SD&I Cover Story: Managed Services

Feb. 13, 2018
The MSP business model represents the future for physical security systems's how to piece together the perfect combination of services to create a new path to greater profits

To anyone reading security industry publications and attending security industry conferences over the past few years, it is clear that there is strong consensus within the industry that managed services – particularly the Managed Services Provider (MSP) business model – are the future for physical security systems integrators. What is not so clear is how soon such a transition will occur, what the opportunities are to provide managed services, and the first steps to get started.

“Managed services” does not mean performing fix-and-repair service call response on a fixed RMR basis, although a few companies have managed to do that with certain customers. It is not about providing one-time services like installing and setting up products, and waiting for service calls. Instead, it is about continuous value-added service that is the basis for continuous revenue.

“Opportunities for security integrators to expand the value their organizations offer are dependent on their ability to become more customer-centric,” explains Eddie Meltzer, CEO of Security Cloud & Mobile Partners, a company whose mission is to help security end-users and integrators optimize their service and support programs.

“Integrators need to refocus from a project and hardware/software-based strategy (i.e. one-and-done and transaction-based relationships) to a well-defined services-based strategy that focuses on the business outcome of their customers – more specifically their customers’ success,” Meltzer adds. “This will require some changes to their organizations and an honest review of what results and information their systems are delivering.”

The security industry’s rearview mirror will not be much help with that thinking; however, there are three places for integrators to look for clues: IT managed services, a deeper understanding of customers’ needs, and advancing technology.

Many integrators have found that the time to start the transition to becoming a MSP is now. There are many opportunities to start providing managed services, especially by automating and improving service capabilities.
What steps come next will vary depending on factors relating to the integrator, the markets served and the technology infrastructures of the customers.

Understanding the IT Managed Services Model

Overall, the security industry needs to better understand – and catch up with – the nature of today’s technology and how it is managed in the IT domain. That means using digital tools and electronic systems – the same type of automated tools that IT departments use to monitor networks and systems, and to automatically patch and update them to keep software and devices feature-current and cyber-secure.

Most electronic security system deployments today are not cyber-secure or well-documented; in fact, those that are cyber-secure have mostly been secured by the customer’s own IT departments.

“Being an MSP means adding value, and the opportunity to deliver that is far broader than ever before,” explains Brad McMullen, Stanley Security’s VP of Marketing and Product Solutions. “IP-based physical security has naturally led to customers wanting service assurance, cyber-hygiene, remote management and other data-driven services for their infrastructure.”

The value of documentation: The first step to providing these data-driven services is documentation. Managed service providers always document their systems because it saves time, prevents mistakes and enables them to respond quickly to customer questions. Documentation also keeps them prepared so that as new product versions and technologies arrive, they can quickly scan the information about customer systems to identify prospects where they can now add more value.

System Surveyor – a design and documentation tool that helps simplify security system management and reduce design time – provides the type of documentation that customers value. Managed system providers must rely on such tools to make their work more efficient and effective.

More than a decade ago, IT learned that the reactive approach of waiting for user service calls is not feasible for maintaining high system uptimes or as the primary means of diagnosing computer and network problems. Digital automation – continuous system monitoring and automatic reporting – is the only way to stay on top of things. Status detection and reporting, and problem alerting can be instant or nearly so. Another important factor is that automation scales well, whereas human labor does not.

The value of information: As professionals in the IT and compliance audit departments of large organizations know, auditing physical security system deployments has been a notoriously labor-intense process, especially compared to the ease of auditing IT systems.

Viakoo is attempting to make that process easier for security, using machine learning and other advanced algorithms in a software solution that automatically verifies and reports on the performance and integrity of physical security systems, with alerts for service issues and a ticketing system for managing them.

Recently, cybersecurity services firm Coalfire validated an end-user’s use of Viakoo to support retail point-of-sale PCI compliance, finding that the auditing of 36 physical security PCI controls could be fully or partially automated by the software.

Using a tool to digitally verify the status of physical security controls, and packaging up such information for an organization’s compliance reports, is a good example of an integrator providing value-added service. Such opportunities exist for integrators whose customers must comply with programs like energy utility NERC CIP, data center TIA-942-A, supply chain CTPAT, and federal agency FedRAMP; but also for non-regulated customers who want high assurance of security system performance.

“Having solutions – like Viakoo and others – that can address developing needs around cybersecurity, corporate and regulatory compliance, and risk assessment is important to meeting customer needs,” says Gina Stuelke, CEO of Kansas City-based Kenton Brothers Systems for Security. “As a first step, we have found that a focus on automation goes a long way towards delivering the kind of managed services that IT-savvy customers appreciate.”

“Integrators must find a way to actually add value to the services they provide in order to get the recurring monthly revenue,” McMullen explains. “If you just sell the service contract and don’t add value beyond that, you aren’t in the Managed Services business.”

Stanley uses the Viakoo service to deliver its own Managed Services offerings. “Our customers get the combined value of Viakoo’s automation and Stanley’s deep service experience – a unique offering,” McMullen says.

Proactive service: Andrew Lanning, co-founder of Integrated Security Technologies Inc., of Hawaii, explains that just as the break/fix model of electronic security system maintenance gave way to the service contract model, the service contract model is expanding into the as-a-service model – which can include hardware (Platform as a Service), software (Cloud ACS or VMS), maintenance (preventive inspection/maintenance), monitoring (system health, patch management, etc.) and reporting (weekly, monthly or quarterly uptime) bundled together or a la carte into a single monthly payment.

“This lets the client plan for annual security costs, which increase incrementally with system growth,” Lanning says. “The real value for the client is in the monitoring and uptime reporting – what good is a system that is offline when you need it most?”

“Our business has changed more in the last five years than in the previous 50, and one of the most significant changes is adding more managed services offerings to our lineup,” Stuelke says. “The opportunities are as wide-ranging as our customers are – some are very focused on knowing their systems are always working as they should; some need to ensure their security is compliant to industry standards; and some want more remote management capabilities, just to name a few. These are all best done ‘as a service.’ Most of our products now live on the network – through that, we are able to address our customers’ critical need for responsiveness.”

The First Steps to Becoming an MSP

Integrators must understand each customer’s technical and operational environment before assessing the need for promoting whatever they can feasibly offer “as-a-service.” Thus, the first step, according to Meltzer, is internal analysis:

  • Do we have the technical resources and expertise in IT networks and infrastructure? If not, will we make the necessary investments?
  • What changes need to be considered to the sales processes?
  • What changes need to be considered to the commission structure?
  • What additional training will be required?
  • Are new skill sets required from potentially new personnel?
  • Are there new vendor relationships that need to be established?

Meltzer stresses that integrators must have the wherewithal to sell and deliver these services reliably and profitably – which may require organizational changes. “Are they a service-led organization? Do they leverage service capability as a market differentiator? That will speak volumes into their culture and whether an as-a-service strategy will be successful,” he says.

Once the groundwork is laid, Lanning recommends the company use a ticketing system to drive the managed services business model. “Learning to track time spent servicing is critical to understanding how to monetize the services you perform for your clients,” he says. “We use ConnectWise for our internal and external projects and services delivery.”

The next step is to set up a help desk that can handle basic customer inquiries and perhaps advanced technical support (internal and external), depending on your size. “Security product platforms are beginning to integrate health monitoring APIs into tools like ConnectWise, so it is only a matter of time until the MSP model is the only thing that will make sense to our IT savvy clientele,” Lanning says.

Lastly, Meltzer recommends determining the mapping of available as-a-service solutions given the existing security technology infrastructures and needs of an integrator’s particular and unique clients.

The Vendors’ Role

Security industry manufacturers have a role in supporting the managed service business model – especially those with cloud-based offerings. The idea is to use digital tools and automation to reduce or eliminate manual effort in supporting products, thus enabling integrators to focus on serving and adding value for customers.

Both customer network usage and security video usage can change over time, and under the as-a-service model, integrators need the means to be proactive in ensuring customer systems continue to perform as intended.

“Standard IT tools can’t present the security systems-specific information that is needed,” explains Ken Francis, President of cloud video company Eagle Eye Networks. “Eagle Eye provides integrators with a dashboard graphing 13 cloud video system performance metrics for that reason.”

Customers do not generally have insight into how their network and video usage profiles change; thus, an integrator can leverage capabilities such as Eagle Eye’s dashboard to provide that information and help the customer plan ahead for expansion. Eagle Eye also manages its on-premises appliances, performing updates and security patches automatically while notifying integrators of the updates.

Axis Communications has a history of working in the hosted video market, anchored by its Axis Video Hosting System (AVHS) platform. According to Steve Burdet, the company’s North America Product Manager, the company is developing “a new cloud-based service engineered from the ground up, called AXIS Guardian, targeting video service providers” that will eventually replace AVHS.

The service, Burdet says, is cloud-hosted by Axis, enabling the company to update/evolve the system and services faster to meet the needs of integrators and customers. “AXIS Guardian has central device management functionality that includes camera automatic firmware updates. Guardian also has alarm receiving center integration with more integrations to come in the future.” Expect Axis to find ways to expand automatic firmware updates to other types of camera deployments.

Early successes in managed services have highlighted two main points regarding integrator adoption of the managed services model and their relationship with security vendors:

  1. Vendor products/services must support the “as-a-service” model; and
  2. IT-style tools are needed to effectively and profitably deliver services at any scale.

There is an abundance of untapped opportunity via managed services for tech-savvy, customer-savvy integrators. Integrators should take the initial steps of assessing their current capabilities and knowledge, gauging the customer landscape, and determining required internal changes to sustainably sell and deliver managed services. 

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities ( He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.

SIDEBAR - Surveillance Systems: The Weak Link?

IT-style automated updating and documentation can protect integrators, their clients and the technology

Video surveillance systems typically have multiple shortcomings – customers with high-camera-count video deployments find it nearly impossible to keep camera firmware current, and most cameras never have been updated since installation. Although cameras are computers that have embedded web servers and run video analytics software, they were not designed to be managed the way that IT departments manage servers, printers and other networked computing devices.

Full-feature cameras have settings that cannot be set in the VMS software – they must be configured via camera web pages; thus, with settings variations residing across hundreds to thousands of cameras, most camera systems are not fully documented or backed up.

One result of video surveillance system shortcomings is that security video systems have become the highly publicized target of choice for large-scale malware attacks. Another result is that when corporate security investigators look for the video record of an incident that should be there, 10-20 percent of the time the video is missing.

Just two years ago, the city manager of Dallas told reporters, explaining why a police officer shooting was not captured by the new camera system, that based on the state of technology and cost factors, it was reasonable to expect that 80 percent of the cameras would be recording at any one time. That meant out of the city’s 400 new cameras, 80 of them would not be doing their job on any given day. That caused quite an uproar.

“Using Viakoo automation we have been able to end the missing video problem,” says Brad McMullen, Stanley Security’s VP of Marketing and Product Solutions. “Managed Services are about leveraging specialized automation services on a continuous basis to have infrastructure performing at (better than) 99-percent uptime for all devices and systems. With that in place, we can build the true managed services – such as solutions for service assurance of video and access control systems, virtualized preventative maintenance, systems verification and compliance, and camera password checking and firmware updating, among others.”