IT bytes...

What is, has been and will be the impact of IT in the security world? Most articles to date on this topic have been scripted by product manufacturers, and tend to focus on technology convergence. Here, we’re going to take a somewhat different approach.

In theory, there’s no discernible difference between the IT and security industries in terms of how manufacturers take their products to market but, in practice, the two are very different. IT manufacturers understand that their role in the value chain is to produce a fantastic product and then market the living daylights out of it! They train their resellers to sell, implement and support their product. They also focus on high-level support to accredited resellers such that the end user receives the required amount of back-up.

For their part, IT distribution companies have an equally well-defined role. They don’t sell their own branded product because the main manufacturers would refuse to supply them. Their prime role is to service those resellers who do not have the capacity to demand a direct relationship with the manufacturing community.

Within this structure, the end user possesses a very clear view of the level of expertise and support to which they have access. They can work with an accredited partner that has all the support mechanisms in-house to look after their system, or they can go to a company that buys its product from a distributor and has little in-house expertise.

Formal channel management

Formal channel management allows the manufacturer to distribute its product widely while still ensuring that the end user is properly supported. IT manufacturers no longer sell to every individual customer and then provide direct support themselves. Many years ago, the IT market recognised it was a business model that simply wouldn’t scale. Our industry is still very nervous about the wholehearted implementation of channel management.

The security industry harbours manufacturers who allow anyone to install their product(s), regardless of expertise or commitment. They provide free training, further encouraging a lack of commitment to any professional standard of implementation and support. Typically, when problems arise at a later date, the installation company simply doesn’t have the skills – or the commitment to the product – to make it work. Then the manufacturer steps in to protect its own name.

This chain of events is purely reactive, and doesn’t instil professional standards within our installation and integration community. The result is utter confusion and a distinct lack of confidence emanating from the end user.

Due to a limited budget, many manufacturers are understaffed in their Service Department. These departments struggle to do a reasonable job of looking after their customers properly, and yet there’s no chance of increasing the size of that team as there’s no budget to do so. There’s very little service income unless the manufacturer enters into chargeable support agreements with its resellers. Even then, these will only materialise if a formal programme is in place. There is nervousness about putting a programme in place, and so the whole cycle begins again.

Why are manufacturers nervous? Mainly because they don’t want to prevent anyone from having access to their product even though they readily admit – albeit behind closed doors – that the majority of installers who buy the product(s) aren’t capable of looking after it/them. They worry that if they put a programme in place a reseller who isn’t accredited will go elsewhere to buy a competitive product (presumably from a manufacturer that doesn’t have an accreditation programme). What we have created for ourselves is a market where we compete to the lowest common denominator.

IT channels have implemented recognised levels of accreditation and management. They operate to the very highest common denominator. That’s where the security industry should be heading.

Differentiation in the markets

IT resellers add value to standard products by building custom applications on top of standard product offerings. There is little (if any) evidence of this happening in the security industry because of the reluctance of manufacturers to band together and create a set of open standards that will enable products to talk seamlessly. We buy converter boxes or software so that Camera X can talk to Recorder Y. We become locked-in to a manufacturer and cannot break free without a major ‘rip out’.

Reseller differentiation is implemented in a very superficial way by security manufacturers, resulting in much of the customising work that needs to be done being carried out by the manufacturer. Resellers struggle to differentiate themselves from the competition.

You could argue that, by keeping everything proprietary and within your control, you will survive forever because you have captive customers. It’s a monopoly. Learning from the IT world, however, history would dictate that these organisations are the first to collapse when open standards are put in place. As long as manufacturers keep everything to themselves, there’s no opportunity for the reseller to make any real differentiation, nor a genuine commitment to the product. If there is little or no commitment, the end result is poor service and support.

We still find manufacturers undertaking the design of the system that goes in to the bid documents of a reseller who, on achieving success with the quote, then employs that manufacturer to commission the system. This is counter-productive and fails our industry. Am I alone in believing this to be wrong?

Change is required... Now!

We need a profound change of emphasis in security that will create greater customer value, provide better support to the end user, increase the professional standing of the discipline and help with the development of open products.

This change will be initiated when mainstream IT manufacturers make their move into our market space. They will look to their existing channel to deploy these new security systems. A number of integrators in the security industry may also have the opportunity to sign up. When we do sign up, we’ll be in for a bit of a surprise. It’s likely that we will have to:

• train and test our engineers every year
• meet stringent accreditation criteria
• have our discounts measured by our accreditation level
• cross-train or recruit IT specialists
• initiate chargeable support requests
• benchmark salaries against the IT industry to hire and retain talent.

Our customers will also find things changing... Manufacturers will be expecting customers to have a Software Support Agreement, otherwise no support will be offered. Support will only be offered by an approved reseller. The price of support services will increase as a result of salaries benchmarked against the IT sector.

Traditional security manufacturers will not be unaffected by this change, either. Core products will be threatened by the IT companies. Commodity edge devices will remain untouched, though, leaving the security manufacturers to fight over their share of cameras, housings and readers. Their reseller base will be marginalised and they will have to sign-up new IT resellers for their channel programmes. Those programmes could well be lacking in terms of clarity, rigour and depth.

Distribution companies should also note that their current methods are going to be subjected to close scrutiny. IT manufacturers will expect a distributor to manage the smaller reseller community. They cannot work with anyone who has their own competitive product offering, and will expect a high level of support to be provided to the smaller resellers on a chargeable basis. In addition, competition from IT distributors is going to increase.

Convergence and the end user

The convergence of IT and physical security technologies will have a profound effect on most end users, who will either determine to embrace change and capitalise on the opportunities it offers – or decide to do nothing as the situation appears too difficult to resolve (it often involves politics, you see).

Convergence is throwing up a number of questions. For a start, who owns the business process? Security is a business process. There are goals and objectives to be reached, and a methodology to be applied to turn input into outcomes. Who owns those outcomes? The traditional stand-alone nature of the security system is gradually being eroded. The technology of today and tomorrow is more complex, and most certainly IT-centric.

Does the Security Department have the skills necessary to look after it? Does the IT Department want to look after it?

Who owns the budget? Always a contentious issue, of course, but the answer becomes somewhat less relevant once you have answered the first two questions.

The process question may seem a tad unnecessary. The real issue to be clarified is how the security process interlinks with other processes that interface with it. This includes areas such as Health and Safety, Human Resources, IT, risk management and so on. All require an interface with the security process, and may even influence the nature of it.

So... The security manager still owns the security process, but there’s now a larger number of stakeholders who can (and will) influence how that process is managed. This is all happening because of the data that the Security Department’s operatives have at their fingertips in electronic format. Information may well be power, but within today’s more enlightened management teams the real power lies in the sharing and provision of information.

End users now have a greater desire for ‘joined-up thinking’, such that they might use all of the available information within their organisation to create links and identify trends that, previously, would have been too difficult to measure. This collaborative working is driving the integration of IT system and the sharing of data, and it is in this area that the in-house security manager may no longer have the sole voice. In a system that connects outside of the security world, other stakeholders will influence the solution.

The security manager will no longer be in total control of his or her own destiny. They will still be seen as the custodian of their part of this joined-up thinking, though, and will be expected to deliver their objectives.

The technology aspects regarding which system to buy are going to become less of an issue as we move through to the next generation of IT-based security devices. There will always be the edge devices the cameras, readers and contacts, etc. In particular, the systems at the core of the control and management of access, surveillance and associated data storage are moving away from proprietary platforms to a standard PC or server platform that could be provided by either the reseller or the end user. End user purchasing power will play a part in this, as many corporates take advantage of the deals they already have in place.

Impact on the industry

These trends will have a huge impact on the security industry. IT platforms may be purchased by anyone in the value chain. End users will have their own provider, in addition to standards for hardware and operating systems. What about the deployment of software on a free issued machine?

The practice among security manufacturers who provide software that runs on third party platforms is to specify and limit those platforms on which the software will work. Our experience of this has been mixed. We’re nervous, because we’re not sure that it’s going to do ‘what it says on the tin’.

Moving to an open platform environment will need the manufacturers to step up their testing before we are all capable of sleeping soundly at night! They are heading in the right direction, but the steps required to move from their proprietary system to an ‘open platform’ add a corresponding step change in development and testing.

Solution ownership also requires special consideration in this area, as well as in the service and support area. It’s not hard to envisage the scenario where the end user installs, say, a server and a reseller then adds it to the software that’s supplied by the manufacturer. In moving towards an open platform with hardware and software supplied from many sources, we introduce a level of doubt. Finger-pointing over problems begins.

We should also expand on the need for change control. The discipline of change control in these IT-centric systems will become more crucial, and will be particularly relevant when troubleshooting and resolution are required. We’re not great at change control. It’s an area in which we can learn from the practices that are already in place in the IT industry to improve our professionalism.

When the scope of work is specified, the role and responsibility of each member of the value chain will need to be carefully discussed and documented. We may think that we do it now, but we’ll need to be more rigorous in the future. This becomes more complex with the increase in the number of people involved. The responsibility for making sure that each of the scopes of work meet to create the finished article rests with the end user. It is possible, however, for the end user to ‘sub-contract’ this responsibility to an integrator to make sure that everything is covered.

We should introduce the concept of industry-recognised standards in project management – such as PRINCE. This formal methodology requires training and accreditation, and is geared around delivering projects in complex environments. It’s commonplace in the IT industry.

Solutions made up of many discreet elements that supposedly work together in a seamless fashion are more complicated to install and certainly more difficult to troubleshoot and support.

It’s a complex scenario

Consider the example of a server running a security application. The hardware and operating systems have been provided by the IT Department through its procurement deal and installed by members of the team. The reseller has used the auto-script process to install the software.

The IT Department has a policy of applying service packs to operating systems within six months of them becoming available. Meanwhile, the IT Department upgrades the operating system on the Linux server in line with its policy, which creates a problem with the security application. The first time the security manager finds out about this is when his operators report that the system isn’t working correctly, so the first choice of action will be to call someone. Who do they call?

At the end of the day, we will all need to re-evaluate how we buy and provide support services. There’s a clear distinction between the edge devices and the core systems. When we reach the core with a number of manufacturer and end user-provided system elements, the process of troubleshooting becomes more complex. Resolution will not always be straightforward. The response time Service Level Agreement will be supplemented by a diagnosis or ‘workaround’ metric. Until we know the nature and extent of the problem, how can we send the right engineer, from the correct stakeholder, to resolve the fault?

Remote access for fault determination is readily available but, sadly, often not put in place for obvious security reasons. Most of them can be overcome by deploying the correct level of network security systems.

ITIL: what will it mean?

The IT industry will influence us through the introduction of ITIL (an IT industry model for support teams, call management and escalation). The practitioners must be trained and accredited.

We mustn’t ignore the pace of technological change and its delivery to the marketplace. As the security industry continues to embrace digital systems, so the ease of product development and launch has increased. It is going to be even harder to know when to buy a new technology. The fear is that kit is out-of-date before it’s even commissioned!

Aside from the difficulty in making the technology decision, it also adds a level of difficulty to our abilities – that’s all of us... end user, reseller and manufacturer to keep abreast of the latest systems, service them well and support them in a professional manner. As a result, we’ll witness resellers and integrators offering fewer brands so that they can maintain their market knowledge.

Our end users have a much harder time of it because they simply don’t have enough hours in the day to keep up-to-date. It’s more likely that their buying decisions will be swayed by the name of the manufacturer rather than the product itself. Remember the old adage: “No-one ever lost their job for buying IBM”.