Remember when an end user’s security director was the go-to contact for an access control sale and the information technology (IT) manager was brought in to consult on the network requirements? In the enterprise solution space, that model has turned on its head in the past couple of years.
“At one time the security team was responsible for decision making and the IT group was an influence,” says Ron Oetjen, president, Intelligent Access Systems, an integrator in Garner, N.C. “That has reversed in the past two to three years and more often the decision-maker is the IT group and the influencer is the corporate security team. Everything is based on the IT infrastructure and they are applying the same principles to access control that they use to select any kind of networking technology.”
But unlike the security department, IT isn’t interested in the hardware at the door, adds Bill Jacobs, vice president of access control and operations, Next Level Security Systems, Carlsbad, Calif. “They own the infrastructure, if not the security – often they don’t want to own that. They own the servers and license fees.”
Right off the bat, this can trip up an integrator used to working from the security model. “One of the issues when you get to enterprise sales is that the [security] end user has one thing in his head but doesn’t understand the complexity of his own request,” says John Moss, CEO, S2 Security, Framingham, Mass. “He doesn’t realize about data, synchronization, movement, backup, etc. This is basically a complex database management problem. There is no question that a lot of these sales are won and lost in the IT department.”
This is in contrast to how things used to be, says Steve Fisher, president and CEO, Open Options Inc., Carrollton, Texas. “IT now is your best friend and the sooner you reach out to them, the better,” he says. “No integrator can stay up to snuff in the technical world security is moving into without an IT friend. They are going to rule that roost, so you might as well embrace them early.”
Successful integrators in this space involve IT as soon as possible and as much as possible, adds Kevin Wine, vice president of marketing, RedCloud Security Inc., Sterling, Va. “If I were working at a systems integration business that dealt with the enterprise class customer set, I would be driving my engagement at every level in conjunction with IT. I would interview the physical security director in terms of what they were looking for but also know up front what IT is looking for.”
What IT is looking for is increasingly a very different approach and model than security integrators are used to.
Not Just a Bigger System
What defines a system as enterprise level? It is not just like any other access control system only bigger. And IT-as-buyer means that priorities have changed. Commoditization, centralization and standardization are the biggest IT “wants.”
“If you look at the classic CIO or CTO inside of an enterprise, their main objective is to figure out how they can assist the business to grow, capture more market share and leverage the required architecture,” says John Szczygiel, executive vice president, Brivo Systems LLC, Bethesda, Md. “For them, what is more important is not figuring out how to solve a bunch of problems so they can use some software, but rather to use the software to solve problems. They are focused on delivering value and are more willing to use shared services and adopt centralized functions.”
At their core, today’s enterprise systems need to be designed to be “distributed,” allowing localized control over a wide geography (national or international), but providing centralized databases and reporting capabilities.
“If you take most Fortune 1000 corporations and look at what they have deployed for access control technology, you will see they very often have access control systems, but the system in one facility doesn’t talk to the equipment in another, even though they may have overlapping populations,” Moss says. “Now they are looking to consolidate this so the corporation has a single database of people that drives personnel and credential information out to individual locations. We don’t look at an enterprise system as just like the system for a single building only much bigger,” Moss says. “If your design is to just make it bigger, that won’t work well.”
Manufacturers coming from a security space have tended to think in client/server architecture, but the major enterprise manufacturers are expanding their offerings at a fast pace to include Web interfaces, virtualization, mobile and cloud computing — options IT departments demand.
“We feel the industry is going into a Web-based type of model,” says Vince Lupe, senior manager for customer marketing for the enterprise segment, Honeywell Security Group, Melville, NY. “It is all about the connected landscape — anything from anywhere. You still have approvals and credentials to get you where you need to go, but you do things from the Web.”
Other manufacturers have taken the IT-centric approach or even come from that world to provide architectures more in line with what those folks expect.
“Legacy architectures typically require a lot more time and money to be spent,” Wine says. “Newer technology is an all-in-one network appliance built on a Linux operating system all wrapped up together.”
Jacobs adds: “Linux brings a smile to most IT managers because it is PC independent.”
From both sides of the industry, the most even-handed approach might be to meet in the middle, at least in the short term as the security integrator and their customers go from one way of thinking to another.
“The industry is changing,” says Dave Adams, senior director of product marketing, HID Global Corp., Irvine, Calif. “Making enterprise access control in the past was a very expensive proposition because of sheer size. If you take a panel in a closet at $3,000 multiplied by 1,000 panels you are talking serious money. There are some systems out there that are also still proprietary. The IT buyer is looking for more commoditized and leveraged products. It is a different mindset. We as manufacturers want to get there, but how? How do we make products that our traditional channels can install and maintain but still satisfy the IT buyer? That is the challenge to me because my channels aren’t the IT integrator; they are still the alarm integrator. As that alarm integrator works toward building their talent up to that IT level we need to make products as installable as possible while looking at new architectures. Traditional panels are not necessarily the future, but we may see network appliances with virtual panels and network connectivity between all devices.”
These appliances for enterprise class need to be small, robust and scalable. HID Global and others on the security side have in recent years begun to offer edge devices — reader/panel combinations that communicate directly over the IT/IP network. These alone don’t make an enterprise class system, however.
“What is sometimes considered an IT-centric solution is a Web-based system that has a decent feature set,” says Matt Barnette, executive vice president of sales and marketing, AMAG Technology Inc., Torrance, Calif. “The question is how does that scale up?”
Steven Lewis, senior product manager at Software House for Tyco Security Products, Westford, Mass., agrees. “When you have customers with 30,000 doors all over the world, it can be a bit challenging to manage in that type of architecture.”
That is where solutions such as Mercury Security, HID Global and others come in. They scale to those solutions that have thousands of doors through either IP-based controllers or traditional RS232. “We are developing these appliances capable of managing these doors — not necessarily telling them to lock and unlock, but managing the device itself,” Adams says.
“We are seeing some very successful system suppliers evolving that are Web- or cloud-based as well as traditional architecture based,” says Frank Gasztonyi, CEO/CTO, Mercury Security Corp., Long Beach, Calif. “Our products can work with any of those quite well. A system that can deliver either or both approaches often delivers the best value to the enterprise customer.”
Jacobs agrees. “We have IP appliances, but still offer the ability to do it via traditional hard cable or network. That gives the clients the opportunity to grow into that world as their IT departments and systems integrators grow.”
Oetjen cautions that this growth may not come without pains, however. “The most common thing we see is when you get into high-end databases and IT infrastructure, integrators will take on a project thinking it will be just like when they did that convenience store. Yes, it is access control. But you have to understand IT, the LAN, the databases and be careful what you sign up for,” Oetjen says.
Beyond the ‘Box’
The old model of selling a big job, installing it and moving on to the next big job doesn’t work in the IT-centric enterprise world. But squeezing margins and rising costs for training create a dilemma for the integrator. Thinking like IT is the answer here, too.
“If we were purely in the IT world and having this conversation people would look at the margins in the physical security world and say ‘Wow, that is impressive,’” S2 Security’s Moss says. “The bad news is that when selling physical security products in the IT world, your margins will be driven down on initial sales. The good news is the IT world has no trouble paying for services over time.”
The models must change, Open Options’ Fisher says. “The integrator has historically failed to serve himself well in recognizing the intellectual property they bring.” Charging varying rates for labor depending on experience and training, as well as charging for documentation, product research and other “consultative” services is a familiar and acceptable thing to IT buyers.
“IT departments have software support agreements with companies like Microsoft and Oracle,” AMAG’s Barnette says. “Security integrators need to get in the habit of upselling those types of agreements. They are good for the customer, integrator and manufacturer. They keep the customer on the latest revisions of the software and provide the integrator RMR. They should also look at providing more services for lifecycle management.”
HID’s Adams agrees. “Developing software-as-a-service and access control as a service model could be very beneficial because the access-at-the-door margin is going to come down. When you commoditize something you take the mystery out if it, and where there is mystery there is margin.”
Integrators who look at this as a positive opportunity will prosper, says Brivo’s Szczygiel. “Rather than relying on an exchange of hardware to make a profit, now they can sell their knowledge and that can potentially be more profitable. Assist the customer in customization of these systems, the policies related to them and the software surrounding them. Those are all great opportunities. If the integrator is savvy he can run a business that is equal to or even more profitable than the old model.”
Applying the Enterprise Mindset to Healthcare Environments
With a few key exceptions, hospitals and other healthcare institutions large or widespread enough to be considered “enterprise” have no different issues or expectations than their corporate counterparts. Within this unique environment many of the same features and architectures that make enterprise level access systems work for worldwide companies can benefit healthcare, too.
“In the large healthcare arena you will find they are usually spread out over a geographic area and have incorporated specialty units,” says Wayne Smith, vice president, Tech Systems Inc. “They are massive operations, not just geographically but in terms of the scale. They want to have seamless communications between staff and law enforcement, trend analysis and management.”
But they also have a unique population. “We are an industry that is 85 percent female,” says Shawn Reilly, chief of police and director of security, Greenville Hospital System, Greenville, SC. “We are an open institution 24 hours a day. None of our guest room doors lock. Access control for us is a tough balancing act to keep bad people out of the facility at the same time as encouraging everyone else to come in.”
Steven Lewis, senior product manager at Software House for Tyco Security Products, adds that there are aspects specific to healthcare such as infant abduction systems and tracking systems for equipment. “There are hundreds of beds and crash carts and hospitals can spend a lot of time trying to find those because they have been moved,” he says. “Healthcare institutions have to remain open and friendly in a different way than, say, a commercial business that doesn’t have nearly the same visitor count.”
But, like all enterprise access systems, they also want to afford nurses and staff the ability to control access to their individual areas while still maintaining a single system solution that security and IT have the management of, Lewis adds.
Reilly relied on Tech Systems to provide a system that would meet those needs. Using Software House’s C-Cure system enabled Reilly to have a flexible system that can be managed remotely and operates over the hospital’s VLAN.
“Across our enterprise we have five campuses that are all less than 25 miles from one another,” Reilly says. “Each is a hospital campus with multiple buildings. We use the same software and the same access control across all the campuses. We are blessed over other large systems who acquire hospitals with different systems, which makes it harder for them to integrate. We are in the process of coming up with a combined hospital call center with two other hospital systems. The other two security directors’ greatest challenges are that their software doesn’t talk to all of their facilities.”
Steve Fisher, president and CEO, Open Options, says that the nature of many hospital environments means that they could benefit from an “enterprise” solution. “Clearly there are some very large commercial medical institutions, but you also have a lot of religious organizations with one major hospital complex. To deploy a common credential in those environments would make that an ‘enterprise’ with similar network environments, similar expectations and security standards. When you look at a hospital environment it is very diverse between doctors, contractors, nurses, office facilities and they all want to carry one card. At that point you begin to move into an enterprise understanding. That is one of the better definitions of enterprise.”
Hospitals have a lot to control, says Dave Adams, senior director of product marketing, HID Global Corp. “The hospital itself has many different business units that may operate differently from one another. When you put it all together it operates like a large enterprise. And generally enterprise level access control systems are designed to survive any number of failures within them. They may have redundant servers and networks or alternate hosts. The enterprise level system brings to a hospital the ability to comply and keep running.”
Compliance issues such as the HIPAA (the Health Insurance Portability and Accountability Act) requirements for both security and privacy of health data are also never far from the minds of hospital administrators.
Such was the case with Blue Cross & Blue Shield of Rhode Island when it upgraded its headquarters. It relied on HID technology, including a smart single-card solution to both meet those requirements and create streamlined work.
“Is HIPAA a factor? Always,” says John L. Moss, CEO, S2 Security. “But it doesn’t prescribe anything that causes us to behave in a different way. The thing with healthcare environments is there is a lot of movement of people between facilities. These systems also need to be running continuously because the amount of disruption you can cause by having a failure in one of these settings is enormous.” For that reason, Moss says, the enterprise level “distributed” architecture is particularly beneficial for healthcare settings.
Adelante Healthcare, a private non-profit healthcare provider in Phoenix, found this to be true with the Brivo system it chose for its seven health centers located throughout Maricopa County. Using its Web interface, Adelante now has a single person administering multiple sites, allowing it to keep better records and have better access to data across the enterprise.
Raising Your IT ‘IQ’
IT being the primary influencer in the sales process means that the integrator needs to do more than just “speak IT.” Selling enterprise access control today means learning a whole new way of doing business.
“How do IT companies sell versus systems integrators? Systems integrators hire a great sales person who can find the customers and bring them to the table,” says Ron Oetjen of Intelligent Access Systems. “IT ‘team sells.’”
Wayne Smith, vice president, Tech Systems Inc., Duluth, Ga., agrees. “It is a much more consultative sell now. You have to involve a lot of different business units. In the past you talked to the security director. Now that everything is on the network it has to be a well thought out project plan, with conversations occurring between various business units that impact the whole organization. It takes longer to deploy a solution.”
Involving IT up front is key, and not just to get their buy-in, says Honeywell Security Group’s Vince Lupe. “Pretty much everything now has some sort of IP interface, and products need to be certified to run on the networks. IT manager may test products to validate that they will work.”
IT customers are smart. “In the past integrators have often had an advantage on their buyer, particularly in the physical security space because they were typically a non-technical person,” Szczygiel says. “In this new environment customers are very savvy. The IT person knows how their network operates and the standards they have to adhere to, and is likely to know as much or more about the technology you are selling than you do.”
Hiring or growing the employees to sell in this environment is a challenge for many integrators. “You have this great staff that has been with you for a long time, but it is a changing era,” Oetjen says. “Our job is to help these guys bridge the gap. We do a lot of training to raise the IT IQ of the company as a whole. And as we select and hire new people, whereas at one time we would have hired a certain knowledge base, now we are rewriting that job description to look for something different.”
Improving the education level of technical staff is key, says Masami Kosaka, president and CEO, PCSC, Torrance, Calif. “Integrators need to understand the advantages of having their technical staff certified in network communications. Many integrators spend excessive time correcting errors instead of avoiding them with appropriate planning and working with the IT staff prior to installation.”
Having knowledgeable staff can avoid a lot of pitfalls. Another key is to partner with a small number of manufacturers and really know everything there is to know about that product.
“We carry only one access control line,” says Alan Kruglak, senior vice president, Genesis Security Systems LLC, Germantown, Md. “I spend 100K a year on training just for one product line. If I carried three or four lines I couldn’t spend that kind of money and the techs wouldn’t have the technical depth.”
Steve Fisher of Open Options adds: “You need unique training on each of the products to understand the nuanced differences between them. One option turned off or one switch toggled wrong may make all the difference in the world for the system not working right in a particular networking environment.”