Large, enterprise-scale end users are among the most complex in the security sphere. Beyond just sheer size — many span the country if not whole continents — their needs are different than smaller or even medium-sized businesses or enterprises. 

When it comes to their security technology use, particularly the access control portion, often they are compared to large ships; they stay on course and don’t turn easily. For security integrators this can be frustrating. There are a lot of great new technology developments that could really help these customers with their issues, but getting end users to buy them has historically been difficult.

Things are starting to turn around, albeit slowly. But enterprise customers have a distinct set of challenges that security integrators and manufacturers need to be prepared to address.

What has changed? These customers are much more educated and aware of both what is out there and what they want to work toward, says Richard Goldsobel, vice president of Continental Access, Napco Security Technologies Inc., Amityville, N.Y. “Enterprise customers are much more aware than in years gone by on everything from Active Directory to integration of video. Years ago I spent so much of my time on education but I feel like now customers are asking us about topics.”

John Krumme, CPP, president and CEO, Cam-Dex Security Corp., Kansas City, Kan., says his company is seeing an increase in enterprise access control purchasing. “Most global customers are looking for ways to cut costs and standardize globally. We are working with several on a global standardization plan so their access and video management are the same throughout all their facilities. ... They are leveraging their access control investment throughout their global network.”

Part of the drive for this standardization is the increasing need for enterprises to manage both risk and compliance, says Justin Wilmas, senior director of sales for North America, AMAG Technology, Torrance, Calif. “Enterprise customers are looking more at not just access control but rather how the solutions inside of their estate help them solve their challenges holistically from a security point of view.” 

Going hand-in-hand with standardization is something that is now absolutely table stakes: open architecture. With the aging of proprietary systems from companies such as the now-defunct Casi Rusco, customers don’t want to be caught flat-footed again, says Derek Arcuri, product marketing manager, Genetec Inc., Montreal. “[Enterprise] customers are a lot more aware of what open architecture means. They say they don’t want to be in the same situation they were previously in with proprietary systems.”

Another reason for this is the increasing merging of physical security and IT departments, says Eric Widlitz, vice president, North American sales, Vanderbilt, Parsippany, N.J. “We’re seeing more influence from the IT side of things as a result of the increased focus on cyber security and hardening the network on which access control functions.”

Perhaps the biggest shift is the way enterprise customers look at access control and what it can do for them, says Hilding Arrehed, vice president, cloud services–physical access, HID Global, Austin, Texas. “It is no longer simply a mechanism for securing doors, data and other assets, but also provides the means to create trusted environments within which organizations can deliver valuable new user experiences.”

ENTERPRISE CHALLENGES

Large enterprises are under a lot of pressure these days. Whether from a desire for cost savings or complying with regulations such as the recently implemented General Data Protection Regulation (GDPR) in Europe, there is a lot going on — and often access control is the least of it. However, those customers that understand or can be made to understand how their access control system can help them with some of these pressing issues are the ones most likely to invest in security upgrades.

“We are witnessing the collision of the enterprise with the Internet of Things (IoT), and organizations now must establish trust and validate the identity of people as well as things,” Arrehed says. “All this is happening against the backdrop of increasingly stringent safety and data privacy regulations.”

Steven Turney, security program manager, Schneider Electric, Dallas, says there are four big challenges he sees enterprise customers facing. “As I talk with customers and consultants we hear a revolving theme: budgets — though the economy has improved customers are still struggling to secure capital for expansion of systems and even internal labor; updates — updates are not being regularly deployed, which makes systems compatibility an issue; cyber security — today’s security and access control systems need connectivity, which introduces cyber security risks; and mobility. Today customers need connectivity while on the move through mobile applications.”

The problem, Turney adds, is today’s access control systems may exacerbate these challenges. “They are costly to update and maintain, limit mobility and have historically been deployed with a lack of consideration to cyber threats. That is why it is so important for customers to evaluate their specific challenges and look toward solutions that can address or mitigate those challenges.”

Before they can even begin addressing the more global challenges, one of the first steps — and one that many enterprise customers are in the midst of today — is the consolidation of systems.

“The biggest challenge today would be managing multiple systems,” says Adam Kinder, access control manager, Digital Monitoring Products (DMP), Springfield, Mo. “Users are very interested in converging multiple systems and technologies into one management system.”

This challenge has grown out of how the majority of enterprise organizations have evolved, Arcuri explains. “Maybe they outgrew their real estate or they took over a building and systems are not centralized. Systems can’t talk to each other and they have different operators for different buildings. They are weighed down by a silo.”

It is not uncommon for large enterprise customers to have two, three or more access control platforms all operating in different locations — all taking different credentials, of course. 

“Through the standardization process, and sometimes when these companies are acquiring other companies, along comes legacy security product,” Krumme explains. “Generally speaking the acquiring company already has a platform they have chosen to standardize on and the reason to make those changes tends to be for cost reduction and consolidation purposes.”

Tom Echols, president global accounts group, Security 101, West Palm Beach, Fla., adds, “Unfortunately a lot of these big companies have pretty significant investments in platforms. They have to be pretty dissatisfied to make a change. There are companies we work with that are a combination of several different acquisitions over the years. They didn’t have standards around security and they are looking to come up with a platform they can expand globally.”

But none of this happens quickly. Echols has a customer that has been working on this for eight years. 

The length of time it takes is due largely to cost, he explains. “Nobody can write a check for $20 million to get on this one platform. I have these discussions whenever we engage with someone new. Often it starts with the credential itself. A lot of these companies are ‘Wild West’ when it comes to the cards that have been deployed globally. One of the first directions is to standardize on credentials.”

Eric Green, senior manager, enterprise access control, Honeywell, Melville, N.Y., says this anything goes credential philosophy is one of the first things companies today now want to address. “Typically enterprises want to have a one-card solution, which requires coordinating a lot of different things, so building out those types of practices is a big challenge for these customers. We have seen customers that mandate everything from the top down and others where every office makes their own rules. But we are seeing the Wild West fading away. They are starting to recognize the advantages to having everyone work in a similar manner.”

Access control systems in the enterprise have almost always grown over time, been connected with different systems, and integrated using the network. Only recently did anyone realize this could present problems when it comes to cyber security.

“There is a large threat of a cyberattack that can be conducted through an enterprise access control system,” Widlitz says.

“A lot of our customers are reaching out to us,” Arcuri says. “It used to be we talked about how secure are your controllers or readers and how often do you upgrade? These days we are finding a lot of end users doing lots of research online and coming to us with questions about specific encryption and how can we guarantee that our controllers are up to date.”

Echols agrees. “The thing we have seen in the last few years is the systems are getting more scrutiny from an IT perspective. They are asking ‘Are they good citizens of my IT world?’ We have been leveraging IT infrastructure for more than a decade, but really they just gave us a port and an address and were not paying as much attention. Now they are looking at components spread across the enterprise. This has become a much higher priority and they now have dedicated resources helping to make sure these things are not threats.”

The days of siloed departments within an enterprise facility are over, Wilmas adds. “A lot of times what is overlooked, especially from the integrator’s perspective, is the security department unfortunately doesn’t have all the funding so it requires buy-in from multiple stakeholders inside the organization. When you look at operational challenges, their customers are these other departments like legal and HR and IT. In order to serve them, they need better technology. Today a corporate vice president of security is not going to be the only entity moving forward with [security] technology or funding.”

MEETING THE NEEDS OF THE ENTERPRISE

While there are no shortage of challenges for the enterprise, both manufacturers and security integrators are stepping up to help enterprise customers overcome them — from easier upgrade paths, to unified solutions and more consultative selling.

“The enterprise customer is demanding more than just what an access control system can provide them in order to solve risk and compliance challenges,” Wilmas says. “That takes an auxiliary set of solutions that have to integrate and work seamlessly with the access system. There is a lot of talk today about unified security management.”

Unified systems let companies focus on just one system through a single pane of glass, Arcuri describes. “There are a majority of our enterprise customers moving over to our unified offering.”

The secret to getting them to do that, he adds, is making sure they understand the benefits. “We have to show them the pain of staying with what they have is greater than the pain of change. If we can get over the hump they can start to see those gains. We also have to show them the hump is not as big as it seems.”

Genetec tries to make things easier by having more open systems, as well as a partnership with Mercury, which is something several manufacturers are getting on board with to help with the upgrade process. “Their bridge strategy allows customers with proprietary systems to just replace the boards,” Arcuri explains. “This has opened up opportunities for companies that hadn’t considered upgrades because it isn’t a forklift change.”

Echols calls this type of change a lobotomy. “We work with customers on lobotomies where we take out the ‘brain’ of the access system and put in a new brain and manufacturers are making it easier to do that.”

Integrators are more involved than ever before in the details of planning for the future, Krumme believes. “I think that a number of our national or global customers are looking for assistance with plans and strategies on implementing standards and better understanding emerging technology,” he says. “We are doing a lot of consultative selling. It is not just about access control and securing your doorways. It is a complete, robust system.”

Enterprise customers are more willing to at least discuss, and sometimes plan for the adoption of some of the newer technologies, particularly cloud and mobile.

“More and more enterprise businesses are comfortable with adopting hosted services,” Arcuri says. 

Wilmas agrees. “There is a big value to hosted solutions. If a security department is looking to make an investment and it will sit on the network, they have to work with IT. IT sees security as a customer and will ultimately bill them internally inside the corporate estate. A lot of organizations are looking at cloud-hosted solutions because when they invest in that it is a capital expenditure. With cloud you are looking at operational expenditure that is subscription-based and very little IT infrastructure is required. The value proposition is stronger.”

Even though there is an appetite, there is little movement, Krumme says. “Cloud-based systems are one of the most discussed topics we hear. But even though cloud is extremely popular it has been somewhat slow to be implemented. ...  That’s not to say it won’t happen. With enough conversation we think it will.”

It depends on your definition of cloud whether the enterprise is adopting it, however, Echols says. “Most of our enterprise customers have gone away from the traditional client/server architecture and basically have an internal cloud. They want less brick and mortar and fewer data centers. Their policy is if they can buy the software as a service that is their first choice. Second they will use someone’s server like Amazon, and third they will host it themselves. It makes it easier to upgrade because they don’t have to worry about how to get 800 desktops upgraded.” 

Mobile is another ongoing conversation, he says. “Mobile credentials are extremely popular. It is great at attention-getting, but we have been pretty slow to implement.”

It will happen, predicts Scott Lindley, general manager, Farpointe Data, Sunnyvale, Calif. “Security professionals creating access control systems need to be aware that 95-plus percent of adults 18 to 44 years own smartphones. That means every smartphone user, or almost everybody, could now easily download an access control credential. No longer will people need various physical credentials to move throughout a facility.”

For enterprise customers particularly, this could have huge benefits as they struggle to standardize on a single credential. For now, most are approaching it in the getting-ready phase, Arrehed says. “We continue to the move to mass adoption of mobile credentials as major enterprises worldwide prepare by ensuring their access control infrastructures are mobile-ready.”

One of the biggest challenges with enterprise customers is helping them keep current with technology, while slowly upgrading them over time. For some this is easier than for others, Krumme says. “We have a project we are working right now where the customer is saying, ‘We are going to put this particular product in because we have it in [other] facilities.’ We tell them, ‘This technology is 10 to 15 years old. What if you used a different platform with more cyber-protection and over time start phasing that into other buildings, instead of installing older technology just because it talks to what you currently have?’”

Krumme says that is a discussion his team has with customers frequently, but thankfully they more frequently understand the benefits of newer technology. “Sometimes the newer technology is even less expensive than some of the older, just not compatible. But more are willing to listen and look at this and make the case to executive management.”