What Do Enterprise Security Customers Want?
And how can integrators give it to them?
Large, enterprise-scale end users are among the most complex in the security sphere. Beyond just sheer size — many span the country if not whole continents — their needs are different from those of smaller or even medium-sized businesses or enterprises.
When it comes to their security technology use, particularly the access control portion, often they are compared to large ships; they stay on course and don’t turn easily. For security integrators this can be frustrating. There are a lot of great new technology developments that could really help these customers with their issues, but getting end users to buy them has historically been difficult.
Things are starting to turn around, albeit slowly. But enterprise customers have a distinct set of challenges that security integrators and manufacturers need to be prepared to address.
What has changed? These customers are much more educated and aware of both what is out there and what they want to work toward, says Richard Goldsobel, vice president of Continental Access, Napco Security Technologies Inc., Amityville, N.Y. “Enterprise customers are much more aware than in years gone by on everything from Active Directory to integration of video. Years ago I spent so much of my time on education but I feel like now customers are asking us about topics.”
John Krumme, CPP, president and CEO, Cam-Dex Security Corp., Kansas City, Kan., says his company is seeing an increase in enterprise access control purchasing. “Most global customers are looking for ways to cut costs and standardize globally. We are working with several on a global standardization plan so their access and video management are the same throughout all their facilities. ... They are leveraging their access control investment throughout their global network.”
Advice for Integrators
Working with enterprise customers presents a unique set of challenges for security integrators. Here are a few pieces of advice from the experts:
“Don’t assume that you know what the customer will want; present multiple options and educate the customer so they can make an informed decision.”
— Adam Kinder, DMP
“The integrator space is crowded, and it’s critical for these businesses to provide a high level of service and support for large enterprise. If they don’t, they will be replaced with another company who values the feedback of their customers.”
— Eric Widlitz, Vanderbilt
“Listen and follow up by listening. Our industry has historically been one that talks and tells, which means the customer gets what we give them. Today’s customers are far more educated than they have ever been and often have a vision of what they are looking for.”
— Steven Turney, Schneider Electric
“As an integrator we have to know about different systems. We are not above bringing in help or expertise from our Security-Net partners to service product from other manufacturers our customers may have or have acquired.”
— John Krumme, CPP, Cam-Dex Security Corp.
— Eric Green, Honeywell
Part of the drive for this standardization is the increasing need for enterprises to manage both risk and compliance, says Justin Wilmas, senior director of sales for North America, AMAG Technology, Torrance, Calif. “Enterprise customers are looking more at not just access control but rather how the solutions inside of their estate help them solve their challenges holistically from a security point of view.”
Going hand-in-hand with standardization is something that is now absolutely table stakes: open architecture. With the aging of proprietary systems from companies such as the now-defunct Casi Rusco, customers don’t want to be caught flat-footed again, says Derek Arcuri, product marketing manager, Genetec Inc., Montreal. “[Enterprise] customers are a lot more aware of what open architecture means. They say they don’t want to be in the same situation they were previously in with proprietary systems.”
Another reason for this is the increasing merging of physical security and IT departments, says Eric Widlitz, vice president, North American sales, Vanderbilt, Parsippany, N.J. “We’re seeing more influence from the IT side of things as a result of the increased focus on cyber security and hardening the network on which access control functions.”
Perhaps the biggest shift is the way enterprise customers look at access control and what it can do for them, says Hilding Arrehed, vice president, cloud services–physical access, HID Global, Austin, Texas. “It is no longer simply a mechanism for securing doors, data and other assets, but also provides the means to create trusted environments within which organizations can deliver valuable new user experiences.”
Large enterprises are under a lot of pressure these days. Whether from a desire for cost savings or complying with regulations such as the recently implemented General Data Protection Regulation (GDPR) in Europe, there is a lot going on — and often access control is the least of it. However, those customers that understand or can be made to understand how their access control system can help them with some of these pressing issues are the ones most likely to invest in security upgrades.
“We are witnessing the collision of the enterprise with the Internet of Things (IoT), and organizations now must establish trust and validate the identity of people as well as things,” Arrehed says. “All this is happening against the backdrop of increasingly stringent safety and data privacy regulations.”
Steven Turney, security program manager, Schneider Electric, Dallas, says there are four big challenges he sees enterprise customers facing. “As I talk with customers and consultants we hear a revolving theme: budgets — though the economy has improved customers are still struggling to secure capital for expansion of systems and even internal labor; updates — updates are not being regularly deployed, which makes systems compatibility an issue; cyber security — today’s security and access control systems need connectivity, which introduces cyber security risks; and mobility. Today customers need connectivity while on the move through mobile applications.”
The problem, Turney adds, is today’s access control systems may exacerbate these challenges. “They are costly to update and maintain, limit mobility and have historically been deployed with a lack of consideration to cyber threats. That is why it is so important for customers to evaluate their specific challenges and look toward solutions that can address or mitigate those challenges.”
Before they can even begin addressing the more global challenges, one of the first steps — and one that many enterprise customers are in the midst of today — is the consolidation of systems.
“The biggest challenge today would be managing multiple systems,” says Adam Kinder, access control manager, Digital Monitoring Products (DMP), Springfield, Mo. “Users are very interested in converging multiple systems and technologies into one management system.”
This challenge has grown out of how the majority of enterprise organizations have evolved, Arcuri explains. “Maybe they outgrew their real estate or they took over a building and systems are not centralized. Systems can’t talk to each other and they have different operators for different buildings. They are weighed down by a silo.”
A Customer’s Perspective
Tim Chesney, maintenance supervisor for TVH Parts Co., Olathe, Kan., is an enterprise-level customer of Cam-Dex Security Corp. Chesney spoke with SDM about what he considers most important in an access control and integrated security system.
SDM: What are your biggest security needs related to access control?
Chesney: Our company is the world’s leading producer of after-market OEM quality materials like forklifts, bobcats, etc. Our biggest challenges are keeping tabs on people coming and going out of the building. Who is in the building and who is trying to gain access into different areas?
SDM: Are you making any changes or upgrades to your access control system currently?
Chesney: We are in the process of standardizing across the country and everything being put onto one platform. As these come online we are having Cam-Dex bring these sites up on the system. With our older sites we are in the process of working through the logistics of moving those to the platform.
SDM: What is the goal of doing this?
Chesney: It just makes it easier. We have salesmen that travel across the U.S. As of right now we have one facility up and our managers have to carry cards for that facility, the Olathe facility and the rest. Having them on one card will keep costs down.
Another advantage is compliance. Our biggest thing is customs. We can move product around the world a little bit easier with the government knowing that once we fill a container at our facility we know it was secure the whole time.
SDM: What is most important to you in a security integrator relationship?
Chesney: What we are looking for is if I call them we can have someone take care of an issue very quickly. There was one time that I had a family vacation in Florida. Our Miami facility needed to be locked down. I was able to dial into that system through VPN and lock the facility down. But if I didn’t have my computer I would be able to call Cam-Dex and they can do the exact same thing.
It is not uncommon for large enterprise customers to have two, three or more access control platforms all operating in different locations — all taking different credentials, of course.
“Through the standardization process, and sometimes when these companies are acquiring other companies, along comes legacy security product,” Krumme explains. “Generally speaking the acquiring company already has a platform they have chosen to standardize on and the reason to make those changes tends to be for cost reduction and consolidation purposes.”
Tom Echols, president global accounts group, Security 101, West Palm Beach, Fla., adds, “Unfortunately a lot of these big companies have pretty significant investments in platforms. They have to be pretty dissatisfied to make a change. There are companies we work with that are a combination of several different acquisitions over the years. They didn’t have standards around security and they are looking to come up with a platform they can expand globally.”
But none of this happens quickly. Echols has a customer that has been working on this for eight years.
The length of time it takes is due largely to cost, he explains. “Nobody can write a check for $20 million to get on this one platform. I have these discussions whenever we engage with someone new. Often it starts with the credential itself. A lot of these companies are ‘Wild West’ when it comes to the cards that have been deployed globally. One of the first directions is to standardize on credentials.”
Eric Green, senior manager, enterprise access control, Honeywell, Melville, N.Y., says this anything-goes credential philosophy is one of the first things companies now want to address. “Typically enterprises want to have a one-card solution, which requires coordinating a lot of different things, so building out those types of practices is a big challenge for these customers. We have seen customers that mandate everything from the top down and others where every office makes their own rules. But we are seeing the Wild West fading away. They are starting to recognize the advantages to having everyone work in a similar manner.”
Access control systems in the enterprise have almost always grown over time, been connected with different systems, and integrated using the network. Only recently did anyone realize this could present problems when it comes to cyber security.
“There is a large threat of a cyberattack that can be conducted through an enterprise access control system,” Widlitz says.
“A lot of our customers are reaching out to us,” Arcuri says. “It used to be we talked about how secure are your controllers or readers and how often do you upgrade? These days we are finding a lot of end users doing lots of research online and coming to us with questions about specific encryption and how can we guarantee that our controllers are up to date.”
Echols agrees. “The thing we have seen in the last few years is the systems are getting more scrutiny from an IT perspective. They are asking ‘Are they good citizens of my IT world?’ We have been leveraging IT infrastructure for more than a decade, but really they just gave us a port and an address and were not paying as much attention. Now they are looking at components spread across the enterprise. This has become a much higher priority and they now have dedicated resources helping to make sure these things are not threats.”
The days of siloed departments within an enterprise facility are over, Wilmas adds. “A lot of times what is overlooked, especially from the integrator’s perspective, is the security department unfortunately doesn’t have all the funding so it requires buy-in from multiple stakeholders inside the organization. When you look at operational challenges, their customers are these other departments like legal and HR and IT. In order to serve them, they need better technology. Today a corporate vice president of security is not going to be the only entity moving forward with [security] technology or funding.”
MEETING THE NEEDS OF THE ENTERPRISE
While there is no shortage of challenges for the enterprise, both manufacturers and security integrators are stepping up to help enterprise customers overcome them — from easier upgrade paths, to unified solutions and more consultative selling.
“The enterprise customer is demanding more than just what an access control system can provide them in order to solve risk and compliance challenges,” Wilmas says. “That takes an auxiliary set of solutions that have to integrate and work seamlessly with the access system. There is a lot of talk today about unified security management.”
Unified systems let companies focus on just one system through a single pane of glass, Arcuri describes. “There are a majority of our enterprise customers moving over to our unified offering.”
The secret to getting them to do that, he adds, is making sure they understand the benefits. “We have to show them the pain of staying with what they have is greater than the pain of change. If we can get over the hump they can start to see those gains. We also have to show them the hump is not as big as it seems.”
Genetec tries to make things easier by having more open systems, as well as a partnership with Mercury, which is something several manufacturers are getting on board with to help with the upgrade process. “Their bridge strategy allows customers with proprietary systems to just replace the boards,” Arcuri explains. “This has opened up opportunities for companies that hadn’t considered upgrades because it isn’t a forklift change.”
Echols calls this type of change a lobotomy. “We work with customers on lobotomies where we take out the ‘brain’ of the access system and put in a new brain and manufacturers are making it easier to do that.”
Integrators are more involved than ever before in the details of planning for the future, Krumme believes. “I think that a number of our national or global customers are looking for assistance with plans and strategies on implementing standards and better understanding emerging technology,” he says. “We are doing a lot of consultative selling. It is not just about access control and securing your doorways. It is a complete, robust system.”
Bringing New Functionality to Multi-Supplier Access Control in an IoT World
In contrast to the video surveillance market, access control technology has historically been slow to change, in large part because of the high upfront costs to acquire and install a system and the longevity of the equipment — commonly between 12 and 20 years. End users and their need for open network-based infrastructures are driving recent changes in this market, as the line between physical security and IT continues to blur. Physical security systems are now often managed by IT departments and IT directors are rightfully demanding open architecture approaches (like IP networks) rather than the proprietary and sometimes duplicative design of traditional security systems.
The drive to an open architecture approach has proliferated across many related industries, and today we see lighting, HVAC and other functions residing on the network as well, offering businesses the option to minimize operating costs and to better control and monitor their facilities. This trend of hosting everything on an IP network clears a path for an Internet of Things, which in many respects is already here.
This approach has in turn driven the development of standards-based applications, and end users and systems integrators alike are recognizing the value of open standards, such as the interoperability standards created by ONVIF.
The open device driver used in ONVIF Profile A conformant access control panels allows end users to integrate control panels and management software from different manufacturers, facilitating interoperability for multi-vendor projects. This gives end users the ability to make choices on specific hardware for their access control systems and, even more importantly, means that if you want to install another supplier’s access control management software in the future, you won’t have to rip and replace existing access control hardware in order to do so. The common interoperability of ONVIF Profile A provides the bridge between the legacy hardware and new software if both are Profile A conformant.
The network can already transfer pieces of data from one system or device and correlate it with other data in analytics software programs, ultimately providing usable, actionable information to end users, aggregated from such systems as video, audio, intrusion, voice and others. Multiple network-based systems make things like intelligent building automation a reality, delivering cost savings, keeping people and assets safer and reducing energy requirements.
As one of the major platforms within a smart building environment, access control systems play a large role in this IoT scenario. When they are connected to other, seemingly disparate building systems using a common interface, this deeper interoperability increases the productivity of the overall system. As a contributor to an intelligent building ecosystem, access control systems also serve as a repository of large amounts of data, such as tracking people’s movements for real-time facility population data or facility usage based on the day’s meeting room booking schedule. The more data that is available within a system, the more quickly adjustments can be made, further ensuring the security and efficiency of the building.
When enabled with artificial intelligence, access control and other building systems can begin to recognize patterns, anticipate events and behaviors, and make proactive changes to the building environment, enabling its occupants to work more efficiently. AI allows for systems to be smarter, more effective and provide additional cost savings by further reducing the administrative burden of the system.
With so much data being fed into these management platforms, from AI technology or other more traditional sensors, a stumbling block to true interoperability still remains. To harvest actionable information from the received data, that data has to be readable in a common format. Data readable in only one proprietary ecosystem will jeopardize the idea of interchangeable information, and further reinforce the silos that exist between the largest providers. Profile A could offer a solution for this in the future by providing users with that common interface, allowing the market to continue to grow through interoperability and innovation.
To learn more about Profile A or any of the ONVIF Profiles, visit www.onvif.org. — Contributed by Bob Dolan, ONVIF Technical Services Committee and director of technology, Anixter
Enterprise customers are more willing to at least discuss, and sometimes plan for, the adoption of some of the newer technologies, particularly cloud and mobile.
“More and more enterprise businesses are comfortable with adopting hosted services,” Arcuri says.
Wilmas agrees. “There is a big value to hosted solutions. If a security department is looking to make an investment and it will sit on the network, they have to work with IT. IT sees security as a customer and will ultimately bill them internally inside the corporate estate. A lot of organizations are looking at cloud-hosted solutions because when they invest in that it is a capital expenditure. With cloud you are looking at operational expenditure that is subscription-based and very little IT infrastructure is required. The value proposition is stronger.”
Even though there is an appetite, there is little movement, Krumme says. “Cloud-based systems are one of the most discussed topics we hear. But even though cloud is extremely popular it has been somewhat slow to be implemented. ... That’s not to say it won’t happen. With enough conversation we think it will.”
It depends on your definition of cloud whether the enterprise is adopting it, however, Echols says. “Most of our enterprise customers have gone away from the traditional client/server architecture and basically have an internal cloud. They want less brick and mortar and fewer data centers. Their policy is if they can buy the software as a service that is their first choice. Second they will use someone’s server like Amazon, and third they will host it themselves. It makes it easier to upgrade because they don’t have to worry about how to get 800 desktops upgraded.”
Mobile is another ongoing conversation, he says. “Mobile credentials are extremely popular. It is great at attention-getting, but we have been pretty slow to implement.”
It will happen, predicts Scott Lindley, general manager, Farpointe Data, Sunnyvale, Calif. “Security professionals creating access control systems need to be aware that 95-plus percent of adults 18 to 44 years own smartphones. That means every smartphone user, or almost everybody, could now easily download an access control credential. No longer will people need various physical credentials to move throughout a facility.”
For enterprise customers particularly, this could have huge benefits as they struggle to standardize on a single credential. For now, most are approaching it in the getting-ready phase, Arrehed says. “We continue the move to mass adoption of mobile credentials as major enterprises worldwide prepare by ensuring their access control infrastructures are mobile-ready.”
One of the biggest challenges with enterprise customers is helping them keep current with technology, while slowly upgrading them over time. For some this is easier than for others, Krumme says. “We have a project we are working right now where the customer is saying, ‘We are going to put this particular product in because we have it in [other] facilities.’ We tell them, ‘This technology is 10 to 15 years old. What if you used a different platform with more cyber-protection and over time start phasing that into other buildings, instead of installing older technology just because it talks to what you currently have?’”
Krumme says that is a discussion his team has with customers frequently, but thankfully they more frequently understand the benefits of newer technology. “Sometimes the newer technology is even less expensive than some of the older, just not compatible. But more are willing to listen and look at this and make the case to executive management.”