Enterprises pay too much for security products according to Gartner. What's more, the software vendors are not doing enough to keep up with the latest threats, leaving customers under-protected.

Security vendors are maintaining high profit margins on firewalls and anti-virus software, products which are commodities these days, said Neil MacDonald, a research vice president at Gartner, during a presentation at the company's IT Security Summit in London.

Buyers should take advantage of the competitive environment in the anti-virus software industry to negotiate better prices for such products, he said.

"I know it's hard to switch but you have to seriously enter the negotiations," he said. "Let the vendors know that you are not afraid to switch."

Security vendors have maintained a pricing scheme that contradicts the rest of the IT industry, MacDonald said. Typically with software or hardware, prices go down year after year with the introduction of new and better products. In some cases, however, security software often loses its effectiveness as new threats emerge, while prices stay high.

"Why in anti-virus year after year do we pay more for something that gives us less?" MacDonald asked. "It's insanity. Why is information security immune from the trends of the IT industry?"

For the last 18 months, MacDonald has been researching adaptive security, a concept that envisages having different security products communicate with one another and evaluate threats in a more contextual way. MacDonald argued that security products should work together like the human body's immune system, where different defensive mechanisms work in concert with each other.

These days, a security product is often designed to address a single security aspect, such as fortifying web applications, protecting endpoint devices or preventing network intrusions. Vendors have taken advantage of how organisations deal with a security problem by offering single products, a model that makes security overly complex, MacDonald said.

Vendors need to create security technology that is less rigid and can change when businesses modify their processes. Ideally, those products would able to apply certain security policies in certain situations, a concept MacDonald labelled as adaptive.

"Vendors are holding us back from enabling this vision," MacDonald said. "The vendors are delivering us too many unconnected point products with too much complexity."