The Uberization of Security’s Business Model

The Uberization of Security’s Business Model

Is it time to reduce the total cost of ownership for the security program?

The increase in the direct costs to deploy and maintain physical and logical security systems such as access control, video management, communications, cyber defensibility and visitor control combined with the increase in the indirect costs needed to operate and support these systems, has reached a tipping point. Companies large and small are now actively seeking a fresh approach to optimizing their physical and logical security operations and managing their risk, while capping or reducing their total cost of ownership (TCO).

What we are now witnessing in the physical security space is very reminiscent of what we saw in the early years of the IT industry where many companies first deployed IT systems and computers and then because of the steadily increasing costs, started looking for a more economical way to support the deployment, maintenance and operation of those systems. The company that recognized the opportunity presented by the desire for companies to control their IT costs was Electronic Data Systems (EDS), which owned the lion share of the market for a very long time and led to the creation of the category of services commonly referred to as “outsourcing.”

By 1980, the outsourcing model was being used in other industries. For example, a Design, Build, Own, Operate, Maintain (DBOOM) contracting model was being used by energy services companies (ESCO) to provide measurable savings and advantages to government and business clients at every stage of their energy efficiency projects. Specifically, the value proposition for using this contract model is described by the following operational elements:

  • Design: Drawing only from best-in-class energy infrastructure components without supplier bias, ESCOs can tailor a solution to maximize efficiency or to manage development costs.
  • Build: ESCOs can partner with local contractors to complete a project or recruit internationally renowned experts to oversee construction, retrofitting or installation.
  • Own: Clients can take control of the new facility or let the ESCO run it and manage energy delivery.
  • Operate and Maintain (O&M): ESCOs can train existing staff to run on-site systems, take on all O&M responsibilities or recruit new staff to operate and maintain energy infrastructure.

The companies that deployed this model differentiated themselves from vendors that pushed specific solutions, limited contractor choices or required long-term contracts. The DBOOM enabled ESCO provided vendor independence and complete freedom of choice as well as measurable costs.

Slow to Adopt

So far, when it comes to systems and their components, the physical security industry has been slow to adopt the outsourcing model even though they led the creation of one of the largest “outsourced” markets in the United States, the $64+ billion uniformed guard services. The primary cause of this slow adoption rate is the lack of vendors who have the resources needed to support an outsourcing model. Additionally, the security market has a culture of risk aversion that is compounding the slow adoption rate.

Finally, the need to control the costs within the physical security space has been accentuated by the risk from cyber-attacks. The industry has become increasingly aware of the vulnerabilities that the physical security devices/systems pose to the security of the corporate networks. Chief Security Officers (CSO) are finding themselves stuck in between knowing they need the physical security systems and the awareness that those same systems may lead to a serious security breach. We call this the “Insecurity of Security.”

Faster, Better, Cheaper

The convergence of CSOs and CISOs wanting to reduce the direct costs and the indirect costs while mitigating the vulnerabilities of their systems is a watershed moment within the security industry that taken together will outweigh the individual concerns that prevented them from outsourcing the deployment, maintenance and operation of their security systems.

The scorecard for delivering a fully hosted suite of consulting, technology, and professional services, or IaaS, will include the ability to create a collaborative ecosystem of platform providers, application software vendors, and hardware vendors. Initially, the technology services will include access control, video management, visitor management and critical communications. However, “infrastructure” refers to some or all of the security technology infrastructure as well as the management, maintenance, metrics and reporting needed to fully leverage the investment. This can only be delivered by a SOC and NOC provider with a depth of integration and managed services pedigree as well as the consulting services to create and manage the program from the perspective of the CSO.

Back to the Future

The underlining business model of IaaS is not a new one. Uber, VRBO, Airbnb, Wag and many others have been successfully leveraging a model commonly referred to as a “sharing economy.” The concept of a sharing economy has been morphing since it first appeared in the U.S. around 2014 and still today, no one can agree on a definition. At its core, the concept takes advantage of a trend where consumers don’t want to “own” something like a car, vacation home, bicycle or an electric scooter, and would rather just purchase the service in the exact amount they need and forgo the costs of maintaining them while those same things remain idle in the garage or in another city. On a very fundamental level, this represents a risk management strategy. On an individual level, the consumer can mitigate their financial risks by only consuming what they need.

The IaaS model is designed to take advantage of this emerging business model, by offering customers options to outsource the ownership and/or operation of their physical and our logical security systems. As previously mentioned, CSOs know firsthand how much it costs to install a physical security system. They are now becoming aware of the indirect costs to operate and maintain those systems, including the costs of servers, networks, switches, IT staff and system administration. At first glance, the indirect costs can range between 20 percent and 70 percent of the direct costs. More work needs to be done to fully validate these numbers, but it is safe to say, that indirect costs are increasing at a time that most corporate IT departments are looking to decrease costs through some sort of outsourcing model.

In addition to the direct and indirect costs of security, the attention of both CSO’s and the Chief Information Security Officer’s (CISO) are the vulnerabilities that are created by deploying physical security devices on the corporate network. Traditionally, these devices were either not designed with cyber hardening in mind, or if they were, they weren’t being maintained with the same rigor of a laptop or desktop computer. In either case, the layer of security that was deployed to protect company assets may in fact, enable a breach. These vulnerabilities can be addressed at the device level, but again, most IT teams are primarily focused on protecting the most importance assets against an unceasing barrage of cyber-attacks. They have little patience, time or resources to spend on physical security systems. If a sharing economy model existed within the physical security industry, it would enable an enterprise consumer to purchase the services they needed without having to build, operate and maintain it. It would provide many more features that would be available at the time of need but today almost always go unused. The term “uberization” comes to mind. Uber recognized a demand for a car service that didn’t require a person to buy, rent or wait for transportation through a dispatch system. They brought people together who had a car that wasn’t being fully leveraged from a financial perspective, with the people who were willing to pay for a ride.

What Uber did for the car sharing service industry, IaaS could do for the physical security industry because it will, for the first time, provide corporate consumers options to purchase the physical security services they need, without having to buy the whole car.

IaaS will also raise the bar on the cyber security protection of the physical security devices through the direct monitoring of the devices through a 24/7 Network Operations Center (NOC) and/or the ability to air gap the network that the physical security systems ride on from the corporate network.

IaaS will also unlock other market opportunities by offering enterprise quality products and services to mid-market companies that traditionally lacked the financial resources needed to deploy a system of their own.

This article originally appeared in the March 2019 issue of Security Today.

If you like what you see, get more delivered to your inbox weekly.
Click here to subscribe to our free premium content.

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • School Planning & Managmenet
  • College Planning & Management
  • Campus Security & Life Safety