A Matter of Trust
Nov 1, 2006 12:00 PM, By MICHAEL FICKES
The $11 billion Somers, N.Y.-based Pepsi Bottling Group (PBG) is the world's largest manufacturer, seller and distributor of Pepsi-Cola beverages.
Yet the company's security staff consists of about a half dozen people. Terry McKinney, senior director of security, maintains a staff of two administrators at the company's headquarters. Three regional security managers cover the Mid-Atlantic, Southeast and West Coast operations. A fourth will soon come on board to monitor Canadian facilities.
Six or seven people seem too few for a company that operates 45 U.S. plants (98 worldwide), manages 260 U.S. distribution centers (527 worldwide), and employs nearly 35,000 people in the United States (66,000 worldwide).
McKinney keeps his department lean by outsourcing the company's security technology requirements. McKinney and his assistants manage the work of outsourced providers.
PBG buys the security technology and pays a fee for services but does not have to hire, train and update or pay a staff to monitor and administer the systems. Instead, the company purchases services from a menu offered by an outsourcing company — the Security Support Center (SSC), a division of Aegis Protection Group, Louisville, Ky.
As security technology grows more complex and expensive to own and use, a handful of companies have begun to market outsourced security technology services.
Is security outsourcing a good idea? Providers say security directors can afford to buy or lease (see related story, page 13) top-of-the-line security technology from an outsourcing provider because the labor costs for operating, maintaining, monitoring and administering an outsourced system decline dramatically as the provider spreads costs among a number of clients.
Others suggest that outsourcing conflicts with one of the most important goals of modern security practice: making security an integral part of a company's business. Take the contribution that security technology might make to the process of complying with certain federal regulations. Sarbanes-Oxley, for example, requires CEOs to sign statements saying they have reviewed and certified the delivered by financial reports. Part of what the CEO is certifying is that no unauthorized person had access to systems that would allow fiddling with the numbers.
Access control systems can help comply with these rules. The systems can restrict access to computers and rooms containing financial data, and they can provide an audit trail of the identities of those who did have access to the data.
Doesn't outsourcing conflict with this emerging role for corporate security? Just the opposite, says Brandon Reich, vice president of corporate development with SSC. “Security is becoming more and more integral to corporate strategy,” he says. “Outsourcing gives the security executive the tools necessary to execute that strategy in a more efficient and cost-effective manner.”
Lauris Freidenfelds, vice president of Sako & Associates Inc., a Chicago-based security consultant with expertise in technology, agrees, calling outsourcing a preference issue. “It is a concept that has been around for 25 or 30 years but is not always embraced by traditionalists,” he says. “Outsourcing today is a way of thinking outside of the box.”
Outsourcing is still the exception rather than the rule, although it has captured pockets of the security market.
For instance, Kastle Systems LLC of Arlington, Va., has been providing outsourced security technology services for 34 years. In the company's home market, the Washington, D.C., metropolitan region, outsourcing has become an accepted mode of operation, according to Jim Mustard, senior vice president. “Because Washington, D.C., is our corporate headquarters, we have done a tremendous job of changing the way building security is operated here,” he says.
Several factors appear to be broadening interest in outsourcing:
the effect of 9/11 on some corporate markets;
the need to bring in security expertise immediately;
security needs of businesses that operate from many small branch offices;
the arrival of open access control; and
video technology that can be deployed across all sites within large corporate organizations; and lower costs.
The 9/11 effect
The terrorist attacks of 9/11 led a number of property owners and businesses based in high-profile cities like Washington, D.C., New York, Chicago, Los Angeles and others to explore outsourcing security technology and services to experts.
For example, after 9/11, a major office real estate owner with a large Washington, D.C., property portfolio asked Kastle to recommend electronic security systems for 40 of its Washington-based buildings. Of primary concern were buildings located near the White House and other landmarks.
Kastle audited existing security technology and operations in each building, identified patterns and defined platform requirements for centralized system management. The system, now up and operating, offers capabilities similar to any well-designed security technology system. It provides management with an emergency lock-down ability on the premises. It streamlines visitor processing with an Internet-based system managed by Kastle. It includes a Web-based database management and photo-ID card administration system that tracks and responds to new hires, terminations, and permanent or temporary changes in privileges. Finally, it provides single-card access to multiple buildings, a particularly valuable service for the building owner's employees.
Early this year, an investment group acquired Carr-America's nearly 300 U.S. office properties. As part of that transaction, New York City-based Tishman Speyer acquired a portion of the Washington-based buildings. Despite the changes in building ownership, the outsourced security relationships continue.
Outsourcing provides immediate expertise
Tenants in multi-tenant urban office buildings also turn occasionally to outsourcing. Dickstein Shapiro Morin & Oshinshky LLP, a 500-plus-attorney law firm with offices in Washington, DC, and New York City, has outsourced security to Kastle since 1986.
The reason? “We're experts at practicing law; we're not experts in security,” says Sharon O'Meara, the firm's chief administrative officer.
Kastle designed and installed an access control system that it continues to maintain and operate. The system provides a single access card that works in the firm's two offices. The system also tracks the movement of guests and employees and provides an audit trail for investigating thefts.
Kastle monitors the system 24 hours a day, tracking alarms for fire, mechanical and electronic systems, and controlled access doors. When an alarm triggers, Kastle responds appropriately and notifies the firm. Kastle regularly updates the systems and adds features. At Dickstein Shapiro, a single employee administers the card distribution system and runs reports for both offices. The rest of the work is done in the Kastle operations center.
Multiple branch offices
Companies with numerous offices or locations may find outsourcing particularly economical. Diebold Inc., Canton, Ohio, for example, looks after access control technology and operations for a large financial services firm that Diebold executives prefer not to name. “This customer has 1,000 branch offices,” says Vince Lupe, director of product management with Diebold. “Bank branches have a lot of turnover among tellers and branch sales people.
“We took over the function of adding and deleting people. We also set up the door controls for area access. At night, you might want the cleaning people to have access to a specific area but nowhere else. An administrator runs the system and sets up the access permissions.”
In the end, the customer asked Diebold to perform the function of adding and deleting people to the rolls as they turned over. Diebold also developed an operating manual that specifically addressed the bank's alarm system.
Network security technology arrives
Back in the days when security technology used proprietary systems that could not be networked across existing company lines, outsourcing came with costs so high that many could not afford it. “Today, you don't have to buy new hardware for every corporate location, along with multiple copies of the software,” says SSC's Reich. “A single server in a data center somewhere will handle all of the corporation's facilities across the country. The same is true for an outsource provider.”
As access control systems move onto corporate networks, continues Reich, they have become bigger and more technologically complex. They differ from older proprietary systems that were relatively easy to figure out. Today, many corporate security departments do not have the IT skills necessary to run these systems internally.
The security officer or outsourcing employee that monitors a system works with an application and graphical user interface designed for an end-user. “Making the end-users' system simple enough requires people on the back end that can program and configure it,” Reich says. “That's part of what we do. We also manage and administer user accounts, and badging systems.”
Higher value management and lower cost administration
“Without outsourcing, I would spend all my time making sure that doors open and close properly, that the badging stations were operating, and that the equipment was receiving proper maintenance,” says PBG's McKinney. “With outsourcing, I have professionals from the electronic side of the business that handle problems — that no corporate security head really has time to handle properly.”
McKinney can spend his time developing strategy and managing security instead of fussing with details.
Overall, it costs less. A company that outsources security technology services does not have to hire, train, pay and maintain a staff to monitor the technology. Nor does it have to hire a staff to handle time-consuming administrative jobs like monitoring when individual employees come on board and depart.
“Photo ID badging is probably the single greatest opportunity for a company to cut costs,” he says.
According to Reich, setting up a badging system with a badge printer, camera, software, card stock and other supplies costs approximately $6,000. Annual recurring costs for maintenance and supplies total about $5,500. If a company has 100 facilities, each with a badging center, the corporate tab comes to $550,000 per year.
“I can't give you an exact cost for what we would charge, but I can say it will be as much as 80 percent less,” Reich says. “I think that when a company gets up to three badging stations, it becomes economical to outsource that service.”
And badging is just one available outsourcing service. There are others:
- electronic security administration and hosting;
- security service management;
- project and change management;
- compliance audits;
- employee orientation and training; and
- security incident reporting.
“If your security department can cut costs by outsourcing, while maintaining the same or even a higher level of security, then your company can justify future capital expenditures in other areas,” Reich says. “Sometimes the money you save by outsourcing will flow directly to the bottom line.”
Buying Or Leasing Equipment When Outsourcing
WHEN YOU OUTSOURCE ACCESS CONTROL SERVICES, you should also think about what kind of equipment deal to make. You can buy the equipment or you can pay a little more and lease it.
Why not take the least expensive alternative and buy? “If your company is stable or not changing very much, owning the equipment will be cheaper than leasing in the long run,” says Lauris Freidenfelds, a vice president with Sako & Associates, Inc., a Chicago-based security consultancy. “But if you know that you will have to upgrade and downgrade and change your equipment mix on a regular basis, leasing is the better decision.”
Just be sure, continues Freidenfelds, that you strike a deal that permits you to make changes, to add and delete equipment and locations.
Want to use this article? Click here for options!
© 2014 Penton Media Inc.
Today's New Product
In support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization.