The merger of physical security and IT is known as convergence
Examining the road to convergence
The use of Internet Protocol (IP) in the security industry is increasing but little is known about the relationship between end users and the merger of traditional physical security and IT otherwise referred to as convergence in the security trade press. Markus Lahtinen of the LUSAX project examines the growth of convergence in the security industry and discusses complexities of this relationship.

The LUSAX project at Lund University in Sweden started in 2006 as a strategic research partnership together with ASSA ABLOY, AXIS Communications and Niscayah, to understand the industrial impact and end user consequences following the increased use of the IP to connect security equipment and transmit security data. The swift use of convergence can be confusing, but three main types of convergence are discerned:

  • Technological convergence: increased use of IP-enabled security equipment and technical integration of physical security systems like access control and video surveillance, as well as potential integration with other operational enterprise systems (for example staff and payroll databases)
  • Organisational convergence: the process of coordinating and integrating internal IT security, logical security and physical security for both efficiency reasons (to lower costs) and effectiveness reasons (for example, to address new organisational risks and threats that require coordination between IT and security)
  • Industry convergence: meaning the suggested merging - or even absorption - of the IT industry with the security industry

At the beginning of the research project, there was a sense of urgency in the security industry to ‘catch up' on the knowledge and efficiency associated with the IT industry. Following the terminology from above, industry convergence would push for both technical and organisational convergence. However, the diffusion pattern has not played out as fast as projected back in 2006. The verdict stands clear that technological convergence ishappening, but at an undetermined and slower pace.

The verdict stands clear that technological convergence is happening, but at an undetermined and slower pace

Despite the industry buzz on convergence, little is known and systematically documented on how security end users actually reason and act in relation to technological change. In order to understand the increased use and diffusion of advanced security technology, it is necessary to survey the preferences held by the end users to the value propositions associated with this new technology.  Yet of equal importance are questions on how security departments organise themselves internally and how they act and behave in relation to their immediate internal and external environments.  In summary, convergence cannot be meaningfully separated from the organisational position held by the security department.

Security directors and the security industry: the relationship myth

Based on survey data and interviews with top-tier security directors, several organisational concerns not previously documented have now been identified. One such organisational finding concerns the relationship between the security director and the security industry with regards to what sources are used to keep informed about industry developments.

The answers suggest that peers, colleagues and internal expert(s) matter more than trade shows, trade press, systems integrators and security consultants in keeping informed about industry development. Further statistical analysis suggests particular importance is given to internal expert(s), suggesting  that the internal expert plays a pivotal role in filtering industry noise and that peers and colleagues play an evaluative role to industry impulses filtered by these internal experts. Also, the internal expert usually collaborates with a security consultant in case of major system upgrades. This means that detailed decisions about security equipment rarely ends up at the security directors' table. This finding contradicts the commonly held view that top-tier security directors interact directly with the security industry.

Security directors recognise the value propositions of IP-based security

A second finding is the overall agreement seen by security directors in relation to the value propositions associated with new technology. Value propositions are understood as what contribution IP-based security may have to the security operations in terms of improved efficiency or increased security effectiveness. One example is scalability, meaning that adding an additional surveillance camera, for instance, does not require any costly back-end upgrades. Also, having security equipment running on the same network enables for integration beyond security purposes - for example real-time connection with the global employee database.

Understanding the organisational tree is key in understanding convergence
Knowing the place of security departments in the organisational tree is important in understanding convergence

Taken together, security directors see the value of security technology and also recognise the associated value propositions, but IP as such is not the primary item for top-tier security directors.

Standing of security departments in the organisational tree

Third and finally, the relationship between the security department and the immediate organisational environment is one sometimes described as being conflicting in the sense that physical security is portrayed only as being a cost-entry without any clear profit contribution. We believe this has mainly been used as industry-driven rhetoric to suggest a scenario of diminishing the importance of the physical security director, further bolstering the sense of urgency around the corner.

Quite the opposite, the collected data suggest physical security to be a well-established business process; and often even externally recognised as being a strategic one at that.

Consequently, the initial view describing the security department as being in an isolated position and a ‘necessary evil' is not shared by security directors. This might partially be attributed to self-preserving views held by the respondents, but too much attention has been directed into this form of simplifying security operations, unfortunately at the expense of understanding the underlying premises under which physical security operates.

Implications of convergence in the security industry

A security operation by its very nature is defensive, risk-averse and reluctant to simplify while strategic business logic often rewards risk-taking with a need to simplify complex market conditions. This implies an inherent and fundamental conflict between security decision logic and general market-oriented business logic that is not to be understood as being problematic, but in the best of cases being mutually rewarding. Management of successful security operations strike a balance between these logics.

The process of convergence will not follow a straight path
The path of convergence will follow a non-linear path

All in all, complex organisational conditions have direct impact on the diffusion speed of new security technology like converged systems. Industry-driven ‘copy and paste' deployment recipes for new technology are less likely to be adopted by advanced end users the same way it happened with the diffusion of core business-supporting software, for example software managing invoicing, inventory, and word processing software; relying only on logical components on standardised input/output hardware. Security systems rely to a greater extent on a combination of logical and less standardised physical hardware. This requires a more advanced input of system integration skills, be it skills for installing low-voltage analogue systems or network and IT skills for networked security systems.

Also, the diffusion pattern depends on the type of end user industry. Retail, for example, has a clear performance metric in the form of shrinkage that ties in directly with deliberate thefts. This enables the security operation to match accrued costs and investments to clear measures on losses. Banking and finance, a sector more regulated than most others, requires advanced security systems, where several subsystems need to be tied together to offer functionality that supports security effectiveness. Hence, procurement and major systems revisions in this sector follow a complex chain of decisions involving resellers, security consultants, architects (in the case of sustainable constructions) and internal security staff such as internal experts.

Having described a selection of organisational considerations affecting the convergence, it stands clear that this process will follow a non-linear path, more so for advanced multi-national end users focused on functionality and security effectiveness than the underlying technology providing for security services. For the same reasons, traditional security suppliers are kept insulated and are still in a position to harness their existing relations with end users. However, as a response to increased demand for converged systems, proactive security suppliers may in the long run increase their know-how and leverage their market position by following an incremental approach by engaging into end user projects requiring hybrid or full IP-based security systems.

Markus Lahtinen Markus Lahtinen
LUSAX project
Lund University
Download PDF version

In case you missed it

Has the gap closed between security fiction and security reality?
Has the gap closed between security fiction and security reality?

Among its many uses and benefits, technology is a handy tool in the fantasy world of movie and television thrillers. We all know the scene: a vital plot point depends on having just the right super-duper gadget to locate a suspect or to get past a locked door. In movies and TV, face recognition is more a super power than a technical function. Video footage can be magically enhanced to provide a perfect image of a license plate number. We have all shaken our heads in disbelief, and yet, our industry’s technical capabilities are improving every day. Are we approaching a day when the “enhanced” view of technology in movies and TV is closer to the truth? We asked this week’s Expert Panel Roundtable: How much has the gap closed between the reality of security system capabilities and what you see on TV (or at the movies)?

BCDVideo signs OEM deal with Dell EMC: positive impact for surveillance storage
BCDVideo signs OEM deal with Dell EMC: positive impact for surveillance storage

In a significant move for the video security market, BCDVideo has announced that it is set to become Dell EMC’s OEM partner in the video surveillance space. For nearly a decade, the Chicago-based company has been known as a key OEM partner of Hewlett Packard Enterprise (HPE), providing storage and networking technology to security integrators on a global scale. This latest partnership will allow BCDVideo to take their offerings to the next level. BCDVideo Vice President Tom Larson spoke to SourceSecurity.com to discuss the reasoning behind the deal, and how the programme will benefit partners, integrators, and end-users alike. Expanding BCDVideo's product offering For BCDVideo, the HPE OEM programme has been widely acknowledged as a success, allowing the company to leverage a globally recognised brand and provide high-quality, reliable solutions across video networking and access control. Nevertheless, explains Larson, HPE server solutions are primarily suited to large-scale enterprise projects, and are therefore unable to accommodate for the growth in small- and medium-sized surveillance applications. The global collaboration with Dell EMC will allow BCDVideo to open up a broader product offering, building on success in the larger enterprise market to offer tailored solutions to SMEs. Our aim is to look at all best of breed technology to serve the video surveillance marketplace, and that means multiple partnerships” Support for integrators By leveraging Dell EMC’s sophisticated digital storage platforms, BCDVideo will now be able to offer a more cost-effective solution to integrators, without sacrificing the resilience and IT-level service that BCDVideo is known for. With access to Dell EMC’s expansive global sales and technical teams, the company hopes to expand its reach, all-the-while providing partners with around-the-clock technical support and a five-year on-site warranty. Customers should be reassured that BCDVideo will continue to offer HPE platforms, service, and support. “Our aim is to look at all best-of-breed technology to serve the video surveillance marketplace, and that means multiple partnerships,” says Larson.  “The addition of Dell EMC to our portfolio is a major win for BCDVideo, for Dell EMC, and for our integrators.” The global collaboration with Dell EMC will allow BCDVideo to open up a broader product offering Meeting surveillance market demands At the technology level, assures Larson, Dell EMC’s server offering is well suited to handle the increasing video resolution and growing camera count demanded by the surveillance industry. At the larger end of the spectrum, the company’s Isilon Scale-Out NAS solution can handle tens of petabytes of data, making it ideal for large-scale security applications such as city-wide surveillance and airport security. Dell EMC storage solutions are already proving successful at major international airports including Dubai and Abu Dhabi, each with a camera count in the 1000s.Dell EMC and BCDVideo together are ensuring our customers get the right solutions designed for the surveillance market” For Dell EMC, the new partnership means the ability to expand on this success in the enterprise market, leveraging BCDVideo’s surveillance expertise and high-level customer service to offer tailored solutions for lower-volume applications. Since its inception, BCDVideo has differentiated itself in the security space by providing a high level of IT service to integrators making the transition to IP systems. By combining resources, the partners will be able to service VMS and analytics companies, software vendors, and access control providers, as well as traditional business integrators. Ken Mills, General Manager Dell EMC Surveillance, explains: “Surveillance storage is not just about capacity, it is also about performance and reliability. Dell EMC and BCDVideo together are ensuring our customers get the right solutions designed for the surveillance market.” Accomodating for growth BCDVideo is well placed to accommodate this anticipated growth. Last year, the company opened a new 51,000-square-foot global headquarters in Illinois, home to 90 separate stations within their Innovation Center where each system is customised according to integrator needs. The new facility allows for expanding business with new and existing partners in the security market.

How to manage physical security data in compliance with EU GDPR
How to manage physical security data in compliance with EU GDPR

Until recently, data laws have differed from one country to the next. This meant that for those organisations conducting business or protecting assets abroad, they needed to localise both their infrastructure and policies dependant on the country they were operating in. However, with the impending arrival of the EU GDPR (General Data Protection Regulation), which comes in to force on the 25th May this year, all of that will need to change. Data management in CCTV surveillance Surprisingly, despite the fact that much has been written about the impending EU GDPR, very little attention has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. The EU GDPR dictates that businesses adhere to specific governance and accountability standards with regards to the processing of all data. As this includes such a large scope of data, any public or even private organisation using CCTV to monitor publicly-accessible areas must pay attention, as monitoring the public on a large scale is by default considered a high-risk activity. This includes information that shows who a person is, where they are and any other specifics about them.We have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies According to numerous market research studies, many organisations are yet to take the necessary steps in order to review the new regulations and ensure the necessary changes are made to meet these obligations. To date, we have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies. With the implementation deadline of the new regulations fast approaching, these should be in a better state of readiness, with standardised processes, common organisational approach and technology. Enhancing industry awareness of compliance  What’s more, a lot of legacy systems or disparate systems are still out there, and these may still have been entirely commissioned and operated by location-specific security teams. Regardless as to where your organisation stands in terms of technology, it is important to participate in the GDPR review with a greater sense of urgency.  The EU GDPR dictates that businesses adhere to specific governance and accountability standards with regards to the processing of all data Tony Porter, the UK’s Surveillance Camera Commissioner, has been incredibly vocal in recent months with regards to making security system operators aware that their activities will be subject to the GDPR and to signpost them to relevant guidance from the ICO. For those actively seeking to ensure their businesses are compliant, his organisation’s independent third-party certification is a great place to start. However, with just a few months until the regulation comes into force, it is unfortunate that his organisation is not yet in a position to confirm this will be sufficient to demonstrate compliance with the EU GDPR. Ensuring regulatory preparedness With this being said, there are still a number of steps organisations can take to ensure they are well-prepared when the law comes into play: Get involved in the GDPR discussion If you haven’t already, proactively initiate a GDPR discussion with your legal team and ask for their guidance. Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation. Then engage your consultants, integrators and manufacturers who should be able to advise on appropriate solutions. In the vast majority of cases, it should be possible to upgrade the existing system rather than ‘rip out and replace’.The appropriate use of encryption and automated privacy tools is a logical step Adopt privacy by design Under the terms of the EU GDPR, data that is anonymised or pseudonymised is likely to be low-risk. The appropriate use of encryption and automated privacy tools is therefore a logical step. For example, video redaction that blurs out people’s faces in video unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces. Seek out certified and sanctioned organisations, such as the European Privacy Seal group ‘EuroPriSe’, a professional organisation whose purpose is to ensure companies meet the ‘GDPR-ready’ privacy compliance standards. Consider cloud-based services Owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider it is possible to offload some of these responsibilities. For example, we partner with Microsoft Azure to offer these systems ‘as a service’. This pathway significantly reduces the customer’s scope of activities required to ensure compliance and is highly cost-effective. Yet it is important to realise it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices.  With data laws changing around the world, businesses need to seriously consider how their security technology investments will help them manage risks in order to keep pace. With the GDPR deadline approaching, it is the ideal time to re-evaluate practices, partner with forward-thinking vendors and adopt technologies that will help meet privacy and data protection laws. This way, businesses can minimise risk, avoid costly penalties and be ready for anything.