📘 PART II — The Subscription Squeeze: How Consumption Models Turned Cybersecurity Into a Budget Minefield
Coffee Cup Cheers, Security Gang — let’s talk about the reality every CISO feels, even if no one wants to say it out loud.
If Part I explained the economic machinery that elevated ARR into the north star of cybersecurity’s business model, Part II steps directly into the trenches — where CISOs, procurement leads, and CFOs collide with the consequences of these models every single day.
This isn’t a story of “bad pricing” or “rough negotiation seasons.”
This is the story of structural misalignment.
A misalignment created by a decade of financial engineering that optimized for investor certainty but destabilized enterprise predictability.
Cybersecurity didn’t become more chaotic because threats evolved.
It became more chaotic because the billing models evolved faster than the businesses using them.
Let’s break down what that looks like in real life.
When Security Spend Stopped Being Infrastructure and Started Being a Volatile Meter
For decades, cybersecurity spend behaved like traditional IT infrastructure:
Buy once
Maintain annually
Upgrade strategically
Forecast cleanly
A firewall was a firewall.
An endpoint agent was an endpoint agent.
Support renewals came with predictable percentages.
Subscribe to CISO Talk by James Azar to keep reading this post and get 7 days of free access to the full post archives.



