Security services and products

1. What is the current situation?

In traditional information security vendors, the proportion of security services and security products has been seriously out of stock. Generally, the sales volume is 80% of the total security products, security services account for 20%, and some even have fewer. Therefore, in front of the company's decision makers, only products are more important than services, because selling services does not make money, only products can make money. This is indeed a common phenomenon in the security industry.
From the perspective of people who do services and sell products, those who do services look down upon selling products. It is often said that these products will be sold all day long. The people who sell products think that service is too imaginary and there is no practical thing. They think that service providers are full of people running trains, which is unreliable. However, many product sales personnel, in order to be able to sell products, why is it not just a full-mouth train? Some customers boast that their products are omnipotent. It seems that they can solve all security problems as long as they are connected to security products.
So for customers, is it important for security products or security services? Or are they all important? People who have learned the basic theory of information security know the concept of Information Security Engineering. From the perspective of the entire lifecycle of information security engineering, information security engineering includes several important stages: 1. Risk Identification ---> 2. Demand Analysis --> 3. Design and deployment ---> 4. function verification ---> 5. Maintenance waste. Security is a project, it is neither a product nor a service, but a combination of products and services, just like the relationship between doctors and medicines. If you want to put security products and services in the information security engineering stage, the General Security Services include risk identification, demand analysis and design processes, while security products are only the deployment process. From the perspective of several phases of Information Security Engineering, the deployment of security products involves product deployment only after risk identification, requirement analysis, and design, the actual situation in our industry is that many security vendors create risks and create demands to sell products. Back to the question above, which of the following is more important for customers? I think the situations of every enterprise are different. For example, a company that is just getting started with informatization is not doing well in basic infrastructure, so that they can manage IT processes or design the entire security system architecture, this is obviously unreasonable. It is like letting a child start learning to run without learning to go. Therefore, security construction should be a step-by-step process, rather than a one-stop process. The CTO once interviewed a group's CTO and asked when security was the first step? So much money is invested every year. When should I start? Well, security is a continuous process, and there is no beginning, because risks are dynamic and constantly changing. We all know that PDCA only involves continuous planning, implementation, inspection, and improvement, to ensure continuous security.
2. Current Bottlenecks of Security Services and Security Products
People working in Party B, whether engaged in services or products, can feel that services are getting harder and harder to sell. Why? The reason is that the service is corrupted and the product is saturated.
Why are 2.1 products getting harder and harder to sell?

People who have done product sales may feel that security products are getting harder and harder to sell now? There are two possible reasons:
1. Currently, all kinds of security products in the security market are of a wide variety and a wide variety. You can find multiple manufacturers for any type of security products, their respective security products are similar in terms of performance, function, and price. In this case, what is the competitiveness of their own security products? It seems that we can only rely on customer relationships and price wars.
2. What else can we sell if all the security products of an enterprise are available? This problem should be a common problem. Generally, enterprises of a slightly larger scale have been "ransomed" by major product manufacturers over the past few years and should have bought the products, I should have bought either of them. I once saw a leakage scanning device on a customer's cabinet in a customer's Data room. I'm also curious to ask, do you still want to buy a leak scanning? Who knows where the customer came from? When did you buy it? I don't know. Obviously, when the customer has all the security products, the product sales usually do not know what to sell? You can only start to write up your requirements.
2.2 why is the service getting harder and harder?
People engaged in security services may also feel that the services are getting increasingly difficult and customers have higher and higher requirements, and service personnel are getting higher and higher. Unlike a few years ago, the scanning tool used to scan and export a report. This is even the service. As a result, the customer now says you are doing the service. Isn't it a scanning tool? What else? I also summarized why the service is getting harder and harder now?
1. customer requirements are getting higher and higher. In the past few years, because customers did not know what security services were, and they had no idea, they could only let security companies worry about it. As we have mentioned above, a vulnerability scan would be a security service. In the past two years, due to various hacker attacks and frequent news and newspapers in the underground industry chain, enterprises have paid more and more attention to security requirements. In addition, enterprises have been constantly brainwashed by the staff of major security companies, I already know what security services are, have a certain understanding of security, and then have basic ideas and know what I want.
2. The level of security service personnel is uneven. Now, many security companies are looking for a few people to pick up security service projects. Have these employees ever done security services? I can't see it all. So in this context, can the Security Service Project do well? Can customers be satisfied?
3. small profits and low investment. This is also a common problem. Many security companies bid at a low price to win the project. One case is that the bidding price is low. After the service is completed, the products will be sold later, to make up for the service price difference. Imagine that in this scenario, before the service project is implemented, it has already been computed to sell what products, and such service projects are too targeted and want to sell what products, the customer will find the problems that the product can solve in a targeted manner, so that the customer can pay the bill. It was thrilling to see the design part of the security solutions provided by some vendors to customers during the project process. The various types of scare and a small risk contribute to serious security problems, as if not, the company is not far from collapse. Another case is that, after winning the bid at a low price, the project content is completed with both quality and quantity due to the profit relationship. In this case, you can only start to confuse it.
2.3 what should we do in information security construction?
In fact, not only do Party B's personnel think security is difficult, but from the perspective of the customer, they are also confused and do not know what problems exist in their own enterprises? It is usually only exposed to solve one hidden problem that cannot be found or solved. These hidden problems are often fatal. Once they happen, they can cause serious consequences. During the pre-sales period, the most frequently asked questions may be the following:

1. We have already bought many products. Why are there still many problems?
2. What products should we buy if there are so many security products on the market?
3. Which security products are what we really need? Many products have overlapping functions. Which product is the most suitable for us? How can we maximize the product's effectiveness? How to deploy it?
4. How to manage so many security products? How can we find problems from massive logs?
5. Why are there so many security problems when higher-level organizations fail to comply with standards and are criticized?
6. What security risks does our company have?
7. What should we do in the future for information security?
In short, the problem is unknown, the target is unknown, and the steps are unclear. The situation is unknown, that is, I do not know the current situation, and I do not know how many problems the enterprise has? The goal is unknown, that is, what is the enterprise's information security goal and what level should it reach? The steps are unclear. because you do not know what the security goal is, you cannot formulate targeted security construction ideas and steps. You do not know how to achieve the security goal through step-by-step security construction.
3. Challenges and opportunities
There are so many questions mentioned above. It seems that security is getting harder and harder to do. Otherwise, I personally think that the current situation is both a challenge and an opportunity for Party B, although there are many problems.
Specific challenges include:
1. High requirements on the level of security personnel. Security personnel should constantly learn new knowledge and concepts and enrich themselves so that they can share their most advanced and successful experiences with customers.
2. professional services. It is not only the improvement of skill level, but also the improvement of service level. The first two weeks of a service project are the key phases of the project. Why is it the key? This is because this period of time is an important stage for you to establish a trust relationship with the customer. Only when the customer trusts you can the subsequent work be carried out, therefore, the embodiment of professional competence in the past two weeks is particularly important.
3. Train of Thought Change for sales personnel. Many product sales personnel may not be very popular with customers when they visit the customer for the first time. Why? Because the customer feels that the purpose is too strong, product sales will visit the customer, and the ultimate goal is to sell the product, no matter what the process is, it has been guessed by the customer, therefore, each sentence made by the salesperson in the customer is for the final sale of the product. Unlike technicians, technicians help customers solve problems. Therefore, our sales staff should change their thinking and do not emphasize how good their products are and how good their performance is? If I am a customer, I will ask sales: Do you know what problems we have? You sell products to me? It's like we went to the hospital to check our health. The doctor gave you a bunch of medicines instead of doing anything for you. Will you accept them? Therefore, we should think about the problem from the customer's perspective. Even if we cannot sell products, it is okay because we cannot buy or sell products. If the customer thinks that you are actually helping them solve the problem, he Chou cannot do business?
Let's take a look at the opportunities and directions brought about by the problem:
1. business-oriented. Security is the ultimate protection for the business. Currently, many security construction solutions and business considerations are seldom considered. During risk identification and planning, many do not consider the impact on the business? It only takes security into account. Everything is designed around security. At present, it is common to understand business security, security, and business. Therefore, in the future, if the security company can evaluate and design the customer's business process and business development direction, it will surely become a bright spot.
2. system construction is a good opportunity. Recently, it was found that system construction projects have become a hot topic recently, and many enterprises have this requirement because the infrastructure has been improved after years of information security construction, however, security incidents still occur, and enterprises begin to realize that security is not only a technical issue, but also a management issue. We often say that money can solve none of the problems. In the security industry, the technical solution is not a problem. The management problem is a problem. The management problem is ultimately a problem of human management and human. Solving human problems is usually achieved through the cultivation of security awareness, technical means, and punishment of the system. On the other hand, customers do not have a general idea and direction for future information security construction, and they urgently need to rely on third parties to help them establish their own security construction ideas and directions.
The above is just a Summary of the security products and security services from the perspective of Party B. It is also a simple summary of myself. Because of the relationship between time and capability, what I wrote is not completely correct, mistakes and omissions are inevitable. Please forgive me!