IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Cutting costs, not security
Fri, 1st Aug 2008

Comprehensive endpoint protection platforms are often the single biggest software expense in an organisation’s security budget. Gartner analyst Peter Firstbrook reveals how you can drastically slash this expenditure.

The way organisations buy essential security technologies is changing. Point products for anti-virus, anti-spyware, personal firewalls and host-based intrusion prevention (HIPS) are rapidly being replaced by endpoint protection platform (EPP) suites. In addition to these basic component technologies, advanced EPP suites will include network access control (NAC) and data protection technologies, such as data loss prevention (DLP) and full-disk encryption.

By combining multiple related technologies into a single management framework, EPPs promise increased security while lowering complexity, cost and administrative overheads. The management and reporting capabilities of these suites are a substantial differentiator from standalone security products, especially for larger businesses.

Worldwide, spending on the combined enterprise anti-virus, anti-spyware, personal firewall and desktop intrusion prevention segments was more than US$2.2 billion in 2005, and Gartner expects the EPP market will grow to nearly $3.6 billion by 2010. This market is still dominated by the big three traditional anti-virus vendors (McAfee, Symantec and Trend Micro), which represent roughly 85% of the market share. However, many nimble vendors are beginning to challenge the status quo with innovative EPP solutions and a higher level of customer focus, pushing the dominant players in the market to invest in new features and functionality, and to keep pricing rational.
Microsoft's impact on the enterprise market is still nascent; however, it is expected to have a growing market share, starting primarily in small or mid-size businesses (SMBs).

Cutting endpoint protection costs

In Gartner’s 2008 CIO survey, security did not make the top 10 list of technology priorities in Australia and New Zealand, while it ranked number six worldwide and number two in Asia. This may be a sign of market maturity, but it could have a negative side effect of removing security from the spotlight and reducing the budget allocated to security. This may place organisations at greater risk from emerging threats.

Endpoint protection is often the single biggest software expense in enterprise security budgets. Research shows that anti-virus and other key endpoint protection (anti-virus, anti-spyware, personal firewalls, host-based intrusion protection and encryption) make up almost 60% of enterprise security software spending.

Buyers of endpoint protection platform products are often at a disadvantage because of a lack of experience. Vendors negotiate contracts daily, while individual organisations only negotiate every two to three years at most. However, there are several strategies available to organisations looking to reduce the cost of endpoint security.

* Switch to a lower-cost vendor

List prices for EPP suites with equivalent functionality (such as anti-virus, anti-spyware, personal firewall, host-based intrusion prevention and a management console) vary considerably. Moving from a $28/seat per year solution to the least expensive $4.45/seat per year version would save almost $120,000 per year for a 5000-seat organisation. The impact on the current-year budget will depend on the license termination schedule and deployment time.

Switching vendors is not without its own costs, however. These costs are the sunk cost of administration time and not significant out-of-budget expenses.

* Consolidate vendors and products

Use a single vendor whenever possible.
Multiple products from multiple vendors are more expensive because of the lack of volume pricing and require more administration effort and training. Meanwhile, the maturity of this market has resulted in less differentiation between best-of-breed and suite components.

It may also be possible to take advantage of larger strategic providers, such as IBM, CA or Microsoft, by bundling EPP products into larger infrastructure contracts for software and/or services to increase total contract value and discount levels.

* Negotiate better on incumbent renewals

Never let a vendor take your renewal for granted – begin negotiating renewals at least six months before expiration to provide enough time for competitive bidding and migration planning. Although it is true that there is a cost to migrate from one vendor to another, negotiators should keep in mind that there is also a cost to the incumbent vendor to replace non-renewing customers. It is much less expensive for them to renew a customer than to find a new one.

If you have multiple contracts from a single vendor, attempt to align contract termination dates to increase total contract value under negotiation: the larger the deal, the more pressure on the incumbent vendor to renew it. Always bring in a competitive vendor (and competitive value-added resellers) in the renewal process to put pressure on the incumbent vendor.

Purchase only what will be deployed in the next six months; however, negotiate options pricing for anticipated future products or services upfront. Once you have signed the deal and deployed the base product, the vendor's incentive to offer discounts for add-on products is drastically reduced. Ensure that all add-on agreements are coterminous with the primary contract.

Negotiate for suites that provide endpoint and server protection based on the total employee population, including solutions for mobile devices and home PCs.
Ideally, seat counts should be banded (such as 5500 to 6000 seats) rather than discrete (for example, 5549), to avoid a continuous software license accounting process and continuous cost increases for growing companies. Also, negotiate global contracts that encompass other subsidiaries to bring volumes into next price. Specialised server licenses should be licensed per socket, not CPU, operating system or application instance, to accommodate multi-core CPUs, blade servers and virtual machines.

Training and installation

Negotiate hard for training and installation support; these items can often be reduced to travel expenses. Negotiate premium support costs down, or attempt to upgrade to the next level of support for a minimal increase in price.

If you have a named support engineer (SE), add an addendum that enables SE replacement without cause. Although this item doesn't lower budgeted cost, it can reduce administration time. Most EPP product dissatisfaction can be traced to problems with incompetent SEs.

Keep support and maintenance contract terms short – two years at most. Competition is heating up, and prices are expected to continue to decline and suite value will improve during the next few years. Rather, to protect against aggressive renewals, negotiate a limit (for example, +5% to 10%) on renewal rate increases.

Ensure that the maintenance contract includes no-cost migration to new versions of products of similar function. This protects against vendors discontinuing a perpetual licensed product and forcing users to buy a new license for a product that essentially does the same function.

When possible, shift to subscription-based licensing with equal annual payments rather than high upfront license component costs.

Offer to be a reference customer.
Vendors are often looking for testimonials, case studies and users willing to share their experience; the vendors may be willing to offer discounts in return for a commitment to be available for reference calls with the press, analysts and other companies, or for print media testimonials and so on. Larger companies and recognisable brands are more desirable to the vendor. For public companies, review the vendor's last-quarter guidance to better understand the salesperson's motivation.

Recommendations

By following these negotiation best practices, we estimate that organisations can save as much as 40% off list prices on maintenance renewals. The three most effective strategies for reducing cost are switching to a lower-cost provider, consolidating products and vendors, and more-effective contract negotiations. However, a company’s ability to achieve budgeted savings and the timing of these savings will depend on contract termination dates for incumbent vendors.