Working with IT on Access Control

Manufacturers and physical security pros must adjust to the IT world

Manufacturers Step Up
Why haven’t the top-tier manufacturers updated their systems in response to these demands from IT professionals? Many of these systems were initially designed perhaps 20 or more years ago — long before most of today’s IT standards were even proposed. Bolting on today’s standards in ways that enable the existing investments to stay in place is often unwieldy and oftentimes impossible. Sometimes, the code for these legacy systems has been patched and extended to the point of no return. Notably, a few top-tier access control products of more recent vintage are better able to support IT standards and have benefited with increased market share.

Concurrently, each top-tier manufacturer has developed, or is in the process of developing, a new product that meets many of the IT industry demands for standards. The problem is, this effort is taking a long time. The history of new product development in the security industry seems to predict at least 18 months to get the product out the door and at least another year to get feature sets working robustly. Usually, the new product initially supports only a subset of existing panels with legacy support coming much further down the road, if at all.

Complicating the matter, many of the major players in the access control market have acquired multiple legacy access lines and are attempting to develop one product that will support each of these investments. Ironically, IT staffs often perceive physical access control applications to be trivial database applications — something that could be developed with a few months of focused effort.

IT professionals generally understand their industry’s standards in addition to industry trends. They often lean toward products that embrace IT industry trends — some of which are disruptive to the traditional security marketplace. One example is the trend toward moving intelligence to the edge of the network. For access control, that means pushing some of the intelligence that we traditionally put in access panels into the card readers located at the door. This allows the possibility of a system that can more easily scale from a few doors to tens, hundreds and thousands of doors without reconfiguration. This trend could disrupt the growth prospects of traditional access panel sales and might not be eagerly embraced by their manufacturers.

Instead, we see the card reader companies carefully introducing these intelligent card readers into the marketplace. These new products may not offer the full range of features supported by current access panels, but edge readers fit into the way IT looks at the world in terms of IP network infrastructure. More full-featured products are likely to soon emerge.

The IP Trend
A second trend is the move away from the client-server architecture and toward embedded, Web-based network appliances. For many applications, this eliminates the need for a separate security server and looks to the IT professional like one of his intelligent network routers. Manufacturers employing this approach have been taking market share from the traditional client-server manufacturers for at least the past year.

Yet another disruptive trend in our industry is lock manufacturers building card readers directly into their locksets. The next step is building IP-based locks that are combination card reader/control panels that can work over a wireless network. The rule of thumb in the security industry is that the installed cost of adding card access to a door runs between $2,500 and $3,000. IP-based locksets offer the prospect of cutting that cost in half and creating entirely new markets for access control. While early in their evolution and not appropriate for all applications, this example of pushing intelligence to the edge of the network will likely be a game-changer for the security industry.

One of the truisms in technology is that trends and transitions do not happen as fast as we initially think they will, and yet when they do happen, we find that we had greatly underestimated their impact. When the trend finally reaches its tipping point, the effects are often more profound than we had imagined.

The Death of Legacy Systems?
While the days of the large legacy access control systems may be numbered, they are not going away anytime soon. Despite the pressure from the IT staff, most corporate executives are loath to change out a six- or seven-figure investment while it is still functioning at full capacity. Manufacturers will find compelling ways to extend the useful lives of these investments. The newer IT-based access control solutions will find traction most often in new “greenfield” projects and the transition from the legacy systems will largely come through attrition.

So what we are seeing is IT people pushing decisions on access control that are based on how well the solutions fit into their standards and trends. And sometimes the security side of the operation may suffer for that. But things will evolve. The features will become more robust on the new emerging architectures; however, we are not there yet. So, a security director may need to be vocal and willing to fight for those critical features and functions.

But the change has begun. At a recent conference, I was talking with a security consultant who told me about a long-term client of his that requested he design a security package and specifications for a new data center. Two integrators were invited to bid — a security system integrator and an IT integrator. Both had established relationships with the client. Even though his price was higher, the IT integrator won the job because the decision makers were more comfortable with his knowledge of their networks, standards, policies and procedures. This is a cautionary tale for security integrators.

The bottom line for security directors, CSOs and system integrators is this — you have to get up to speed on the IT side of the business. If you are competent, the IT folks will be willing to work with you or at least listen. If you know their language and their standards and you propose things that make sense from their point of view, then you will be a friend. You may know the best place to position cameras, but if you do not know the IT jargon, in their eyes you do not know what you are talking about.

If all you know is legacy equipment and you cannot understand the IT objections to it, you are going to be left outside the door. Yet the IT staff probably knows very little about security in general, much less the many specific needs (like life safety codes) of an access control system.

So stay involved and remain relevant in the new world order. Learn how to apply your wealth of security knowledge using the emerging IT-centric trends and standards.