Enterprises continue to pay too much for security software -- while the software vendors aren't doing enough research to keep up with fast-changing threats on the Internet, a Gartner analyst said Monday.

Security vendors are maintaining high profit margins on firewalls and antivirus software, products which are commodities these days, said Neil MacDonald, a research vice president at Gartner, during a presentation at the company's IT Security Summit in London.

Buyers should take advantage of the competitive environment in the antivirus software industry to negotiate better prices for such products, he said.

"I know it's hard to switch but you have to seriously enter the negotiations," he said. "Let the vendors know that you are not afraid to switch."

Security vendors have maintained a pricing scheme that contradicts the rest of the IT industry, MacDonald said. Typically with software or hardware, prices go down year after year with the introduction of new and better products. In some cases, however, security software often loses its effectiveness as new threats emerge, while prices stay high.

"Why in antivirus year after year do we pay more for something that gives us less?" MacDonald asked. "It's insanity. Why is information security immune from the trends of the IT industry?"

For the last 18 months, MacDonald has been researching adaptive security, a concept that envisions having different security products communicate with one another and evaluate threats in a more contextual way. MacDonald argued that security products should work together like the human body's immune system, where different defensive mechanisms work in concert with each other.

These days, a security product is often designed to address a single security aspect, such as fortifying Web applications, protecting endpoint devices or preventing network intrusions. Vendors have taken advantage of how organizations deal with a security problem by offering single products, a model that makes security overly complex, MacDonald said.

Vendors need to create security technology that is less rigid and can change when businesses modify their processes. Ideally, those products would able to apply certain security policies in certain situations, a concept MacDonald labeled as adaptive.

"Vendors are holding us back from enabling this vision," MacDonald said. "The vendors are delivering us too many unconnected point products with too much complexity."