What does the integrator of the future look like?
One of the consistent themes to emerge out of this week's TechSec conference is that, for the large part, the physical security integrators of today are not prepared for end users' needs today, and are even more ill-prepared to be satisfying end user demands in the very near future. (The caveat being that I'm talking about relatively large-scale projects. It may be that light commercial alarm systems with a bit of video and access control are being well delivered. That portion of the market is under-represented at TechSec because there aren't really "end users" in that market. It's unlikely the local retail shop has some kind of security director. It's just the owner of the store. Is he happy with his system? I have no idea. That person is hard to query on a large scale.) So, it would seem that a new breed of integrator needs to emerge (or is emerging) to address these large-scale jobs, like power stations, water districts, airports, retail chains, transportation agencies, and the like. But what will that integrator of the future look like? First, it's perhaps most instructive to look at the integrator of today. I've talked about this in the past, but it continues to be concerning that end users seem so dissatisfied with the performance of their security systems - and the performance of their security system integrators. So, why are they disappointed? 1. The products being sold to them are being marked up unreasonably, in their opinions, because they can go find the same products online for significantly less. Why, they wonder, are they paying for labor plus a huge mark-up? This is driving down margins for systems integrators, and creating a race to the bottom of out-bidding on price, of course, and I'll get to what that means later. 2. There is too much of a focus on technology and products and not enough focus on policy and design. This is why they are turning to consultants, because they feel they're just being sold pre-packaged systems and are not being consulted by integrators on the problems they want to solve. One end user at the show told a great story about calling up an integrator to get a quote on a video surveillance system in a warehouse. The integrator asked what the square footage was. He told him. "Okay," the integrator said, "that'll be a 16-camera system. I can be out there to install it next week." The integrator (maybe it's generous to label the company that way) never even looked at the property, or asked a single question about the end user's concerns, and was ready to sell him a system. I fear this is too commonplace an occurrence. 3. When it comes to the network, security integrators just don't understand. End users are having their IT departments get involved in the sales process and they're being told the security integrators just don't have a clue about end-point security, about trusted appliances, about network access control, about denial of service attacks, etc., etc. Security integrators are trying to meet demands for IP-based products, but aren't willing to invest in the training or people necessary to do this in a responsible fashion. End users are unimpressed, to put it lightly. 4. Security integrators don't have the project management skills to deal with the large-scale security projects that are being spec'd. I've heard this from manufacturers, from consultants, and from end users alike. Why do you think Genetec created a professional services division? Because the integrators are doing so well deploying their product? Take the PSIM software category. These software packages are incredibly complicated to deploy - so much so that the manufacturers can't scale because the integrators don't have the skills to do the installation and to mange it themselves they'd have to hire hundreds of software engineers to manage the deployments, which only come along once in a while. These guys - VidSys, Orsus (now Nice), CNL, Proximex - have a seeming value proposition, but they can't seem to get out of the gate because they can't develop a cadre of integrators that can get their software out into the field. Is this because their software is overly complicated and impossible to deploy, or because the integrators won't staff up to take on the challenge of the deployment? It's hard to know. But at least part of the problem is a lack of software engineering skills possessed by the integrators, and a futher part of the problem is a lack of project management skills. They can't seem to think big enough. 5. Those large government contractors - Lockheed, Northrop, Boeing, etc. - don't seem overly interested in the commercial, non-governmental market, and when they do enter the space, end users have a hard time getting their attention. There was general agreement that end users want access to upper management and want accountability from their integrators. This is hard to get from multi-billion-dollar companies. So, what do integrators need to do and look like in order to solve some of these problems? This was addressed most clearly in a panel discussion that featured Bill Bozeman, who runs PSA Security, a product-buying co-op/distributor for some 300 security integrators; Paul Cronin, who runs 1nService, a somewhat similar organization for IT-focused systems integrators; and Pierre Trapanese, president and owner of Northland Controls, a systems integrator based in San Francisco. The panel came about because I asked Bill and Paul to put together something on how physical security integrators and IT integrators can partner to approach jobs. This was a theme of theirs when they announced a collaboration between their two organizations last spring. However, their message when they finally came and presented is that the whole partnering thing really just isn't happening. Basically, just two of Bill's 300 security integrators had taken advantage of the relationship and cheaply joined 1nService. Virtually none of them was interested in reselling IT products and doing IT integration. Nor was any crossover happening between companies who were members of the two organizations. No partnering was happening. About eight of the 1nService guys had joined PSA [Edit, 2/11/10 - Bozeman tells me that three 1nService members have actually joined PSA. I had 8 in my notes from Paul's presentation], mostly to install IP video, which Paul said is a rapidly growing business driver for his members. Essentially, the IT guys are just coming in and taking the business and don't really care to work with the PSA guys, or at least don't feel like they have to. In Bill's opinion, if it wasn't for the security knowledge needed for installing access control systems, he'd be really scared for the future of the physical security integrator. As it is, he's not exactly bullish. However, Pierre was on the panel, Bill said, because he represents a company Bill feels can succeed going forward. In fact, he said Northland had grown more rapidly than any PSA member he'd ever seen (some 10 times in the last four years) and because of that actually flew out to San Francisco to personally take a look at the operations and try to figure out what they're doing so right. He was especially impressed with Northland's ability to quickly expand with overseas offices, something Bill said he's tried to do on more than one occasion and with more than one company, and failed every time. So, what can we learn from Pierre, Bill, and Paul when it comes to addressing the five problems above? 1. Product mark-up. The recession has driven margins down, and they're not coming back up. There was general agreement on that. But Paul was a bit incredulous that security integrators were ever marking so far up in the first place. IT integrators largely live on 8-10 percent margin mark-up on product sales, with as much as 55-60 percent of all revenues coming from service, he said. This happened when the market commoditized in the 1990s, and that put a lot of integrators out of business who were dependent on product margins. Those that survived switched to a service model, and Paul said the Y2K concerns solidified this business model when integrators realized they could be vital to a business's overall operations and that they could sell themselves as long-term partners with their customers. Bill estimated that security integrators are now living on gross margins that are half what they were in the 1990s, but that most integrators have not changed to the service model, and were thus trying to survive on jobs being bid at 18-20 percent gross margin, with almost no recurring component. This is not how Pierre does things. Get this: Pierre said Northland had a good year in 2009, and didn't win a single bid. That's right, not one bid in 2009, and they were profitable. It wasn't for lack of trying. They just couldn't get their bids low enough, and were unwilling to take unprofitable jobs. So they focused on servicing their existing customers, and managed to do that pretty well. And when they do sell products to those customers, they tell them exactly what the mark-up is and why they're worth it. Security integrators of the future will have to live on low product margins and develop long-term relationships with their customers for which they are paid on an ongoing basis. These companies do exist. It's the model Stanley uses, though they focus more on light commercial. It's the model DTT uses, though they focus only on quick-serve restaurants. It can be painful to make that move, of course, and it takes capital. The residential community knows all about financing growth by ceding product margin in exchange for lucrative long-term contracts. Systems integrators need to find funding sources for making this transition, and train their sales people to understand selling for the long-term instead of selling to win the bid on price alone. Of course, it's hard to win bids in the first place if the end users are buying on price. That's why it's vital to develop relationships with the customers you do have and to show your value to end users before the bid process starts. 2. Selling solutions, not technology. This is something that many people have been talking about for years, but the message still doesn't seem to be getting through. End users need help understanding how to use the technology. They need integrators who can consult on problems and apply technology appropriately so solve specific issues that are important to end users. This came up in Paul Bodell's presentation on video wants vs. video needs. He outlined a scenario where a school was concerned about graffiti and an integrator sold the school a megapixel camera system to help them make identifications. Great idea, but why are you selling them a system that records megapixel quality at 20 frames per second? Do you really need thousands of images of that person tagging the wall? Or do you just need a few great images you can use to make identification. The integrator sold too much system, with too much storage, and it was ultimately too much cost for solving the problem, which left the school district unhappy and unable to use that money to solve other problems. The integrator of the future knows sales people need to be trained on what the technology can and can't do, and need to be trained to ask end users lots of questions before they even start to talk about technology. 3. Understanding the network. This one is easy. The integrator of the future invests in Cisco-certifications, Microsoft-certifications, and engineers and techs in general that are well trained and know their products inside and out. Yes, this sometimes means actually paying for product training, as crazy as that sounds to integrators used to being given free training by manufacturers. Bill talked about the tough job of realizing that all of his 300 integrators in PSA can't be trained on all of the manufacturers' products that would like to sell through PSA. These software manufacturers are not going to give everyone expensive training for free, and, in fact, want to be able to hand select those integrators who do get to resell their product. How do you tell your member companies: "I'm sorry, but you're now allowed to resell that product?" But that's what has to happen. Unless you're interested in investing in the right people and the right training, you're not going to get to resell the right products in the future. 4. Project management skills are vital. This is similar to the point above. The integrator of the future will be staffed with high-level, expensive business-people who understand project management. Pierre told a story about how his competition was incredulous at the salaries Nortland was doling out. How can they possibly be profitable and pay those kinds of salaries? Well, because the people worthy of those salaries generate better revenue, obviously. Bill said the integrators of tomorrow need to be staffed by Stanford MBAs, and they're hard to come by. I would say: "Bollocks. Standford MBAs are a dime a dozen right now." Security integrators need to understand that you don't have to be a "security guy" to be valuable to a security integrator. Where are the security companies at the job fairs at the major universities? Why are security companies telling recruiters like TSS that they only want to hire guys with experience in the security industry? Why do there continue to be about zero women in the security industry? Because the security industry does a crappy job of recruiting and is seemingly unwilling to pay for high-level talent. The security integrator of the future will not be relying on $12.50 an hour techs to be the face of their organization to the customer. The integrator will increasingly see themselves as white collar, with multiple valuable talents, including everything from product installation to software development to policy consulting. 5. Here's the good news. The security integrator of the future will likely be a mid-sized independent company with revenues between $5 and $25 million. When the IT industry changed rapidly, Paul said, there wasn't a vast swath of consolidation amongst the installation companies, and there continue to be a huge amount of mid-sized IT companies that are Cisco resellers, etc. He said the smaller companies were more agile, more able to change to suit end user demand, and more likely to provide exceptional service to end users because the upper management was likely to be directly involved in the projects. It's these mid-sized security integrators that can stand to benefit so much from a few good hires. One or two Cisco engineers. An MBA. Maybe a talented marketing professional to go with that project manager. Yes, you may have to take on salary, but if you hire right, they should pay for themselves. And if you hire them young, fresh out of school, you'll get them cheap, and they'll be computer savvy and likely to quickly understand the new developments in security technology without having to be "security guys." Video on the mobile device? Yeah, they get that. Network access control? Um, duh, that's kind of important. Privacy concerns? They've lived their whole lives online. They know what to protect and how. Further, these mid-sized companies don't have a huge infrastructure that will make moving to a service model quite as painful. It's these mid-sized security integrators who are likely to be able to secure funding for making the transition, if necessary, without needing a huge influx of capital. Conclusion: Some of these moves toward the future involve painful decisions and investment, yes, but nothing I've outlined seems impossible. Yes, the manufacturers could help in the transition by building products that are easier to install and have fewer highly technical requirements. Yes, they could work together to create some standards. That would help. However, much of an integrator's value going forward will result from knowledge and ability, not from having a particularly good relationship with a particularly strong brand in the industry. If I tell a good integrator today that she'll be able, in the future, to compete on intelligence and skillset instead of price and vendor relationship, I think she'll like that just fine.