Outtake #1: UNDERVALUED

By: Steve Van Till

Undervalued: How the Security Industry Is Leaving Money on the Table 

And what business leaders can do about it

The Investment Opportunity Hiding in Plain Sight
“Buy low, sell high” is the oldest investment advice in the world. Warren Buffett’s refinement of this classic wisdom is to prioritize investing in undervalued businesses with strong fundamentals. 

Undervalued with strong fundamentals is a spot-on prospectus for the security industry today. Indisputably essential to life as we know it, yet not commanding the valuation that many of us know it can achieve. One of the culprits is that the industry has systemically underpriced its products and services. This is especially apparent in comparison to the price points of other enterprise software solutions, as well as many other corporate spending patterns. 

The good news is that there is a path out of this position that can unlock tremendous value.

Security vs Enterprise Software
For context, consider that the global enterprise software market surpassed $1 trillion in 2024. That equates to approximately $3,500 per employee per year across large and mid-sized businesses. This spending level is almost 15 times higher than for security at large enterprises and nearly 30 times more than at mid-sized businesses. A deeper analysis shows further disparities that we have inherited (or tolerated) as “the way it’s always been done.”

• Enterprise software seat licenses can easily exceed $150 to $300 per employee per month. Licenses for security system administrators, on the other hand, seldom exceed single digits per person per month and are generally frowned upon.

• Implementation fees for enterprise software packages are typically six figures, and can easily exceed $1M or more. Meanwhile, in security circles, we see pushback against small four-figure professional service fees that would greatly multiply the value an organization can get out of its security system.

• Enterprise software vendors drive expansion revenue through upsells of modular pricing, granular feature gating, and tiered offerings, with a growing set of individually priced AI add-ons. Security integrators often miss these high-margin incremental opportunities and instead focus on the next lower-margin equipment plus labor bid.

Security vs Typical Office Expenses
While it may not be surprising that enterprise software outpaces security spending by a wide margin, many mundane business expenses also command an outsized share of corporate budgets compared to security. 

• Typical food and beverage spending for mid-sized businesses is estimated at $50-$100 per month per employee. NFC wallet credentials, however, are often regarded as too expensive at $1 per month or less per person.

• Office copiers rent for around $500 per month—the rough equivalent of 50 video surveillance subscriptions. But as an industry, there’s pressure to continue racing to the bottom on pricing this essential security service.

• A basic 1 Gb office internet plan costs around $150 per month. That's equivalent to 10 doors of access control at $15 per month per door, which is an 80% discount (thanks to inflation) from when the subscription model was introduced 20 years ago. Nevertheless, there are still rear-guard attitudes about recurring SaaS fees being too expensive for many security applications (ironically, in an era when “RMR” has become a mantra among the faithful). 

Comparisons of monthly expense run rates are certainly not the end of the story. There are numerous other costs associated with providing security for any organization. People are usually the most significant component, and equipment leases (or amortized capital expenses) can also be substantial. But the same is true for enterprise software. Every one of those expensive seat licenses has a much more expensive professional sitting in that seat. On a technology-to-technology comparison basis, however, it’s undeniable that not all applications are remunerated equally.

The Valuation Gap
The result of this systemic underpricing is a huge valuation gap between traditional security companies and enterprise software companies. While this may appear to be a problem only for investors, it is equally a concern for security buyers. All technology companies require healthy gross margins to fund robust product pipelines. Constraints on margins ultimately limit innovation, resulting in less funding for new security products, slower feature development to counter emerging cyber threats, and higher long-term costs due to system replacement cycles.

More importantly, it leaves businesses vulnerable in ways they may not even be aware of. This is a critical point for security buyers in particular, as the “sell high” imperative applies to how security organizations communicate their value within their companies. Chronically underfunded (if you ask anyone in the biz), buyers need to work with their suppliers to get a bigger share of the company pie. That’s not greedy; it’s asking for enough to get the job done.

How Did We Get Here?

This isn't just a procurement oddity, nor can it be explained by familiar microeconomic principles. Traditional analyses rely on market dynamics, such as scarcity, variations in the cost of goods, or shifts in supply and demand. By its very nature, however, software can be sold an infinite number of times at virtually zero marginal cost, which means it’s never scarce. The cost of goods for most SaaS applications is fairly consistent, thanks to the numerous public platforms that have commoditized the infrastructure layer, providing the same cost basis to all comers. For the same reason, software prices are mostly inelastic, except in winner-take-all markets.

Why, then, are security products and services discounted compared to other goods of similar utility and complexity? Are we just so damn good at providing tremendous value at low cost? Or is it the perennial observation that we’re on the wrong side of the ledger—expense rather than income? Or are we somehow failing to convey the true value of security technology?

There’s some truth in all of these hypotheses. But the real issue is this: we have a brand problem. 

We’re not just undervalued, we’re under-positioned. 

The Brand Management Path

If you have a brand problem, then you need a brand solution. The same goes for poor positioning, which can only be corrected through repositioning. What to do? As a starting point for progress, we can borrow a few principles from classic brand strategy. 

Strategy 1: Own a Word

This is generally a great strategy for companies. At the industry level, however, we have a bigger problem: we all attempt to own the same words—safety, security, real-time actionable insights, and the more technically inflected cloud, mobile, data, analytics, encryption, etc. The result is that we commodify ourselves by all sounding the same.

So, let’s all find some new words. Pro Tip: AI isn’t one of them. Besides, it’s two words (and every survey out there shows that, as a buzzword, it makes consumers less willing to purchase your product).

Strategy 2: Develop a Positive Narrative
What’s our industry’s narrative today? In a word: prevention, which implies that success equals the null set. Not a good look. Unintentionally illustrating this point is a poignant billboard in southern California. “Bay Alarm,” it deadpans, “Making nothing happen since 1946.” It hurts because it’s true.

Changing the context, imagery, and associations we use could shift brand perceptions of the security segment as a whole. Think about how the “Got Milk” campaign made the dairy industry sexy with a splash of milk across the celebrity lips of Jennifer Aniston, Lisa Kudrow, the Williams sisters, and many more. 

What’s our “Got Milk” campaign?  It’s enablement. Let’s “Get Enablement.” And make security sexy. (Again)

Strategy 3: Tap into Emotion

Security should be a slam-dunk for emotional appeal, but there’s been a collective failure of imagination on this dimension for many years. Once you get past “Peace of Mind,” security brands are mostly devoid of emotional cues. Let’s face it, POM is not motivational.  It’s more like, take a nap. And, observationally, it looks like gummies and other edibles now own this phrase anyway.

Our buyers are people, not job titles, and people are motivated by emotions. Everyone loves a new toy. Everyone loves bigger, faster, and better. Everyone wants a cool new thing. And of course, we must never forget that the love language of CFOs is ROI.

Is being undervalued bad news?

On the face of it, being undervalued seems like bad news. It’s not. It's actually good news. Here’s why.

Would you rather own an asset that’s undervalued or overvalued? That’s easy. An undervalued asset is likely to go up in value, while an overvalued asset can only go down. All of us are already invested in the “security asset” not just with our wallets, but also our time, our careers, and our passion for his amazing industry. 

We’ve already bought low. Now let’s get out there and sell high.