The Bigger Picture of Enterprise Access Control
What’s changed in the world of enterprise access control? And how can security integrators make sure they are doing the most for their largest customers?
As anyone who operates in the enterprise space already knows, enterprise-level access control is not just a bigger version of the SMB market. While everything about enterprise access control is indeed bigger, it is also much more complex, from the systems you choose to secure it, to other business operations it needs to integrate with, to who ultimately is the decision maker.
And like most of the world today, the enterprise is not immune to the fast-paced world of technology. Customers want all the latest and greatest things; but with thousands or even hundreds of thousands of cards and readers — not to mention back-end systems — in play, it is almost always not a simple upgrade. And it is the security integrator’s job to figure out how to get the customer to where they want to be, tomorrow or 10 years down the road.
John Moss, chief product officer, LenelS2, Framingham, Mass., says, “The enterprise is flattening. Most enterprises today consist of a small number of large facilities and a large number of small ones. This trend means that enterprises that were focused on a small number of large facilities now have many more facilities with which to contend. Enterprise access control systems need to be capable of addressing these requirements by offering scalable, flexible and open systems that offer customers choices.”
Integrator Ed Heisler, president, Facility Control Systems, St. Charles, Mo., agrees. “Because of the nature of large enterprises with several remote sites operated by different business units, and the lifecycle and new developments of technology, upgrades are seemingly constant — especially with acquisitions and expansions.”
That is not all that is driving upgrades these days. The issue of cyber security is huge in the enterprise. As more security systems, including access control, sit on the IT network, enterprise IT customers are realizing the vulnerability that is inherent in these legacy access control systems, some of which could be 15 or 20 years old.
“Customers are looking to upgrade their systems because of the issues surrounding their legacy deployments and the cyber threats they may represent,” says Matt Barnette, president, Mercury Security, part of HID Global, Long Beach, Calif.
And as they do that they are looking hard at what is next, and what more can be done. For many, this includes some of the hot button topics of the industry, such as big data, IoT, unified systems, business intelligence and identity.
“We are reaching a point in time where the industry is experiencing a boom in technological growth,” says Tim Vahary, product and marketing manager, RS2 Technologies, Muncie, Ind. “This, in turn, has provided a real impetus for organizations to change. Features that were once considered to be a luxury are now indispensable in a modern facility and they are looking to maximize efficiency and security by adopting new technologies … Tools revolving around mobile, biometrics and the cloud are now starting to be both trusted by end users more readily and are starting to stabilize at lower prices … These factors, in conjunction with the added value of higher security and a better overall experience, have been serving as a catalyst for enterprise organizations to adopt these new features and redefine their entire access control infrastructure.”
Another motivating factor — at least in some sectors of the enterprise — is increasing reporting and regulation requirements, says Despina Stamatalos, product marketing manager, access control, Genetec, Montreal. “The average lifecycle of an access control system is about 10 years. Rules and regulations have changed in that time and the reasons they installed the system 10 years ago may not answer today’s reasons … We are seeing more government and industry mandates that force customers to upgrade.”
For these customers in particular, unified systems — those with access and video and possibly more systems designed to work seamlessly together on one platform — are particularly a draw, adds Eric Green, chief product owner, enterprise solutions, Honeywell Building Technologies, Atlanta. “A lot of customers don’t want to have to learn three, four or five systems to manage all this; they are looking for ways, if not one system that can do it all, then one that can take or provide input from other systems so it can be managed from a single point,” he says.
“I think now more than ever clients want to see that truly unified platform,” agrees integrator Jorge Lozano, CEO, Condortech Services Inc., Fairfax, Va. “Our clients also expect a certain level of intelligence and intuitiveness from an enterprise PACS … Clients want to be able to verify the credential with an actual identity of a person. They want to know if that person has swiped in more than once today. They want to be able to revoke or grant permissions instantaneously.”
George Grammer, strategic product manager for access control, intercom and integration systems North America, for integrator Johnson Controls, Boca Raton, Fla. also sees more enterprise customers looking at unified solutions, but says the ultimate desire is choice. “Customers want lots of choices. They want to include mobile. They like unified platforms now … If they are going to go through a rip and replace upgrade they might as well dig deep and make the changes to get the end result they are looking for. No one wants a 1-2-3 step upgrade. They want a single step.”
While the good news is that enterprise customers — often described as “big ships” that don’t move or turn easily — are more interested in change and upgrades, this does put more of a challenge on both the integrator and the manufacturer. “They are demanding more of us, both the manufacturers and integrators,” says Rick Focke, director of enterprise access control, global security products, Johnson Controls, Milwaukee. “They want to make sure they get the most benefit out of their investment. They don’t want it to just give access control privileges but also provide other information, such as how many people are in the building? What is the occupancy rate?”
As more enterprises look to upgrade or plan for upgrades to their access control systems — or even their whole security ecosystem — this puts the security integrator front and center in every aspect from strategizing to making it happen. What are some of the biggest challenges integrators face today?
“The integration — true integration — with so many disparate applications,” says Nathan Schwab, president, Care Security Systems Inc., Montebello, N.Y. “There is an incredible amount of resources and costs for putting together and building these systems … We see many integrators and customers who don’t recognize the strategic planning [that goes into] enterprise integrated systems … putting the moving parts together in order to come up with a solution that is priced for budget and time and setting the expectation for what the outcome will look like.” This is a constant challenge, he says.
“Really the biggest challenge is providing an end-to-end solution that can integrate into the organization and provide operational efficiencies and situational awareness without creating an additional burden on the organization,” says Justin Wilmas, senior director of global sales, AMAG Technology, Torrance, Calif. Wilmas adds that access control is the traditional center of the security ecosystem of the organization, and increasingly the business overall.
“Everyone wants to be integrated into a single unified system, but with that comes challenge and complexity; and if you are adding complexity to the user inside the organization you are actually creating another problem,” Wilmas says. This means the integrator not only has to make sure the solution works, but that it is easy to use.
Another issue for integrators is the growing list of stakeholders within the enterprise with whom they have to interact — and converse knowledgeably. IT is an obvious one, and most integrators that work in the enterprise space have gotten a good handle on “IT speak.” But what about HR? Legal and compliance? It is frequently the case that all these departments, in addition to security, have not only a say, but are part of the funding of the whole upgrade.
“The reality is out of all those departments IT has the most funding,” Wilmas says. “It is very important we are partnered with IT in order to utilize that. But there are other key stakeholders or departments that are very important in getting funding.”
Stamatalos agrees. “One of the biggest challenges for integrators is who do they actually speak to? Who are the decision makers within the organization? In the past it was the security director but now we are seeing a lot more players.”
Beyond that, end users are more involved and educated about the process, she adds. “We are seeing end users are much more knowledgeable about the technology. They do their research before they speak to integrators. They talk to us at trade shows. They know what is out there, so the integrator needs to be up to date with the latest technologies and be able to add value to the information the end user already has.”
Green adds that this knowledge needs to be more specific than in the past as well. “One of the biggest things I see for enterprise integrators is the expectations for understanding the customer’s end-to-end business is higher. They are expected to have a knowledge of the business itself and the particular security needs of that type of business. They are expected to work with the IT teams and understand the IT infrastructure … Those who succeed are those who can take in that view and start to map out solutions that provide value to the end user.”
While more funding might be available today than in the past, there are also more places to spend it, meaning the integrator has to be able to coherently explain to each stakeholder how their solution will help them.
“There is some budget that customers are able to get to improve the system, but unfortunately most of them need to bring that message to upper management to highlight the risk [and reward],” says Francois Brouillet, product manager, Genetec — even then there are no guarantees. “A lot of our customers are still using technology like proximity and Wiegand. When we highlight that they are vulnerable they know, but don’t have the capability to re-card everybody or the budget to change all the readers … No one has a magic chest to pull money out of.”
One issue many organizations are willing to spend money on is cyber security. But that can be a double-edged sword for integrators who are only in recent years getting a handle on the issue themselves, or who may view it as a negative rather than an incentive.
“It could be argued that cyber security is now the most critical aspect of enterprise access control and security solutions,” says Eric Widlitz, vice president, North American sales, Vanderbilt, Parsippany, N.J. “Customers are more knowledgeable on this topic than ever before and they demand manufacturers and integrator partners that are confident in their abilities to protect their physical systems against the latest cyber threats.”
One thing is for sure, however. The issue of cyber security will only grow in importance and will become an increasing part of the process for manufacturers and integrators alike.
“The role of cyber security in enterprise customer deployments has now become embedded into every discussion,” Barnette says. “Nothing can be deployed, upgraded or modified without a review of the cyber-hardness of a product. The acceleration of these discussions, and the depth of the questions and information enterprise customers want, is commiserate with the threat. We expect this to increase over time.”
Last but not least, the relationship between the integrator and the enterprise customer has undergone a shift in recent years. More and more the term “consultative sale” is used, and the emphasis on the service side is often the differentiator between a happy or dissatisfied client.
“Organizations face a constantly changing array of pressures from multiple sources,” says John Szczygiel, executive vice president and COO, Brivo, Bethesda, Md. “Savvy CIO/CSOs are building lithe organizations with systems and infrastructure capable of responding to threats and capitalizing on opportunities with amazing speed. Integrators are challenged to keep up with this pace by bringing a continuous stream of new ideas and capabilities to help enterprise customers respond effectively to these pressures.”
Heisler refers to a “relationship of trust” with his enterprise clients. “Having the presence that our national and multi-national/global clients have requires us building a reliable network of talent (including partners) and building a relationship of trust with the customer — every day, so they and their customers know we have their best interests at heart and are working to create value for them.”
Words of Advice
One of the trickier aspects of the integrator’s job when it comes to working with enterprise access control clients is managing expectations relative to budget and time. Often projects are protracted over months if not years, so it is paramount to future-proof as much as possible.
“Upgrading to include the latest technology allows our customers the ability to efficiently integrate with other solutions and future-plan by providing the opportunity for growth and scalability,” Widlitz says. “It’s critical for integrators to work closely with customers from the very beginning of an implementation to find out what they want their systems to do in five to 10 to 15 years so that they can deliver solutions that can evolve appropriately. For example will a customer want to transition from proximity credentials to smart cards or mobile credentials?”
“The phrase we have come up with is the least cost of deployment with the least cost of ownership,” Wilmas says. “What [integrators] should be doing is providing a solution that can introduce automation around unified security, access control, situational awareness, identity management, etc., because that is what is paramount to enterprise customers today. It’s about having something that solves problems versus creating problems.”
Wilmas suggests doing a “planning workshop” with clients. “You have to involve all these different stakeholders so you really understand how their organization works. You do that by tying all these people into that workshop where you start at the beginning with questions such as: ‘Tell me what types of identities you have?’ ‘How do they get in and who makes the decisions on access levels?’ ‘Who is monitoring and approving that?’ ‘What compliance initiatives do you have?’
“Understand what is important to that organization so when you are bringing in a solution you can tie it to each component of that problem and provide value to each of those stakeholders. In the past we just locked down a door with access control, but we never asked, ‘Why? What is the reason behind it?’ You don’t get that answer without having an intimate understanding of how that organization works.”
Justin Norris, access control product manager, DMP, Springfield, Mo., agrees. “One of the major hurdles in the enterprise access world is to understand what your customer is using currently, what you are bringing to the table and what the advantages of that [solution] are. That is what sets you apart between integrators.”
Schwab offers this advice: “Don’t be selling. Be a consultant and a resource. Don’t sell products; sell solutions to problems. The products themselves should never be the primary focal point. What value does your recommendation actually provide? What real world pain do you make un-painful?”
Truly enterprise projects often require partnerships beyond just the integrator and the customer. Sometimes this means working with other integrators or contractors in different parts of the world, says Carl Stark, president and general manager, global accounts division, Security 101, West Palm Beach, Fla. “If integrators are going to work with a global client, there will be an expectation for enterprise-wide service capabilities. You could install a system using a subcontractor, but when that sub completes the project, the warranty period begins and service and maintenance become very important. Don’t commit to install an enterprise-class access control system and not be able to provide the service and maintenance that follows. The customer relationship will quickly fail if the integrator falls flat on its ability to perform service.”
Enterprise projects sometimes require the integrator to stretch their envelope, Vahary says. “Enterprise customers have the widest array of expectations and requirements. In order to sell a system and keep a happy customer, the integrator must fully understand all facets of a system and exactly what a customer requires … This sometimes means working outside of their comfort zone and exploring new solutions and technologies instead of selling the status quo.”
One of their best tools for this can be their manufacturer partner, says Steve Wagner, president, Open Options, Addison, Texas. “They should rely more heavily on the pre-sales capabilities of their systems provider,” he suggests. “Build their services into your project pricing to ensure smooth system startup and an initial user experience. Be prepared and willing to share the customer with your manufacturer. The better care provided to the client, the longer they stay a client.”
This is advice Heisler takes to heart. “It’s our job to figure out how best to use new products to benefit our customers and track what the industry is saying about the new technology. Luckily in the realm of enterprise security, many manufacturers are more than willing to help facilitate with the sales/training and diagnostic process to facilitate the use and promotion of their products.”
But in the end it is ultimately up to the security integrator to deliver what the enterprise customer is looking for. If they can do that, they will be in good shape.
Lozano says that integrators should be a “strong source of expertise in any given room, and not be so quick to close a sale. Every integrator knows to survey a site and ask compliance questions, but the pivot is to figure out how the integrator and the enterprise will measure success. Establishing the metrics for the engagement is crucially important and often overlooked. What will we measure besides budget? How will we handle change management? How will we provide value to the enterprise? What other areas of the business can we help through security technology? At the end of the day, we know the technologies will come and go. But you solidify yourself in your client’s minds if they receive a level of expertise and adaptable services from you no matter which direction you want to go.”