Integrators Reach the IT/Physical Crossroads

June 14, 2021
Veteran integrators and consultants explain why enterprise integrators who do no adapt to the new demands of cybersecurity and operational technology will be left behind
This article originally appeared in the June 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.


As 2021 rolls forward amid not only one of the greatest health calamities in modern world history, but numerous socio-political challenges as well, we find ourselves at a security crossroads – one that has been brewing for more than 20 years.

The transition from traditional wired infrastructure and analog systems are finally taking hold, as cloud, cellular and IP infrastructure systems have become the norm. As costs for these advanced security systems become more reasonable – and integrators increasingly become more adept at installing them – consultants are now finally comfortable specifying and designing more modern, resilient, and secure systems, and end-user are more willing to give the green light to these deployments.

“Even before the pandemic, I had already embraced the characterization of integrators as ‘goalies on dart teams with no pads,’” explains veteran integrator Jim Henry, who has seen the industry evolve for more than 40 years in his positions running integration firms from Henry Brothers, to Kratos, to Securitas. “For the past 20 years, integrators have had to keep up with exponentially increasing threats and advances in technology, and during the last five years, catastrophic threats and disruptive technologies have become the new normal.

“Granted, the pandemic has been enormously disruptive to our economy and to the way integrators
have had to adapt to survive. That said, I believe the level of adaptation integrators must now embrace and implement to stay relevant in 2021 is greater than even what they encountered with the pandemic,” Henry adds.

Sounds morbid? It does not have to be. “Many integrators are resilient and are good examples of the old adage, what does not kill you makes you stronger,” Henry says. “Most importantly, they have the foresight to understand and adapt to how business is changing with the convergence of IT, OT and physical security.”

The Integrator/IT Connection

As we have moved into a converged and interconnected world, many end-users are faced with systems that are future-proofed for integration into IT, OT (Operational Technology) and physical security. With that in mind, the systems are no longer built to live strictly in one silo. While technology tends to be able to be managed by one division at a time, the policy and procedures surrounding corporate governance tend to be converged in the modern business model.

Silos may be managed separately, but they are all intrinsically connected by the technology and the policies; therefore, the question is: Are integrators truly aware of the complexity and liability of integrating these interconnected systems, and are they prepared to connect them together securely?

Manufacturers are developing converged applications and selling systems to the global marketplace that espouse greater connectivity to endpoints while being interconnected to operational and IT infrastructure. This is one of the most consequential issues that faces the security industry since the advent of IP infrastructure.

The merging of infrastructure across IT, OT and physical security connects an organization’s operational needs. The issue is greater than simply dealing with technology advancing faster than the capability of the integrator – it is the expectation that technology will be applied to everything that is connected.

Bringing Big Data into the equation adds requirements which generate more challenges. From compliance requirements to privacy restrictions, we are no longer dealing with a one-dimensional issue; rather, it is a multi-dimensional landscape – which is what today’s enterprise integrator must be prepared for.

“Integrators and end-users are best served when they look at solutions from an integrated and value-
generating perspective,” explains veteran security consultant Ben Butchko of Butchko Inc. “When solutions are envisioned, designed and planned for maintainability, operations and technical risks are most successfully viewed from a converged framework. Where at one time, IT, OT and physical security technology could be assessed and designed independently, the interdependencies common today make traditional views fraught with risk.”

Many integrators have recognized the need to understand IT infrastructure and have competent installers and programmers to aid in deployment, but do not have the depth to adapt to a converged world that needs critical thinking and business operational understanding so that the systems they integrate satisfy the customer’s business demands. From cameras to access control, these are no longer used as standalone systems; instead, they are part of a unified platform which derives correlated event tracking as part of its overall function.

Andrew Lanning, co-founder of Hawaii-based Integrated Security Technologies, has been one of the leaders in the security community when it comes to evangelizing the importance of IT and OT awareness in the integration community.

“From my perspective, as the opportunity for increased physical security system integration into IT and OT equipment, environments, and processes is presented to our integrator community, the risk commensurate with those opportunities also increases,” Lanning says.

To date, the physical security ecosystem of manufacturers, consultants, integrators, and clients have been slow to assess these risks in the performance of their projects. “Our manufacturers have not, for example, settled on any standardized or transparent supply chain risk management (SCRM) practices for the development, manufacturing and delivery of their hardware and software products,” Lanning points out. “Our customers are still left ‘holding the bag’ for product vulnerabilities that get introduced prior to the installation and integration process. Our integrations add to that complexity, and thus, to the risk of breach or failure. Our customers are not typically aware that those vulnerabilities can and do exist.”

Lanning says consulting and integrator community partners have begun to educate themselves about
data protection within their own business operating systems. “The uptick in knowledge these past few years is commendable, but the lack of adoption of any auditable protection standards among these groups leaves our customers vulnerable,” Lanning says. “Customer security plans, networked equipment information and logical network diagrams and descriptions – i.e., Controlled Technical Information (CTI) – are open to theft by cybersecurity criminals who are actively seeking to leverage these types of information for profit, or for additional cybersecurity vectors into our customers’ operating environments. Few of our ecosystem partners are prepared for the reputation risk commensurate with this type of exposure, or the liability lawsuits that their clients may engage them in if their negligence results in the loss of a client’s intellectual property, operating capability, or the cost of their business systems recovery.”

From the perspective of the integrator, consultant and end-user, it becomes obvious that we are at this fork in the road, and many will take the wrong direction. This misstep could lead to dire consequences for many of the leaders in this space.

The Next Steps for Enterprise Integrators

“2021 could be a successful year for integrators who are willing to be open minded and try new things,” advises Matt Barnette, the new CEO of PSA Security Network. “Security integrators can play a large role in rethinking and securing spaces as we return (to normal). Those who explore new product offerings or partnerships could be successful. A pitfall for integrators will be not adapting service offerings: cloud-based offerings that lend well to a recurring revenue model and require less truck rolls will be more prevalent. Those who continue to focus on the box sales won’t have as much business opportunity moving forward.”

Butchko advises that the first step integrators should take in embracing the world of converged physical and cybersecurity is education. “Achieving understanding requires the ability to communicate with others in areas that are historically outside of the security integrator focus,” Butchko says. “They must be able to discuss the interactions and interdependencies of IT networks, OT systems and procedural implications, and how the information exchange with these systems – either via personnel communication or electronic interface – impacts the requirements of historic physical security technologies. Gaining the level of knowledge required is not trivial, but fortunately can be obtained through partnerships as well as internal development.”

Henry sees three key actions for enterprise integrators in 2021 that are essential for both survival and growth:

  1. Implementation of cloud services
  2. Attain and maintain cybersecurity certifications
  3. Effective and repeated communications of both of the above to industry stakeholders, including consultants, manufacturers and end-users.

As for certification, a variety of IT and OT data protection standards exist among industries that procure physical security systems and services – for example, the healthcare, financial, education, chemical, and the Department of Defense (DoD) sectors. DoD, in particular, recently implemented an IT audit program for its supply chain members called the Cybersecurity Maturity Model Certification (CMMC). This program (read more at www.securityinfowatch.com/21159058) is poised for expansion, as other federal agencies have already announced CMMC adoption, and expansion to critical infrastructure facilities – both government and commercial – are anticipated as well.

The Security Industry Association, with the input of PSA Security Network, Security Specifiers and others, has also unveiled its Security Industry Cybersecurity Certification (SICC) program (read more on page 52).

In 2021, cybersecurity requirements will finally be audited for compliance; thus, the remainder of 2021 should be viewed as the year that all physical security ecosystem partners begin to budget for the assessment and implementation of cybersecurity and SCRM policies, procedures, controls, automations, monitoring, and reporting standards for people, systems, and the equipment they provide.

Baseline implementation strategies should align with the programs that are rolling out in our customer-facing sectors – led currently by the DoD – with anticipated adoption among other sectors during 2021 and beyond.

“Auditing and compliance will never mean that security is guaranteed, but it will mean that the people we work with use sound practices to handle critical client information,” Lanning says. “I, for one, am a fan of that, and I recommend the National Institute for Standards in Technology (NIST) 800-171, and NIST 800-171A (assessment) guides as a starting place for everyone.”

Good or bad, the siloed principals that allowed for years of protected domains are gone. A new era is upon us in converged and interconnected infrastructure, and the integrators who will be able to survive this converged world will be the ones who recognize that a mediocre understanding of IT simply can no longer be accepted.

The key, Butchko says, is to appreciate the need and accept the challenge for improvement as a fundamental requirement to stay relevant in technology’s dynamic world. “Long gone are the days of simply sliding tab A into slot B and everything would work,” he says.

Pierre Bourgeix is the CTO and founder of ESI Convergent, a division of consulting firm Butchko Inc., focused on helping companies assess and define the use of people, process, and technology within the physical and cybersecurity arena. Learn more at https://butchkoinc.com.