Enmeshment in cybersecurity: blurring boundaries between products and services
Looking at what drives security service companies to build their own products and, vice versa, why product companies are adding services, as well as what this means for the future of the industry
Welcome to Venture in Security!
I have previously talked about the evolution of the channel partner ecosystem where different players, such as consultants, integrators, and resellers, are merging into one. In this piece, I am covering the blurring boundaries between security products and services.
Products and services enmeshment
Wikipedia defines enmeshment as a “concept in psychology to describe families where personal boundaries are diffused, sub-systems undifferentiated, and over-concern for others leads to a loss of autonomous development”. This idea of blurring and increasingly less noticeable lines between concepts perfectly describes what is happening in cybersecurity.
A decade ago, anyone looking to segment and classify cybersecurity companies would first split them into two buckets: products and services. This distinction was pretty clear:
Service companies are those whose business model is to sell professional expertise. Security service providers typically have three lines of business: reselling products (often called value-add resellers or VAR), project-based services (penetration testing, security assessments, and the like), and managed services (24/7 SOC and continuous security monitoring, detection, and response). Because of the linear relationship between growth and the need to hire more people, and because there are few barriers to entry, service companies have seen lower exit multiples compared to their product counterparts, and consequently, they struggled to attract venture funding.
Product companies make money by developing and marketing a product. Unlike services, which tend to be more transactional, products can generate recurring revenue. Most importantly, after the product is built, it can be sold to a virtually unlimited number of customers; something not available to service providers, who are repeating the same (or similar) work for different customers, often starting from scratch every time. All this made it possible for product companies to rapidly acquire new customers and capture a large percentage of the market share quickly. Product companies can bring outsized returns and are therefore well suited for venture funding.
Both products and services are equally important, and the two areas tended to attract different kinds of entrepreneurs: those who built their security experience working in the military, as government contractors, and as independent consultants, were (and still are) much more likely to start a service company. On the other hand, those who worked for product companies have been much more inclined to build a security product.
In the past decade, this clear delineation between products and services started to disappear.
Security product vendors: adding services and emphasizing adoption
Upselling existing customers
The main factor that drives security product vendors to offer services is the desire to increase their share of the customer's wallet, and subsequently generate more revenue.
Every market segment in the industry follows a similar trajectory. First, a startup claims a new market area. If there is indeed demand for what the company is offering, two things happen: the startup can grow and onboard new customers, and it is forced to fight fierce competition that emerges as soon as it’s clear that the new category has potential. Eventually, the commoditization of the new offering and the number of competitors in the space make it hard to acquire new customers, and companies start looking for ways to grow by leveraging their established relationships.
There are several viable strategies product vendors use to grow revenues with existing customers:
Increase the price of their offerings. This one is the most obvious but also the most risky as it can lead to significant churn (cancellations) when customers negotiate better deals with competitive solutions.
Build products to address new use cases and solve other problems customers are dealing with that the vendor is not yet solving. This strategy, also known as product-market fit expansion, is a great way to supercharge growth and cross-sell to the existing customer base.
Create leveled offerings and layer services on top of the products the company already offers.
The latter option, namely designing services that can be sold as value-added or premium versions of the offering, can be especially successful for a few reasons. First, not everyone is looking for the same level of service, which naturally creates opportunities for more tailored solutions. Second, there is a growing realization that products alone can only do so much and that skilled security practitioners are the only way to achieve an advantage over the adversary. Third, it is not currently possible to automate or fully productize incident response, so a security vendor looking to provide holistic coverage to its customers often has little choice but to find a way to offer a service component.
Removing the obstacles to adoption for prospects
One of the biggest challenges for any security product vendor is getting its solution configured and implemented. Every customer’s environment is unique, and simply deploying the tool does not mean that it will start adding value immediately.
The degree to which different prospects can access cybersecurity expertise varies greatly, and so does the level of support necessary for them to get started. Some potential customers just need access to the vendor’s knowledge base, and technical and API documentation, while others may lack the in-house expertise necessary to adopt the new solution. By offering professional services and optional implementation consulting, product vendors can greatly increase their conversion rates and improve customer experience.
It is worth noting that implementation consulting shouldn’t be seen as an alternative to self-serve onboarding: there is no reason why prospects and customers should not be able to locate answers to their questions and get started with a product on their own terms.
Security service providers: adding products and productizing services
Improving unit economics & achieving scale
The fact that a service business requires people to provide value makes it hard to scale. The more demand the company is seeing, the more people it needs to hire, train, and develop to deliver projects. While it’s not possible to entirely escape the limitations of the services model, it is quite realistic to optimize it. To do so, security service providers need to find a way to deliver their services at scale; in other words, they need to automate as many of the manual, repetitive tasks as possible. Automation can flatten the linear relationship between customer demand and the number of employees, but it cannot magically change the economics of a service provider. To further increase margins, MSSPs and MDRs with the right technical talent can build their own security platforms.
“To escape the limitations imposed by the services model, successful providers invest in technology first. This means an emphasis on repeatability, seamless and automated customer onboarding, rapid integration of data sources, buying or developing tools to automate labor-intensive and repetitive parts of service offerings, and the like. In other words, to escape the limitations of the services model companies can productize their service offerings. Investing in this upfront helps alleviate the future pressure build-up and build a more competitive offering. If a service provider needs a large number of security engineers and architects, the price point of their services will be much higher. This will force clients into the “build vs. buy” decisions: if they stand to save 10-20% by outsourcing their security to a third party, it starts to make sense to do it internally instead.
If a founder is looking to build a steady, sustainable business capable of bringing $5-25 million in ARR, then investing in technology may not be as critical. However, for those with ambitions to become a $100 million and bigger service provider, they must establish a solid tech platform for their offerings. Examples of companies that did this well include Mandiant, Critical Start, and Cyderes; by investing in technology early, and by using it as a differentiator to scale services and achieve operational efficiency, these service providers were able to achieve levels of growth not commonly seen in the MSSP/MDR/IR space. In project-based services such as consulting, investing in technology may play some role, but it is still heavily reliant on the “the more business they get, the more people they need” formula.” - Source: A deep look at investing in cybersecurity services for VCs: why, why not, and how to
Raising venture capital & achieving higher multiples on exits
The economics of the service model doesn’t offer a well-understood path for building and scaling a tech company quickly. First, because of the high reliance on expensive talent, the typical margins a well-managed security service provider can achieve are around 40-60% - well below those of a product company, which can go well above 80%. Second, a product company can hire and, if needed, replace its employees much more easily than a service firm. In cybersecurity, good talent is scarce, so a service company’s ambitions for hyper-growth will always be limited by the supply of security talent.
The money invested in a product business gets translated into a technical product that can be used by virtually any number of potential customers and therefore has objective value. In the service business, on the other hand, invested capital is spent on delivering a service to a limited number of customers; after that is complete, there is usually no residual value that stays in the company except the goodwill and the new experience, which is easily lost when employees move on in their careers. Product companies, due to their nature, are expected to invest much more in marketing than their service counterparts, who are much more reliant on relationships and direct sales. Over time, the marketing spending compounds, and product vendors see their brands being valued more compared to service firms.
All these factors impact the economics of mergers and acquisitions: exit multiples of security service companies are substantially lower than those of their product counterparts. These days, when and if a security service provider considers going public, it will typically try acquiring (more rarely - building in-house) a product component. Having a product side of the business can increase the amount of money the firm stands to raise during the IPO. The same is true for acquisitions: everything else being equal, a service provider with a product component will be valued higher than one without.
The difference in exit multiples directly impacts the types of investors entrepreneurs can attract. Founders of product companies can raise capital from VCs as well as other market players including angel investors, private equity firms, and investment syndicates. Service providers, on the other hand, see little interest from venture capital firms who, by the nature of their funding model, have to look for companies likely to become outliers and return 100x or more of the original investment. Consequently, MSSPs and MDRs are much more likely to be successful in raising money from VCs if they have a product/SaaS component.
Providing a visibility layer for their customers
The time when customers would relinquish any visibility into their security operations and just trust that their service provider is “keeping them safe” is slowly going away. More and more companies are looking for a way to gain visibility into the work their vendor is doing.
This demand for visibility is forcing security service providers to design customer portals where IT and security leaders can see what managed security service (MSSP) or managed detection and response (MDR) providers are tracking, and what impact it has on customers’ security posture.
Reducing complexity and improving scalability
Every customer has unique needs, coupled with different expectations about the type and quality of services, and this variability creates unnecessary complexity for service providers. One way to handle this is productizing services - packaging different offerings into a “product” with a well-defined list of “features” and pricing. Productizing security services offers many advantages, including:
The ability to reduce complexity around the sales process and simplify negotiations. When a customer is evaluating a productized service, they can see a full description of what’s included and what’s excluded in one place.
The ability to simplify pricing conversations. By transparently outlining what tiers are available, and what’s included in different tiers, security companies make it easier for customers to decide what level of service they will be getting, and how much it will cost. Moreover, productizing services makes it possible to set a per-unit price ($X per employee, $X per endpoint, etc.) that makes pricing easy to calculate and make sense of.
The ability to automate systems and processes and by doing so, maintain consistent quality and level of service.
The ability to shorten the time it takes to deliver services and increase productivity by hiring specialized security professionals or even outsourcing different parts of the well-defined process to countries with lower labor costs.
Productizing a service isn’t the same as simply listing all offerings on the website; it is first and foremost about focusing on outcomes over activities. A productized service enables customers to pay for achieving a specific result and not have to think about how exactly that result will be accomplished - by getting a product, a service, or a combination of both.
Changing customer expectations and the impact on the future of security
Over the past decade, we have seen that customer expectations about security have evolved. More and more buyers are looking for holistic solutions that fully address their problems: they don't purchase a product or a service, they purchase an outcome. It's then up to a vendor how it delivers the outcome - by offering a product, a service, or a combination of both. In product management, we call this “Jobs to be done” - focusing on what problem the user is trying to solve, not the specific offering they end up buying to solve it.
The line between cybersecurity products and services is getting more and more blurry. As we go into the future, that line is going to disappear altogether.
Attackers are people, and to outsmart them, we will continue to need people on the defense side. In the past, service firms focused on offering bespoke solutions. That came at a high cost, especially compared to standardized cost-effective offerings designed by product vendors. Today, service companies are starting to build products that enable them to serve more customers, improve margins, and position themselves as solution providers. This, in turn, makes them more attractive to investors and increases exit margins for both acquisitions and IPOs. Product companies see that customers want last-mile customization of generic solutions, which forces them to start adding services to their portfolio. This enables product vendors to increase their share of the customer's wallet, design new offerings, and subsequently generate more revenue.
Cybersecurity vendors of the future will be expected to offer holistic, outcomes-focused solutions, which can only be achieved by blending products and services. Companies looking to get started on this path will have to pick one side (product or service) as a primary area of focus and have that area drive their identity. It’s extremely hard to excel at both, but it’s possible to find the right balance between the two; Mandiant, Expel, and Dragos, among many others, are great examples that this can indeed be done.
Another factor that comes into play is the impact of LLMs and generative AI on the services industry. If automation makes it possible to improve margins and reduce the linear relationship between the number of customers and the number of people a company needs to hire to deliver the work, I would expect more security companies to start adding services to their portfolio of offerings.