Driven by the rapid pace of technological innovation, the separation between cyber and physical security is continually narrowing. But many integrators are ill-prepared to safeguard their company’s digital assets, let alone provide that service and reassurance to their clients.
Chimera Integrations, based in New York State, is getting ahead of the curve after purchasing a cybersecurity firm, AlchemyCore, last year. The purpose is two-fold: building a comprehensive cybersecurity program for Chimera and serving as a cybersecurity reseller to integrators wanting to offer a total building security portfolio to their clients.
AlchemyCore remains a separate business, but its platform was changed significantly to position itself as a national or global tech provider, rather than just a regional MSP, said Chimera Vice-President and Co-Founder Justin Stearns.
Many MSPs, including some Stearns has worked with, are offering cybersecurity services in addition to access control and video surveillance products they source direct from manufacturers. Stearns also sees more MSPs bidding against his company for projects, which is a competitive concern.
Even though MSP referrals are very lucrative for his company, Stearns says he’s nervous about how his company’s expansion will be viewed by other MSPs. So, Chimera opted to keep AlchemyCore a separate entity.
Liability Concerns
Stearns asserts that many integrators are working with clients’ networks but don’t understand the implications or the liability that comes with that. For example, they have logins to hundreds or thousands of different security systems, so how their technicians manage that information is key.
Through this acquisition, when integrators approach Chimera intending to offer cyber services to their portfolio via AlchemyCore, Stearns says they first must go through an internal vulnerability assessment before talks go forward.
“You can’t sell what you don’t practice and don’t believe in,” Stearns says. “We will do some tabletop exercises, which more and more organizations are required to do but, for some reason, integrators are not. What happens if you do open a phishing scam and get malware on your network as an integrator, and now you can’t access databases and all their data has been released?”
“Are they using the right apps for password management? Are they using a virtual machine to log into their client's databases? How are they setting up their VPNs? There's just so many unknowns, and again, integrators are often doing this with very little knowledge of the liability they're creating for themselves and their clients,” Stearns says.
Through the acquisition, Chimera offers a virtual Chief Information Security Officer and a Security Engineer as a Service.
The Remote CISO
The virtual CISO provides expert guidance, risk management and compliance assurance. SEAS allows businesses to outsource their cybersecurity tasks to external specialists or firms, allowing companies to leverage cybersecurity knowledge and skills without hiring full-time security engineers.
Chimera, through AlchemyCore, can also offer end-point detection and response, mail hygiene and cloud security, and continuous vulnerability scanning and management.
One factor that made this venture worth the risk is the hefty cyber regulations rolled out by New York State for certain institutions. For one of their clients, a hospital, Chimera’s company went from offering surveillance, access control, nursing calls and fire alarms – bringing in about $200 a month – to offering a full slate of cyber programs that increased their RMR by $10,000 a month.
Chimera is also working with a small but growing regional credit union to provide similar physical security services managed through the cloud. Bringing AlchemyCore into the fold for that client brought their RMR from about $200 monthly to about $1,000 monthly. and that was only for doing penetration testing.
“Let’s say for example you're going in to put a whole new rack in your customer's building. You're going to put in switches. You're going to put other network devices. It’s just a simple addition to the bottom line to add extra assurance and a more holistic approach to security for the customers, and it’s a differentiator compared to other integrators.
Having a cyber firm on board augmented the capabilities of Chimera’s personnel without having to spend more money on staff.
Stearns says his company took its time in the acquisition process, vetting each interested firm and getting competitive quotes to see if an acquisition would be a superior way of providing differentiating services beyond Chimera’s limited cyber offerings. Then came the task of putting the proper personnel in place.
“Since the acquisition, we’ve been hiring more technicians with a hybrid background. We recently brought in somebody who worked with the Department of Defense and has an extensive cybersecurity and integration background. We’re trying to find people that kind of fill both of those roles well and round out that expertise,” Stearns says.
John Dobberstein is the managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.
