Today’s security director faces yesterday’s vendor

Next-generation security chiefs are emerging as security systems merge with IT. The new breed has training, credentials, and technology know-how. Security people are also growing more finance-savvy so they can successfully make their pitches to their bosses for dwindling corporate funds. But are IT vendors changing their tunes in concert with their security customers?

March 17, 2009
By Rosie Lombardi

The new guard
In the past, the people in charge of physical security were typically culled from the ranks of law enforcement and the military.

But over the past ten years, there’s been an influx of credentialed
people armed with college degrees and an alphabet soup of industry
designations such as CPP, CISSP, PSP and CFE on top, says Bill Bradshaw, an
Oakville, Ont.-based independent consultant and regional vice-president for ASIS
in Canada.

“There’s been a shift away from ex-police — CSOs and security managers
are more tech-savvy today,” he says. “The old guard is also getting
into technology, but I see a reluctance to get too far into it. They
understand what should be going on in IP-based enterprise systems but
they don’t understand how the guts work.”

There’s also been an influx of risk management concepts in security and
other senior roles, says David Tyson, senior director of information
security at San Jose-based eBay. “Some larger organizations have
migrated towards a total risk approach, and physical security reports
to legal or a chief risk officer,” he says. “SMBs still tend to have
ex-police in charge of this area, but they’re getting savvier too as
there’s been more focus on technology in law enforcement and the
military in recent years.”

With the convergence of logical and physical security on networks, IT
people are also getting involved in security, which creates a certain
tension, says Bradshaw. “CIOs see security in terms of firewalls and
VPNs – there’s no way to integrate a brick wall with a database. But a
CSO sees his job as protecting physical assets, people and information.”

Since security systems aren’t standalone anymore, security directors
now need to consider their impacts at multiple points. “When you insert
a physical security system into the network, the key question becomes,
‘How do I manage this downstream?’” says Tyson.

Security is embedded everywhere via the shared network, so security
directors must also work with a multitude of departments. “The
responsibilities for using, managing and reporting on the system are
spread across the organization – we see Facilities responsible for
maintenance, IT responsible for applications, HR responsible for card
management and Security responsible for system monitoring – some of
which is outsourced to security services companies,” says John
Sheridan, security consultant at Ottawa-based Tiree Facilities
Solutions Inc., a workplace design firm.

But security departments must also compete with these same departments
for dwindling corporate funds. And above them, there’s of course the
CEO to please, armed with a BlackBerry and himself much savvier about
technology these days – who is casting a baleful eye on expenditures in
this ferocious economy in conjunction with his first lieutenant, the

As a consequence, security directors are becoming, by necessity, more
finance-savvy as well. “They’re all looking for cost justifications
when they buy technology from vendors. The MBA hats come out, and they
ask about net present value, ROI, and TCO,” says Michael Martin,
digital media architect at IBM Canada.  

“Bottom line, I need quantifiable business value from vendors – or I won’t get the money,” says Tyson.

How to drive security customers crazy
But many vendors are still singing the same old tunes from previous
eras without much regard for the hard realities of the economy and the
changing business landscape for security technology. Consultants and
end-users recite a litany of complaints.

A major vendor mistake is selling technology features instead of
solutions, often wrapped in technology bafflegab, says Bradshaw. “For
example, saying their video images are superior to the other guy’s
because it uses H21 compression. Even technical people don’t really
understand what that means. All the CSO wants to know is if he’ll get a
good enough shot to identify a person.”

Vendors aren’t providing substantive information customers can use to
sell the benefits to their bosses, says Tyson. Saying a camera can
pan-tilt-zoom is selling a cool feature, but what he really wants to
know is its effect in reducing or dealing with security incidents. “In
most cases, vendors just give me fluff – they’re not helping me make my
business case. All of them claim their solution will solve my problem,
but when I ask them which one, they can’t provide an answer.”

Nor do they provide the metrics needed to evaluate the benefits, he
adds. “I asked a number of vendors what metrics they use to track their
products to ensure they’re actually performing to solve my problem –
and I didn’t find anyone who tracked that. No one’s focused on if we’re
succeeding with their product.”

Disappearing acts once the sale is closed or when the going gets tough
is another common complaint. “Salespeople promise you the moon in
results, for example, saying integration will be easy. Then six months
later, when you’re in integration mode, they drop you – no more
support, box A won’t talk to box B, and all the vendors are blaming
each other,” says Alain Turcot, physical security manager at IBM

Inexperienced salespeople with insufficient knowledge about their
customers’ business and existing infrastructure are often sent in with
generic product data sheets. “Vendors send young salespeople who don’t
have knowledge about older technologies, so they don’t take legacy
systems into consideration in their sales,” says Turcot.

The tough economic climate is spawning particularly obnoxious sales
tactics, warns Martin. “I’ve had two clients come to me in 2009, asking
for help in dealing with aggressive vendors. One CIO said if he blocks
vendors, they go around him and go after his security managers. They’ve
never seen such aggression before – it’s out of control. The client had
to form a vendor review committee to cope.”

The new songbook

Even before the current recession hit, the instability in the physical
security technology sector had many customers worried. There have been
many mergers, acquisitions and bankruptcies in recent years, says
Martin. “Frisco Bay is now owned by Stanley Tools, and GE has been
scooping up companies.”

Security directors want assurances their vendors will be around for the
long haul, as the typical life cycle of security technology is about
seven to 10 years. “When I’m shopping for IBM, my prime concern is how
long that company has been around, and if they can ensure service and
honour their warranties. I have some colleagues who saved some bucks on
their new DVRs but the company went bankrupt after a year,” says

Customers who’ve been burnt have learned their lessons, warns Tyson.
“I’ve seen a long list of companies that sold cool technology go out of
business, and this has caused years of headaches for their customers.
People making buying decisions are more savvy now.”

Market forces may force vendors to change their selling tactics, as
major IT companies such as IBM and Cisco are encroaching on the
physical security side, he adds. “IT companies are way better at
building and distributing IT systems than physical security vendors.
When the day comes that they really move in, it’ll be over for the ADTs
and Tycos of the world. They should be worrying about these paradigm

Some of these vendors are starting to respond, says Martin. “GE and
Stanley are bringing in armies of educated staff. And ADT is working
hard to change its approach, but others aren’t so stellar. Vendors from
the era of two Bobs and a truck who put in alarm systems still have a
long way to go.”

Vendors will need to change their language now that they’re selling to
C-level executives versed in risk management concepts, says Bradshaw.
“There hasn’t been as much change as there could be on this score. CSOs
think in terms of threat, risk and vulnerabilities.”

And their language also has to adapt so other departments involved in
purchasing and using the system understand its impact, says Sheridan.
“Features and functions have to be expressed in terms that every
department can relate to – everything from how the system is going to
be maintained to how much bandwidth the system will use on a particular
segment of the network. There are more stakeholders and decision
influencers inside the buying organization than ever before — each with
their particular needs, challenges and desires.”

More creative terms of sale are also becoming important to customers
with much less discretionary spend than they’ve had in the past, he
adds. “Many customers are looking to amortize capital purchases across
operational budgets. And they’ll be more receptive if there are two or
three pricing options instead of a single buy price.”

A universal complaint is that vendors need to really listen to what
security directors want to accomplish instead of maintaining their
laser-like focus on selling equipment, says Bradshaw. “If a CSO wants
to install an access control system, maybe it’s better to have a guard
at a particular location instead of a piece of equipment, or maybe
improved lighting is a better solution than putting another camera.
Technology isn’t always the best answer.”