This article originally appears as the cover story in the April 2021 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
Many security systems integrators count on recurring revenue sources to attain and maintain profitability. When the economy falters or a pandemic shuts down onsite operations, this income source – often billed monthly – is a lifeline enabling integrators to pay their bills between equipment installation projects.
Without recurring monthly revenue (RMR), one integrator says he and his colleagues are left to “install a system, roll out the door and say ‘Here is my card. Call me if you need me.’
That is a challenging way to do business – especially in today’s security environment, where end-users and equipment manufacturers are pushing for hosted, cloud-based systems requiring less onsite hardware.
In this exclusive Security Business roundtable, three veteran integrators share opinions on what traditional and new services to include in a recurring revenue portfolio while also preparing for a changing industry business model:
John Nemerofsky is a 25-year industry veteran, held executive positions with several large national and major regional integrators before joining Kent, Ohio-based Sage Integration as Chief Operating Officer. Sage serves Fortune 100 and other enterprise clients across the United States.
Michael Ruddo is Chief Strategy Officer for Herndon, Va.-based Integrated Security Technologies (IST), one of the nation’s largest independent integrators serving government agencies, healthcare, technology, property management and other commercial entities. Ruddo has 35 years of security industry experience.
Brad Wilson is President and COO of RFI Communications and Security Systems, and he has spent 37 years delivering integrated security and fire and life safety solutions to Fortune 500 companies, hospitals, universities, government agencies and transportation authorities in Northern California, Washington and Nevada.
A Building Block for Successful Business
Nemerofsky says RMR should be an essential piece of any systems integration business. “Integrators go through peaks and valleys with installation projects, but payroll, rent and other fixed expenses stay the same,” he says. “If your RMR can cover those fixed costs, you have stability, and you don’t have to worry as much about project revenue this month or next. It changes how you can go to market.”
Wilson agrees, adding that RMR gives him the ability to weigh each potential installation project’s value and judge how it fits his overall business plan: “If I see a project for an existing customer, I’ll take it without a strong RMR component,” he says. “But if I have a new client opportunity with no subscription services tied to the project, I am more than likely to pass. If I cannot get RMR out of it, why do I want to deploy my high-priced assets with no ongoing return? Otherwise, you live and die by projects.”
The three integrators all say they do not view RMR services as add-ons, but rather a way of doing business, leading to better security results for their clients.
Ruddo says IST often incentivizes its recurring revenue agreements to provide a price break for longer-term contacts. In fact, IST puts recurring revenue into three categories, starting with traditional RMR for integrator-provider services billed monthly. The integrator also has RAR – recurring annual revenue – often related to government clients preferring to view costs annually. A third category, RCR – recurring contract revenue – applies to staff augmentation, typically on an annual or multi-year basis. IST embeds employees at a client’s site eight hours a day, five days a week to perform corrective and preventive maintenance. An IST staff member often becomes the administrator of the client’s entire security management system.
“Most companies do not have a dedicated person for those RCR functions, which often falls to the IT staff since the security system resides on the network,” Ruddo explains. “This is where systems integrators can help their clients, and it is a big part of our business strategy. By utilizing our staff’s expertise, we are better able to maintain systems we install, keep clients’ systems up to date, and look for new technologies to meet their changing needs. We have seen a lot of success with this model.”
Embedded staff is also a big part of Sage Integration’s business plan. Nemerofsky estimates up to 80% of Sage’s technical team is embedded with large enterprise clients, creating a vital source of RMR that was particularly helpful as some installation projects were delayed or canceled due to the COVID-19 pandemic.
The integrators also collect RMR from traditional sources including service level agreements for preventive and
Wilson adds that RMR services tend to create a tighter bond between integrators and clients. “RMR provides a higher exit barrier,” he says. “The more you bundle recurring services with installation projects, the stronger your commitment becomes to the customer and the same is true of the customer’s commitment to you.”
Hosted and Managed Services
A hosted, cloud-based solution enables virtually any size organization to eliminate the need to buy, deploy and maintain hardware and software. Hosted services rely on cloud-based servers located at sites maintained by the integrator or a security system manufacturer. A managed system counts on the integrator maintaining equipment on a client’s site. With virtually all newer security devices dependent on a network, hosted and managed systems provide integrators with an excellent source of recurring revenue.
Hosted services benefit many enterprise organizations by enabling them to afford more robust security systems by eliminating up-front costs of onsite equipment, Nemerofsky explains. “Just on the video side, a client might need powerful servers that sell for $25,000 to $30,000 each,” he says. “You see how the savings add up going the way of a cloud-based system as opposed to one on-prem.”
Nemerofsky adds that property management firms and senior living facilities – which often lack IT staff – are two enterprise markets often attracted to hosted systems. “But day-in and day-out, the SMB space is where these cloud-based services have their legs,” he says.
Wilson says hosted and managed services provide a win-win for integrators and their small and midsize clients with 8 to 24 doors. “These SMBs don’t have an IT guy – much less an entire department available – to do the work,” he says. “This is perfect for an integrator. We make sure all equipment is working and software patches are up to date. I don’t need my team to climb a ladder to provide these services. Eight to 24 doors, and a little beyond the SMB model, offers tremendous growth potential for hosted services.”
About half of IST’s business comes from federal government agencies, which, Ruddo says, are typically early adopters of new technology and services; however, that hasn’t been the case with hosted services. Federal agencies have many certifications and cyber requirements to meet, making it challenging to deploy cloud-based security solutions. Also, a number of agencies have in-house teams that prefer to maintain full control of their security environment. Still, Ruddo predicts that within the next 5-10 years – perhaps fewer – on-premises installations will go the way of the VCR or DVR in favor of hosted and/or cloud-based systems.
“It is easier to control a system’s cyber-health in a cloud environment,” Ruddo says. “Most security industry professionals now realize things are as safe in the cloud, if not safer, than they are with an on-premises server system.”
Nemerofsky reminds clients that the one-time payment for installing a security system on-premises does not signal the end of expenses. There are still labor costs for personnel – either the client’s or the integrator’s – to add software updates, anti-virus software, conduct backups and more. “The efficiencies from reducing on-premises server maintenance enables a client’s staff to focus on other activities, including security and other business needs,” he says.
The Role of Manufacturers
The integrators agree that security equipment manufacturers will play a role in the future of RMR. Ruddo says many
“They are eventually going to hand us a price list that will show the cost per month or year for each camera or door reader linked to a remote server,” he says. “We are going to have to embrace the model, apply a mark-up and pass it along to clients. I don’t see (manufacturers) going any other route.”
With many manufacturers’ devices available on the internet, Wilson says, it is not uncommon for end-users to come to RFI looking only for installation service. Additionally, Amazon reportedly reaches out to integrators with an offer of a flat fee to install home security and smart home devices, while it retains any subscription services.
“I can’t contribute to a manufacturer or online distributor billing a customer,” Ruddo says. “I need more return on the investment that I have made in IT specialists.”
Drivers of RMR Adoption
A younger generation of security professionals is helping drive end-user acceptance of paying for monthly services. Wilson says the concept fits well with their personal spending patterns, including leasing cars and bundled services from online providers.
“Our customer contacts are changing from veteran ex-law enforcement guys to 28-year-olds carrying laptops covered with decals,” Wilson says. “These younger security and IT people see value in the (managed) services we offer and look at RMR expenses as operational costs that can be written off annually as business expenses as opposed to large capital expenditures that depreciate over many years.”
Wilson says cyber hygiene and security assurance is another RMR driver, as the need to protect edge devices and wireless cameras requires routine password updates. The time and expense of changing passwords at larger projects with hundreds of cameras is beyond most end-users, proving an opportunity for integrators to handle – and charge – for the service.
Ruddo says not all of his firm’s RMR came as the result of an IST installation. “Client relationships often depend on what happens after the install,” he says. “Sometimes we’ll take over a project installed by another integrator and…provide ongoing life-cycle maintenance services.”
How Much Recurring Revenue?
Recurring revenue helps integrators thrive in the good times and survive when business is slow. Wilson says that integrators should derive a minimum of 18% to 25% of their revenue from RMR.
“It creates a lot of stability to have RMR to count on when the installation projects aren’t as big or as frequent as they were,” he says. “You must have recurring revenue as part of a balanced portfolio. Without it, many integrators will be hard-pressed to stay in business. (Integrators) can make a better margin on professional, IT, managed and hosted services than on the sale of $500 cameras.”
For its part, Sage Integration set a 2020 goal of 20% of its revenue coming from recurring revenue. Nemerofsky says they finished the year at 23%, leading Sage to change its metrics and aim for a higher percentage in 2021.
Emerging RMR Services
In addition to traditional sources of RMR, newer services are emerging that the integrators say offers solutions for client problems while increasing revenue.
Nemerofsky says mobile credentials, with smartphones replacing plastic access control cards, save end-users significant procurement, storage and printing costs. “We buy a mobile credential for about $3 each and sell them for $4,” he says. “Nobody will buy mobile credentials for just a year, because they don’t want them to expire; so, they order for three or more years at a time. Imagine the number of credentials a university or hospital campus might use each year. It is a great form of RMR.”
Ruddo says a new service IST sells uses a third-party provider of cybersecurity services. He says the solution does require the installation of some equipment on the client’s network to create what he calls a “cyber SOC, for lack of a better name.”
“It is a great add-on that should be fairly lucrative for systems integrators,” Ruddo says. “It is still a bit of a tough sell, because if a client has not been breached, they do not understand the potential financial impact, making it hard to prove ROI. If they have been breached, they get it. As more breaches happen and more attention is paid to cyber hygiene, that is a service that every system integrator should be supplying their clients.”
Wilson says he expects compliance testing for security and safety standards to soon become another good source of RMR. Government agencies will drive new compliance standards tied to video, access, visitor management and other systems.
He says the future also will see greater reliance on Video Software as a Service (VSaaS), and that increased venture capital investment is bringing more providers into the space. This aligns well with the impact of the pandemic and the value propositions of remote access, cloud analytics and sharing.
In addition, integrators should be on the lookout for mobile apps and other relevant add-ons that could provide RMR.
“During this pandemic, we had clients call and ask for touchless solutions to bring people back to work,” Nemerofsky says. “We found one, Destination Dispatch, that uses a smartphone app to control building elevators. It remotely supports four to 25 cars. Integrators deploying this app are paid monthly for each user.”
Here are a few of many additional examples:
- Mask Enforcer uses facial recognition to identify employees and enable them to enter a building without touching a door. The system also denies access to employees not wearing face masks. This hosted solution generates revenue per device, per month.
- Data on current and near-term weather may be necessary to enterprise organizations operating facilities across the country or worldwide. AccuWeather provides detailed weather warnings and forecasts with greater accuracy than the National Weather Service. This hosted app generates $300 per month, per location, to integrators.
- Artificial intelligence-assisted ZeroEyes video vision identifies weapons being carried into a building or other facility. The technology is hosted, offering another source of RMR.
Advice on Transitioning to an RMR Model
Unless it is a family-owned business passed down to the next generation, most integration firm owners will eventually sell their business to fund retirement. This, according to Nemerofsky, provides another example of the value of a steady cash flow from RMR.
“When it comes time to sell your business, a potential buyer will pay some percentage of EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization),” he says. “But if you have established sources of RMR, they will pay you a higher percentage on your hosted and managed services.”
Nemerofsky warns against rushing to set up an RMR business component without first establishing performance indicators and front and back-office protocols that are key to achieving success.
“Decide how much RMR you want to sell and what technologies will help you meet that goal,” he advises. “Consider the cash flow, the margins, total labor costs, depreciation, service and training costs and make sure the back office – accounting – is set up to bill for monthly services. Also, review your contracts to see that they cover the potential liabilities associated with that portion of the business.”
Do not neglect training your sales team, as selling RMR requires a different skill set than project installation (read much more from sales expert Chris Peterson on page 40). Additionally, the integrator must incentivize selling RMR. Sage might pay a 10% commission on installed equipment’s gross profit margin, and between 15% and 18% on RMR profit. As many RMR contracts are multi-year, the salesperson and the company are both guaranteed annual income.
Paul Rothman is Editor-in-Chief of Security Business magazine. Access the current issue, full archives and apply for a free subscription at www.securitybusinessmag.com. Jon Daum of security-centric PR firm Daum Weigle (www.daumweigle.com) contributed to the writing of this article.