Should Security be optional?

March 29th, 2007

Last week 37Signals launched another product as part of their online productivity suite. It’s called Highrise, and it is a CRM that complements their well-known project management application Basecamp. They have a whole portfolio of Ruby on Rails-based apps. Take a look at their Ta-da Lists if you have problems keeping up with your busy schedule. However, when I looked at their pricing and feature structure, I found something that has been one of my biggest pet peeves for a long time.



Source: highrisehq.com


The above table looks like your standard feature and pricing structure for any given product. A closer look, though, reveals that unless you are willing to pay $49/month, your friendly man-in-the-middle attacker will get all your customer records conveniently delivered in clear text. In addition, the model seems a bit unfair: if a customer only needs 6 users and wants SSL, he still has to upgrade to the 15-user option, which is double the price. Sorry guys, but that’s just wrong. And I’m not picking on 37Signals; I just use them here as an example. You can find this kind of approach all over the place.

The team at Pipeline Deals, another online CRM/invoicing solution, is doing pretty much the same thing:


Source: pipelinedeals.com - Choose between extra security or no security.



As I was just about to give up, maybe I’m too eager to keep everything secure, I came across FreshBooks. And wouldn’t you know it, look at that:




And the winner is: Freshbooks.com

Eureka! The guys at FreshBooks got it right: SSL, firewall and data backups even for the free version! The funny thing is, all three vendors pretty much play in the same space - online billing or CRM services. Maybe it’s time for the others to rethink their posture on security? But again, my congratulations to FreshBooks; they understand that security shouldn’t be an option - if you got it, use it.

Why does security always have to be optional?
It certainly creates additional revenue in the short term. But what about the long term: things like brand image and loss of customer confidence? Imagine a customer account gets compromised and confidential customer records get exposed. Not the kind of information you want to lose. And trust me, at one point someone will ask “What software did they use?”

You gonna charge me for that?
Look at the car industry and what happened in the 70’s and 80’s. Mercedes, a pioneer in the airbag development, initially offered the airbag as an optional feature. I don’t recall the exact price but it was around $800. While the pundits praised their efforts, there was also a silent backlash. People started to ask questions like “You have a feature that makes the car more secure and the opportunity to save lives, but yet you charge us extra for it?” By the mid 80’s most cars came with airbags by default. Today, do you know of any car manufacturer that would charge for an airbag?

Security as Marketing Message
I’m saying that security should not be optional. As a matter of fact, doesn’t “Look at us, our stuff is secure by default” sound much better than “Security, you want security? Here you go, but that’s extra!”? The actual messaging might look different, but you get my point.

Still need security vendors
By the way, I’m not criticizing product companies or even security companies that offer actual security products. For example, the server OS vendors have come a long way: Solaris, Linux, AIX, they all have a ton of security built in for free. Even Microsoft is getting there. And what about the Symantecs, Check Points, and McAfees of the world? Well, they provide us with the choice to match our specific needs with the appropriate levels of security. All these companies give us the freedom to pick how much security we want. The examples I mentioned earlier don’t do that. It’s either on or off. But maybe we are just in the early 80’s as far as security awareness is concerned.




5 Comments

  1. Comment by Mike McDerment on March 30, 2007 1:28 pm

    Thanks for the write up Martin...At FreshBooks we just try to treat people like we would want to be treated...to our mind security is not a class thing for the "haves" and not the "have nots" - it's for everyone. So I guess we echo your thinking...security is not optional...it's mandatory.

  2. Comment by Martin Hack on March 31, 2007 9:00 am

    Mike, it's truly refreshing to see companies like FreshBooks doing the right thing. Keep up the good work.

  3. Pingback by events concerts tickets » Should Security be optional? on April 1, 2007 8:16 am

    [...] Original post by Martin Hack [...]

  4. Comment by Mike McDerment on April 3, 2007 3:37 pm

    Thanks Martin...it's also refreshing when people take notice :)

  5. Comment by Roger Kondrat on October 22, 2007 5:47 am

    Hi Martin

    Glad you are talking about this, I have talked about it for ages and good on you for drawing attention to Freshbooks' leadership on this issue.

    http://techwinter.com/2006/04/19/dabble-brief-overview-for-the-joe-blow-user/

    http://techwinter.com/2006/05/26/central-desktop-adding-some-great-features-of-late/

    Just thought I'd throw in some articles I wrote last year that totally relate, hope that is okay.

    CHEERS ON Freshbooks for https... I am currently on their free version but preparing to upgrade and I am thankful they cared enough to nurture my business by protecting my customers' critical information.

    Cheers
    Martin
