Cloud Sentry

Accountability lives in the seams between vendors

A stitched stack of competent vendors can still drop the one thing that matters, because the spaces between their contracts belong to nobody.

The incident that belonged to nobody

A customer emails on a Tuesday to ask why a login from a region your company does not operate in showed up on their shared account. You are the chief operating officer, so it lands with you. You forward it to your managed security provider, who confirms the sign-in looks suspicious and says the account itself is administered by your managed service provider. The managed service provider says the account is fine on their end and the alerting belongs to the security team. Your cloud consultant, copied for reasons nobody remembers, asks a clarifying question and goes quiet.

Three competent vendors. Three clean answers. And 40 minutes later you still cannot tell a customer who is investigating, because the honest answer is that no single party agreed to. Each one did exactly what their contract describes. The investigation lives in the space their contracts do not.

That space has a name worth saying out loud. It is the seam, and the seam is where accountability quietly goes to die.

Where ownership quietly disappears

A growing SaaS company assembles its stack the sensible way. A managed service provider runs help desk and devices. A managed security provider, often called an MSSP, watches for threats. One or two consultants cover the parts that need depth, the AWS account or a tricky Microsoft 365 migration. On a slide it looks like coverage. Every box has an owner.

The problem is never inside a box. It is at the edges, where one vendor's job ends and the next has not formally begun. Identity is the textbook case. The managed service provider administers Microsoft Entra because they run M365. The security provider watches sign-ins to that same Entra tenant because spotting compromise is their job. When a Conditional Access policy needs to change in the middle of a suspicious login, who decides, and who is answerable if it goes wrong?

The seams that swallow ownership tend to be the same few:

  • Identity, split between whoever administers Entra and whoever monitors it.
  • Cloud guardrails, set by whoever runs the AWS Control Tower landing zone and watched by whoever reads the GuardDuty findings.
  • Incident response, where the timeline crosses identity, endpoint, and cloud, and no one contract spans all three.

Each vendor is right that the gap is not theirs. They are all right at once. That is the trap.

Why the seams stay invisible until they cost you

A stitched stack does not feel broken on a normal day. The tickets close, the dashboards stay green, the invoices reconcile. The gap only reveals itself under pressure, when a customer is waiting or an auditor is asking, and pressure is the worst possible time to discover that a responsibility was never assigned.

This is the part a price sheet cannot show you. You can compare line items across vendors and feel like you are managing cost. What you cannot see on that sheet is the unowned middle, the set of decisions that require someone to act across boundaries no contract drew. Security is not a tool you bought five times over; it is an operating problem that lives precisely in those crossings. A stitched stack buys you five capable operators and zero owners for the work between them.

A seam costs nothing on a calm Tuesday and everything on a bad one. The bill always arrives when a customer or an auditor is already watching.

The deeper issue is trust, which is the currency you trade in as a COO. When a customer asks who owns their security, "well, it depends which part" is not an answer that survives a renewal conversation.

How integration closes the gap

Closing the seams is not about firing vendors or pretending one company can do everything well. Some work genuinely needs a specialist, and a sound operating model keeps that specialist reachable without making them your daily contact. The fix is to stop being the integration layer yourself and to hand the spaces between the layers to one party whose explicit job is to own them.

Integration earns its name when three things are true:

  • One owner is accountable for the full incident timeline, named as a role, not a committee, so a Tuesday email has a destination before you forward it anywhere.
  • The overlapping layers, identity and cloud guardrails and the controls that ride on both, sit with that one operator, so the handoffs happen below your desk, not across your inbox.
  • Specialists get brought in by name when an engagement needs more AWS or Azure depth than a generalist should claim, and they stay separate from the day-to-day coverage, never becoming another seam.

That is the difference between integrated and merely bundled. A bundle is five logos on one invoice with the same gaps between them. Integration is one accountable owner for the crossings, which is the only thing that makes "who owns this" a question with a one-sentence answer.

So who answers the Tuesday email

Walk back to the suspicious login. The sign-in alert belonged to the security provider. The account belonged to the managed service provider. The cloud context belonged to the consultant. Every piece had an owner, and the one thing that mattered, deciding who investigates and telling the customer, belonged to none of them. That gap was not a vendor failing. It was a design you inherited without choosing it.

The number worth knowing is not how many vendors you have or what each one costs. It is how many decisions in a real incident have no owner until you become one. Count the seams in your own stack, the places where every vendor is correct that the work is not theirs. When the next customer writes in on a Tuesday, who, by name, already owns the answer?
