Steve Hunt on the Physical Security Industry

Security industry consultant Steve Hunt is a self-described rabble rouser. Hunt, a former analyst who once headed up the security research practices at Giga Information Group and Forrester Research, now runs Hunt Business Intelligence, an industry advisory firm. His additional background in physical security has made him a central figure in discussion about the interplay of physical and IT security.

On his site, securitydreamer.com, Hunt opines on anything from security trends to his love for Twitter. He recently posted a criticism of the physical security industry for a lack of innovation and spoke with CSO about the feedback he received to his comments.

CSO: You said your post criticizing large physical security companies was very popular. Can you give a brief synopsis of your argument?

Steve Hunt: The physical security industry is often characterized as an old-boys network. It’s an industry, in general, that is not used to public critique or criticism. There has been no Gartner group, no Consumer Reports magazine, to help customers and serve as their advocate. That means that the large companies have been able to develop sales channels that are sometimes impersonal.

These sales channels lock in customers and dont allow for a lot of freedom or flexibility to build a best-of-breed solution. If you are going to do business with Honeywell or Tyco, you pretty much have to do all of your business with Honeywell or Tyco. It’s not just because Honeywell and Tyco have a large number of products they want to sell you, but their sales channel has an incentive to lock you in. If a customer tries to add non-Honeywell or non-Tyco products to the mix on their own, the big companies can actually fight them legally or pull out their products. It’s just a really mean business.

I talked to senior executive at one of these large companies and said: “When was the last time you had lunch with one of the end users of your products?” And he said: “Lunch with an end user? I dont think I ever have.”

This is a top executive selling billions of dollars in products to end users. But he argued his customers are the distributors. And their customers are the integrators. And their customers are dealers and end users. Big companies are pretty far removed from end users.

In IT, we know about dealers, we know about integrators. But in IT, an end user always feels they have some recourse with the manufacturer. An end user can always call Symantec and complain, or call Microsoft and complain. But in physical security, there is no channel of communication, no way to do that.

Can you give an example of how this is hurting companies that use these products?

For example, one company I spoke with uses an access-control deployment from Honeywell. The system is excellent for opening doors and managing privileges. But they dont have a state-of-the-art visitor management system; a system where you log in visitors at the front desk and give temporary privileges. This company I spoke with, a large insurance company, tried to bring in a best-of-breed visitor system and integrate it into the Honeywell access control systems they were using. Honeywell pushed back hard and refused to let them do it.

What kind of comments did you get in response to your post?

Folks who agreed most loudly were the obviously the end users. But I got feedback from surprising source: consultant and integrators. They actually said: “It almost sounds like you are blaming us for perpetuating this model when all we are trying to do is make a buck.”

But I am kind of blaming them, the consultants and integrators. Consultants specify what they know. And what do they know? They know the products of the big companies. Why? Because the big companies send them on these boondoggle training programs to fancy resorts and hotels, give them formal training in the product and so-called sample specification sheets. The sheets say: “If you ever come across an access control or video surveillance deployment like this, heres how you should specify it.” And it gives a cut and paste from the Siemens catalogue, or the Bosch catalogue, for consultants to use with out using much creativity.

So, I think the consultants are kind of pawns in this big business. And the integrators, they face a different challenge. They, for the most part, do not sell in the sense that IT integrators sell. IT integrators are more inclined to listen to needs of a customer and perform what I call a consultative sale that includes listening and creative problem solving. In physical security, it’s rare to find that. Most integrators are order takers. “How many cameras do you need? Ok, we’ll ship them on Thursday and screw them into the wall.” That’s about it.

Where do you think the physical security industry headed? Will these practices change?

Physical security is still the big ship that is slow to turn. It’s turning and times are changing. Things are getting better, but it’s still fraught with a lot of tradition that makes agility in tech decisions difficult.

One of the important changes we are witnessing is the use of software and software licenses. Software licenses are an age-old concept in IT. But in physical security, it’s a brand new concept and some times a frightening concept. Physical security is in the business of selling and deploying boxes. Even companies with names like “Software House,” a large physical security brand under Tyco, dont sell software licenses. They sell boxes — access control systems.

Young software companies are forcing a change. Why? Because they can’t squeeze into the old-boys integrator network. So they doing what IT software companies have done for ages — sell direct. Then they hand the project off to local integrators, and then sign that integrator up as a reseller. That is the organic model of channel development and that is what young software companies are doing. And they are IT guys with an IT development team and an executive team that builds software for the physical security industry.

The theme of this course of change we are witnessing is the realization that the stuff of security is data. The video images, the access control events, the door opening events, the intrusion events — those are all being recorded digitally, on hard drives or on SANs [storage-area networks]. So, while might start out as analog — it’s recorded digitally and becomes data.

There is a dawning happening that the stuff of security actually is data. And what did we do the last time we were faced with million of bits of unstructured bits of data? We organized it with computers, software and networking. This is what we do with millions of bits of data. We use a standard, best-practice IT infrastructure. And that’s the revolution.