This article originally appeared as the cover story in the September 2024 issue of Security Business magazine. Don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter if you share it.
In the security industry, data is gold. The information gleaned from disparate systems such as access control, video, and others enhances other business activities.
In addition to improving end-user operations, these devices provide a golden opportunity for the integrators who install and monitor systems to increase revenue.
So how do you monetize data? Security Business turned to its expert integrator panel of John Nemerofsky, COO of SAGE Integration, Shaun Castillo, president of Preferred Technologies, and Christine Lanning, president of Integrated Security Technologies.
Castillo says security practitioners, for the most part, have not fully considered the value of security data as they should. Simultaneously, many customers have never considered using existing security data to improve operations, monitor employment needs, or increase profits.
“We have an obligation to our customers to give them the full value of their data,” Castillo says. “Customers will pay you for fulfilling that obligation. You also differentiate yourself from other security integrators because few deliver value from data.”
Adds Lanning: “People are much more aware of data’s importance today than five or 10 years ago. You used to store data and not think about it unless there was an incident; now, we [are looking for ways to] use that data to flag and even anticipate an incident.”
Common Data Reports for Customers
Nemerofsky says SAGE uses readily available data from installed systems to create reports highlighting activities such as equipment or network failures, door-propped or forced alarms, device end-of-life warnings, and employee response times.
He says the reporting process begins by identifying which data points integrators and their clients want to collect and then creating a benchmark for future comparison. “You might want to know how many minutes it takes an operator to triage a call received in the GSOC, and [examine] how to shorten the response time,” Nemerofsky explains. “Examine the data to set a benchmark; then, you can start measuring the potential return on investment.”
He makes a case for creating reports based on device performance. For example, a camera reaching its end of life might leave a customer no longer cyber- or SOC-compliant. “Your client might fail a penetration test because of an unsupported device on the network, and that leads to security vulnerabilities,” Nemerofsky says. “As an integrator monitoring these systems, you’ll know when to do upgrades.”
Lanning adds that people counting is one of the most requested data reports IST provides, as it helps clients better understand how their facilities are being used. For example, a financial institution that offers an employee gym wanted to know if its usage warranted the installation of security cameras.
“Security is an expense, but if there are ways a security department can use data to justify more funding, that can be very useful for an organization,” Lanning says.
In recent years, she says, her Department of Defense clients have become much more aware of insider threats. “Ten years ago, no one paid much attention to an employee normally working from 7 a.m. to 4 p.m. coming into the office in the middle of the night or on a Saturday afternoon,” she says. “Now, supervisors want data to provide situational awareness. They want to flag things before they become a potential incident.”
Indirect Monetization
Lanning has problems with the term “monetizing data.” She says it implies an integrator may market or sell customer information to advertisers and other sources as online social media sites and retailers do. “You should let them know that it is their data, but you are going to help them make better use of it in a way that can help them drive their business, save money, increase security – whatever the case may be,” she says.
Castillo explains that Preferred Technologies does not directly sell data to its clients; however, they are gleaning information to help them analyze it and help clients make more informed decisions. “It’s an indirect monetization, but it’s still monetizing data,” he says.
Castillo says by looking at and analyzing the numbers and setting benchmarks, integrators aren’t simply reselling data to customers; instead, they are reviewing information and providing services to various clients. Such data can help end-users to, for example: Have adequate cashiers available during peak times, monitor behaviors to assist with predictive policing, or review traffic patterns when designing new roads.
“In doing so, we’re helping customers get a better return on their investment and make a case to the C-suite for more security spending.”
Direct Monetization
Sometimes analyzing data can come with direct monetization. Nemerofsky gives an example of tracking enterprise customers’ data. By doing so, SAGE gains real-time information to minimize device downtime; thus ensuring compliance, as the integrator knows systems are up and meeting IT policies and legal regulations.
“As we start monetizing this device data collection, we do things automatically to reduce labor,” Nemerofsky explains. “Instead of manually updating passwords to 15,000 cameras, we do it in an automated fashion. You can automate firmware updates, further reducing security vulnerabilities. Device data monitoring provides cost savings and better protection against cyber threats. We charge a monthly fee per device for each of these things.”
Nemerofsky says this type of data benchmarking works best for enterprise clients with thousands of security devices on their networks, such as large corporate campuses, telecommunications companies, and regulated utilities. “This won’t play well for a law firm with one camera and reader or a restaurant with just a few devices,” he adds.
Know Your Clients
Castillo says monetizing data may seem strange to many integrators’ sales personnel. The drive to close sales and collect commissions often takes precedence over fully understanding a customer and suggesting new ways to improve their business.
“We need to teach our salespeople how to think beyond their daily routine,” Castillo says. “The best salespeople gain an in-depth understanding of a customer’s business – including the data that security systems generate – and [potentially] develop a greater understanding than the customer has themselves. With this understanding, the salesperson can help the customer make the best decisions for their business. There is a vast amount of available data. It requires creativity and thought to figure out how to leverage it.”
Castillo says an integrator should take samples to prove a hypothesis and estimate the benefits to justify charging extra for collected and reviewed data.
Nemerofsky adds that it is vital for integrators to consider how data needs vary by vertical market. “Integrators need to identify the critical data points to their end-users, and that will vary based on an integrator’s ideal client profile,” he explains. “Some may primarily serve government clients; others may focus on schools and hospitals. [SAGE] mainly works with enterprise clients in energy, communications, transportation, and other large sectors.”
Lanning says IST has built reports based on security data for years, adding that she hopes artificial intelligence will soon increase the number and value of this type of reporting. Currently, her team builds reports and charges only for the time it takes.
“I’m hoping AI helps us think outside the box regarding what data and reports are useful,” Lanning says. “Today, we have all this data, but what’s useful? How do you create business intelligence to help customers solve their problems? It goes back to understanding your customer. Getting deeper into the customer's needs is easier if you focus on a particular vertical and create the reports required to use data intelligently.”
Getting Started
Nemerofsky advises integrators looking to become involved in monetizing data to research the technology partners that make device reports available. For the extra fee, the integrator offers greater convenience and the knowledge that the data is customized to fit the needs of a specific client.
Lanning says she’d like more dashboards highlighting activities, including real-time events. Dashboards offer the same information as in integrator-produced reports but in an easy-to-view format.
“Some manufacturers are starting to come out with them, but they are very basic,” she says. “I want to see what doors are the most and least used. What’s due for maintenance? Things like that. A one-page dashboard that shows this type of information would be beneficial. I don’t know if we’re there yet.”
How Much to Charge?
How much should an integrator charge for additional data-related services? Although integrators add insights to their reports, most of the data is generated by manufacturer-supplied systems.
Castillo says there is no objective way to measure it, but it needs to be commensurate with the value it provides a customer. He recommends thinking about the return on investment provided. “Most of our customers are focused on security to help meet regulations and compliance, not improve operations,” he says. “If we can get them thinking in broader terms, it is better for everyone involved.”
One of Castillo’s clients, a large vehicle manufacturer, analyzed data from its factory’s security system and noticed factory workers leaving the facility daily for lunch. They invested in building a kitchen/restaurant within the factory and went overboard with the variety and quality of food served. It was a hit with employees, and by staying on-site, they returned to work faster.
“I think the factory reached a return on investment within three months,” Castillo says. “The savings and time needed for a return [on the investment] gives integrators an idea of what to charge. Sometimes, the extra service may be provided at no charge – because it differentiates an integrator from the competition.”
Nemerofsky says SAGE typically adds a 10% to 25% markup on the cost of data it acquires for its clients. “Remember, we are reselling software companies’ reports that we are being charged for,” he says. “[We are] putting our margin on it just like everything else.”
Lanning says clients are billed for the time an IST IT person takes to create the report. IST charges its standard hourly rate for customized systems and reports. The average custom report takes about an hour to complete, says Lanning.
“It’s not a complicated thing – I ask how we could help a client do better and how we can keep them more secure,” she explains. “That goes to our philosophy of helping our clients solve their problems.”
She adds that IST rarely has direct access to customer data: “It is onsite customer-maintained and supported data, especially with enterprise organizations. We don't have servers to maintain customer data, and, in most cases, remote access is not allowed. If we must create a report, we go to that customer’s site and do it there. Then, once we're done, we leave and no longer have access to that data.”
Another potential avenue to profits is via an integrator-owned cloud-based system instead of an end-user owning their systems and paying for the equipment and installation. In that case, Castillo says generated data could be sold to another party. “If the customer agrees and signs a licensing agreement, we can share it with other users,” he says. “But we don’t do a lot of that.”
Nemerofsky also points out that it may take up to a year for an end-user to complete an evaluation period and get onboarded with a big software company like Microsoft or Cisco. If the integrator is already onboarded, that data is available immediately.
“Enterprise end-users may find it worth paying the markup because buying data that way is easier,” Nemerofsky says. “A company with 80,000 readers and 80,000 cameras on its system will pay per device, per month to make sure its network, product end-of-life, and upgrades are under control.”
No matter what, the integrators agree that as a trusted advisor, it is important to be transparent with customers. “If you are going to be a good partner, tell your clients that if they don’t see value in what you’re providing, they have the option to buy the data directly from system manufacturers and analyze it themselves,” Nemerofsky says.
In the end, the value proposition when it comes to analyzing and leveraging the data generated by security systems is evident. An integrator takes a step on the path to greater profits by offering data analysis as a service, and the customer takes advantage by transforming that data into actionable steps to improve productivity, decrease overhead, and create a happier workplace. A clear win-win.
Industry veteran and PR maven Jon Daum contributed to the writing of this article.