IT trends, technology-enabled business trends and an evolving cyber threat landscape have created a time of transition for the electronic physical security industry. As technology keeps advancing and businesses look for added value from all technology systems – including electronic physical security – how can integrators establish an appropriate level of IT capability?
In the 1990s and 2000s, the requirements for integrator IT capabilities revolved around servers, workstations, databases, LANs and corporate enterprise networking – the underlying security system technologies. The focus was primarily on infrastructure cabling requirements, product deployment expertise and follow-up service. Today, on the other hand, organizations focus less on IT infrastructure and more on applications to drive business value.
For complex large-scale deployments, IT infrastructure expertise is still needed; however, the consumerization of information technology, the minimization of customer-owned IT infrastructure, the commoditization of security products and the arrival of cloud-based systems have changed the technology landscape for security integrators. Five impactful trends are:
1. Tech Simplification: Cyber-secure, self-configuring cloud-based systems are beginning to simplify the deployment of electronic security systems, requiring only consumer-technology level skills (Editor’s Note: For more, see Mr. Bernard’s recent articles, Are Integrator IT Skills Overblown? at www.securityinfowatch.com/12351012; and Artificial Intelligence Transforms IT Capabilities at www.securityinfowatch.com/12361545).
2. Cloud-Based Integrations: Cloud-based security applications and business applications have started a fundamental shift that moves primary responsibility for LAN/WAN communications security (encryption), database management and maintenance, OS and application software maintenance, and systems integrations away from security integrators and onto cloud-based system manufacturers.
3. As-a-Service IT Business Model: The shift to “as-a-service” information system offerings is moving IT infrastructure into the background and putting applications front-and-center – with one result being that businesses no longer own their IT infrastructure, minimizing the in-house need for IT infrastructure skills. This business model goes hand-in-hand with cloud-based systems and is a key requirement for the success of IoT in facility physical security – with service providers assuming full responsibility for the installed technology, including feature and cybersecurity updates.
4. High-Business-Value Data from Intelligent Systems: Intelligent retail video analytics and intelligent transportation systems are two such classes of applications, and others will appear based on emerging big data sources and IoT systems.
5. Cybersecurity Risk: Cyber threats are growing, and with them the requirement that networked and Internet-connected products and systems of any kind have strong cybersecurity features. An integrator’s potential liability resulting from selling and installing non-cybersecure networked products or systems can be devastating.
Integrator IT Requirements by Businesses Type
SMBs: Most small businesses have no internal IT function or IT infrastructure; in fact, most of their business systems are in the cloud. Many consumer-grade and small business security products – especially for video – are low cost and generally not cyber-secure.
That said, some security system technologies are emerging whose components are self-configuring or simple to configure, and have appropriate cybersecurity technology built in. These technologies are intended for deployment under a cloud-based as-a-service model, because that is the only feasible way to keep cybersecurity features updated. Right now, this is the direction of only a small portion of the emerging technologies.
Enterprise deployments: Deploying security systems for medium and large businesses with an internal IT function and IT infrastructure requires security integrators to possess strong IT capabilities, especially for cybersecurity. This particularly applies to markets such as healthcare, retail point-of-sale, government and critical infrastructure, which generally feature highly regulated IT systems and have specific, often standards-based or regulatory-based cybersecurity requirements. The PCI DSS 3.0 standard for point-of-sale retail systems is an example.
With the two major types of businesses outlined, it is vital that integrators match up their IT capabilities with the requirements of the particular security system deployments – including cybersecurity. Here are a few ways to accomplish that; although each has unique challenges:
- Add or build in-house expertise. In-house techs should have appropriate IT certifications and experience at the level required for your target markets, with products that are well documented and have strong technical support and professional services available. This option includes the possibility of becoming a “hybrid” managed service provider with a strong technical staff, offering services for electronic physical security systems and corporate network services.
- Partner with an IT firm. Find and collaborate with an IT services provider whose capabilities meet or exceed the highest security system deployment requirements of your targeted markets.
- Partner with the customer’s IT department. A large enterprise’s IT capabilities and staffing levels make this an option. The more modern the customer infrastructure is, the more workable this approach.
The Integrator’s POV
For most integrators, the next few years will be a challenging time of transition for IT and managed services provision capabilities, and also for integrator business models. Which of the mentioned methods of adding IT capabilities works best? It makes sense to ask your peers who have already gotten their transition off the ground.
“For the past 5 or 6 years, we have worked on building our in-house expertise in IT systems and services,” says Wayne Smith, president of Georgia-based Tech Systems, which has expanded its business model to include managed IT services. “Expanding into IT services helped us keep our IT personnel fully productive, and broaden the number of products and services that we offer.”
Phil Aronson, CEO of Washington-based Aronson Security Group (ASG), has pivoted the business model of his organization. He explains: “Integration is something we do – it is not who we are. We have moved to a market category we call ‘Security Risk Management Services (SRMS).’ The old model is definitely getting displaced, but we are not simplifying; in fact, we believe there is more complexity being created with the need to aggregate data from IP devices and software, manage it, leverage it into specific workflows as well as overall operational and risk dashboards. The key to a SRMS company is to study the behaviors of people performing roles in the primary processes that are currently driving program performance.
“‘IT skills’ is probably an incorrect term,” Aronson continues. “What we need are solution architects, program and technology business consultants, and a benchmarking capability to ensure we help the end-user with a scorecard for evaluating the technology use case.”
Read more about Aronson’s new approach at www.securityinfowatch.com/12208390.
“A few years ago, we began to feel a divide coming in the electronic security systems integrator space, based on the IT competencies and IT appetites of different companies,” explains Andrew Lanning, co-founder of Hawaii’s Integrated Security Technologies Inc., and one of the founding members of PSA Security Network’s Cybersecurity Advisory Committee. “Our regulated industry clients began flowing their IT regulations downstream to their suppliers – including us – so we needed to serve them as IT partners and become fluent in the regulatory requirements impacting identity management, encryption and authentication schemes.
“As regulated industries flow IT requirements up and down their supply chains, the integrators that serve them need to function as IT partners,” Lanning adds. “Our staff training and education budgets are increasing substantially every year. We are also hiring IT experience in our sales, engineering, project management and installation departments, which is a real change.”
Tully Zipkin, owner and president of Massachusetts-based Global Integrated Technologies, began offering cloud-based security systems at the request of a customer whose business IT model is primarily cloud-based. Working with the client, a cloud-based solution was chosen as being most in line with their other business systems, based on both economic and functional advantages of cloud-based electronic security.
“Although we have in-house IT capability, partnering with IT services firms seemed to be the fastest, sound approach to providing fully-qualified delivery and support for cyber-secure deployments,” Zipkin says, noting that since completing the initial phase of the cloud-based system installation, the company has embarked on two more cloud-based security system upgrades. “As cloud-based offerings become more mature, and as clients become educated to their advantages, they are embracing the new technology.”
Heal Thyself
Yet another often-overlooked aspect of the cybersecurity and IT services evolution is the need for security integrators – especially those moving into the IT managed services space – to secure their own internal networks as well as those of their customers. One resource is the aforementioned PSA Cybersecurity Advisory Committee; however, specialized firms are also emerging to specifically help integrators.
California-based Kepler Networks, for example, is an IT security firm focused on supporting the security and life safety dealer/integrator channel. “Cybersecurity is a paramount concern,” says Gavin Bortles, Kepler’s owner and president. “The liability potential for installing non-secure systems gets very little consideration, relative to the potential consequences for customers and integrators.”
With the help and experience of U.S. government-trained cybersecurity professionals, the company helps its partners develop an internal cybersecurity protocol that includes internal processes and controls to both mitigate the risks for the dealer/integrator while fostering an environment of proper cybersecurity hygiene by technical personnel. The firm provides complete NIST RMF certification and accreditation for its integrator and vendor partners.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is an active member of the ASIS International member councils for Physical Security and IT Security.
