Thousands of security professionals gathered Nov. 14-15 at the Javits Center in New York City to explore new products, solutions and technologies, network with security luminaries and obtain high-quality industry education. ISC East, sponsored by the Security Industry Association (SIA), is the Northeast’s largest security industry event; more than 7,000 security professionals attended or exhibited at this year’s conference. Following day 1 of ISC East, SIA gathered industry luminaries and experts for SIA Honors Night, an annual event featuring a cocktail reception, a gala dinner benefiting Mission 500, engaging entertainment and an awards ceremony recognising industry leaders.

Sold-out event

SIA Honors Night 2018 was a sold-out event held at the Current at Chelsea Piers. The awards presented at SIA Honors Night 2018 were:

- SIA Progress Award (presented by SIA’s Women in Security Forum) – Eddie Reynolds, president and CEO, iluminar Inc.
- Women in Biometrics Awards (co-founded by SIA and SecureIDNews and co-presented with sponsors FindBiometrics, IDEMIA and SIA’s Women in Security Forum) – Kelly Gallagher, senior account manager at NEC Corporation of America; Lisa MacDonald, director of the Identity Management Division in the Office of Biometric Identity Management at the U.S. Department of Homeland Security; Colleen Manaher, executive director of U.S. Customs and Border Protection; Lora Sims, senior biometric examiner at Ideal Innovations, Inc.; and Anne Wang, director of biometric technology research and development at Gemalto Cogent
- SIA Insightful Practitioner Award – Guy M. Grace, Jr., chair of the Partner Alliance for Safer Schools Steering Committee and director of security and emergency planning for Littleton Public Schools in the Denver suburb of Littleton, Colorado
- Jay Hauhn Excellence in Partnerships Award – Larry Folsom, co-founder and president, I-View Now
- George R. Lippert Memorial Award – Pat Comunale, retired security industry veteran, former member of the SIA Board of Directors and former CEO and president for Tri-Ed Distribution, an Anixter company

Standout keynotes

Honors Night guests enjoyed keynote remarks from Bonnie St. John, a Paralympic ski medalist, Fortune 500 business consultant, Rhodes scholar, former White House official and best-selling author. St. John discussed her journey to become the first African-American ever to win medals in Winter Olympic competition despite having her right leg amputated at age five and shared her top lessons from mentors and her advice for cultivating resilience. SIA Honors Night also highlighted Mission 500, a charity that advocates for children and families living in extreme poverty in the United States; each year, SIA Honors Night raises funds for Mission 500.

SIA presented 26 engaging education sessions through the SIA Education @ ISC East program, including two standout keynotes and four hands-on workshops. Hundreds of conference attendees participated in these sessions, with impressive speakers like Valerie Thomas, ethical hacker and executive consultant at Securicon; Pierre Bourgeix, president at ESI Convergent; Scott Swann, president and CEO of IDEMIA National Security Solutions; and Jumbi Edulbehram, regional president – Americas, Oncam.

Confronting emerging threats

Highlighted education sessions at this year’s conference included:

- Friend or Foe? Technology Disruption and the Physical Security Industry, a keynote address by Philip Halpin, senior vice president and head of global security at Brown Brothers Harriman, one of the country’s oldest and largest privately held financial firms
- 21st Century Best Practices: Reporting From the Front Lines on How Law Enforcement and the Security Industry Are Confronting Emerging Threats, a keynote address by James A. Gagliano, a retired FBI supervisory special agent, CNN law enforcement analyst and adjunct assistant professor at St. John’s University

Cybersecurity professionals

Additional cutting-edge topics covered in the education sessions included the move to smart cities, convergence in the security industry and the use of artificial intelligence in video analytics. ISC East 2018 was co-located with two additional conferences – Infosecurity North America and Unmanned Security Expo. SIA sponsored Infosecurity North America’s Keynote Stage, the central hub of the event, which featured a presentation from world-famous hacker Kevin Mitnick, insights from Dave Hogue of the National Security Agency’s Cybersecurity Threat Operations Center, a discussion on the cyber skills shortage gap and ways to attract, develop and retain talented cybersecurity professionals and more.

Handle sensitive data

Additional events at ISC East 2018 included:

- A breakfast presented by ISC Security Events and SIA’s Women in Security Forum featuring a panel discussion celebrating women in security and supporting the participation and advancement of women in the industry
- Paid hands-on workshops providing cutting-edge information and valuable insights on the most current business trends, technologies and new developments in security
- Free exhibitor product training sessions sharing live, in-depth demonstrations
- A meeting with SIA’s Data Privacy Advisory Board, which provides information and best practices to help SIA members handle sensitive data in a safe and secure manner to protect the personally identifiable information of their employees, partners and customers from potential breaches

Cybersecurity talk currently dominates many events in the physical security industry. And it’s about time, given that we are all playing catch-up in a scary cybersecurity environment where threats are constant and constantly evolving. I heard an interesting discussion about cybersecurity recently among consultants attending MercTech4, a conference in Miami hosted by Mercury Security and its OEM partners. The broad-ranging discussion touched on multiple aspects of cybersecurity, including the various roles of end user IT departments, consultants, and integrators. Factors such as training, standardisation and pricing were also addressed as they relate to cybersecurity. Following are some edited excerpts from that discussion.

The role of the IT department

Pierre Bourgeix of ESI Convergent: Most enterprises usually have the information technology (IT) department at the table [for physical security discussions], and cybersecurity is a component of IT. The main concern for them is how any security product will impact the network environment. The first thing they will say, is “we have to ensure that there is network segmentation to prevent any potential viruses or threats or breaches from coming in.” They want to make sure that any devices in the environment are secure. Segmentation is good, but it isn’t an end-all. There is no buffer that can be created; these air gaps don’t exist. Cyber is involved in a defensive matter, in terms of what they have to do to protect that environment. IT is more worried about the infrastructure.

The role of consultants and specifiers

Phil Santore of DVS, division of Ross & Baruzzini: As consultants and engineers, we work with some major banks.
They tell us if you bring a new product to the table, it will take two to three months before they will onboard the product, because they will run it through [cybersecurity testing] in their own IT departments. If it’s a large bank, they have an IT team, and there will never be anything we [as consultants] can tell them that they don’t already know. But we all have clients that are not large; they’re museums, or small corporations, or mom-and-pop shops. They may not be as vulnerable from the international threat, but there are still local things they have to be concerned about. It falls on us as consultants to let them know what their problems are. Their IT departments may not be that savvy. We need to at least make them aware and start there.

Wael Lahoud of Goldmark Security Consulting: We are seeing more and more organisations having cybersecurity programs in place, at different maturity levels. At the procurement stage, we as consultants must select and specify products that have technology to enable cybersecurity, and not choose products that are outdated or incompatible with cybersecurity controls. We also see, from an access control perspective, a need to address weaknesses in databases. Specifying and having integrators that can harden the databases, not just the network itself, can help.

[Image caption: The impact of physical security products on the network environment was a dominant topic at the MercTech4 consultants roundtable discussion]

The need for standards on cybersecurity

Jim Elder of Secured Design: I’d like to know what standards we as specifiers can invoke that will help us ensure that the integrator of record has the credentials, knows what standards apply, and knows how to make sure those standards are maintained in the system. I’m a generalist, and cybersecurity scares the hell out of me. We’re not just talking about access to cameras, we are talking about access to the corporate network and all the bad things that can happen with that.
My emphasis would be on standards and compliance with standards in the equipment and technology that is used, and the way it is put in. It can be easier for me, looking at some key points, to be able to determine if the system has been installed in accordance. I’m taking the position of the enforcement officer, rather than the dictator. It would be much better if there were focused standards that I could put into the specification – I know there are some – that would dictate the processes, not just of manufacturing, but of installation of the product, and the tests you should run accordingly.

Pierre Bourgeix: With the Security Industry Association (SIA), we are working right now on a standard that includes analysed scoring on the IT and physical side to identify a technology score, a compliance score, a methodology, and best-of-breed recommendation. Vendor validation would be used to ensure they follow the same process. We have created the model, and we will see what we can do to make it work.

Terry Robinette of Sextant: If a standard can be written and it’s a reasonable process, I like the idea of the equipment meeting some standardised format or be able to show that it can withstand the same type of cyber-attack a network switch can withstand. We may not be reinventing the wheel. IT is the most standardised industry you will ever see, and security is the least standardised. But they’re merging. And that will drive standardisation.

Jim Elder: I look to Underwriters Laboratory (UL) for a lot of standards. Does the product get that label? I am interested in being able to look at a box on the wall and say, “That meets the standard.” Or some kind of list with check-boxes; if all the boxes are checked I can walk out and know I have good cybersecurity threat management.

The role of training

Phil Santore: Before you do any cybersecurity training, you would need to set the level of cybersecurity you are trying to achieve. There are multiple levels from zero to a completely closed network.

Wael Lahoud: From an integrator’s perspective, cybersecurity training by the manufacturer of product features would be the place to start – understanding how to partner the database, and the encryption features. We see integrators that know these features are available – they tick the boxes – but they don’t understand what they mean. Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation. That would be a good starting point.

The role of integrators

Wael Lahoud: Integrators like convenience; less time means more money. So, we see some integrators cut corners. I think it is our role (as consultants) to make sure corners are not cut. If you rely solely on integrators, it will always be the weak password, the bypass. We have seen it from small projects to large government installations. It’s the same again and again. Even having an internal standard within an organisation, there may be no one overseeing that and double-checking. Tools will help, but we are not there at this point. I will leave it up to manufacturers to provide the tools to make it easy for consultants to check, and easier for integrators to use the controls.

[Image caption: Cybersecurity is a complex topic, and the risk aspects and maturity levels vary by organisation - so training is very important]

The impact of pricing

Pierre Bourgeix: The race to the cheapest price is a big problem. We have well-intended designs and assessments that define best-of-breed and evaluate what would be necessary to do what the client needs. But once we get to the final point of that being implemented, the customer typically goes to the lowest price – the lowest bidder.
That’s the biggest issue. You get what you pay for at the end of the day. With standards, we are trying to get to the point that people realise that not all products are made the same, not all integrators do the same work. We hope that through education of the end user, they can realise that if they change the design, they have to accept the liability.

The big picture

Wael Lahoud: The Windows platform has a lot of vulnerabilities, but we’re still using it, even in banks. So, it’s not just the product that’s the weakest link, it’s the whole process from design to securing that product and launching it. That’s where the cybersecurity program comes into play. There are many vulnerable products in the market, and it’s up to professionals to properly secure these products and to design systems and reduce the risk.

Pierre Bourgeix: The access port to get to data is what hackers are looking for. The weakest link is where they go. They want to penetrate through access control to get to databases. The golden ring is the data source, so they can get credentialing, so they can gain access to your active directory, which then gives them permissions to get into your “admin.” Once we get into “admin,” we get to the source of the information. It has nothing to do with gaining access to a door, it has everything to do with data. And that’s happening all the time.

ONVIF, a global standardisation initiative for IP-based physical security products, has announced that it will be presenting at TechSec Solutions 2018, as part of a panel discussion on trends in new technology in access control. Bob Dolan, who sits on the ONVIF Technical Services Committee, will be one of four panelists discussing ‘Access Control Holds the Keys to New Tech’. The panelists will examine how far access control has come, where it is headed, and how it will help to shape the future of the physical security industry. Dolan, who also serves as the Director of Technology, Security Solutions at Anixter, will provide perspective on how standards such as those provided by ONVIF can extend the possibilities of access control through interoperability with other technologies.

Smart building environment

“Access control technology is poised to play a pivotal role in the future of our industry, as physical security continues to integrate with other technologies in a smart building environment,” said Per Björkdahl, Chairman of the ONVIF Steering Committee. “Bob will provide insight on the importance of standardisation and how ONVIF specifications can assist in implementing access control in conjunction with new technologies, including data analytics, biometrics, IoT and building automation.”

Other panelists include Rob Martens of Allegion, Gary Larson of AMT and Peter Boriskin of ASSA ABLOY Americas. The panel will be moderated by Pierre Bourgeix, President of ESICONVERGENT.