SaaS vs. Self-Hosted Solutions
As a business manager, you fight every day for sustainable profitability. You spend much of your time devising ways to stay profitable on shrinking product margins and rising labor costs. Blended gross margin on your installation work is likely somewhere between 20 and 30 percent. After making payroll, paying suppliers and normal business expenses, your net profit can be 10 percent or less. Sound familiar?
Many integrators have concluded that product and installation revenues are not sufficient to support a healthy organization in the long term. Following the lead of IT integrators, smart integrators are moving from an installation to a service focus. Services offer several advantages over simple installation revenue. Services provide for higher gross margins, less risk, higher perceived value, more impact on your company’s valuation and increased chances for repeat business —all great reasons to be focused on building service revenue.
Moving towards building a stronger base of recurring monthly revenue (RMR) is a great first step to achieving higher revenue and profitability goals; however, you need to make some tactical decisions on which services to offer and how to deliver and support those services. For years, the primary security industry service has been alarm monitoring. It is the most basic type of service — simple to install, clear value proposition and well-defined service parameters. Some integrators choose to invest in their own central station; others create partnerships to outsource this function, but both models work. Individual businesses usually decide on internal vs. outsourced by analyzing how their resources could be deployed to provide the best ROI for the least risk.
The Next Generation of Services
Integrators looking for a next-generation service to offer will likely hit on access control and video. Here, you are faced with the same choices as in the alarm business — build it or outsource it. Again, both models work, but building it still requires a significant commitment of time and resources.
Another difference with hosted access control is the business model is less defined than alarm monitoring. Some companies offer self-service hosting, where the customer uses a remote application, but essentially operates the system as if it were on site. Other companies offer “managed services,” which rolls up hosting of the software with other common access control functions such as cardholder administration and report generation. The services you offer can be customized to fit the markets you target, what your customers want to buy, and the resources you have to deliver those services.
Hosted Access Control Options
Search for hosted access control, and you will see results from a variety of companies. The primary manufacturers that turned up in my search were Kantech, AMT and Brivo, and all three are interesting because each offering differs. Kantech offers a solution that integrators host themselves; AMT offers both self-hosted and AMT-hosted solutions; and Brivo is exclusively an outsourced services provider. These are only three — many more are bound to enter this market. Let’s take a deep dive into the pros and cons of self-hosted vs. outsourced solutions.
Self-hosted: With self-hosted, the access control manufacturer provides software that you install in your data center and establish as a shared hosting infrastructure among your clients. Acquisition costs for hosted access software can range from $5-$50K, depending on the system. The integrator will then need to add the data center environment, broadband network, computers, UPS and, of course, the IT resources required to operate the system.
Fortunately, several companies such as Rackspace, Amazon and Microsoft offer what is called Infrastructure as a Service (IaaS). As depicted in the nearby graphic from Rackspace, IaaS providers can handle many of the details of a hosted system for you. IaaS costs vary from a few hundred to several thousand dollars per month, depending on a variety of factors such as computing resources, bandwidth consumption, fault-tolerance protections and professional services required. Using an IaaS provider will help cut down on the up-front expenses and ongoing resource commitment, but the integrator will generally be responsible for maintaining the application and handling such issues such as up-time, data privacy audits and information security.
Outsourced hosting: Another option is to shift responsibility for the operation of the complete solution to a Software as a Service (SaaS) provider. SaaS providers take responsibility for all of the items mentioned in the above example, along with providing the core software application, data privacy and data security. Such web-hosted products are centrally operated at a data center and shared amongst thousands of different companies — called a multi-tenant SaaS application.
Examples of such SaaS products include Salesforce.com, Workday and NetSuite. If you haven’t heard of these companies, you owe it to your business to check them out. Recent market analyst reports put SaaS software market growth at 25 percent per year. Why such solid growth? Because SaaS customers choose to leverage the infrastructure and operational capability investments made by SaaS companies rather than making those investments themselves.
Since the infrastructure is shared among many users, SaaS applications are very robust and cost-effective. The entire application is accessible from a browser via most any computer or mobile device. Web-hosted solutions are also self-provisioned, scalable on demand, and typically purchased on a “pay as you go” basis. It’s not necessary to purchase any application software to operate a SaaS product. This has greatly lowered the barriers to entry in many industries and generated a wave of new growth in small business.
Outsourced vs. Self-Hosted
For SaaS, the integrator needs only a computer with a browser to set up and manage the application. The SaaS provider should handle everything from the software application to the computers and datacenter environment. SaaS companies will provide a Service Level Agreement (SLA), which guarantees the operation of the system at a particular availability level, such as 99.999%.
For a self-hosted solution, the software provider supplies the application and the integrator will be responsible for creating the self-hosted operating environment. The integrator can choose to provide the data center, servers, power, cyber security protection measures and IT resources themselves or outsource it to an IaaS provider. In the self-hosted case, it will be up to the integrator to decide if they will provide an SLA and what uptime their infrastructure will be designed to deliver.
A New World of Standards
While central alarm monitoring was a unique security industry service with a limited amount of industry-wide operating standards, web-hosting is a global IT service with well-recognized operational standards. Integrators looking to provide self-hosted services meeting IT standards should become familiar with the Cloud Security Controls Guidance published by the Cloud Security Alliance Organization, whose mission is “to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.”
Regardless of the infrastructure choice made between self-hosted and outsourced (SaaS), using the baselines provided in these standards, integrators should be able to answer the following questions:
1.What is your track record of availability and SLA guarantee?
2.What are your data security controls and how are they audited?
3.Do you have multiple, secure, disaster-tolerant data centers?
4.Does this service require any inbound holes in my firewall?
5.How does this service perform device authentication?
6.How do you perform on-going vulnerability assessments?
7.Does this service provide two-factor administrative authentication?
8.How do I integrate this service with other business applications I have?
Are You Ready to Sell?
Hosted and managed services require a professional, consultative sales approach. This is not bid work — projects are generally not advertised as RFPs. The sales process for a service-based business typically follows these steps (note the high reliance on professional selling skills such as research, needs assessment and conveying your solution’s business value):
Step One: Generate leads — Your potential sources include website and search engine optimization, architects & engineers; referrals; direct mail, email and advertising campaigns; security consultants; leads from your SaaS partner; industry associations (BOMA, IFMA, ASIS, etc.); telemarketing; and working the territory.
Additionally, you should mine specific vertical markets. Good prospects for hosted and managed services include: medical offices; child care locations; government; multi-tenant properties; fitness chains; law firms; manufacturing facilities; housing authorities and HOAs; and schools.
Step Two: Use details to work the sale — Once you have the prospect’s attention, it is critical to be able to answer the eight questions listed above. It is also important to demonstrate your solution — if you say you have a simple, web-hosted application, then be prepared to log-on and show them how simple it is. Provide the prospect with a demo account to let them play with the system — they have come to expect this from other IT SaaS services, so just like the technical benchmarks established for cloud service providers, your salespeople will face sales benchmarks established by the wider SaaS provider community. Be prepared to give them the tools needed to win.
Wanting to be in the RMR business is a great start, but succeeding in building an RMR business will take continuous effort, focus and discipline. Start the renaissance of your business by getting out of that installation rut and forging a new future for your service-based business with hosted services.
John Szczygiel is Executive Vice President of Brivo Systems LLC. To request more info about the company, please visit www.securityinfowatch.com/10213096.