Cybersecurity talk currently dominates many events in the physical security industry. And it’s about time, given that we are all playing catch-up in a scary cybersecurity environment where threats are constant and constantly evolving. I heard an interesting discussion about cybersecurity recently among consultants attending MercTech4, a conference in Miami hosted by Mercury Security and its OEM partners.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators. Factors such as training, standardisation and pricing were also addressed as they relate to cybersecurity. Following are some edited excerpts from that discussion. 

The role of the IT department

Pierre Bourgeix of ESI Convergent: Most enterprises usually have the information technology (IT) department at the table [for physical security discussions], and cybersecurity is a component of IT. The main concern for them is how any security product will impact the network environment. The first thing they will say, is “we have to ensure that there is network segmentation to prevent any potential viruses or threats or breaches from coming in.” The main concern for IT departments is how any security product will impact the network environment”
They want to make sure that any devices in the environment are secure. Segmentation is good, but it isn’t an end-all. There is no buffer that can be created; these air gaps don’t exist. Cyber is involved in a defensive matter, in terms of what they have to do to protect that environment. IT is more worried about the infrastructure.

The role of consultants and specifiers

Phil Santore of DVS, division of Ross & Baruzzini: As consultants and engineers, we work with some major banks. They tell us if you bring a new product to the table, it will take two to three months before they will onboard the product, because they will run it through [cybersecurity testing] in their own IT departments.
If it’s a large bank, they have an IT team, and there will never be anything we [as consultants] can tell them that they don’t already know. But we all have clients that are not large; they’re museums, or small corporations, or mom-and-pop shops. They may not be as vulnerable from the international threat, but there are still local things they have to be concerned about.
It falls on us as consultants to let them know what their problems are. Their IT departments may not be that savvy. We need to at least make them aware and start there.

Wael Lahoud of Goldmark Security Consulting: We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels. At the procurement stage, we as consultants must select and specify products that have technology to enable cybersecurity, and not choose products that are outdated or incompatible with cybersecurity controls.
We also see, from an access control perspective, a need to address weaknesses in databases. Specifying and having integrators that can harden the databases, not just the network itself, can help.

The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators
The impact of physical security products on the network environment was a dominant topic at the MercTech4 consultants roundtable discussion

The need for standards on cybersecurity

Jim Elder of Secured Design: I’d like to know what standards we as specifiers can invoke that will help us ensure that the integrator of record has the credentials, knows what standards apply, and knows how to make sure those standards are maintained in the system. I’m a generalist, and cybersecurity scares the hell out of me.
We’re not just talking about access to cameras, we are talking about access to the corporate network and all the bad things that can happen with that. My emphasis would be on standards and compliance with standards in the equipment and technology that is used, and the way it is put in. It can be easier for me, looking at some key points, to be able to determine if the system has been installed in accordance. We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels"
I’m taking the position of the enforcement officer, rather than the dictator. It would be much better if there were focused standards that I could put into the specification— I know there are some – that would dictate the processes, not just of manufacturing, but of installation of the product, and the tests you should run accordingly.

Pierre Bourgeix: With the Security Industry Association (SIA), we are working right now on a standard that includes analysed scoring on the IT and physical side to identify a technology score, a compliance score, a methodology, and best-of-breed recommendation. Vendor validation would be used to ensure they follow the same process. We have created the model, and we will see what we can do to make it work.

Terry Robinette of Sextant: If a standard can be written and it’s a reasonable process, I like the idea of the equipment meeting some standardised format or be able to show that it can withstand the same type of cyber-attack a network switch can withstand. We may not be reinventing the wheel. IT is the most standardised industry you will ever see, and security is the least standardised. But they’re merging. And that will drive standardisation.

Jim Elder: I look to Underwriters Laboratory (UL) for a lot of standards. Does the product get that label? I am interested in being able to look at a box on the wall and say, “That meets the standard.” Or some kind of list with check-boxes; if all the boxes are checked I can walk out and know I have good cybersecurity threat management. IT is the most standardised industry you will ever see, and security is the least standardised"

The role of training

Phil Santore: Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve. There are multiple levels from zero to a completely closed network.

Wael Lahoud: From an integrator’s perspective, cybersecurity training by the manufacturer of product features would be the place to start – understanding how to partner the database, and the encryption features.
We see integrators that know these features are available – they tick the boxes – but they don’t understand what they mean. Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation. That would be a good starting point.

The role of integrators

Wael Lahoud: Integrators like convenience; less time means more money. So, we see some integrators cut corners. I think it is our role (as consultants) to make sure corners are not cut. If you rely solely on integrators, it will always be the weak password, the bypass. We have seen it from small projects to large government installations. It’s the same again and again.

Even having an internal standard within an organisation, there may be no one overseeing that and double-checking. Tools will help, but we are not there at this point. I will leave it up to manufacturers to provide the tools to make it easy for consultants to check, and easier for integrators to use the controls.

Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve
Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation - so training is very important

The impact of pricing

Pierre Bourgeix: The race to the cheapest price is a big problem. We have well-intended designs and assessments that define best-of-breed and evaluate what would be necessary to do what the client needs. But once we get to the final point of that being implemented, the customer typically goes to the lowest price – the lowest bidder. That’s the biggest issue.

You get what you pay for at the end of the day. With standards, we are trying to get to the point that people realise that not all products are made the same, not all integrators do the same work. We hope that through education of the end user, they can realise that if they change the design, they have to accept the liability.It’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it"

The big picture

Wael Lahoud: The Windows platform has a lot of vulnerabilities, but we’re still using it, even in banks. So, it’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it. That’s where the cybersecurity program comes into play. There are many vulnerable products in the market, and it’s up to professionals to properly secure these products and to design systems and reduce the risk.

Pierre Bourgeix: The access port to get to data is what hackers are looking for. The weakest link is where they go. They want to penetrate through access control to get to databases. The golden ring is the data source, so they can get credentialing, so they can gain access to your active directory, which then gives them permissions to get into your “admin.” Once we get into “admin,” we get to the source of the information. It has nothing to do with gaining access to a door, it has everything to do with data. And that’s happening all the time.

Download PDF version

Author profile

Larry Anderson Editor, SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

What are the obstacles to adoption of mobile credentials for access control?
What are the obstacles to adoption of mobile credentials for access control?

Using a smart phone as an access control credential is an idea whose time has come – or has it? The flexible uses of smart phones are transforming our lives in multiple ways, and the devices are replacing everything from our alarm clocks to our wallets to our televisions. However, the transformation from using a card to using a mobile credential for access control is far from a no-brainer for many organisations, which obstacles to a fast or easy transition. We asked this week’s Expert Panel Roundtable: When will mobile credentials dominate access control, and what are the obstacles to greater adoption?

How to choose the right security entrance for effective customer security
How to choose the right security entrance for effective customer security

Security and systems integrators across the nation are recommending and providing long-term security solutions to their customers. But when it comes to physical security entrances, integrators can easily fall into the trap of simply fulfilling an end user’s exact request without much pushback. Why? We believe the complexity and variety of entrances available makes it difficult to consult on the best solution, but also because there are a lot of assumptions at play. 1) Ask questions to determine the correct security entrance solution There is confusion in the security industry on the meaning of the word, “turnstile.” End users, when requesting a solution, tend to use the word “turnstile” to describe anything from an old fashioned, 3-arm turnstile to a high-tech optical turnstile to a security revolving door. We encourage security integrators to ask questions to discover how their clients want to mitigate the risk of unauthorised entry or “tailgating.” This can help determine the correct security entrance solution to meet the end user’s goal and budget. By asking the right questions and offering true solutions, you can enhance a relationship built on trust and consultation leading to potential repeat business. Below are four physical security goals—crowd, deterrence, detection, and prevention—accompanied by the type of “turnstile” and its capabilities. This breakdown can help the integrator to confidently address an end user’s request for a “turnstile,” and then recommend a solution that truly fulfills their security goals. 2) Explore options for crowd control Typically seen in stadiums, amusement parks, universities, and fitness centres, tripod turnstiles are considered a low security solution for crowd management. Designed for counting employees or slowing down high traffic volume to collect tickets or payments, tripod turnstiles are built to withstand the most abusive of conditions. Here’s what security integrators should know about tripod turnstiles: Low capital cost, but high annual operating cost due to needed 24/7 guard supervision Lack of sensors can lead to defeat – turnstiles can be crawled under or jumped over without alarm/notification to guard staff Little to no metrics capabilities available – no sensors or alarms if defeated High throughput, handling 30 persons per minute in one direction Full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages 3) Choose an effective deterrent A physical deterrent to infiltration, full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages. While full height turnstiles do physically stop tailgating (an unauthorised person following someone in the next compartment), they have no means to prevent piggybacking. Two people in collusion can gain access through the full height turnstile by badging once and then squeezing into the same compartment. Here are some other things to note about full height turnstiles: Low capital cost, low annual operating cost Guard supervision is up to the user Little to no metrics capabilities available – no sensors or alarms if defeated Moderate throughput, handling 18 persons per minute in one direction 4) Ensure your chosen turnstile can detect tailgating A staple in lobby security to accommodate visitors, optical turnstiles utilise complex sensors to detect a tailgating attempt. Most models available today offer sliding or swinging barriers. A very common assumption in the security industry is that optical turnstiles prevent unauthorised entry, which isn’t true. In fact, once the barriers are open, a second user can slip through. Or, in the case of a wide lane for disabled use, two people can walk through side by side. In either case, an alarm is generated and supervision is therefore essential in order to respond swiftly. The cost of 24/7 supervision must be factored into the security budget. Here are some other points to make note of: Moderate capital cost, but high annual operating cost due to need for 24/7 guard supervision Sensors detect tailgating and sound an alarm for post-tailgating reaction, but turnstiles can still be defeated Moderate metrics capabilities available (for example, # times tailgating occurred, passback rejection) High throughput, handling up to 30 persons per minute in one direction 5) Determine prevention tactics for staff and visitor safety The entry solution of choice for Fortune 1000 companies, security revolving doors and mantrap portals completely prevent tailgating due to their working principle, ensuring the safety and security of staff and visitors. Commonly used at employee-only entrances, security doors are an unmanned entrance solution that cannot be defeated; sensors in the ceiling prevent tailgating (following in a trailing compartment). Optional piggybacking detection systems are also available (preventing two people in the same compartment from entering). The benefits of utilising a truly unmanned door are unparalleled: guard staff can be reduced or reallocated, and this entrance offers an ROI of just 1-2 years. Here’s more information security integrators should know about security revolving doors and portals: High capital cost, low annual operating cost due to no required guard supervision Sophisticated metrics capabilities available, allowing the end user to prove the value of their security investment Security revolving doors = 20 persons per minute, simultaneously in two directions; Security portals = 6 persons per minute in one direction Biometric devices and bullet-resistant glass can be incorporated for an even higher level of security As we’ve demonstrated here, “turnstile,” in the eyes of an end user, is a complex term that can range from a low security, crowd control solution to a high security, tailgating prevention entrance. Security integrators need to first accurately determine the security goals of their customers and then break down the “turnstile” barrier of confusion to recommend the best solution for fulfilling those goals.

Why customers should buy products and services from SMBs
Why customers should buy products and services from SMBs

In 1973, a brilliant economist named E.F. Schumacher wrote a seminal book titled ‘Small Is Beautiful:’ taking an opposing stance to the emergence of globalisation and “bigger is better” industrialism. He described the advantages of smaller companies and smaller scales of production, highlighting the benefits of building our economies around the needs of communities, not corporations. In almost every industry or market that exists in the world today, you're likely to find a difference in size between companies. Whether it’s a global retail chain versus a small family-owned store, a corporate restaurant chain versus a mom-and-pop diner or a small bed and breakfast versus a large hotel chain — each side of the coin presents unique characteristics and advantages in a number of areas. Disparity in physical security industry Customers are drawn to products and services from large enterprises as the big names typically imply stability This disparity very clearly exists in the physical security industry, and differences in the sizes of product manufacturers and service providers could have important implications for the quality and type of the products and services offered. All too often, customers are drawn to products and services from large enterprises, as the big names typically imply stability, extensive product offerings and global reach. And that's not to say that these considerations are unwarranted; one could argue that larger companies have more resources for product development and likely possess the combined expertise and experience to provide a wide range of products and services. But the value that a company’s products and services can bring isn’t necessarily directly related to or dependent on its size. In an age where the common wisdom is to scale up to be more efficient and profitable, it’s interesting to pause and think about some of the possible advantages of small- and medium-sized businesses (SMBs). Typically, “small” companies are defined as those with less than 100 employees and “medium” with less than 500. Providing social mobility  Schumacher argued that smaller companies are important engines of economic growth. Indeed, according to the Organisation for Economic Cooperation and Development (OECD), a group of 36 member countries that promotes policies for economic and social well-being, SMBs account for 60 to 70 percent of jobs in most OECD countries. Importantly, SMBs provide resilience in that there are often large economic and social impacts when big companies fail. Smaller companies are better for regional economies in general, as earnings stay more local compared to big businesses, which in turn generates additional economic activity. SMBs are also better at providing social mobility for disadvantaged groups by giving them opportunities and enabling them to realise their potential. Smaller companies are often more innovative, bringing to the market novel technologies and solutions such as Cloud, analytics, AI, and IoT New companies introduce new technologies There's no denying the role of start-ups when it comes to innovation. In the security industry, many new technologies (e.g. Cloud, analytics, AI, IoT) are first brought to the market by newer companies. In general, smaller companies’ products and services often have to be as good or better than others to be competitive in the marketplace. They are therefore often more innovative, bringing to the market novel technologies and solutions. And these companies are also more willing to try out other new B2B solutions, while larger companies tend to be more risk-averse. Customer service Aside from the quality of products and services, arguably one of the most important components of a security company’s success is its ability to interact with and provide customers the support that they deserve. Smaller companies are able to excel and stand out to their customers in a number of ways: Customer service. Customers’ perceptions of a product’s quality are influenced by the quality of support, and smaller manufacturers often possess a strong, motivated customer service team that can be relatively more responsive to customers of all sizes, not just the large ones. A superior level of support generally translates into high marks on customer satisfaction, since customers’ issues with products can be resolved promptly. Flexibility. SMBs have a greater capacity to detect and satisfy small market niches. While large companies generally create products and services for large markets, smaller companies deal more directly with their customers, enabling them to meet their needs and offer customised products and services. And this translates to adaptability, as SMBs become responsive to new market trends. By having a pulse on the market, smaller companies have much more flexibility in their supply chain and can adjust much faster in response to changing demand. Decision-making. Smaller companies are much more agile in decision-making, while larger enterprises often suffer from complex, tedious and lengthy decision-making processes. Communication is easier throughout SMBs, as smaller teams enable new ideas to flow and can solve problems faster. Job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction. SMBs are also generally more connected to local communities and participation in community activities leads to a greater sense of purpose. Additionally, SMBs have a much smaller impact on the environment, which is increasingly becoming an important consideration for today’s employees and customers. Though Schumacher's book takes a much deeper dive into the large global effects of scale on people and profitability, the general impact of a company’s size on its products and services is clear. It’s important for all players in the security industry to remember that the commitment and dedication to product quality can be found in businesses of all sizes. Ensuring safety of people, property and assets Large manufacturers may catch your eye, but small business shouldn’t be forgotten, as they can offer end users a robust set of attributes and benefits. While all security companies are aiming to achieve a common goal of providing safety for people, property and assets, smaller businesses can provide extensive value when it comes to driving the economy, innovating in the industry, providing quality employment and offering superior customer service.