Cybersecurity talk currently dominates many events in the physical security industry. And it’s about time, given that we are all playing catch-up in a scary cybersecurity environment where threats are constant and constantly evolving. I heard an interesting discussion about cybersecurity recently among consultants attending MercTech4, a conference in Miami hosted by Mercury Security and its OEM partners.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators. Factors such as training, standardisation and pricing were also addressed as they relate to cybersecurity. Following are some edited excerpts from that discussion. 

The Role Of The IT Department

Pierre Bourgeix of ESI Convergent: Most enterprises usually have the information technology (IT) department at the table [for physical security discussions], and cybersecurity is a component of IT. The main concern for them is how any security product will impact the network environment. The first thing they will say, is “we have to ensure that there is network segmentation to prevent any potential viruses or threats or breaches from coming in.”

They want to make sure that any devices in the environment are secure. Segmentation is good, but it isn’t an end-all. There is no buffer that can be created; these air gaps don’t exist. Cyber is involved in a defensive matter, in terms of what they have to do to protect that environment. IT is more worried about the infrastructure.

The Role Of Consultants And Specifiers

Phil Santore of DVS, division of Ross & Baruzzini: As consultants and engineers, we work with some major banks. They tell us if you bring a new product to the table, it will take two to three months before they will onboard the product, because they will run it through [cybersecurity testing] in their own IT departments. 
If it’s a large bank, they have an IT team, and there will never be anything we [as consultants] can tell them that they don’t already know. But we all have clients that are not large; they’re museums, or small corporations, or mom-and-pop shops. They may not be as vulnerable from the international threat, but there are still local things they have to be concerned about. 
It falls on us as consultants to let them know what their problems are. Their IT departments may not be that savvy. We need to at least make them aware and start there.

Wael Lahoud of Goldmark Security Consulting: We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels. At the procurement stage, we as consultants must select and specify products that have technology to enable cybersecurity, and not choose products that are outdated or incompatible with cybersecurity controls. 
We also see, from an access control perspective, a need to address weaknesses in databases. Specifying and having integrators that can harden the databases, not just the network itself, can help.

The impact of physical security products on the network environment was a dominant topic at the MercTech4 consultants roundtable discussion

The Need For Standards On Cybersecurity

Jim Elder of Secured Design: I’d like to know what standards we as specifiers can invoke that will help us ensure that the integrator of record has the credentials, knows what standards apply, and knows how to make sure those standards are maintained in the system. I’m a generalist, and cybersecurity scares the hell out of me.
We’re not just talking about access to cameras, we are talking about access to the corporate network and all the bad things that can happen with that. My emphasis would be on standards and compliance with standards in the equipment and technology that is used, and the way it is put in. It can be easier for me, looking at some key points, to be able to determine if the system has been installed in accordance.
I’m taking the position of the enforcement officer, rather than the dictator. It would be much better if there were focused standards that I could put into the specification – I know there are some – that would dictate the processes, not just of manufacturing, but of installation of the product, and the tests you should run accordingly.

Pierre Bourgeix: With the Security Industry Association (SIA), we are working right now on a standard that includes analyzed scoring on the IT and physical side to identify a technology score, a compliance score, a methodology, and best-of-breed recommendation. Vendor validation would be used to ensure they follow the same process. We have created the model, and we will see what we can do to make it work.

Terry Robinette of Sextant: If a standard can be written and it’s a reasonable process, I like the idea of the equipment meeting some standardized format or be able to show that it can withstand the same type of cyber-attack a network switch can withstand. We may not be reinventing the wheel. IT is the most standardized industry you will ever see, and security is the least standardized. But they’re merging. And that will drive standardization.

Jim Elder: I look to Underwriters Laboratory (UL) for a lot of standards. Does the product get that label? I am interested in being able to look at a box on the wall and say, “That meets the standard.” Or some kind of list with check-boxes; if all the boxes are checked I can walk out and know I have good cybersecurity threat management.

The Role Of Training

Phil Santore: Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve. There are multiple levels from zero to a completely closed network.

Wael Lahoud: From an integrator’s perspective, cybersecurity training by the manufacturer of product features would be the place to start – understanding how to partner the database, and the encryption features. 
We see integrators that know these features are available – they tick the boxes – but they don’t understand what they mean. Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organization. That would be a good starting point.

The Role Of Integrators

Wael Lahoud: Integrators like convenience; less time means more money. So, we see some integrators cut corners. I think it is our role (as consultants) to make sure corners are not cut. If you rely solely on integrators, it will always be the weak password, the bypass. We have seen it from small projects to large government installations. It’s the same again and again.

Even having an internal standard within an organization, there may be no one overseeing that and double-checking. Tools will help, but we are not there at this point. I will leave it up to manufacturers to provide the tools to make it easy for consultants to check, and easier for integrators to use the controls.


The Impact of Pricing

Pierre Bourgeix: The race to the cheapest price is a big problem. We have well-intended designs and assessments that define best-of-breed and evaluate what would be necessary to do what the client needs. But once we get to the final point of that being implemented, the customer typically goes to the lowest price – the lowest bidder. That’s the biggest issue.

You get what you pay for at the end of the day. With standards, we are trying to get to the point that people realise that not all products are made the same, not all integrators do the same work. We hope that through education of the end user, they can realise that if they change the design, they have to accept the liability.

The big picture

Wael Lahoud: The Windows platform has a lot of vulnerabilities, but we’re still using it, even in banks. So, it’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it. That’s where the cybersecurity program comes into play. There are many vulnerable products in the market, and it’s up to professionals to properly secure these products and to design systems and reduce the risk.

Pierre Bourgeix: The access port to get to data is what hackers are looking for. The weakest link is where they go. They want to penetrate through access control to get to databases. The golden ring is the data source, so they can get credentialing, so they can gain access to your active directory, which then gives them permissions to get into your “admin.” Once we get into “admin,” we get to the source of the information. It has nothing to do with gaining access to a door, it has everything to do with data. And that’s happening all the time.


Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.
