IT Bytes . . .
The introduction of IT-centric solutions for the security arena has sparked
great interest among IT and security professionals alike. Indeed, the
entrance of such systems is already having profound effects on installers
and end users in terms of how they manage, respectively, their businesses
and installations. That being the case, will the debate about what technology
to deploy eventually become irrelevant? John Kirtland of
Quadrant Security Group examines the issues involved.
What is, has been and will be the impact of IT in the security world?
Most articles on this topic have been scripted by product manufacturers,
and tend to focus on technology convergence. Here, I'm going to take
a somewhat different approach.
In theory, there's no discernible difference between the IT and security
industries in terms of how manufacturers take their products to market
but, in practice, the two are very different. IT manufacturers understand
that their role in the value chain is to produce a fantastic product
and then market the living daylights out of it! They train their resellers
to sell, implement and support their product. They also focus on high-level
support to accredited resellers such that the end user receives the
required amount of back-up.
For their part, IT distribution companies have an equally well-defined
role. They don't sell their own branded product because the main manufacturers
would refuse to supply them. Their prime role is to service those resellers
who do not have the capacity to demand a direct relationship with the
manufacturing community.
Within this structure, the end user possesses a very clear view of the
level of expertise and support to which they have access. They can work
with an accredited partner that has all the support mechanisms in-house
to look after their systems, or they can go to a company that buys its
product from a distributor and has little in-house expertise.
Formal channel management
Formal channel management allows the manufacturer to distribute its
product widely while still ensuring that the end user is properly supported.
IT manufacturers no longer sell to every individual customer and then
provide direct support themselves. Many years ago, the IT market recognised
it was a business model that simply wouldn't scale. Our industry is
still very nervous about wholehearted implementation of channel management.
The security industry harbours manufacturers who allow anyone to install
their product(s), regardless of expertise or commitment. They provide
free training, further encouraging a lack of commitment to any professional
standard of implementation and support. Typically, when problems arise
at a later date, the installation company simply doesn't have the skills
- or the commitment to the product - to make it work. Then the manufacturer
steps in to protect its own name.
This chain of events is purely reactive, and doesn't instil professional
standards within our installation and integration community. The result
is utter confusion and a distinct lack of confidence emanating from
the end user.
Due to a limited budget, many manufacturers are understaffed in their
Service Department. These departments struggle to do a reasonable job
of looking after their customers properly, and yet there's no chance
of increasing the size of that team as there's no budget to do so. There's
very little service income unless the manufacturer enters into chargeable
support agreements with its resellers. Even then, these will only materialise
if a formal programme is in place. There is nervousness about putting
a programme in place, and so the whole cycle begins again.
Why are manufacturers nervous? Mainly because they don't want to prevent
anyone from having access to their product even though they readily
admit - albeit behind closed doors - that the majority of installers
who buy the product(s) aren't capable of looking after it/them. They
worry that if they put a programme in place a reseller who isn't accredited
will go elsewhere to buy a competitive product (presumably from a manufacturer
that doesn't have an accreditation programme). What we have created
for ourselves is a market where we compete to the lowest common denominator.
IT channels have implemented recognised levels of accreditation and
management. They operate to the very highest common denominator. That's
where the security industry should be heading.
Differentiation in the markets
IT resellers add value to standard products by building custom applications
on top of standard product offerings. There is little (if any) evidence
of this happening in the security industry because of the reluctance
of manufacturers to band together and create a set of open standards
that will enable products to talk seamlessly. We buy converter boxes
or software so that Camera X can talk to Recorder Y. We become locked
in to a manufacturer and cannot break free without a major 'rip out'.
Reseller differentiation is implemented in a very superficial way by
security manufacturers, resulting in much of the customising work that
needs to be done being carried out by the manufacturer. Resellers struggle
to differentiate themselves from the competition.
You could argue that, by keeping everything proprietary and within your
control, you will survive forever because you have captive customers.
It's a monopoly. Learning from the IT world, however, history would
dictate that these organisations are the first to collapse when open
standards are put in place. As long as manufacturers keep everything
to themselves, there's no opportunity for the reseller to make any real
differentiation, nor a genuine commitment to the product. If there is
little or no commitment, the end result is poor service and support.
We still find manufacturers undertaking the design of the system that
goes in to the bid documents of a reseller who, on achieving success
with the quote, then employs that manufacturer to commission the system.
This is counter-productive and fails our industry. Am I alone in thinking
this to be wrong?
Change is required . . . Now!
We need a profound change of emphasis in security that will create greater
customer value, provide better support to the end user, increase the
professional standing of the discipline and help with the development
of open products.
This change will be initiated when mainstream IT manufacturers make
their move into our market space. They will look to their existing channel
to deploy these new security systems. A number of integrators in the
security industry may also have the opportunity to sign up. When we
do sign up we'll be in for a bit of a surprise. It's likely that we
will have to:
* train and test our engineers every year
* meet stringent accreditation criteria
* have our discounts measured by our accreditation level
* cross-train or recruit IT specialists
* initiate chargeable support requests
* benchmark salaries against the IT industry to hire and retain talent
Our customers will also find things changing . . .
Manufacturers will be expecting customers to have a software support
agreement, otherwise no support will be offered. Support will only be
offered by an approved reseller. The price of support services will
increase as a result of salaries benchmarked against the IT sector.
Traditional security manufacturers will not be unaffected by this change
either. Core products will be threatened by the IT companies. Commodity
edge devices will remain untouched, though, leaving the security manufacturers
to fight over their share of cameras, housings and readers. Their reseller
base will be marginalised and they will have to sign up new IT resellers
for their channel programmes. These programmes could well be lacking
in terms of clarity, rigour and depth.
Distribution companies should also note that their current methods are
going to be subjected to close scrutiny. IT manufacturers will expect
a distributor to manage the smaller reseller community. They cannot
work with anyone who has their own competitive product offering, and
will expect a high level of support to be provided to the smaller resellers
on a chargeable basis. In addition, competition from IT distributors
is going to increase.
Convergence and the end user
The convergence of IT and physical security technologies will have a
profound effect on most end users, who will either determine to embrace
change - and capitalise on the opportunities it offers - or decide to
do nothing as the situation appears too difficult to resolve (it often
involves politics, you see).
Convergence is throwing up a number of questions. For a start, who owns
the business process? Security is a business process. There are goals
and objectives to be reached, and a methodology to be applied to turn
input into outcomes. Who owns those outcomes? The traditional stand-alone
nature of the security system is gradually being eroded. The technology
of today and tomorrow is more complex, and most certainly IT-centric.
Does the Security Department have the skills necessary to look after
it? Does the IT Department want to look after it?
Who owns the budget? Always a contentious issue, of course, but the
answer becomes somewhat less relevant once you have answered the first
two questions.
The process question may seem a tad unnecessary. The real issue to be
clarified is how the security process interlinks with other processes
that interface with it. This includes areas such as Health and Safety,
Human Resources, IR, risk management and so on. All require an interface
with the security process, and may even influence the nature of it.
So . . . The Security Manager still owns the security process, but there's
now a larger number of stakeholders who can (and will) influence how
that process is managed. This is all happening because of the data that
the Security Department's operatives have at their fingertips in electronic
format. Information may well be power, but within today's more enlightened
management teams the real power lies in the sharing and provision of
information.
End users now have a greater desire for 'joined-up thinking', such that
they might use all of the available information within their organisation
to create links and identify trends that, previously, would have been
too difficult to measure. This collaborative working is driving the
integration of IT systems and the sharing of data, and it is in this
area that the in-house security manager may no longer have the sole voice.
In a system that connects outside of the security world, other stakeholders
will influence the solution.
The security manager will no longer be in total control of his or her
own destiny. They will still be seen as the custodian of their part
of this joined-up thinking, though, and will be expected to deliver
their objectives.
The technology aspects regarding which system to buy are going to become
less of an issue as we move through to the next generation of IT-based
security devices. There will always be the edge devices - the cameras,
readers and contacts, etc. In particular, the systems at the core of
the control and management of access, surveillance and associated data
storage are moving away from proprietary platforms to a standard PC
or server platform that could be provided by either the reseller or
the end user. End user purchasing power will play a part in this, as
many corporates take advantage of the deals they already have in place.
Impact on the industry
These trends will have a huge impact on the security industry. IT platforms
may be purchased by anyone in the value chain. End users will have their
own provider, in addition to standards for hardware and operating systems.
What about the deployment of software on a free issued machine?
The practice among security manufacturers who provide software that
runs on third party platforms is to specify and limit those platforms
on which the software will work. Our experience of this has been mixed.
We're nervous, because we're not sure that it's going to do 'what it
says on the tin'.
Moving to an open platform environment will need the manufacturers to
step up their testing before we are all capable of sleeping soundly
at night! They are heading in the right direction, but the steps required
to move from their proprietary system to an 'open platform' add a corresponding
step change in development and testing.
Solution ownership also requires special consideration in this area,
as well as in the service and support area. It's not hard to envisage
the scenario where the end user installs, say, a server and a reseller
then adds to it the software that's supplied by the manufacturer. In
moving towards an open platform with hardware and software supplied
from many sources, we introduce a level of doubt. Finger-pointing over
problems begins.
We should also expand on the need for change control. The discipline
of change control in these IT-centric systems will become more crucial,
and will be particularly relevant when troubleshooting and resolution
are required. We're not great at change control. It's an area in which
we can learn from the practices that are already in place in the IT
industry to improve our professionalism.
When the scope of work is specified, the role and responsibility of each
member of the value chain will need to be carefully discussed and documented.
We may think that we do it now, but we'll need to be more rigorous in
the future. This becomes more complex with the increase in the number
of people involved. The responsibility for making sure that each of
the scopes of work meet to create the finished article rests with the
end user. It is possible, however, for the end user to 'sub-contract'
this responsibility to an integrator to make sure that everything is
covered.
We should introduce the concept of industry-recognised standards in
project management - such as PRINCE. This formal methodology requires
training and accreditation, and is geared around delivering projects
in complex environments. It's commonplace in the IT industry.
Solutions made up of many discrete elements that supposedly work together
in a seamless fashion are more complicated to install and certainly
more difficult to troubleshoot and support.
It's a complex scenario
Consider the example of a server running a security application. The
hardware and operating system have been provided by the IT Department
through its procurement deal and installed by members of the team. The
reseller has used the auto-script process to install the software.
The IT Department has a policy of applying service packs to operating
systems within six months of them becoming available and upgrades the
operating system on the server in line with its policy, which creates
a problem with the security application. The first time the security
manager finds out about this is when his operators report that the system
isn't working correctly, so the first choice of action will be to call
someone. Who do they call?
At the end of the day, we will all need to re-evaluate how we buy and
provide support services. There's a clear distinction between the edge
devices and the core systems. When we reach the core with a number of
manufacturer and end-user provided system elements, the process of troubleshooting
becomes more complex. Resolution will not always be straightforward.
The response time Service Level Agreement will be supplemented by a
diagnosis or 'workaround' metric. Until we know the nature and extent
of the problem, how can we send the right engineer, from the correct
stakeholder, to resolve the fault?
Remote access for fault determination is readily available but, sadly,
often not put in place for obvious reasons. Most of those reasons can be overcome
by deploying the correct level of network security systems.
ITIL: what will it mean?
The IT industry will influence us through the introduction of ITIL (an
IT industry model for support teams, call management and escalation).
The practitioners must be trained and accredited.
We mustn't ignore the pace of technological change and its delivery
to the marketplace. As the security industry continues to embrace digital
systems, so the ease of product development and launch has increased.
It is going to be even harder to know when to buy a new technology.
The fear is that kit is out-of-date before it's even commissioned!
Aside from the difficulty in making the technology decision, it also
adds a level of difficulty to our abilities - that's all of us . . .
end user, reseller and manufacturer - to keep abreast of the latest
systems, service them well and support them in a professional manner.
As a result, we'll witness resellers and integrators offering fewer
brands so that they can maintain their market knowledge.
Our end users have a much harder time of it because they simply don't
have enough hours in the day to keep up-to-date. It's more likely that
their buying decisions will be swayed by the name of the manufacturer
rather than the product itself. Remember the old adage: 'No-one ever
lost their job for buying IBM.'
John Kirtland is the Group Sales and Marketing Director for Quadrant
Security Group (http://www.qsg.co.uk).