This is the eighth article in a series of articles that explores the convergence of physical security technology and information technology, and its impact on Security departments and IT departments, their personnel and their vendors. This is not just the convergence of physical security and IT security, but a larger convergence of information technology with physical security systems.

If the security industry doesn't heed its customers' cries for convergence, IT and BAS (Building Automation Systems) companies will.

For the foreseeable future the need for security products and services will continue to increase. However, the industry expansion is not likely to be “more of the same” compared to past years. Security needs drive the industry's growth, but other factors shape it. There are many forces that have been at work affecting four critical factors that are set to shape security industry growth:

• technology development
• competition
• customer expectations and demands
• financial sector and investor interest

A Security Stock Watch

SecurityStockWatch.com (SSW) is an independent leading research and analysis firm specializing in the Security Industry. The SSW 100 Index, developed by SecurityStockWatch.com, is the only market index dedicated to the security industry. The performance of the SSW 100 Index has sharply outperformed the Dow, Nasdaq , and S&P 500, on a consistent basis since 2002. See Figure 1   below . Full details of the index are contained in a 261-page report by SecurityStockWatch.com titled, "Profitability Survey, Research and Analysis of the Security Industries", available for free download at:
www.securitystockwatch.com/prod_survey.html.

Figure 1 . The SSW 100 Index

For investors this picture is good news, because in prior years it has been very difficult to get a handle on the security industry from an investment perspective. One reason for the excellent performance of the index is that it goes well outside of the categories of companies that most of us associate with the words “security industry”. The index is composed of stocks “that make it their business to concern themselves with the security issues that now plague our lives on so many fronts...” The stocks fall into these groupings:

• BioDefense (11 companies)
• Environmental Security (13 companies)
• Fraud Prevention (23 companies)
• Military Defense (18 companies)
• Network Security (18 companies)
• Physical Security (17 companies)

This author reclassified the companies on the SSW 100 Index into a different set of categories, to reflect the type of company providing the solution as opposed to the security area to which the solution belongs. The purpose of the reclassification was to help identify convergence factors relating to the index. Figure 2 below shows the results.

Figure 2 . SSW 100 Companies categorized by company type.

53 companies—more than half of the index—are IT sector companies. (4 of the IT sector companies also operate in other sectors as well.)

Somewhat similar to how the SSW 100 Index included IT companies to achieve growth and performance, eventually most of today's security manufacturers, integrators and consultants must also reach out to embrace some aspects of IT. This is because the scope and direction of the four factors critical to security industry growth—technology development, customer demands and expectations, competition and investor interest—have changed significantly, as a result of one or another type of IT convergence.

IT Integrators Take On Physical Security

IT systems integrators have been eyeing physical security projects for two reasons. First, physical security is an important part of information systems security. Second, physical security access control projects are computer-based and network based systems that often interface with Human Resources (HR) information systems, increasingly for the purpose of integrating physical and logical user provisioning (assignment of access privileges). This type of IT integration provides an increased ROI for physical security access control systems that are capable of being integrated. The IT side is more complex than the physical security side, which has comparatively few computers. This has lead IT integrators to conclude that if they can handle the IT side, they can handle the physical security side, especially for IP based systems.

The annual IT project revenues from of any one of the eight largest IT systems integrators exceed the combined revenues of the top 100 physical security system integrators. Certainly they have the financial wherewithal to incorporate physical security products and services into their businesses.

That has been happening most significantly with IP-based digital video systems.

For example, Cisco Systems, Inc. recently completed a project to migrate its 2,600 cameras from a proprietary DVR solution to a network-centric Lenel Systems software application, which Cisco Security Operations controls and Cisco IT supports from its existing server and network operations centers. Prior to the project, Cisco Safety and Security department was storing digital surveillance video on DVRs, the system grew until the Security, Technology, and Systems (STS) department found itself managing more than 330 servers at Cisco facilities worldwide. The department was overburdened by the need to keep so many servers online and up to date with the latest software patches. “One hardworking IT administrator can take care of 100 boxes, and we had three times that many,” says Ken Lang, STS video program manager.

“One morning, IT informed us that about a third of our [DVR] servers were infected”, says Lang. “That was our wake-up call to abandon the ‘silo' support model, where we purchased and self-managed equipment, and instead to work closely with IT to deploy standard server equipment for CCTV.”

Cisco selected IBM Global Service Delivery (the world's largest information technology services and consulting provider) as the implementation arm for the new solution.

The benefits of Cisco's migration to CCTV over IP include:

• Video storage requirements were lowered by 60 percent, representing US$500,000 in savings. The new system reduces storage volume requirements because it has the intelligence to store video only if motion is detected.

• Operational risks were mitigated by expediting maintenance and repair. “When a proprietary box broke, we had to dispatch local security integrator technicians, who often were unfamiliar with our site requirements, to come on site and work with in-house video system technicians,” says Deon Chatterton , program manager for the STS group. “Remediation might take five days or longer. Now we have a two-hour response and 24-hour turnaround for repair.”

• Maintenance costs were reduced by 20 percent because Cisco IT has economies of scale and spends less time monitoring and maintaining servers.

• System security was increased. “Now that we're standards-based, the system is much more secure,” says Chatterton. “Network protection and virus definitions are implemented as soon as available instead of when we get to it.” Cisco IT has contracted through IBM to provide remote security-related updates. The system has paid for itself more than once by enabling the Safety and Security department to apprehend people who had stolen equipment and then recover the stolen property.

Changing the IT elements of Cisco's video system, and switching to infrastructure management provided by Cisco IT, are what provided these and other benefits and made the project so worthwhile.

Download and read the entirety of the Cisco case study from the Cisco website at: www.cisco.com/en/US/about/ciscoitatwork/case_studies/security_dl4.html

IT Projects for Biometrics and ID Systems Dominate the Corporate Landscape

A visit to the websites of smart card makers reveals that their marketing efforts are mainly oriented towards IT departments. For example, the current home page of the ActivCard website states, “ ActivCard is a leading global provider of strong multi-factor authentication, password management, and trusted digital identities with market-designed solutions for Governments, Enterprises, and Financial Institutions…” A September 2002 ActivCard press release states, “ActivCard Identity Technology Selected by Microsoft IT Security Group For Largest Deployment of New Corporate ID Badges.” ID badging systems have traditionally been in the province of physical security. Within recent years, as shown by this two-year-old press release, they have increasingly become IT projects.

Biometric security for PCs and Networks, including fingerprint scanners built into keyboards, means that there will be far more biometric security devices employed for logical security than for physical security.

Building Controls Companies Take On Physical Security

It's not just the IT sector that is bringing new competition for physical security projects. The #1 company on Security Distributing and Marketing magazine's list of 2004 Top System Integrators is Siemens Building Technologies—a building controls company for whom security systems projects are less than 20% of total company revenue.

Two major security companies, GE Security and Bosch Security Systems have both released products designed to facilitate integration of HVAC, lighting, fire alarm and security systems. They are Facility Commander from GE, and System 3T Building Management Solution from Bosch. The integration for both is based upon Ole for Process Control (OPC), a well known standard in industrial automation and building controls. OPC is a series of standards specifications, which are available from the OPC Foundation (www.opcfoundation.org). Architect & Engineering firms increasingly require product specifications compliant with OPC, and since security systems are part of building controls, it makes sense to support OPC integration capability.

Financial Sector Interest

John E. Mack III, Co-founder and CEO of USBX Inc., and former CEO of Protection One (one of the largest monitored security services in North America ) said in a May 2004 interview with SecurityStockWatch.com, “The convergence of digital technology with security systems, has spurred capital investing in security equipment. Security systems with digital technology can yield heightened productivity because things like video surveillance can be done much more effectively today.”

Mack also said, “And we've seen a more recent trend where companies involved in IT integration work are looking at the intersection of physical and logical security, or the intersection of IT infrastructure with physical security infrastructure all of which is now operating on the same network with digital systems in the security arena. All of this is causing large IT integrators to focus on acquisitions in the security space.”

In 2003 three firms established the annual Security Growth Conference (www.securitygrowthconference.com), USBX (www.usbx.com), Security Systems News (www.securitysystemsnews.com) and Mitchell, Silberberg & Knupp (www.msk.com). This conference brings together CEOs of the largest global security companies with CEOs and Senior Executives of the leading independent security companies and members of the financial community for high-level business development, merger and acquisition opportunities, financing and networking. Participants in this conference were able to observe another trend: an increasing number of companies whose founders and CEOs come from IT company backgrounds, such as NetBotz (www.netbotz.com) and VistaScape (www.vistascape.com). Although not presenting at the conference, DVTel (www.dvtel.com) is another company whose executives come from the world of IT. The personnel of such companies can engage in productive dialog with regard to both security and IT issues, and their products designs and marketing reflect their knowledge.

New Definition of “Security Industry”

As the SSW 100 Index indicates, the definition of “security industry” is expanding. Mack explains, “Historically, the focus on the security equipment business would not have included the notion of a bomb detection business, but more likely, card access control, alarm panels, and digital video surveillance equipment. Certainly there is a broader interpretation today, which includes things like bomb detection, IT solutions and a whole range of things. We're also seeing a very broad definition of physical security from companies interested in broad exposure to the market.”

The increased threat of terrorist biological, chemical and radiological weapons has also added a new dimension to security and many companies. Thus chemical and medical companies are now contributing security solutions.

Convergence Means More Business Opportunities

Mr. Edward Y. Ching, Senior Technology Analyst Rodman & Renshaw, LLC, said in an interview with SecurityStockWatch.com, “I believe that government and corporate enterprises are planning a return to network expansion projects that were put on hold due to the downturn in IT spending from 2001 to 2003. I think that wireless networks, enterprise security and data storage solutions should be high on enterprise IT budget lists.” This would provide increased opportunities for upgrades and expansions of physical security networks and systems, too, many as part of corporate IT projects.

Gemplus's U.S. Corporate Security Systems Study, carried out by Frost & Sullivan in December of 2003, showed that 30% of Fortune 500 companies surveyed are currently using or testing smart cards within their security systems and 39% of the companies surveyed plan to use smart cards within their corporate security systems within the next three years.

The question remains as to who will see the bulk of the security projects, traditional security system integrators or their IT competition? Security system manufacturers, integrators and security consultants need to give serious consideration to the trends being examined in this article.

Manufacturers

To maintain viability for their companies, many manufacturers need to establish viable positions for their products in building controls and IT, to the extent that their products will be installed, integrated and used by or for IT departments or building controls companies. This includes educating their specifying consultants and system integrators. What will happen when IT systems integrators come knocking? The response certainly should be based upon a corporate strategy developed with an awareness of the trends identified in this article. For most security companies, such strategies will involve decision-making factors that did not exist when the current corporate strategy was formed.

Integrators

Physical security system integrators need to become IT savvy in a hurry. Partnering (with an IT systems integrator or network consultant) is not a replacement for getting educated. On one recent physical security system project, which utilized the customer's network backbone, the security systems integrator relied completely upon a network consultant to provide the specification for the system's network components. The network portion of the specification omitted some key equipment. The integrator had to absorb the cost of the network equipment including installation and setup. This cost exceeded the network consultant's fee, who didn't specify the equipment because the security systems integrator didn't provide the information that would have indicated its need. Mistakes like these by security integrators encourage end users to take a closer look at what IT systems integrators have to offer.

Security Consultants

Security consultants also need to be more IT savvy regarding the kinds of system integrations the products they specify will be involved in. In most cases the software (middleware) that “glues” the various applications together will be provided by IT either as an in-house or contracted effort. The requirements and design for the middleware will include the security system integration. Not only must the security consultant be able to discuss the security system's role in the overall integration, he must specify a system that is up to the task.

The Biggest Danger: Ignoring the Customer

The previous article in this series (ST&D July 2004, “Broad Convergence – IT, Security & Building Controls”) discussed the need for interoperability between systems, and pointed to the building controls industry as an example of customers driving change. In retrospect, it can be seen both customers and companies would have benefited from a more timely industry response. The article suggested that the security industry take a lesson from the building controls industry, and actively pursue interoperability without having to be dragged into it by the customer base.

There is danger in looking to the history of building controls industry for guidance. It took 10 years to develop the BACNet specification (www.bacnet.org). The BACnet Committee is currently working towards standard objects and services for security. This effort relies upon improvements to the network security model within the BACnet standard. The Network Security Working Group was formed in January 2001, and work is still in process on the network security model. The Life Safety and Security working group has recently completed work on the life safety features of BACnet needed for fire alarm systems and is just now starting to focus on security system requirements. If this work continues as previous BACNet work has, it will be years before BACNet contains the needed support for security systems, and years more before companies adopt it.

The danger is this: unlike the HVAC and lighting control portions of the building controls industry, the security industry can not safely drag its feet for years. The building controls industry did not have outsiders waiting in the wings that could simply come in and take the business away from it integrators. The security industry does. The IT industry has the technology, the people, and the money to pull it off.

Encroachments have already taken place, for example, with IP based video systems, web-based visitor management, and Identity Management Systems. ID management used to be the province of the security industry. IT companies came along and produced enterprise systems that securely manage identities and coordinate user details across an organization's many identity data sources. That's a much greater capability than what is offered by traditional security ID badging systems. Some security industry companies responded by adopting the related IT standards and interfacing with the IT systems. Most did not respond at all.

Microsoft

Implementing an Identity Management System is no small task. So, to help make the introduction, Microsoft offers a 6-month evaluation version of Microsoft Identity Integration Server 2003, which is downloadable from the Microsoft website. Microsoft Server 2003 includes a free implementation of a Public Key Infrastructure (PKI) system, suitable for small businesses. PKI is a component required for smart card based access control to information systems. Both Windows 2000 Server and Windows Server 2003 support smart cards for Windows logon.

Why stop there? What if Microsoft took a liking to networked video? Would we see Microsoft Video Management Server 2005, with a 6-month trial version downloadable from the Microsoft website? If that happened, you could expect to see the Microsoft development website offer a video server development kit, so that anyone could interface to the software. Networked video management software would be a conservative move compared to what Microsoft is doing in the automotive world.

This past July Microsoft and Fiat announced that they will design onboard information and communications systems—incorporating voice-recognition and global-positioning technology— to let people make hands-free phone calls and access online driving directions, among other features. They will also be able to listen to music stored in players via a USB connection in the dashboard. Fiat plans to integrate Microsoft's Windows Automotive technology across all Fiat, Lancia and Alfa Romeo models.

The planned Fiat/Microsoft system is still being designed, but it's expected to be less expensive than many other systems in part because it will be standardized across the car maker's lines, rather than customized for individual models. The deal is non-exclusive, which will allow other automakers to follow suit using standardized systems.

Open Standards and Interoperability Require Culture Change

IT has thrived on open standards and interoperability. Security industry manufacturers fear open standards and interoperability. They would much prefer things to remain unchanged. But the IT door has already been opened, and it cannot be closed.

Cisco reports that the chief lessons learned from the transition to digital CCTV pertain to making the best use of Cisco IT resources. “Physical security and IT security are converging,” says Chatterton , “and the two groups need to work more closely than before. When we managed the servers ourselves, a hardware or software problem was a serious issue for the department. Now we just generate a case and IT uses their technical resources and expertise to resolve the issue. We had to shift our culture to let IT do the work and run through its own processes.” The Cisco case study document states, “All parties agree that the culture change required to partner with IT yielded dividends.” (Underline emphasis added.)

Like Cisco, many end-users are experiencing corporate culture change due to convergence. Unless there is a corresponding culture change within security industry companies, the end-user change will amount to a shift away from traditional security companies to IT services companies.

Commoditization

Manufacturers, and to some extent integrators, fear the commoditization that open standards and interoperability will bring. Most don't stop to think that their current success is due in large part to the commoditization that has already occurred in IT. If the network cards of the early 1990's had remained proprietary and kept their $500 price tag, we wouldn't have IP-based video or IP-based anything. Now gigabit Ethernet adapters are less than $100, and high-speed networks are commonplace. Today's security systems require a commoditized IT world.

Hal R. Varian, professor of business, economics and information management at the University of California , Berkeley , says in a New York Times article of May 6, 2004 , “Standardization and commoditization of a technology don't always mean that innovation stops. Once products become commodities, they can serve as components for further innovation.”

“In the 19th century, American manufacturers created standardized designs for wheels, gears, pulleys, shafts and screws. As such standardized parts became widely available and could be purchased ‘off the shelf,' there was an outpouring of invention,” explains Varian.

Commoditization is what has made the IT explosion possible. Millions of people could take advantage of and build with what only hundreds or thousands could before. IT service providers no longer make money selling network cards. They sell information systems. And neither the customers nor the service providers would ever desire to turn back the clock.

Why wouldn't commoditization in the security industry result in a security explosion? History says that it would. History also tells us that commoditization, based upon open standards and interoperability, is the inevitable next step for the security industry.

Customer demand for interoperability between brands will keep building. If it is not satisfied from within the traditional security industry as we know it, it would only be a small step for a few companies outside the industry—or for the single largest security customer, the government—to work to produce open standards. It has already happened with smart cards.

Smart Card Interoperability

A major impediment to the widespread use of smart cards in both the private and government sectors has been interoperability. The majority of smart cards from different vendors are not interoperable. They must use software and smart card readers specific to the type of card. Since private industry had not stepped forward to establish interoperability standards, the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce began working with industry and other government agencies to provide interoperability specifications and guidelines to give organizations an open and standard method for using smart cards. On July 16, 2003 version 2.1 of the Government Smart Card Interoperability Specification was released.

The Digital Security Initiative work group of the Smart Card Alliance said, “The release …is a significant event in the smart card world as it is the first comprehensive effort to address the interoperability requirements of the enterprise market. It will become as important as Europay/Mastercard/Visa (EMV) specification is to the Payment market and Global System Mobile (GSM) specification is to the mobile telephony market.”

What if a company was able to contract with the federal government to (a) develop interoperability standards and then (b) provide systems based upon those standards? Is such a company liable to take the market by storm, leaving other companies to do their best to catch up?

The largest combined physical and logical security project, the Department of Defense's Common Access Card (CAC) project, was initially severely hampered by poor response from the smart card and security industries. More progress has been made implementing the IT side of the projects than the physical side. It's not just a matter of “stovepipe” management or lack of dialog between physical and logical security groups. The side with more standards and greater interoperability (thanks to the Government Smart Card Interoperability Specification) has made the most progress.

The NIST Government Smart Card Interoperability Specification can be downloaded from: smartcard.nist.gov/gscis.html

According to the USBX Quarterly Security Report of May 2004, “The majority of the large security budgets allocated to government agencies will be used to integrate disparate security devices instead of purchasing new systems . Most government agencies have standalone systems at multiple sites that make integration a greater challenge. The government will look to invest in technologies that provide complete solutions with integrated functions such as time and attendance and building control, and make them more robust.” (Underline emphasis added.)

Integrators have mixed reactions to reports like this, because what they can actually accomplish is limited by the capabilities of today's systems. The security industry will not be able to continue frustrating customers for much longer, without forcing outside action.

Shaping the Security Industry

It is inevitable that security industry will evolve and expand. Will the shape of that expansion come from within the security industry as we know it, or from without? If the changes are likely to have any impact on you, give some serious thought to your part in it. Whether by casting a vote, raising a voice, or leading an initiative—do something.

From Security Technology & Design Magazine, September, 2004.