Products versus services. For many years, every purchase made by security and tech leaders fell into one of these categories. The same tribes existed for vendors: product and service. In this context, we define security services as “managed security services,” not consulting.

In contrast to security services, security pros typically use consulting services for three main reasons:

  1. Executing large strategic initiatives like a security team re-org
  2. Tactical execution like deploying technologies
  3. As sin eaters … with engagements designed to monetize blame by transferring accountability for initiatives destined to fail

On the other hand, security services are used to augment an existing team. But security services are not historically where the CISO has started their buying journey.

CISOs Buy Products, Then Services

CISOs most often start their buying journey looking for a product. Then, when the product fails to perform equal to sales promises, the security team is short-staffed, or the company experiences rapid growth, the CISO looks for a managed service to augment their staff. Products and services have been parallel paths; one company builds the product, another company supports it with a service.

Forrester’s Security Services Flywheel

Where things get complicated is when the security team switches to a new tool or during a merger or acquisition where the security team inherits another tool. To keep the CISO as a customer, the managed service provider must then support two different tools. This happens with firewall, VRM, EDR, SIEM, and the list goes on.

The need to support a wide array of tools across customers created a challenge for service providers as the number of product vendors and types of products grew. Service providers were expected to support multiple different vendor product offerings without the service provider having any sway over features the vendors added.

The product vendor did not necessarily care about the service provider, and the service provider only cared about products with large enough market share to make management worth it from a business perspective. Product and service delivery roadmaps, development, and support efforts lived in entirely different worlds.

Higher Profit Margins And Simplified Delivery Drove Product And Service Crossover

The split between product and service didn’t last forever. Providers of managed security services changed things up. They continued to monitor several EDR agents … but only MANAGE one. They became more prescriptive by recommending a specific agent to customers. The reason: They can do more when they manage versus monitor, it simplifies delivery, and they can also charge more. It also sacrificed total addressable market, however. The pitch to clients was, “Our experts evaluated all of the available solutions and selected the best-est one of all! Now we can custom-build our service around this tool, making it so much better!”

But the definition of “best-est” varies. Often, providers defined “best” not as “most effective” but as “most margin when bundled and sold as part of our service.”

This increased the likelihood of successful implementation and day-to-day usage of products. Services companies simplified delivery and support by settling on one technology versus a handful, becoming true experts on the products.

Hallelujah! Nirvana! Utopia! Elysium! Well, no. This was more like a game of chicken where everyone punches a ticket to Valhalla. The fairytale ending where products and services worked with each other, defeated the hackers, and retired to their … well … not castles — and certainly not moats (ahem), because those vanished — never happened. And that — it turns out — is great news!

Service Providers Start Selling Products, And Vice Versa

Products and services were friends for a moment. And that brings us to “Mean Girls”: Underneath every dazzling press release promising how two companies partnering together would produce amazing results, friends became enemies. Product and service vendors decided they were less Gretchen Wieners and Karen Smith and more Regina George and Cady Heron. The film also proved prescient, considering some product and services vendors also got hit by a bus (check out our XDR and MDR Forrester Wave™ evaluations to see that).

That’s a somewhat lengthy way to say that the divide between products and services ended around this time, but we think the “Mean Girls” reference makes it worth the minimal detour. Today, there is no product or service divide. Product vendors now deliver and sell services. Services vendors now develop and sell products.

Start Buying Services, Then Products

Security leaders and their teams need to adapt to this shift and eliminate product vs. services siloes in their mental models and roadmaps. Moving away from legacy thinking on products and services leads to far better outcomes when selecting a blended approach.

Now, let’s talk about the best part of this convergence. Put simply, the vendors that blend product and service offerings and invest in BOTH will deliver better outcomes than those that stay siloed or depend on partners. They can:

  1. Accelerate improvements of products with service delivery practitioners in house.
  2. Minimize the risk of failed and stalled deployments or low utilization of product.
  3. Reduce vendor sprawl.
  4. Sync use cases with capabilities.
  5. Leverage skilled practitioners as key stakeholders in product development.

This comes with a few challenges, however:

  • There are way more vendors to sort through. Back when you used to walk uphill both ways to the CFO’s office, two easy categories existed. If you wanted a product, a set of vendors existed. If you wanted a service, you picked from a different set. Now, they compete. Five large EDR vendors and 15 large MSSPs became 20 MDR vendors competing for the same spend.
  • They use the exact same words with wildly different definitions. Though many companies will now be selling the “same” thing, the way they deliver the offering, the expertise they bring to that delivery, and other factors will vary widely. History matters here, especially with how vendors approach a combined offering. Even the definition of threat hunting is a great example of how this can go awry when vendors are introduced to a concept through business instead of expertise.
  • It’s tough to know whether to start with the product or service first. There’s a ton that goes into this question. At a high level, the connection with your service provider is typically closer, has more touchpoints, and relies on better customer support than that with your product vendor. Leading with expertise in the form of a service gives your team access to practitioners instead of product managers, which is where security teams tend to struggle the most.

If you have questions about the service provider and product vendor relationship, which you should choose first, or anything related to this, reach out to Allie and me. We understand the difficulties that CISOs face when finding a reliable product or service and are happy to walk you through the best vendors for your use case.