It’s an access control service with many names: hosted, managed, cloud, shared. Whatever you call it, the idea is for security integrators to take on more of the responsibility of the hardware, software, processes and maintenance — and, more to the point, enjoy the recurring monthly revenue it brings in.

Historically, few security integrators have been willing to take this on. Unlike security dealers, who have access to 24/7 central stations and are based on the RMR model, the integration channel is unused to the concept and has often found the idea overwhelming. In fact, when Gene Samburg of Kastle Systems, Falls Church, Va., first conceived the idea of managed access control in the early 1970s, implementation was cumbersome and it was tricky to hit on a winning formula (see “Managed Access Has Come a Long Way,” page 69). But in recent years this has changed dramatically due to advancing technologies such as IT-based systems and the cloud.

“There have been tremendous advances in cloud-based access control recently, as cloud computing has opened a world of possibilities for the systems integrator,” says Lukas Le, director of cloud services, Galaxy Control Systems, Walkersville, Md. “The trend we are seeing is for integrators to take on more services that they can offer to their end users to become a ‘total resource’ for the customer. This trend is supported by open platform technology that enables seamless integration between door hardware, access readers, software and other system components to allow dealers and integrators to utilize best-in-breed solutions.”

Cloud solutions make things easier for the security integrator, adds Brian Matthews, director of sales for Feenics Inc., Ottawa, Ontario, Canada. “They don’t have to be as sophisticated. As margins get tighter, integrators who want to stay profitable need to move to something. Services are profitable.”

Patrick Barry, CEO of BluBØX Security, Andover, Mass., says this is part of a larger big shift in the security industry in general and access control in particular. “The entire security industry is moving in the direction of providing security services. This is due to globalization and the commoditization of the industry. Systems integrator margins are eroding and they are looking for new ways to supplement the margin with things like managed access. It is becoming a necessity and the migration is mostly because of economic factors. At the same time, customers have become more sophisticated and more demanding of product and service. Systems integrators face a tough problem: ‘How do I compete while making enough money on the initial sale to keep my doors open and get paid for the ongoing service that customers demand post-installation?’ Physical Security as a Service (PSaaS) and recurring revenue solutions are a win-win for everyone,” he says.

This is the conclusion that some integrators are just starting to come to, adds Steven Turney, security program manager for North America and Canada, Schneider Electric, Carrollton, Texas. Turney recalls a conversation he recently had in which an integrator partner was lamenting that customers kept calling him for things such as changing time schedules because they had forgotten how, until he finally realized it was an opportunity to take over that task for the customer, for a fee.

“It was a really interesting conversation,” Turney says. “I am seeing this epiphany just within the last two to three months where they are starting to realize they are missing an opportunity.”



For security integrators grappling with the question of whether they should start down this path, Turney advises first stepping into the hosted model, which is an increasingly common architecture. It can be hosted by the manufacturer or the integrator, depending on how it is set up from that particular manufacturer, and it provides the integrator RMR for simply hosting the platform. From there — as more of Turney’s integrator partners are finding — certain end users have an appetite for more services.

“Most of our partners are doing the hosted deployment,” he says. “The customer is still managing their system from day to day, but they can get rid of the burden of having servers…. The only real difference from what we used to do versus today with the cloud is where that server is sitting, who is paying for it and how it is supported.” 

While integrators are starting to get into hosted access control, often they stop there, says Scott May, regional sales manager for RS2 Technologies LLC, Munster, Ind. The reasons range from cost of software, server and what type of customers they want to service, to the manpower required for managing the system, he says. “Do they want to sell managed services or just hosted and allow customers to log in and manage their own?”

More and more manufacturers are introducing platforms that make hosting an easy proposition today. “In the access space a number of integrators have created managed platforms, but that required them to invest heavily in hardware and software and cobble together a solution to make that work,” says Robert Lydic, global vice president of sales, ISONAS, Boulder, Colo. “We wanted to develop a platform that is in the integrator’s best interest.” The ISONAS model allows the integrator to buy licenses that allow them to have multiple end users underneath their individual log-ins. “It is an off-the-shelf managed platform that requires no hardware or software to get the platform.” It can be either hosted or managed.

Systems like this and others from the likes of Brivo, BluBØX, Feenics and others are a far cry from what Feenics founder and CEO Sam Shalaby found in his 34 years as an integrator. “We have been doing managed services since 1989. The frustration of our experience was technology. It just wasn’t there.” That was why he decided to found a company that could help others.

“Our platform allows the integrator to get into the model of managed services without a major investment on their part.” Still, Shalaby admits, there is a need to educate the channel about opportunities like this. “There is a little bit of reluctance from the average integrator because they are not used to that recurring revenue model. They don’t know how to step into it.”

There is also a misconception that managed services requires a full monitoring or operations center set-up, which isn’t always the case anymore, depending on how “managed” you want to be. (See “The Hosted-Managed Continuum,” page 72.) “ You don’t have to have a monitoring station to be in managed services,” Shalaby says. “The VAR can gauge what business model he wants to get in. They can ease into it. They can start by providing daytime services and exceptional service at night. They can do it from their home if they want to [on a mobile device].”

As the means to do it gets easier, some security integrators are increasingly deciding to go for it. “Some of the more savvy integrators are starting to invest in these types of solutions, particularly as end user acceptance grows, says Stuart Tucker, senior director of enterprise solutions, AMAG Technology, a G4S company, Torrance, Calif. “This represents a continuous revenue stream for them and a lower upfront cost for the end user. It’s easier for the projects to get funding support, and allows for capability, which is difficult for many large companies.”

There is also a common perception that managed access control is only applicable to a select set of customers — property managers and small- to medium-sized businesses that don’t have an in-house security department. While this is still mostly true, technology advances, changing buying structures and a shift in attitudes about outsourcing are slowly changing that dynamic.

“The things you can do are so much greater today and it is the expectation today,” Barry says. “If you broaden the definition of managed to include providing security and redundancy for the system, having the ability for the customer or integrator to manipulate the system from anywhere, have integrated visitor management and really understand the broader implications, it is [potentially] for every single customer.”

The trend is at least getting security to the cloud, Turney says. “IT departments are used to this notion of support agreements and outsourcing … and now are actually recommending security departments push [things] to the cloud.”

Once it is in the cloud, then it is about individual use cases, Tucker adds. “If you understand the value propositions and why a company would want to have security provided as a service, then you will understand what you must be able to deliver in that respect. Start-up costs may seem high, but recurring revenue is the gift that keeps on giving as long as you can meet the customer’s expectations.”

Managed access just makes sense in certain cases, says Charles Anthony, vice president of sales and marketing, SecuraKey, Chatsworth, Calif. “For the right application, managed access control realizes the true value of access control by keeping a system running efficiently, effectively and economically.” And the security integrator is in the best position to do this as the expert in the system he or she designed and installed.

Matthews recommends doing a “root cause” analysis to determine if this model is right for you. “Look at your customer base and see what problems they have had. Were some of those problems self-inflicted? That is a perfect case for managed services. From a hosting perspective, have they ever had a server crash? What about updates? Would they like this headache to go away? If done right managed services provide the customer better service and lower total cost of ownership.”



While it is true that implementing managed access is easier than ever before, there are still some considerations and challenges integrators will face when starting out.

“It is a bit of a mindshift,” Shalaby says. “You have to change your culture a little bit, but you are rewarded for it because you are paid monthly.”

This mindshift includes making sure technicians are IT savvy and understanding how to provide service remotely. Integrators need to be well versed in the “jargon” of cybersecurity, Turney says. “Concepts, specifically around encryption and how the data is handled are conversations that always come up with the IT department.”

Beyond that, make sure you are prepared to follow through, Tucker cautions. “To do this correctly integrators need the right IT resources (people and equipment)…. There are maintenance responsibilities that accompany taking on a hosting operation and a provider must be aware of and able to manage these requirements or be at risk for failure.”

On the sales side, there is the leap from straight commission sales to selling RMR.

“Change your commission plan to account for the RMR aspect of what they are selling,” Barry recommends. “They are still selling 95 percent of the same things, but put in a plan that not only addresses what they are selling one time, but has a kicker in there for RMR building up over time, like an annuity. You can pool all the RMR and give them a piece of it, or take three years’ worth of RMR and treat it as a one-time sale and commission them at the time of sale.”

Mitchell Kane, president of Vanderbilt Industries, Parsippany, N.J., says commissioning is one of the most important elements. “The biggest requirement is for the integrator to set up a compensation plan for the sales department that drives the behavior and keeps them motivated. Unlike the conventional central station alarm business, 100 percent of access control revenue is typically achieved at the time of sale. With this model, revenue is more of an annuity; the installed base has to be built up over time before meaningful profit is realized.” Vanderbilt just released a hosted solution in late 2016, he adds.

At the top level, reasonable expectations are key, Le adds. “Management must be committed to its success, be willing to invest what is necessary, and allow enough time to show proper sales results. If the management team is looking for quick profits, then failure will surely follow.”

Another important consideration is the security of the server. There are two types of cloud — public and private — and integrators first must decide which they are using. Private requires more work, but may offer greater security. Many manufacturers offering cloud solutions do so using reputable and highly secure public clouds, such as Amazon, Microsoft Azure and others. This allows them to offer an easier path for the integrator, while still maintaining the security customers demand.

For those that are hosting their own server, choose wisely, says Shawn Sharp, president of Kingdom Security LLC, Houston, an RS2 integrator. “Make sure to spec out a server that will grow with the system. The software is a large cost, but … we were able to allow the software to grow as we won projects. Most of our cost was setting up the production server then configuring a backup and making sure it all worked without having the customers to cover the cost. We chose to do it right the first time as a long-term play for our company.”

Finding the right vendor partner is critical; whether you work within your existing manufacturer structure (especially as more of the main players get on board with hosted and managed options) or choose one of the newer cloud-only solutions, look for one that is willing to help you with the process.

“The integrator needs to talk to vendors and see which one can help him the most, not just in getting the product or technology, but does this vendor have the technology that is evolving? Will they help me grow or can they teach me? Integrators want to get into it, but there is still this hesitance,” Shalaby says. “We do a lot of hand-holding because we have to. This is new.”

BluBØX also does its share of hand-holding, Barry adds. “If our integrator partners are not equipped or staffed to provide these services then we can provide them for them, for a fee, and they can still make money offering the service. We also teach our system integrator partners the PSaaS RMR model and what they can expect to earn for various size systems.” On average, this number is 40 cents of RMR for every dollar of equipment installed, he says.

Some integrators and other non-manufacturing partners are even willing to help out their fellow integration companies with hosting or managing systems. “Kingdom Security offers a reseller program for all RS2 dealers,” Sharp says. “This allows integrators to get into the hosting services without the upfront cost. Once the dealer or integrator gets enough customers to justify setting up a server it’s an easy cut-over process.”

Once you have your provider, your staff on board and are all set to begin, then it is time to get down to details, Turney adds. “From a people perspective they first have to figure out what are their support operating hours going to be? Will they stay with the traditional 8 to 4 or 9 to 5 scenario, or go 24/7? If they do that, then they have to figure out how to handle staffing.”

Steve Van Till, president and CEO of Brivo, Bethesda, Md., says he receives many questions about how to price services. “There are higher rates of hosting adoption now, so that has put more integrators in the position to think about doing a managed service on top of that. But there are a lot of questions about how much others are charging for this or that.” He recommends checking the GSA schedule, which has listed prices for the government. “It is a starting point because it gives a menu.”

Finally, it is time to get the customers on board with the plan.

“Look at your customers from a service point of view,” Turney advises. “Where are those calls coming from? Any specific customers? Types of calls? Maybe those are the customers you approach first. Use your in-house analytics and say, ‘Mr. customer, you called us 15 times in the last few months. We are always happy to support you, but we think there is another option that will help you save money. Are you interested?’ That opens up the door to the conversation about managed access.”



If an integrator is considering offering managed access (or even just getting into hosted cloud access), most experts agree: the time is now.

“The advice I would give them is to jump in with both feet,” Lydic says. “Managed access control is an exploding market with the advent of IP products and cloud services. It allows them to increase customer retention and profitability and satisfaction; and due to the technological data associated with access control being so small, it really scales in a manner the likes of IP video struggles with.”

Turney adds: “Don’t be afraid of it. Just because it is different doesn’t mean it is hard. Do your research and homework, especially on IT and the protection of data, because you are going to get asked about it. Then sit back and evaluate what your needs are as an organization. What is going to help you? What else are you going to have to learn? Then just do it. It is not a major hurdle to overcome in comparison to what you were traditionally doing in access control.”

In fact, the general trajectory of access control systems over the last several years is making things easier, if anything. Open systems not only make it simpler to integrate and migrate systems, but can ease the transition to cloud hosted or managed for the customer, as well.

“If I have a legacy system, how do I move? One of the reasons we started with Mercury is they have so much equipment installed out there,” Barry says. “Anyone that has a Mercury controller can easily move from a legacy system to the next generation without replacing any of their hardware. The nice thing about cloud-based is you don’t have to touch their system until the moment you are ready to switch it over.”

In fact, Mercury is trying to make it even easier to do this, says Steve Lucas, vice president of sales and marketing, Mercury Security, Long Beach, Calif. “The other side of the managed services piece is we recognize that within our products there is a lot of data around maintenance and run-time operation around our controllers and things connected to it. We continually try to improve and expose that data so third-party systems can connect and get data such as the health of the network and uptime and other things important from a maintenance standpoint to help out the integration channel.”

Not only can this make remote services easier to do, but it also provides more data to offer the customer as a service, he adds. Managed access control may be just the tip of the iceberg, in fact. Many see it as the entry to much more service-oriented offerings, some of which are just beginning to be understood by the channel.

“You need to look beyond traditional access control that is out there today,” says Steve Spatig, general manager of electronic access solutions at Southco Inc., Concordville, Pa. Southco provides cloud-based access control solutions for non-traditional openings such as equipment, data racks and cabinets. “Integrators should be looking at the latest technologies and not get too bogged down by the way it has always been done. The whole nature of these systems is that they are remotely managed, without having to put in the level of effort required for older, wired solutions that required rolling a truck to perform service.”

Barry sees a need for a complete overhaul of definitions around services. “First, the industry needs to update its definition of ‘managed access’ because it is very old fashioned, along with the services associated with it. The world has moved on and left the security industry behind and it’s time for us to play catch-up.” Barry suggests a new term should be PSaaS.

“It encompasses so much more. Would you include system support? I would. Would you include automatic equipment replacement or upgrade? I would, because you can’t just let it sit there and die. What services can you bill your customer for? What things can you do to generate RMR?

“I think people are missing the big picture of what they should be transitioning to — supplies as a service, issuing cards and visitor badges, digital credentials and annual increases. Make sure you are increasing by 3 to 4 percent every year.”

But, Barry cautions, the window of opportunity for doing this may be short. “I would say start as soon as you can because PSaaS is a ‘land grab.’ Once a customer starts with PSaaS, they tend to stay with it and the company that is providing it because it is a win-win for both end users and systems integrators. The sooner you start, the faster you will move ahead of your competition and the more customers you will get and keep.”


Managed Access & the Cloud

It is hard to overstate the impact the cloud has had and will continue to have on managed and hosted access control, and integrators’ abilities to offer it.

“The cloud is allowing them to scale and not have a substantial capital investment,” says Robert Lydic of ISONAS. “They don’t have to purchase servers and software and hardware in order to talk to customers.”

The cloud lets manufacturers like Feenics offer scalability and capability that just weren’t possible before, says Sam Shalaby. “The mobility that cloud provides did not exist before. If you had a system with 100 readers, to introduce redundancy was very, very expensive. Now the cloud does it much cheaper.”

If there is a “downside” to the cloud when it comes to managed services it may be that it makes things too easy, says Brivo’s Steve Van Till. “Philosophically, when we created our system, our orientation was much like any other online website, which was ‘Let’s make it simple enough that someone with little to no training can figure out how to use it and enjoy all the benefits of a self-service model.’ In our thinking we have created more of the Amazon experience than the hardware store experience.”

This could mean that more users can handle things themselves, says Gene Samburg, office of the chairman and founder of Kastle Systems. “Because the cloud is so available to people it gives them more incentive not to outsource but to do it themselves, thinking it is so easy to do.”

But does that inherently make fully managed services less attractive to the end user? Not necessarily, says BluBØX’s Patrick Barry, who views the cloud as a natural evolution. “One thing people need to recognize is the security industry goes through epochs every 15 years or so as a result of technology moving to a new place and platform. Those changes, which are usually disruptive, force people to go to a new way of doing things.”

He compares it to the music industry: “It’s equivalent to upgrading from buying digital music and storing on an iPod to streaming or listening offline from a music service like Spotify or Apple Music. You are still listening to music. But with the streaming service you have many more choices. It is more convenient and you have a known monthly cost. The same applies for managed access or PSaaS.”

What’s more, he says, offer the right types of services and users will go for it, just like they did in the music industry. “I bought the Beatles White Album five times on five different media.”


7 Ways to Expand RMR Opportunities

  1. SaaS licenses

  2. System support agreements

  3. Equipment upgrade agreements

  4. Managed services (including database management, reporting, access provisioning, cybersecurity and much more)

  5. Supplies as a service (including hardware)

  6. Digital credentials

  7. Annual increases


Managed Access Has Come a Long Way: Just Ask Its Founding Father

Gene Samburg, founder of Falls Church, Va.-based Kastle Systems (SDM’s 2015 Systems Integrator of the Year), is widely recognized as the founder of managed access control. SDM spoke with Samburg about his experience and his thoughts on the industry now.


SDM: How did you go about defining what managed access meant when you started out?

Samburg: In 1982 I was at one of these executive business programs they offer for three weeks every year. At the first session the professor says take your sign down and write what business you are in. I knew we were doing something different then, but I wasn’t able to put my finger on what it was. The first year I wrote security business. The next year I took [that] sign down and wrote services. By the third year I had figured out I was in the outsourcing business where a client would buy our system and would outsource the operation of the system to us because his alternative was to run it himself. Once I identified what our difference was, our whole marketing changed. I was never really an integrator. I was really an outsourcer.


SDM: What is different now from when you started doing managed access?

Samburg: Now there are a number of hosted systems out there. When I think back from 1972 to 1985, those 13 years were like pulling teeth. We were swimming up against the tide. When we finally broke through it was only because this was a unique marketplace. One of reasons we were successful in Washington D.C. was because they were office building owners. The real business of Washington is office building real estate. An office building owner is in the business of running an office building. So when someone came in and said, “I can run your security for you,” the office building owner said, “okay.” We were successful because when we did the office building the tenants saw they could hook onto this and make life a little easier.


SDM: What advice would you give integrators looking at managed access control?

Samburg: I am sure they are looking for new models and ways to differentiate themselves because nobody wants to be the same as the next guy. The difference between an integrator and somebody doing managed access is sort of like the difference between a grocery store and a restaurant. A grocery store sells products. The mindset of a grocer is a sales mindset. He buys products and sells them. An integrator does exactly the same thing: He buys product and sells and installs it and gets RMR from maintenance contract. There are probably 500 integrators in the U.S. and they all do the same thing.

But the whole idea of managed security is when you are moving from small into the large. That is a big leap. Your liability grows. If you screw up it is not just the legal liability but the whole business liability. You have to run this thing right because if you don’t the word gets out. You have to have the infrastructure. If you look at what a typical integrator does, they have purchasing department, engineering/IT that configures it, installation and service. They don’t have the department that is running it. That’s the whole idea of outsourced security. When we built Kastle that was the biggest department we had.

I think it is a great business and a unique business. But I did a lot of head beating to do this thing right. You can screw up installation and survive; but you can’t run it wrong.


The Hosted-Managed Continuum

There is not a hard and fast divide between what is hosted and what is managed access control, say the experts.

“In access control there is such a variance of what services you want to provide,” says Robert Lydic of ISONAS. “Do you just want to provide updates and upgrades and all of those software functions? Or do you want to go as far as any time the customer calls you, you take care of all the management of groups and levels and health monitoring?

There is a continuum, based on the integrator’s capabilities and the end user’s level of interest, he adds. “They can do everything from just hosting under their specific log-in all the way to doing absolutely everything for the customer.”

It is only limited by your imagination and what you are willing to provide, adds Sam Shalaby of Feenics. “How managed do they want to be? I had three models in my integration company: managed, hosted and shared. We had high-tech companies that cut security costs in half by taking care of daytime services and we took it over at night. We did card production, unlock this door in case of emergency, etc.”

There is a lot of room in the middle ground, says Steve Turney of Schneider Electric. “We will provide the channel the solution. How our partners and integrators want to deploy it is really up to them and the customer and what both of them are comfortable with.”



For more articles on managed access control visit SDM’s website, where you’ll find the following articles:

“All in With Managed Access”

“Find Your RMR in the Access Cloud”

“Kastle Systems Wins SDM’s 2015 Systems Integrator of the Year With Their Strong Platform for Success”

“Cloud Access Control Offers RMR Opportunities”