and principal analyst with Forrester Research. Technology, security and business change too fast to make any five-year contract a deal worth making, as security teams could be encouraged to keep the technology, even if it’s no longer serving the organization well, because it’s in place or offered at a great price.

Although there’s agreement around what’s too long, opinions differ around whether and what the ideal contract length would be.

Security leaders say there are pros and cons with each of the other typical contract options (one-, two-, three- or four-year options). They note that there are benefits and drawbacks with each based on numerous factors—from the maturity of the product to the maturity of the organization to the price being offered.

Pollard, for example, says one-year contracts tend to be better when deploying a newly introduced technology or a technology new to the security organization. Shorter terms can also be beneficial when addressing a new challenge. “If you’re solving a problem that just got handed to you, maybe you don’t know about all the issues, or it’s an urgent issue to resolve, [these contracts] let you get something in even if you don’t know whether it will be a long-term issue or a long-term solution. You can at least solve it for the moment,” Pollard says.

That then gives the security team time to assess both the problem and the newly deployed technology, allowing staff to gather information that can shape the next move.

That, however, is also the downside of short contracts. “You may have to go redo all that effort quickly. You’ll be back shopping in months and possibly have to rip and replace,” Pollard says.

Moving up the timeline, two-year contracts can be good for situations where problems and solutions are more fully defined and better quantified, “where you’re reasonably confident that the issue and solution will be around for a while, and you understand them well and you won’t have to reassess the market quickly,” Pollard says.

There are still some drawbacks to two years, he says, noting that if the technology doesn’t meet enterprise needs for any reason “you have to live with it longer.”

When it comes to the typical three-year contract term, Pollard says the biggest benefit centers on costs, as vendors generally offer the best prices for these agreements.

On the other hand, he and others point out that these three-year deals commit the security department to the technology for a hefty stretch—regardless of whether it continues to mature alongside the organization’s needs and the overall security market. These contracts also commit department money for that span of time, something experts say could be concerning particularly today as fears of recession continue to grow.

Experts offer additional factors to consider when setting contract terms.

Bryce Austin, CEO of TCE Strategy, a virtual CISO and cybersecurity consulting firm, considers a product’s stickiness, for example.

“If you’re talking about a sticky product, something that’s hard to swap out, or something that takes a fair amount of configuration, I’m still a fan of multiyear contracts for those kinds of things,” Austin says.

In such cases, CISOs need to consider the often significant investments required to configure and deploy those technologies when setting contract length, Austin says, noting that the size of those investments means they’ll likely take longer to generate benefits and full returns.

However, Austin says he still mostly favors shorter contract terms for various reasons. He says shorter terms help CISOs guard against falloffs in quality or service should a vendor get bought by another company or should the vendor shift its resources to advancing other products in its portfolio.

Austin says he typically only considers a three-year contract when the financials are particularly enticing, such as a guarantee of no price increases.

Even then, though, he says vendors must demonstrate they can always meet the performance and service requirements set by the CISO. And to provide further protections, he seeks contract terms allowing either side to exit the deal with notice.

Scott King, vice president and CISO of Encore Capital Group, says he likes contracts in one- and two-year increments, with renewal options in those increments.

He says he finds that those tend to offer the right balance for him and his company.

But he says he doesn’t just go with those timelines automatically; he still reviews his options.

“You really have to understand what are the types of technologies you’re going to need long term vs. the ones you’re going to need for a shorter time. Or whether a technology platform is something that will soon be replaced by a more advanced technology. How disruptive it is. How time-consuming it is to deploy. Whether the vendor is losing its competitive edge,” King says. “You want to get the most value out of these contracts, so you really need to do your due diligence. You don’t want to have to leave a multiyear contract that isn’t working, because that’s going to lead to a stranded asset and sunk costs.”