Leaders in Access Control An Exclusive Security Dealer Roundtable

Oct. 27, 2008
Panelists discuss: "Selling Security to Corporate America."

Susan Brady: Continued concern about security threats has forced corporate America to take a closer look at security in the workplace. Businesses are realizing that the risk is very real and that steps must be taken to ensure everyone’s security. Please comment as to how access control plays a part in this process.

Tom Echols, Director Systems and Sales, Honeywell Integrated Security: Today’s corporations are utilizing managed access control systems as the key component of their overall security programs. Access control security management platforms allow corporations to monitor and manage personnel around the globe from anywhere in an enterprise. Observation of employees, contractors, visitors and even children at corporate-sponsored daycare facilities can all be consolidated into a single solution.

Steven Van Till, President and COO, Brivo Systems, LLC: When properly managed, access control keeps the “bad guys” out and lets the “good guys” in. That’s the first step in providing enhanced security, but this assumes you can always tell the bad guys from the good guys. That’s why an increasingly important function of access control is keeping records of events, and being able to correlate them with other security systems such as camera surveillance and photo ID databases. Coupled with offsite storage of such data or the use of a hosted security service—which guards against insider attacks on data systems—it should be possible for access control systems to play a valuable forensic role, even if their primary role—keeping the wrong people out—has been subverted.
Peter Boriskin, Director of Product Management - Access Control for Tyco Fire & Security: Access control is a vital part of workplace safety, it is the decision made on who can or cannot get in to a particular facility, parking garage, hospital, and airport. We see an increased need for organizations to tie their HR or ERP system to access, as they want to keep them synchronized without the requirement for human intervention.

John Petze, President & CEO of Privaris: An organization’s first line of defense is clearly physical access to the facility. Reasonable steps must be taken to ensure that only authorized personnel enter the facility. Doing so protects company assets and ensures the safety of employees, both of which have a direct bearing on the degree of financial risk to which the business is exposed. Though when talking about security in the corporate setting, access control should be redefined to include logical access ? securing access to computers, networks and applications ? because beyond “getting in the door” are the very real security risks related to the increasing number of employees that work from home, on the road, or who are accessing corporate IT assets and increasing amounts of sensitive data from external networks. Companies looking to implement new security systems, or upgrade existing systems, should take a serious look at the approaches available to address physical and logical access with a unified, or converged, strategy. It is now possible to implement a single credential identity verification system to control employees’ access to buildings and facilities, as well as to computers and networks, while at the same time simplifying and streamlining the user experience.

Martin Huddart, General Manager of Ingersoll Rand Security Technologies, Schlage electronic security: In general, the corporate customer is paying more attention to the perimeter of their facilities and putting in more policies and technologies to control access at the outer perimeter. Typical technologies include online card access, integrated CCTV, barriers, turnstiles and even biometric identity verification.
We have seen an increase in interest for two factor authentication where a single card transaction is no longer sufficient to grant access—a PIN or biometric ensures that a lost or stolen card is not a weak link in the system. Corporate customers are also paying more attention to the processes that are used to manage and monitor the system so that their investments in products are maximized. Examples here are more robust visitor management processes and more oversight of who is allowed to issue credentials and change access rights.
For the corporate customer, it is also important to get productivity and a return from this security investment. Technology plays an important part in this productivity need. Systems exist which integrate the management of all online and offline openings into a single application and database. They can also tie in alarms and video to those transactions and maximize the productivity of security staff.
As another example, new wireless technologies allow more doors to be monitored and controlled in real time for a significantly lower installed cost then conventional wired access control. These and many other innovations allow more doors to be effectively managed and monitored for any given budget.

Brady: Employees are asking that companies look at new security measures to protect themselves. How big a factor do you think the employees play in a company implementing better security?

Echols: Employees are a corporation’s most vital asset! Workers want and expect a safe and secure work place. Leading corporations recognize that an investment in security is an investment in their people.

Van Till: Employee awareness of and adherence to security policies is often the least expensive way to improve the security posture of an entire organization. That’s because in our experience the majority of breaches come from carelessness or employees working around practices they find inconvenient.

Boriskin: Employees are key in implementing better security. If they see the value and can be trained to look for unusual behavior, they compound the benefit of an automated system many times.

Petze: Employees are a crucial link in implementing any successful security strategy. Well meaning policies that don’t take into account the reality of human factors can fail to achieve their intended outcomes, and also work to deter employee buy-in. An example is the documented affect of frequently requiring employees to change their passwords, in which employees record their passwords on sticky notes at their desk in order to remember them. So while the new passwords may be harder for a hacker to crack, the exposure created by visible passwords results in a net zero security gain. Similarly, environments where employees are assigned numerous different security credentials (i.e., passwords, access cards and tokens) increase the risk of loss and unauthorized usage. Security protocols are only as strong as their degree of user adoption.
As such, the bar for successful corporate protocols has been raised. They not only have to be secure, but also convenient, non-intrusive, and user-friendly.

Huddart: In some cases, employee concerns can be the trigger point for a security investment. In any situation, employees play an important role in effective implementation of security policies in the corporation. Examples include reporting suspicious or unusual behavior; avoiding tailgating, particularly by unknown people, and enforcing visitor management policies.
Sometimes, technology presents an opportunity for the company and employee interests to be aligned as in the case of the biometric reader. As an example, a facility which deploys a hand reader for perimeter access can eliminate the need for keys or cards, something employees can simply forget about carrying to the job.

Brady: By understanding client environment, dealers can design security solutions to meet the needs of their customer. Facility security has become a growing industry in recent times. Dealers have to protect both the people and objects that make business work. What is the process for designing an access control system for the corporate client with this in mind?

Echols: Honeywell has gone to great lengths to understand the needs of businesses in specific vertical markets. Our research has given us insight into the needs of these customers, as well as the knowledge we need as a manufacturer to bring the right technologies to these markets.
The insight we have gained from such research also plays a major role in the overall design and implementation of security systems today. Dealers need a solid understanding of a facility’s operations, workflow, turnover, outsourcing, visitor traffic, compliance issues and a host of other details in order to effectively design an access system today.

Van Till: The process always begins by working with the end user to clearly establish the objectives and priorities for the project. What are you trying to protect? How much is it worth? Is human safety at stake? What is the budget?
Not all access control situations are the same, which means that the solutions should not all be the same. The notion of a one-size-fits-all solution is a big and possibly dangerous fallacy.
In terms of product selection, end users need to make sure that their dealers have selected vendors that have a range of solutions that can scale across a single facility, multiple facilities, or even multiple countries, if need be. The trick is to avoid overpaying for local solutions but still be able to implement enterprise-wide solutions when necessary.

Boriskin: Really this starts with the type of industry that the client is in, and how much regulations play a part. In an industry that is heavily regulated, electronic access control can be used as a means to enforce the policy or legislation that is in effect. If the client has life safety issues beyond the traditional personnel and property, electronic access control may be mandated by the industry.

Petze: The process for designing obviously varies dramatically based on the client. The investment in defining and documenting requirements is always the critical first step. During this phase the dealer should assess that the depth of security knowledge and focus and skill-set of the client organization. For example, some organizations are very experienced with IT security and yet have a very limited understanding of physical security and the interplay between those domains. Others are just beginning to address IT security advances. The dealer needs to be prepared to be a trusted advisor as well as an experienced installation and service company, and understand that responsibility for physical security is increasingly being assigned to people responsible for IT security.

Huddart: One model of system design has the dealer develop a layered approach to perimeter security and monitoring based on a risk assessment of the individual facility. Given the location of the perimeter doors, shipping docks and main doors, where to control security before someone can access the inner core of the building. What is in that ‘inner core’? A control room, a laboratory, an R&D center, customer records?
A risk assessment will determine options for the number of layers within the building that are required and what types of technologies are needed. An offline lock may be sufficient for a file storage area, but online access with CCTV may be needed for more sensitive areas. What type of credential technology is appropriate? What functions and level of credential security are required and is there a need to store data on the credential for other applications? More and more, access control applications need to tie into other enterprise applications, with HR management systems being a common one, so consideration for this data exchange needs to be made.

Brady: Is there any other advice you can offer dealer integrators on how to market to corporate clients? What specific assistance does your company give dealers as they go through the process of addressing corporate clients’ needs?

Echols: A dealer’s existing presence in a particular vertical market may provide a level of “industry expertise” that the competition may not have. We believe the key to determining effective market presence is identifying the right opportunities. When evaluating vertical market presence, the following should be considered:

• In which vertical markets are you doing business today?

• What impact does the geographic market play?

• Is this a vertical market that has a large presence in your sales territory? Many industries are concentrated in geographical areas – for example, 80 percent of pharmaceutical/biotech companies’ operations are in the northeast and on the west coast.

• What regulations or market pressures may be impacting the security spending of a particular vertical market segment? Sarbanes-Oxley is significantly influencing the financial industry, while FDA regulations are at the forefront of driving security upgrades in the pharmaceutical industry. HSPD-12 and FIPS 201 is not only impacting U.S. government agencies, but is also starting to affect state and local governments. NERC has announced new regulations that will impact energy companies from generation to distribution networks. How do you help them reduce their risk?

Once you have identified potential markets, think about the type of relationships you have. How good are those relationships? What do you know about your customer’s business – both internally and externally? Have you ‘been there’ for that customer in good times and bad? Have you earned the right to ask for additional business or referrals? Are you considered a ‘trusted advisor’ to your customer?
Too many times we fail to leverage our greatest asset—our customers. In order to take advantage of opportunities to expand services and increase sales, it is essential to really understand the issues, risks, fears and long-term goals faced by an organization; and know how they operate: What are their products, markets, sister businesses and suppliers? What are their critical success factors or market drivers? Who are their top customers? What value do they provide their customers? Who are their competitors? How do they win and grow? Honeywell has a number of market experts who can help you answer these questions, and we have developed a number of vertical market solutions and marketing materials to assist in all aspects of the sales and support process.

Van Till: The IT team is now a major part of the buying process, so corporate clients are increasingly concerned with the information security profile of the physical security products they are buying. The dealer needs to be prepared to discuss data security, encryption, backup, redundancy, disaster recovery, and—for server-based systems—additional topics such as virus protection, patch management, revision control, software upgrades, and obsolescence. If a dealer cannot address these topics, they will not be able to sell into a large corporation, because they will not be able to effectively engage the IT team and satisfy them on their hot-button issues.

Boriskin: One of the best things that an integrator can do to tailor systems to their customers’ requirements is to become educated in the market space that their customers operate in, or leverage an expert in that area who knows the “why” behind legislation, rules and regulations. One of the benefits we offer our integrators is the assistance and support of our physical security professionals in application design, vertical marketing and if need be, professional services.

Petze: Always understand a client’s goals before considering how your capabilities and the technologies that you offer can address them. Knowing what a client is trying to achieve is paramount to being able to convey your own solution in a context that is most attractive to their needs. Put yourself in the customer’s shoes and remember that the best way to gain respect in a selling situation is to first and foremost be a good listener. Privaris works with its dealers to relay sales techniques and tools that employ common sense methodologies.

Huddart: More and more applications run over common IP backbones in the corporation and, therefore, the IT staffer has to buy into system design and understand connectivity and bandwidth issues. In many cases they may be the decision maker for our security products. There is much talk about convergence in the industry and the first layer of convergence centers around the network – a physical connection issue. The dealer has to be familiar with the technologies and concerns of the IT decision maker in this process. One way to cope with this is to seek new skills. As an example, the Physical Security Network Associate qualification one -day class.
The second wave of convergence is less developed but will also require more technology integration and intra-departmental alliance building in the corporate world. This involves convergence of the rules of physical and logical access control. The typical scenario is that the employee has to have a valid building access event before a PC or network logon event is permitted. Dealers will need to keep up to speed in this rapidly changing world.