The Future of Locksmithing

One of the first principles of excellent locksmithing we all learned as apprentices is "good enough is always good enough." That's the idea that we can always add a second or even a fourth deadbolt to the door, but that doesn't make the door twice or four times as secure.

As Mark Garfinkel, the master locksmith I apprenticed under in Wilmington, Del., told me more than 20 years ago, "Give the customer everything she needs and only what she needs."

That phrase says a lot. It tells us to give as much value as we can, but not to add unnecessary costs and layers of security. Why? So we have a healthy profit margin, but still have a happy, safe, repeat customer.

However, I've noticed that "good enough" keeps changing. The line in the sand that marked how much to sell is drifting in a surprising direction. Today our customer doesn't just want a lock change on the office vestibule; he or she wants an access control system or an identity management system. And that change is signaling a major transformation of the future of locksmithing.

From the customer's point of view, the service provided by locksmiths simply is not good enough.One customer told me the entire problem. He has 300 doors in six buildings in two cities. Some of the doors use Schlage sectional keys. Others use HID card readers. In addition to the doors, he has guard desks at the front desks and parking lots. Employees and contractors have ID badges, separate key cards, and a ring of metal keys.

So in order to solve the customer's whole problem, we have to break it down into components. The employees and contractors are specific people with specific privileges. The customer has a lot of people doing a lot of things, so he needs an easy way to manage it. And at the end of the day or end of the month, he wants a report saying who did what, so that he can check to see that the security program is working as expected and fix problems.

The 4As of Security

Who are you? What may you do? How do we manage it? Is it working? These are the four fundamental questions of security and point to the four basic categories of security -- Authentication, Authorization, Administration, and Audit, The 4As.

Locksmiths are masters of Authorization, which is allowing and disallowing access. But few locksmiths deliver excellent solutions for authentication, administration or audit.

Authentication is the process of identifying the person who holds the key — essentially making sure people are who they say they are and are holding precisely the right keys.

Administration is the process of enrolling new people, assigning precise privileges or access rights, and un-enrolling or deprovisioning keys and privileges when the person's privileges change.

Audit is the process of collecting information about how the keys and locks and doors are actually being used. Is someone propping open the rear door? Does a change key unexpectedly operate a master-keyed cylinder in the north wing?

Some of you are reading this and thinking that you deliver some of those other As. But I think it's safe to say that most locksmiths install and key the locks, hand the keys to the person writing the check, and head for the bank.

Even if a very progressive locksmith offers advice and services around all four As, he still is likely not coordinating the enrollment and provisioning of the electronic key cards with the clipboards or software used at the guard desks, and with the database of employees in the human resources department.

But that is precisely the problem from the customer's point of view. He wants an authentication, authorization, administration and audit architecture for his entire business. In short, the number of customers who merely want new locks is being outpaced by customers who want the entire identity management system.

So that leaves two alternative futures for locksmithing. Either we specialize in keys and locks, or we "own" more of the solution the customer wants to buy. If we do the first and specialize on the hardware, then for certain locksmiths will evolve into repair technicians. The access control system integrators will sub-contract to locksmiths for some keying, and for hardware repair. But the integrators will do all of the installations and will "repair" locks simply by swapping them out. Electronic keys will eventually replace almost all metal keys in business settings. In time, the only business left will be esoteric repairs and legacy locksmithing.

And don't think to yourself, "Yeah, but there will always be some locks with keys." You should be aware that the information technology world has already come up with a way of using a special smart card to operate battery-operated locks on completely non-wired, disconnected locks. It really works and it really does make keys on remote sheds or airline cockpit doors obsolete eventually.

The other future looks brighter. Locksmiths will find partners in access control vendors and installers, guard services, database and directory experts, and human resources software vendors. Together, this alliance will offer a more complete solution to the customer and will keep the locksmith in the middle.

Bottom line: The customer is more interested in people and their privileges than in the locks that enforce the privileges. Locksmiths must become identity experts, not lock experts. After all, it's not our job to secure the building. It's our job to secure the business.

Steve Hunt is the former head of security research at Forrester, and now is president of 4A International, LLC based in Chicago, the first security convergence company, helping the physical security industry to better utilize information technology,