From Standalone Products to Complete Solutions: The Advent of Customer-Centric, Enterprise-Aware Security
With its increasing technological sophistication, security is by necessity an engineering-driven industry. And, as engineers, we frequently focus too narrowly on the specs of a product rather than on how it can specifically meet a customer’s need. Too often, our industry has looked at technologies as ends and not means, or, to put it in marketing vernacular, we've pushed drill bits and shovels when what the customer needed was a hole. That is changing. To be effective, today's security needs to sell solutions, not products.
Let's look at a very common business security scenario. A person goes up to the front door of a business, and presents a card to the access system. It is approved, and the door unlocks. The person gains access to an interior area where he must enter a code to disarm the burglar alarm. While this is going on, a camera is continually recording the activity. So, in the first few seconds the person has interacted with three security products: an access control system, a burglar alarm system and a video surveillance system. Odds are, these three systems were manufactured by three different companies, installed by three different suppliers, and, most likely, none of them "know" the other two exist. They are three standalone products.
From product-centric to customer-centric
Contrast that with a customer-centric solution. A person goes up to the front door of a business, and presents a card to the access system. It is approved, and the door unlocks. And, at the same time, the burglar alarm is disarmed for a few seconds, and the surveillance camera, which was likely idle moments before, is activated by the activity and records the transaction.
Some of the benefits might be readily apparent; for example, there is less irrelevant surveillance footage archived because the surveillance camera now "knows" when there is something to record. But, behind the scenes there is more to report. When the person presented the access card, the "approval" portion of the access system is no longer a standalone database within the access system: it is likely connected to the central HR database, which communicates not only with the access system but other corporate databases such as payroll, auto leasing, cell phone activation and so on. When the employee is terminated in the HR database, all the other databases, including the access system, know it. Immediately.
In the first scenario, if that employee had been terminated the day before, it is, as we all know, a toss-up whether the proper parties were contacted to get the person's access status changed, which, depending on the circumstances, can be a recipe for anything from embarrassment to disaster. However, in the customer-centric scenario, once HR knows that the employee is terminated, which is usually at the same time as the employee (if not sooner), all employment privileges are revoked instantly from all databases.
So, in the second scenario, if the person approaching the door was terminated the day before, their card will be rejected and the door will not unlock and the burglar alarm will not deactivate. But, the card is not just "dead." The access system will recognize it as a recently invalidated card, record the relevant information, and activate the camera to provide archival evidence that the card was used, and when and by whom.
All of these capabilities and more are what happens when you decide that what is needed is not "access system, burglar alarm and surveillance system products," but, rather, simply and holistically: "a way to make it easy for the people you want to get in to get in, and hard for the people you don't want to get in to get in."
Customer-centric means customer input
To do this most effectively, security companies can't afford to let engineers be isolated from customer discussions. There needs to be a direct or indirect conduit to feed them information from the marketplace.
This continuous input from the customer is essential. And most of the top security companies today host user meetings, conduct focus groups and surveys, and/or perform regular customer interviews, "Voice of the Customer" or other formal, specific marketing research.
It is interesting that much information about day-to-day customer needs is anecdotal and not likely to be anticipated without actually watching or at least getting direct feedback about real-life experience. For example, just a couple of years ago the industry was hearing that, of all things, "politeness" was inadvertently beating the access system in many locations. That is, two employees are chatting, walk up to the door, the first swipes his card and courteously holds the door for the second person, who enters without swiping his card. So, that means there is no record of that second person ever being in the building, which, obviously, can cause various legal and security issues in some environments.
And, of course, this assumes that that second person is one who should be there, which is another issue; what if he was terminated yesterday and the first person doesn't know it, or what if the first person just "assumes" the second works there and would find it awkward to challenge him?
So, with this combined knowledge, a customer-centric solution could be developed. For example, the access control system could be integrated with the computer log-in system. And, if you're not in the building, obviously, you couldn't possibly be at your desk logging into your computer. So, employees soon learned that each one had to present their access card individually, bolstering security in the building.
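The badge-to-login integration described above can be sketched as a presence check that the log-in system runs before accepting an on-premises login. This is an added example, not code from the article or from any vendor's product; the event fields, the badge-out events, the 16-hour staleness limit and the sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    when: datetime
    employee: str
    direction: str  # "in" or "out" (exit readers are an assumption)

def present_at(badge_events, employee, at, max_age=timedelta(hours=16)):
    """True if the employee's latest badge event at or before `at` is a
    recent 'in'. max_age expires stale entries at sites without exit readers."""
    last = None
    for ev in sorted(badge_events, key=lambda e: e.when):
        if ev.employee == employee and ev.when <= at:
            last = ev
    return (last is not None and last.direction == "in"
            and at - last.when <= max_age)

def evaluate_logins(badge_events, logins):
    """Return (employee, when, decision) for each on-premises login attempt."""
    results = []
    for employee, when in logins:
        ok = present_at(badge_events, employee, when)
        results.append((employee, when, "allow" if ok else "deny-no-badge-in"))
    return results

def demo():
    # Constructed sample data: alice badges in and holds the door for bob,
    # who never presents his card; alice later badges out.
    day = datetime(2024, 3, 4)
    badges = [
        BadgeEvent(day.replace(hour=8, minute=58), "alice", "in"),
        BadgeEvent(day.replace(hour=17, minute=30), "alice", "out"),
    ]
    logins = [
        ("alice", day.replace(hour=9, minute=5)),   # badged in 7 minutes ago
        ("bob", day.replace(hour=9, minute=6)),     # tailgated, no badge record
        ("alice", day.replace(hour=18, minute=0)),  # credentials used after exit
    ]
    return evaluate_logins(badges, logins)

if __name__ == "__main__":
    for employee, when, decision in demo():
        print(when.isoformat(), employee, decision)
```

The denied attempts are also the records worth keeping: each one is either a tailgating event or a credential being used by someone other than its owner.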
Sometimes, situations are unique to an individual industry, and might not be anticipated without learning, firsthand, about the needs of that type of enterprise. For example, a not-unheard-of scenario in the banking industry is an armed perpetrator lying in wait at the front door waiting for the bank manager to disarm the system and then walking in with him. This would not be anticipated if one continues to take the "one size fits all" product-centric approach, where, if one just knows transportation, or retail, or office, the scenario might not come up. But, taking the customer-centric approach, engineers would know to build in a way to neutralize this threat in the complete security solution they would craft specifically for the banking industry.
Contrast this with the old days of "product-centric" solutions. The bank would buy the same off-the-shelf burglar alarm system that any other business would buy, solving some, but not all, of their challenges. Now, hopefully, they can buy a "customer-centric" solution, with multiple, custom-designed products all working together to solve their specific problems. And that helps make all of us safer, every day.