In recent tweets, I referenced a concept I created when I first joined Forrester: the “Security Services Flywheel.” Given recent activity in the market, it makes sense to put it in writing in a blog.

The Security Services Flywheel is based on the Disney flywheel. It serves as an explainer on why security services continue to stay relevant, no matter how sophisticated products get. The gist of the flywheel is simple:

Product vendors overpromise and underdeliver. Users (re)discover — often far too late — that this happens with every product they buy and turn to services to tackle the missed expectations.

The Cycle

  1. A new product emerges. Product market fit exists, and the new offering gains market share.
  2. Adoption issues emerge, as organizations realize that deploying and implementing new technologies pose challenges for them.
  3. These adoption headaches lead to deployment and integration professional services engagements, using project-based consulting engagements led by services partners of the product vendors.
  4. Day-to-day use and administration becomes a headache, and third-party managed security services (MSS) enter the fray.
  5. Then the “product” becomes a service of a sort: software as a service (SaaS)! And now you don’t need to maintain it, right? Well, no. SaaS is just a product hosted somewhere else by somebody else, and it requires care and feeding.
  6. In comes managed SaaS. This is where the SaaS product capabilities and outcomes get managed as well.

This cycle — specific to the cybersecurity world but applicable to products and services in other segments — can be validated all the way back to firewalls and security information and event management (SIEM). The first firewalls gained acceptance and market share in the early to mid-1990s. Value-added resellers and integrators came around to install them. The mid- to late 1990s gave rise to the first managed security services providers (MSSPs). Early SIEMs emerged in the mid-2000s: professional services to implement SIEMs came about, a new round of MSSPs emerged, and existing MSSPs added SIEM management to their service portfolios.

The cycle continues, with every product that emerges requiring professional services to implement, managed security services to run, and eventually managed SaaS (that is, if the product survives long enough).

Now, what’s primarily different — recently demonstrated in the endpoint detection and response (EDR) segment and happening in real time in the extended detection and response (XDR) space — is that rather than depend on partnerships for those services, vendors launched their own managed security SaaS service almost immediately. Historically, product vendors would partner with services providers to deliver services and would wait a significant amount of time before launching their own services, or they wouldn’t launch services at all. That gap shortened from years to months in recent history, and it’s all but disappeared by 2022. Once vendors emerge from stealth on launch day, they bring fully managed versions of their products to market.

The New Cycle Happens Concurrently And Skips Steps Entirely

  1. A new technology category emerges.
  2. The deployment and integration woes derived from on-premises technologies are eliminated due to SaaS. Now the most common problems stem from migrating from legacy systems to new systems. Some professional services still exist but are much smaller in scale and largely drive software development efforts to automate migration as much as possible.
  3. Some adopters, especially enterprise customers, have an existing managed security services or outsourcing relationship, and they want that provider to run the SaaS product. At the same time, these existing services firms have a competing solution in the market or one soon to be released to the market.
  4. Simultaneously, for the other portions of the customer base, the product vendor launches with two or three tiers of managed services coupled with its own SaaS offering, which is:
    • Largely self-service with SaaS platform support only.
    • An “enabling service” designed to help solve basic uses of the platform, such as user configuration, reporting, and dashboard creation. Note that these include no cybersecurity expertise per se.
  5. A “premium” tier of the SaaS solution exists that offers full management of the platform and includes the necessary domain-specific cybersecurity knowledge missing from the less expensive tiers. In this case, “premium” distinguishes the outcomes offered and the pricing of the solution.

The economic and financial incentives make sense, of course. Every investor loves recurring revenue businesses. But it’s also due to customer experience. Security teams have far too many competing priorities to run all the technology they need for their security program. And that’s where they need to focus their time and attention — running their security program, not the blinking lights upon which it is built.

When it comes to product vendors offering their own services (as with managed XDR), customers benefit from an additional value-add. When vendors manage their own products, the service makes them part of their user community. This development changes things. Historically, enterprise software vendors (security vendors fit into this category) sold to buyers that were not users of the product. For example, CISOs budget for and buy a SIEM; their teams log in and use it. When vendors deliver their own services on top of their product portfolio, they gain additional insights because they become users of their own product on behalf of their customers. This feedback loop creates an engine for continuous improvement (as is true with all SaaS, not just security).

Blended product and service delivery offers tangible cybersecurity benefits as well. SaaS platforms collect telemetry far beyond what on-premises technology can offer, even before that telemetry is coupled with a continuously delivered service. Better telemetry can surface macro trends in detection, enhance analytics with details on false positives and false negatives, and refine prioritization based on customer context. Then, the insights from an engaged user base of subject matter experts (analysts working for the vendor) deliver superior outcomes for customers every day through the managed services portion. Vendors offering a combined portfolio of products and services reap rewards that product-only or services-only vendors miss out on.

The line between SaaS — a product as a service — and managed services continues to blur. Compelling benefits make this combination too powerful to pass up. If the market confuses you when EDR vendors become managed detection and response (MDR) vendors, XDR vendors launch managed XDR, SaaS vendors manage their own SaaS capabilities, and the next big acronym goes from product to service, the answer is: It’s the Security Services Flywheel at work. The Security Services Flywheel is a perpetual motion machine that keeps services relevant even when technology paradigms shift, causing product vendors to become services vendors to survive.

Take The Risk Out Of Adopting New Security Technologies

For security practitioners, this process helps “derisk” the early adoption of emerging security technologies. CISOs can transfer the risks inherent in adopting and deploying emerging tools away from internal personnel and onto the vendor by leveraging the services these vendors offer, backed by service-level agreements and master services agreements. Most security leaders don’t enjoy life as an alpha or beta tester of products, and that won’t change. However, instead of waiting for version 2.0 or 3.0 to go live before considering a technology, security pros can adopt version 1.0 if it’s coupled with a strong, attached service offering.