Face Forward and Watch Your Back

Oct. 27, 2008

For the foreseeable future, the need for security products and services will continue to increase. However, new industry expansion is not likely to mirror the expansion of past years. Security needs drive the industry's growth, but four critical factors shape it: technology development, competition, customer expectation and demands and investor interest. Convergence has significantly changed the scope and direction of these factors.

A Security Stock Watch
SecurityStockWatch.com (SSW) is an independent leading research and analysis firm specializing in the security industry. The SSW 100 Index is the only market index dedicated to the security industry, and it has sharply outperformed the Dow, Nasdaq and S&P 500 on a consistent basis since 2002. Full details of the index are contained in an SSW report titled, "Profitability Survey, Research and Analysis of the Security Industries," available for free download at www.securitystockwatch.com.

For investors, this is good news, because in prior years it has been difficult to get a handle on the security industry from an investment perspective. One reason for the excellent performance of the index is that it goes well outside the categories of companies that most of us associate with security. The stocks fall into these groupings:

* Biodefense (11 companies)
* Environmental Security (13 companies)
* Fraud Prevention (23 companies)
* Military Defense (18 companies)
* Network Security (18 companies)
* Physical Security (17 companies)

This author reclassified the companies on the SSW 100 Index to reflect the type of company providing the solution as opposed to the security area to which the solution belongs. The purpose of the reclassification was to help identify convergence factors relating to the index. Figure 2 shows the results.

Fifty-three companies more than half of the index are IT sector companies. Some of the companies counted in more than one category.

The SSW 100 Index included IT companies to achieve growth and performance. Likewise, most of today's security manufacturers, integrators and consultants must eventually reach out to embrace some aspects of IT. If they do not, they risk losing business to an expanding pool of competition.

IT Integrators Take On Physical Security
IT systems integrators have been eyeing physical security projects for two reasons. First, physical security is an important part of information systems security. Second, physical security systems are increasingly becoming computer-based and network-based. Physical access control projects often interface with human resources systems, increasingly for the purpose of integrating physical and logical user provisioning (assignment of access privileges). This type of IT integration provides an increased ROI for physical security access control systems that are capable of being integrated. The IT side is more complex than the physical security side, which has comparatively few computers. This has led IT integrators to conclude that if they can handle the IT side, they can handle the physical security side, especially for IP-based systems.

The annual IT project revenues of each of the eight largest IT systems integrators exceed the combined revenues of the top 100 physical security systems integrators. Certainly they have the financial wherewithal to incorporate physical security products and services into their businesses.

In the Digital Video Arena
IP-based digital video systems have opened the physical security door for many IT systems integrators. For example, Cisco Systems Inc. recently completed a project to migrate its 2,600 cameras from a proprietary DVR solution to a network-centric Lenel Systems software application, which Cisco Security Operations controls and Cisco IT supports from its existing server and network operations centers. Prior to the project, Cisco's Safety and Security department stored digital video on DVRs. The system grew until the Security, Technology, and Systems (STS) department found itself managing more than 330 servers at Cisco facilities worldwide.

The department was overburdened by the need to keep so many servers online and up to date with the latest software patches. "One hardworking IT administrator can take care of 100 boxes, and we had three times that many," said Ken Lang, STS video program manager.

"One morning, IT informed us that about a third of our [DVR] servers were infected," said Lang. "That was our wake-up call to abandon the silo' support model, where we purchased and self-managed equipment, and instead to work closely with IT to deploy standard server equipment for CCTV."

Cisco selected IBM Global Service Delivery (the world's largest information technology services and consulting provider) as the implementation arm for the new solution.

The benefits of Cisco's migration to CCTV over IP include the following.

Video storage requirements were lowered by 60 percent, representing $500,000 in savings. The new system reduces storage volume requirements because it has the intelligence to store video only if motion is detected.

Operational risks were mitigated by expediting maintenance and repair. "When a proprietary box broke, we had to dispatch local security integrator technicians, who often were unfamiliar with our site requirements, to come on site and work with in-house video system technicians," said Deon Chatterton, program manager for the STS group. "Remediation might take five days or longer. Now we have a two-hour response and 24-hour turnaround for repair."

Maintenance costs were reduced by 20 percent because Cisco IT has economies of scale and spends less time monitoring and maintaining servers.

System security was increased. "Now that we're standards-based, the system is much more secure," said Chatterton. "Network protection and virus definitions are implemented as soon as available instead of when we get to it." Cisco IT has contracted through IBM to provide remote security-related updates. The system has paid for itself more than once by enabling the Safety and Security department to apprehend people who had stolen equipment and then recover the stolen property.

IT Projects for Biometrics and ID Systems
A visit to the Web sites of smart card makers reveals that their marketing efforts are mainly oriented towards IT departments. For example, the current home page of the ActivCard Web site states, "ActivCard is a leading global provider of strong multi-factor authentication, password management, and trusted digital identities with market-designed solutions for Governments, Enterprises, and Financial Institutions"

ID badging systems have traditionally been in the province of physical security. Within recent years, however, they have increasingly become IT projects. Biometric security for PCs and networks, including fingerprint scanners built into keyboards, means that there will be far more biometric security devices employed for logical security than for physical security.

BAS Companies Move In
It's not just the IT sector that is bringing new competition for physical security projects. The #1 company on Security Distributing and Marketing magazine's list of 2004 Top System Integrators is Siemens Building Technologies a building controls company for which security systems projects account for less than 20 percent of total company revenue.

Two major security companies, GE Security and Bosch Security Systems, have released products designed to facilitate integration of HVAC, lighting, fire alarm and security systems. They are Facility Commander from GE and System 3T Building Management Solution from Bosch. The integration for both is based upon OLE for Process Control (OPC), a well known standard in industrial automation and building controls. OPC is a series of standards specifications available from the OPC Foundation. Architect and engineering firms increasingly require product specifications compliant with OPC, and since security systems are part of building controls, it makes sense to support OPC integration capability.

Financial Sector Interest
John E. Mack III, co-founder and CEO of USBX Inc. and former CEO of Protection One (one of the largest monitored security services in North America), said in a May 2004 interview with SecurityStockWatch.com, "The convergence of digital technology with security systems has spurred capital investing in security equipment. Security systems with digital technology can yield heightened productivity because things like video surveillance can be done much more effectively today."

Mack also said, "And we've seen a more recent trend where companies involved in IT integration work are looking at the intersection of physical and logical security, or the intersection of IT infrastructure with physical security infrastructure, all of which is now operating on the same network with digital systems in the security arena. All of this is causing large IT integrators to focus on acquisitions in the security space."

In 2003, three firms established the Security Growth Conference (www.securitygrowthconference.com), USBX (www.usbx.com), Mitchell, Silberberg & Knupp (www.msk.com), and Security Systems News (www.securitysystemsnews.com). This conference brings together CEOs of the largest global security companies with CEOs and senior executives of the leading independent security companies and members of the financial community for high-level business development, merger and acquisition opportunities, financing and networking.

Participants in this conference were able to observe another trend: an increasing number of companies whose founders and CEOs come from IT company backgrounds, such as NetBotz (www.netbotz.com) and VistaScape (www.vistascape.com). Although not presenting at the conference, DVTel (www.dvtel.com) is another company whose executives come from the world of IT. The personnel of such companies can engage in productive dialog with regard to both security and IT issues, and their product designs and marketing reflect their knowledge.

Convergence Means Opportunity
Mr. Edward Y. Ching, senior technology analyst for Rodman & Renshaw LLC, said in an interview with SecurityStockWatch.com, "I believe that government and corporate enterprises are planning a return to network expansion projects that were put on hold due to the downturn in IT spending from 2001 to 2003. I think that wireless networks, enterprise security and data storage solutions should be high on enterprise IT budget lists." This would provide increased opportunities for upgrades and expansions of physical security networks and systems, too, many as part of corporate IT projects.

Gemplus's U.S. Corporate Security Systems Study, carried out by Frost & Sullivan in December 2003, showed that 30 percent of Fortune 500 companies surveyed are currently using or testing smart cards within their security systems, and 39 percent plan to use smart cards in their corporate security systems within the next three years.

The question remains: Who will see the bulk of the security projects, traditional security systems integrators or their IT competition? Security system manufacturers, integrators and security consultants need to give serious consideration to the trends being examined in this article.

What Manufacturers Can Do
To maintain viability for their companies, many manufacturers need to establish viable positions for their products in building controls and IT, to the extent that their products will be installed, integrated and used by or for IT departments or building controls companies. This includes educating their specifying consultants and systems integrators. What will happen when IT systems integrators come knocking? The response certainly should be based upon a corporate strategy developed with an awareness of the trends identified in this article. For most security companies, such strategies will involve decision-making factors that did not exist when the current corporate strategy was formed.

What Integrators and Consultants Can Do
Physical security systems integrators need to become IT savvy in a hurry. Partnering with an IT systems integrator or network consultant is not a replacement for getting educated. On one recent physical security system project that used the customer's network backbone, a security systems integrator relied completely upon a network consultant to provide the specification for the system's network components. The network portion of the specification omitted some key equipment. The integrator had to absorb the cost of the network equipment, including installation and setup. This cost exceeded the fee of the network consultant, who didn't specify the equipment because the security systems integrator didn't provide the information that would have indicated its need. Mistakes like these by security integrators encourage end users to take a closer look at what IT systems integrators have to offer.

Security consultants also need to be more IT savvy regarding the kinds of systems integration the products they specify will be involved in. In most cases the software that "glues" the various applications together (middleware) will be provided by IT. The requirements and design for the middleware will include the security system integration. Not only must the security consultant be able to discuss the security system's role in the overall integration, he must specify a system that is up to the task.

The Big Danger: Ignoring the Customer
The previous article in this series (ST&D August 2004, "Playing Catch Up: Convergence With IT and Building Controls") discussed the need for interoperability between systems and pointed to the building controls industry as an example of customers driving change. In retrospect, we see that both customers and companies would have benefited from a more timely industry response. The article suggested that the security industry take a lesson from the building controls industry and actively pursue interoperability without having to be dragged into it by the customer base.

There is danger in looking to the history of building controls industry for guidance. It took 10 years to develop the BACNet specification, and it will be years more before BACNet contains the needed support for security systems, and again more before companies adopt it.

The danger is this: Unlike the HVAC and lighting control portions of the building controls industry, the security industry cannot safely drag its feet for years. The building controls industry did not have outsiders waiting in the wings that could simply come in and take the business away from its integrators. The security industry does. The IT industry has the technology, the people, and the money to pull it off.

Encroachments have already taken place, as we've seen, with IP-based video systems, and similarly with Web-based visitor management and identity management systems. Some security industry companies responded by adopting the related IT standards and interfacing with the IT systems. Most did not respond at all.

The Threat of Microsoft
Implementing an identity management system is no small task. So to help make the introduction, Microsoft offers a six-month evaluation version of Microsoft Identity Integration Server 2003, which is downloadable from the Microsoft Web site. Microsoft Server 2003 includes a free implementation of a Public Key Infrastructure system suitable for small businesses. PKI is a component required for smart-card-based access control to information systems. Both Windows 2000 Server and Windows Server 2003 support smart cards for Windows logon.

What if Microsoft took a liking to networked video? Would we see a six-month trial version of Microsoft Video Management Server 2005? If that happened, you could expect to see the Microsoft development Web site offer a video server development kit, so that anyone could interface to the software.

Part of the threat of Microsoft is that it creates systems that are standardized to allow other groups to use the same technology. This would signal the end of popular proprietary technology and the beginning of a drop in system prices.

Culture Change
IT has thrived on open standards and interoperability. Security industry manufacturers fear open standards and interoperability. They would much prefer things to remain unchanged. But the IT door has already been opened, and it cannot be closed.

Cisco reports that the chief lessons learned from the transition to digital CCTV pertain to making the best use of Cisco IT resources. "Physical security and IT security are converging," said Chatterton, "and the two groups need to work more closely than before. When we managed the servers ourselves, a hardware or software problem was a serious issue for the department. Now we just generate a case and IT uses their technical resources and expertise to resolve the issue. We had to shift our culture to let IT do the work and run through its own processes."

Like Cisco, many end users are experiencing corporate culture change due to convergence. Unless there is a corresponding culture change within security industry companies, the end-user change will amount to a shift away from traditional security companies to IT services companies.

Commoditization
Manufacturers, and to some extent integrators, fear the commoditization that open standards and interoperability will bring. Most don't stop to think that their current success is due in large part to the commoditization that has already occurred in IT. If the network cards of the early 1990s had remained proprietary and kept their $500 price tag, we wouldn't have IP-based video or IP-based anything. Today's security systems require a commoditized IT world.

Commoditization is what has made the IT explosion possible. Millions of people could take advantage of and build with what only hundreds or thousands could before. IT service providers no longer make money selling network cards. They sell information systems. And neither the customers nor the service providers would ever desire to turn back the clock.

Why wouldn't commoditization in the security industry result in a security explosion? History says it would. History also says that commoditization, based upon open standards and interoperability, is the inevitable next step for the security industry.

Customer demand for interoperability between brands will keep building. If it is not satisfied from within the traditional security industry as we know it, it would only be a small step for a few companies outside the industry or for the single largest security customer, the government to work to produce open standards, as is already happening with smart cards.

Shaping the Security Industry It is inevitable that the security industry will evolve and expand. Will the shape of that expansion come from within the security industry as we know it, or from without? If the changes are likely to have any impact on you, give some serious thought to your part in it. Whether by casting a vote, raising a voice, or leading an initiative do something.

Ray Bernard, PSP is the principal consultant for Ray Bernard Consulting Services (RBCS), providing high-security consulting. For information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.