This article originally appeared in the January 2024 issue of Security Business magazine. Don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter if you share it.
Hosted cloud-based services are rapidly changing how many integrators provide client security services – from single-site locations to multi-state enterprise organizations. Many reasons are driving this industry change, including the cost-saving elimination of on-premises hardware and the availability of subscription payments, providing clients with set budgets and integrators with dependable recurring revenue.
Clients may choose from a growing list of hosted services such as video and access control, visitor management, and weapons detection. Data from security equipment may reside on servers maintained by the integrator, product manufacturer, or other third-party providers.
The Security Business 2023 State of the Industry report reflects this trend. Of the integrators and consultants who answered our survey, a whopping 87% reported they now offer or specify some degree of cloud-based and/or subscription-based services. This is up from 64% in the 2022 report.
According to Eagle Eye Networks President Ken Francis, who has long been a proponent – and a vendor provider – of cloud and managed services: “Changes in the industry are forcing integrators to change the model of their business, and if they don’t, they are going to antiquate themselves. It is transform or die.”
With video surveillance and access control options leading the way, integrators are finally seeing the many concrete business benefits that subscription-based offerings can provide. To gain a better perspective on this topic, Security Business asked its three-member expert panel to share their experiences with subscription-based services and what they see for its future.
The panel includes John Nemerofsky, chief operating officer of SAGE Integration; Shaun Castillo, president of Preferred Technologies; and its newest member, Christine Lanning, president of Integrated Security Technologies.
“We do multimillion-dollar projects, so when installing cameras for $30 to $50 a month each, we must install and monitor many of them to create a solid recurring revenue base. Yet, once you have that base, it is powerful. We are far from that, but I know many of my industry peers generate tremendous recurring revenue.”
He sees subscription-based services enabling clients to create predictable budgets, something advantageous to virtually all businesses; however, on the downside, he sees cloud-based technologies downgrading the industry’s technical acumen and craftsmanship as full system installations become less critical.
Lanning says she has mixed feelings about subscription-based services – primarily because 60% to 70% of IST’s business comes from government organizations. She says those federal and state departments and agencies are highly skeptical of any off-premises, cloud-based services they cannot fully control. She estimates about 15% of her clients use hosted services on a subscription basis. Within that group, she includes clients requiring typical data-driven services and those requesting hardware such as mobile surveillance trailers for constriction sites and other locations.
These concerns were highlighted in the Security Business State of the Industry report; in fact, the top two concerns about subscription-based offerings cited by integrators and consultants were: End-users bypassing integrators and going direct to manufacturers for renewals or initial purchases; and licensing costs.
“Don’t give up on your ideal client profile just to sell subscription-based services,” Nemerofsky says “Look for client needs that require these services. Clients will be open to the idea if it solves a problem for them.”
Do the Benefits Outweigh the Concerns?
Nemerofsky believes that subscription-based services offer a significant advantage due to the recurring revenue they provide. “In the past, integrators typically operated on a project basis,” he explains. “This means that when they land a million-dollar project, they mobilize, order equipment, and increase their revenue. However, when there is a lull in construction, their revenue takes a hit, yet their payroll remains the same every month. By contrast, recurring monthly revenue from subscription-based services can flatten cash streams, making the business more predictable.”
According to Lanning, integrators with higher levels of RMR can expect greater profits if they decide to sell their businesses; however, she advises industry colleagues to always put the client first before adding hosted services.
“It must benefit the client, or it doesn’t matter how valuable the RMR is to your business,” Lanning says. “Our government and enterprise clients are hesitant to purchase subscription-based services. If I tell them that’s all I’m selling, they will likely choose to go elsewhere.”
In addition to RMR, Castillo says, hosted systems enhance an integrator’s ability to add remote assessment tools capturing problems and providing more system uptime. “With a cloud-based system, the integrator has more tentacles in the system to better monitor and quickly address issues with servers or devices. That’s a way of doing business that enhances the customer experience. Also, when we host the systems, we gain a lot of customer usage data that helps our marketing, sales, and operations teams improve their performances.”
Adds Lanning: “Install more than an access control system. Think of a complete remote security system that handles access control so when there is an incident, you have video that plays into it, along with intrusion detection and other systems that are part of the system.”
Embracing the Cloud Means Cybersecurity Becomes a Top Concern
The three of the panel members credit hosted services with increasing overall awareness of cybersecurity; however, for Lanning, that also comes with a need to prove it.
“It is not the monthly cost that turns off our government clients – it is their concerns around cybersecurity,” Lanning says. “For us to work with government in the cloud, we must get what is called an Authority to Operate agreement and they'll delve into all the specifics of the software. Where did it come from? Where is it installed? How is it protected? How do we ensure that only approved people view the data? There are many issues around this that you don’t see as often in the commercial space.”
Also, she says every widely reported news story of a system hack – such as last September’s attack on MGM casinos leading to a $100 write-off on third-quarter results – leads to more client scrutiny of cybersecurity issues. “If someone hacks an app on your mobile phone, it is no big deal – you can’t play solitaire. But in our business, we’re talking about overall facility security,” Lanning says. “Clients must assess the cybersecurity risks and decide whether to take security in-house or trust an integrator or manufacturer to care for their needs. It is vital that integrators diligently vet their own operations and those of their manufacturing partners, especially on the software side.”
Nemerofsky adds that integrators looking to sell commercial subscription-based services should adhere to SOC 2, a voluntary compliance standard for service organizations specifying how organizations manage customer data.
“You have to explain to your clients what you are doing with their cloud-based data,” he says. “Three years ago, a client asked me about SOC 2. I didn’t know, so I ran back to my team and asked, ‘What the hell is SOC 2?’ I’ve since become very knowledgeable about the standard as our enterprise clients want to see that compliance before we can do hosted installations at their sites. Also, integrators must step up their game and ensure employees can answer questions they are likely to receive regarding privacy issues.”
How it Changes the Integrator-Manufacturer Relationship
According to Lanning, IST rates manufacturers on 20 parameters, including who owns the company, how long it has been in business, and whether it has a cybersecurity policy, insurance, and a hardening guide.
“We want to know everything from tech support to how their systems work. We make sure the products we rep are really good, not just okay. The customers we approach usually have regulatory security requirements and they’re not going to mess around with cheap systems.” She says she’s rejected partnerships with manufacturers that couldn’t meet IST’s standards.
Castillo says many manufacturers have heavily invested in their hosted cloud-based solutions. “They must sell their product, so if security integrators are a barrier to installations, they will get closer to end-users and sell the product directly to satisfy their investors. In some cases, we see a strain on manufacturer–security integrator relationships due to these subscription-type solutions.”
He also warns that manufacturer-hosted systems may minimize integrator profits. “We see some manufacturers offering much smaller discounts on subscription-based services – sometimes half of what we would get with traditional perpetual licensing agreements,” Castillo says. “Be sure to find ways to add value to what manufacturers provide in their subscription-based services. If you don’t, you become nothing more than an installer in a paperwork process.”
Nemerofsky warns of a potentially costly expense when dealing with a manufacturer's hosted or managed system. As cameras or readers are installed, the integrator must turn on the service to change IP addresses and passwords; yet, it may be another two weeks before the system is fully installed and the dealer is ready to begin invoicing the client.
“This may result in being billed by manufacturers, which in our case, could cost SAGE up to $30,000 or more per year,” Nemerofsky says, adding that he advises working with manufacturers to align billing to when a client is invoiced for services.
Castillo offers another warning when dealing with a manufacturer’s subscription-based services. “Many manufacturers’ systems don’t allow customization to meet a client’s specific needs and enhance an integrator’s potential RMR. You must be able to customize because that allows you to create a better solution and enhance the value you deliver to your customers.”
Changes to the Integrator-Customer Relationship
The panel members are big proponents of embedding their company’s personnel at client sites as another form of subscription-based services. Typically, these employees handle security system maintenance, software updates, and badging operations.
“There’s some potential for extra work at these facilities because you essentially have embedded staff who are your champion growing your system,” Lanning explains. “This could be very lucrative for integrators working with government and private enterprise clients.”
Offering subscription-based services helps an integration firm differentiate itself from those not offering these options; however, Lanning says that focusing solely on easy-to-install, cloud-based systems creates a low barrier to entry, leading to more competition. “Then, you [may] see your profit margin erode,” she adds.
Selling hosted security services requires different approaches to clients than a traditional design-build project. Subscription-based services are about getting the system up and running quickly.
That, says Castillo, changes the focus of many integrator’s employees previously trained on traditional project services. “We're investing a considerable amount of money and training into our ability to sell subscription-based services to our customers because that is what more of them need. This different sales approach may require a segregated sales team that focuses solely on cloud-based RMR and hosted solutions.”
Nemerofsky says it is important to have software capable of automating a customer’s monthly changes to keep the billing process accurate and on time. “We can’t let even one new camera add go unbilled, but manually keeping up with every change is impossible for the back-office staff. It took some heavy lifting to get our systems customized for every change, but now it is all automated.”
According to Castillo, changes to back-office procedures, such as automated invoicing and reminders, require security integrators to become better businesspeople.
And Nemerofsky warns integrators about going into subscription-based services without up-to-date client contracts. “Make sure you have your I’s dotted and T’s crossed.”
Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Industry veteran and PR maven Jon Daum contributed to the writing of this article.