This blog will focus on what I would do if I was a large physical security vendor.
1. Get all my PAC products to meet LDAP, SPML and XACML protocols.
This enables the products to easily interconnect with any of the logical identity and access management products. Most are now LDAP (Lightweight Directory Access Protocol) enabling communication between the enterprise directory and the PAC.
Recently at Toronto Hydro, they are in the test phase of implementing SPML (Service Provisioning Markup Language) for one of the Tyco companies PAC's - Intercon. I think this is the first PAC product to do this. (If I"m wrong email me and I'll update this blog). This is an open protocol that enables provisioning and deprovisioning of the PAC by the enterprise identity management system.
XACML (eXtensible Access Control Markup Language) is the ability for an identity management system to provide authentication for a PAC access. It's another open protocol just now being deployed in most identity management products.
By doing this, the PAC vendor gives more reasons to the enterprise to buy their products or to keep them there as the enterprise takes a global integrated view of physical and logical security.
2. Acquire SIM (Security Information Management) vendors and begin developing integrated physical/logical access incident management systems. This is the first of my four acquire recommendations. Physical access control vendors need to morph into access control vendors as the markets between logical and physical security converge. A smart physical vendor will see that by building the incident management system they can leverage their out-sourced services they already provide the enterprise re physical security. Otherwise, I believe that over time, their markets will degrade as other non-physical security vendors take over more and more of existing PAC service functions.
3. Acquire identity and access management vendors. The large Fortune 500 enterprises have already standardized their identity and access management on vendors like Oracle, IBM and others. The physical access control vendors will have to play nice with these (recommendation #1). However, there is the huge market of the Fortune 5000 companies that don't have identity and access management. By acquiring identity and access management vendors like Novell and others, the PAC vendors can leverage their security position to sell identity and access management solutions to the their clients.
4. Buy Quantum Secure before Oracle, IBM or SAP does. They are the market leader at the moment in integrating PACs of different types together. It is my own personal view that if the PAC vendors don't get with it quickly, someone like Oracle, IBM, SAP, Microsoft or Cisco will acquire Quantum and begin to eat the PAC vendor's lunch.
5. Sell solutions and build up a larger consulting portion of the PAC business. Selling hardware is not going to be the way to maintain healthy margins over the next 3-7 years. PAC vendors need to begin building up a strong, knowledgeable physical/logical security practice. This won't be easy since very few enterprises and individuals have the skills sets. I would likely buy up some identity and access management consulting firms and then train them in physical security integrations.
6. Retrain the existing PAC sales staff. Many of the PAC sales people are not very IT savvy. As the decision makes begin to become CSO's, CIO's and VP IT's, this means that the sales staff not only needs to know about what world they're entering but also to begin calling on these folks.
It is still very early days in the physical/logical convergence market. Getting a strategy in place now and beginning execution is much better than losing market share 2-3 years from now to what I call the future new competitors such as Cisco, Oracle, SAP, etc and then having to play catch up.