[CoffeeOnWrite]

Do you really believe that these world-class security teams have the authority to influence this detail of the pricing models of their organizations, or the political naivete to fight this fight?

[tptacek]

In some of these places, yes. It's a seller's market for this kind of talent, for whatever that's worth to you to know.

[CoffeeOnWrite]

Ok this is a _fascinating_ comment. (thanks for the discussion as always by the way!)

Is there a link between the market for security engineering talent and the leverage that the security engineers have within their organizations? Are you seeing anecdotes play out in the industry that inspire hope that the balance of power in business decisions is shifting toward the engineers?

[tptacek]

I don't think engineers automatically agree with you that organizations should pay less money for the services they're working on, is the issue here. It feels like a lot of people on this thread are convinced that Very Annoying Things are, per se, moral catastrophes. But they aren't. Services cost what they cost.

A literally equivalent way to look at the SSO tax is "the no SSO rebate". As a security engineer, I'm not prepared to launch a moral crusade over SMBs who don't adopt SSO on all their random SAAS apps; meanwhile, we're SSO on everything, and it costs us extra money, and that's life in the National Foosball League.

[CoffeeOnWrite]

I’m the commenter that’s not on a moral crusade, or even annoyed, I just question the business justification for gating SSO in this day and age :)

[tptacek]

See above: companies with SSO's are overwhelmingly less price-sensitive than companies without them, which tend to be smaller.

[CoffeeOnWrite]

Times are changing though. Smaller companies increasingly have SSO portals. At what tipping point will the industry embrace SSO for everyone?