top of page
  • LinkedIn

Most security renewals are decisions on autopilot.

We've been working in IT since 2007 and in cybersecurity since 2017. Across that span, one pattern keeps showing up across the organizations we've sat with: nobody really decides to renew most security tools. The renewals just happen.


A quote arrives forty-five days before the term ends. Someone forwards it to finance. Finance asks whether it's the same as last year. The answer is yes, give or take a price bump. The PO goes out. The contract auto-renews. The tool sits where it sat. No one in the room ever asked the only question that mattered: are we actually getting what we're paying for?


The cause sits one layer up, in the absence of an actual decision somewhere in the cycle. And it's one of the easier patterns to interrupt.


Why renewals get rubber-stamped


Renewals get treated as administrative because evaluating them feels expensive. Pulling a tool apart takes time and attention. You have to review what it actually does, who uses it, what it would cost to replace, what it would cost to drop. And it takes at least one conversation that nobody wants to be the person to start. By comparison, signing the renewal feels free. The tool is already deployed, already integrated into whatever workflow has grown around it, already familiar.


So the math gets framed implicitly as: the cost of evaluating the renewal is real, and the cost of renewing it is just whatever you paid last year.


For a tool that's pulling its weight, that math is roughly correct. Renewing is the right call, and there are better ways to spend an afternoon.


For a tool that isn't, the math is upside-down, and most orgs have at least one or two of those sitting in the stack. The contract has been renewing for years. Nobody quite remembers who chose it. The original use case has shifted or evaporated. A different tool has overlapping coverage. The dashboard hasn't been logged into in months.


Renewing that one carries a real cost: three to five figures of operating budget that won't be available for something else, on a quiet schedule that resets every twelve or twenty-four months until someone interrupts it.


What to actually evaluate


There's nothing fancy in the move we'd suggest. The shift is just choosing to make the renewal an actual decision rather than a default.


A few questions, asked honestly, get us most of the way there:

  • What was this tool originally bought to do? What problem prompted the purchase, separate from whatever the tool happens to do today. If nobody can answer this, that's information.

  • Is that problem still the problem we have? Risks shift. Compliance posture shifts. Other tools in the stack absorb things they didn't used to.

  • Who actually uses it, and how often? Logins, alerts acted on, reports run. If the answer is "nobody, really," that's also information.

  • What would change if it disappeared tomorrow? Worth taking the question seriously. Sometimes a real gap opens; often nothing meaningful does.

  • What does keeping it cost us in attention, not just dollars? Every tool needs upkeep: account reviews, license tracking, a person to own it. Underused tools tend to absorb more of that than their value justifies.


A director described a contract her org had been renewing for four years. She couldn't tell us, exactly, what the tool did. She knew it was on the security side of the budget. She knew the renewal had moved from $9,000 to $14,000 over those four years. When we walked through the questions above, the answer to most of them was some version of "I don't know," and the answer to the last one was "honestly, I don't think anything would change."


She didn't renew. She moved the budget to a different control they actually needed. Nothing broke.


That outcome isn't universal. Sometimes the answers favor renewing, and renewing with confidence is a better state than renewing on autopilot. What matters more than any single review's outcome is the habit of treating renewals as decisions in the first place.


Pick one renewal and run the questions


What we'd suggest, for an organization that wants to stop spending money on tools it doesn't use, is small. Pick the next renewal that's coming up. Block forty-five minutes on a calendar. Walk through the questions above. Decide.


If the tool earns its place, sign with conviction. If it doesn't, the worst case is that you've recovered budget for something better. The second-worst case is that you've turned a recurring autopilot expense into a real conversation about what your security stack is actually for.


Most of the orgs we've worked alongside already have most of the tools they need. What they're missing is a clear way to decide whether those tools are still earning their place. Renewals are where that shows up most cleanly, because by default the decision is being made every year, whether anyone is actively making it or not.


If a renewal like this is sitting on your desk, we're happy to think it through with you.

Comments


The Decisions Desk One email a month on a single security decision worth thinking through. No noise, no pitch.

Thanks for submitting!

bottom of page