Here Comes the Techs

It happens so often it’s become routine. John McClurg, CSO of Honeywell, is constantly charged by fellow executives to find ways to streamline operations related to security. One of the drivers is the growing number of IP-based security devices connected to Honeywell’s internal network. McClurg is the executive whose team must work with IT daily to ensure that both the network and the security architecture enable the business to achieve its goals.

Neither the network, nor security, should get in the way.

Frantic e-mails from chief information officers or pressing requests from the board of directors to comply with regulations or meet some business need all drive convergence projects. The enlightened in this industry realize that IT is a useful tool in the security executive’s toolbox.

McClurg is not the only CSO who sees the value of doing business with IT. The software and networking giants of IT see it, too.

In recent months IT mega distributors TechData and Avnet launched physical security initiatives; Cisco Systems acquired a video surveillance product company; and Sun Microsystems announced a physical security access control partnership.

We all knew it was coming, we just didn’t know when or how fast the change would happen. Past surveys that my team and I performed at industry think tanks like 4A International over the years showed very little happening in this “convergence” of physical security with IT. Revenue just started to appear two years ago as large corporations required greater efficiency in identity management and event management.

Companies such as Honeywell and Lucent, Nortel and Sprint were charging executives to find creative ways to leverage IT to lower the costs of security and increase its efficiency.

Security as information

The entry of information technology companies into the physical security sphere begs the question: When did security become information?

Your gut reaction probably is that security has always been information. Who goes there? What area belongs to us? What is this person allowed to do? Who opened that door? The answers to those questions are the basic information building blocks of a security program. So if information is akin to security, why has it taken so long to embrace information technology?

To be fair, access control and other types of vendors have been using PCs and software for 20 years. But the conversation of information technology, with its standards, interoperability expectations and networking has just begun.

IT companies weren’t ready for that conversation until recently, either. The big software and networking companies spent the last couple of decades just getting their sea legs under themselves in a tumultuous and highly competitive market, with innovations like the Internet drawing attention. But after September 11th, the IT world began to take notice of a huge market opportunity in “traditional” security.

But not all at once.

Executives at Intel were puzzling over processor chip (CPU) sales one day. One manager noticed that there were more CPUs being sold for digital video recorders (DVRs) than total TiVo sales. Who was buying all these DVR CPUs, and what were they used for? Within weeks, a team of executives was registering to walk the floor at the next physical security trade show taking notice of the trends of DVR adoption in video surveillance projects.

Cisco, Sun, Avnet, Anixter and TechData are leading the most exciting market shift in recent history. Each is setting its sights on the $120 billion physical security industry. And each is planning to take some of that revenue away from incumbents.

Avnet, the mega-distributor in IT has enjoyed a long and prosperous relationship with IBM, selling more than a billion dollars of IBM hardware and solutions through hundreds of channel partners each year.

But Avnet competitor, Anixter, has a head start. The IT cabling and communications equipment giant began selling cameras and physical security systems five years ago. Back then, IT customers were interested in IP cameras and turned to their trusted provider of high performance cabling, Anixter. “Business really picked up in 2004,” said Mike Duncan, senior vice president of security solutions at Anixter.

A defining moment

According to a report (written by this author) while heading the team at Forrester Research, the year of change was 2004, when companies spent $400 million dollars on projects requiring the cooperation of corporate security and IT. That was a quantum leap from the previous years when spending was essentially non-existent.

Suddenly, IT and corporate security directors discovered that the IT infrastructure could reduce costs and increase effectiveness of corporate security applications like surveillance and access control. No one in IT or security wanted to completely overhaul the security architecture. But everyone seems to want to begin the migration to the Internet protocol (IP) standard.

IT companies like the way that sounds. The solutions offered by the techs today assume that customers will use a combination of traditional and new, IP-based, solutions. Anixter’s Duncan describes his company’s perspective this way, “We have the ability to understand the customer’s existing security and network infrastructure and help them migrate to new technologies.”

TechData is a 30+-year-old distributor of technology products. IT integrators and resellers enjoy a large selection of competitive and functional products to add to their customer’s projects.

Over the last several years, TechData’s customers suggested more physical security products for the distributor’s portfolio. It was a trickle at first. After some years, TechData executives discovered that they had quite a few video surveillance products in the catalog, and a critical mass of integrators working on physical security projects.

This April, TechData announced its strategic product unit focused on the physical security customer and technologies. Physical security integrators will find some familiar products from Axis, Sony and S2. “There’s still a lot of work to do,” said Annette Taber, director of TechData’s Advanced Technologies Group, with oversight of physical security, point-of-sale and RFID technologies. “We definitely want to go after the physical security buyer.” But don’t think of TechData as merely a ruthless IT company encroaching on the physical security world. “We provide training, a state-of-the-art demo center, a broad range of tools including software and networking products and a consultative support for growing business and running business more efficiently.”

It won’t be long before proposed solutions to access control problems will be a mix of access control software, IP door controllers, directory servers, and enterprise single sign on software delivered by an IT integrator.

John Moss, founder of S2, is already putting something like that together. In April, his company announced a partnership with IT software company Imprivata, based in Lexington, Mass. Security directors can manage privileges to doors and facilities with the same tools used to manage privileges to the network and applications running on the PC, like e-mail. Streamlining administration cuts costs and increases effectiveness. This is the wave of the future.

But if companies are putting more devices on the network, and moving more data across the wires, you can be sure that Cisco will notice.

And they have. Also in April, Cisco completed the acquisition of SyPixx Networks, based in Waterbury, Conn. Cisco declared this representative of the beginning of an “Emerging Trend,” which in the lingo of Cisco means they expect to make a billion dollars annually from the physical security business at some point in the future. The SyPixx products will become part of Cisco’s Intelligent Converged Environment, an architecture combining data, voice and video on the same network, a sweeping trend in IT dominated by Cisco, Nortel Networks and Avaya. (For more on this, see the author’s April Business Matters column.)

Think of it as a new infrastructure for security. Instead of silos of proprietary, disconnected systems, there will be a platform on which dozens of applications will run. Video surveillance will be an application on this new “network,” as will video storage, and analytics, and facial recognition, and then access control and environment sensor monitoring. You get the idea. Once we agree on the type of plumbing we’ll all use, we can focus on building better solutions and extracting more value.

“Breaking down silos is always a pathway to value,” says Cisco’s Vice President of Emerging Technologies Marthin De Beer. He expects today’s massive adoption of converged networking to benefit the enterprise customer in many ways.

The new common platform originated with the Internet, motivating millions of people to share their data with one another easily and cheaply. That ultimately caused the wholesale standardizing of communication.

Physical security and environmental controls are two of the last technology areas to join the age of the Internet – but the change won’t happen overnight. De Beer describes it as “an evolutionary path, not a revolutionary path.” But the change is coming. And it is changing everything.

Some companies, like Microsoft and Symantec, are less interested in leading the charge. Microsoft bought Alacris this year to manage access cards used for networks, but has yet to formulate an identity management strategy for the enterprise. An informal conversation with a Microsoft product manager at the recent RSA security conference revealed that the software maker “isn’t clear about the possibilities of card-based access control.”

Symantec, the security and storage software giant, has building blocks for some compelling solutions in security event management, incident response, security intelligence, video storage, managed services and security reporting. Unfortunately for the market, Symantec is not yet ready to offer solutions for the larger security industry. But watch for such sleeping giants to take a commanding presence in coming months.

Who created these monsters?

Twenty years ago, access control and video surveillance were much simpler. There was no data security department in most organizations – and even if there were, it was relegated to the dark corners of the basement or data center. Similarly, corporate security was the last office at the end of the darkest corridor.

By the mid 1990s, the IT security hobbyists working on mainframe computers had made enough noise about viruses and hackers that business managers finally authorized a budget for data security.

The years went on, with security professionals dreaming up every bad thing that could possibly happen, then devising ways to mitigate them – all the while complaining that the executives don’t pay enough attention to security.

In 2000 the economy tightened up and for the first time corporate and IT security directors were brought out of the shadows and into the light – but it wasn’t the limelight of the stage. It was the interrogator’s lamp. For the first time, security experts were asked to describe protection efforts in terms of return on investment (ROI), and cost-benefit analysis.

It got worse after 9-11 when hundreds of CEOs called in the heads of IT security and corporate security for a briefing, only to discover that the two people had never met one another.

Then another shoe dropped. Enron. WorldCom. Sarbanes-Oxley. Basel II Capital Accords. European Union data protection directives. Suddenly, risk management was the new bon mot of the executive suite. Chief security officers rose to the occasion, but were limited in their influence. Security plays a role in corporate risk management – to be sure – but it is a role subservient to investment risk, brand risk, credit risk and the myriad other forms of risk management.

Meanwhile, the chief information officer (CIO) was steadily growing in status and influence across all sectors of the corporation. In time, the information technology professionals did the best job of translating the importance of technology to business value. Physical security professionals have still not learned that language. As a result, the IT professional is often the “go to” guy for technical risk mitigation.

In addition, IT security vendors such as Symantec, netForensics and Consul Risk Management are already “plugged in” to activities related to regulatory compliance. They make a natural partner for physical security and the CIO.

The IT security team is commonly brought in for projects related to identity management, one-card access management and security event management. Sometimes the IT security department calls on the expertise of corporate security when deploying biometrics, door controls or surveillance for sensitive IT areas such as the data center. The growing cooperation and mutual interests of the two groups is giving birth to new technologies.

Quantum Secure’s policy-based approach is representative of the new breed of security solution. The Silicon Valley-based company has developed a software platform managing access control, identity management and incident management across traditional and newer IP-based devices.

But not everyone thinks that change is good. Stan Schatt, analyst at IT research firm, Current Analysis, said that while small- and mid-sized companies embrace network convergence because of the clear savings on their telephone bills, “Large enterprises have dragged their feet in part because the savings are not as significant and in part because of the complexity of their network infrastructures. There also is a nagging concern about security and reliability.”

New world

Security executives know intuitively that security is not simply floating over to IT. IT is becoming a tool in the toolbox of the security director. IT makes connectivity cheaper and faster, cuts costs, improves functionality, increases value, and makes security better. The security executive that embraces IT as a tool will protect not only the interests of the corporation, but his or her own career, too. V