Last month in Dallas, the Security Industry Association (SIA) and PSA hosted the Cyber Secured Forum, an event that spotlighted the converging worlds of physical and cybersecurity and those solutions providers that play in that space. Perhaps no group is more impacted by the challenges cybersecurity poses to their clients than the systems integrator, a fact that Steve Mains, the CEO and Managing Partner at TechMIS conveyed in his presentation, “Integrating and Monetizing Cyber and Physical Security Offerings.”
Mains, a cybersecurity expert experienced in combining behavioral science and computer science to identify risk and develop appropriate training, processes, and technology to eliminate that risk, asked the simple question to his audience, “Can integrators monetize cybersecurity by offering managed security services that provide long-term security for their clients and a steady revenue stream for their integration business?”
“There is much hype surrounding cybersecurity, but the threats are real. They just are not like anything seen in popular entertainment. Cybersecurity is straightforward for most companies and includes deciding what data to maintain and how to protect it, turning employees into human firewalls through regular threat updates, applying software patches, running up-to-date endpoint security and preventing insider attacks,” says Mains. “No system is foolproof, but like running from a tiger, most companies only have to outrun their competition to prevent cyber-attacks.”
How to Define the Nexus of Physical and Cybersecurity
Mains works from the premise that cybersecurity already mirrors many of the physical security services systems integrators are providing clients. He contends that integrators can play off their bread and butter technology expertise in access control, perimeter monitoring, video surveillance, industrial controls and fraud prevention, in addition to other cerebral services like vulnerability and risk assessments of existing and future technology deployment.
“We do the same thing in cybersecurity -- we prevent people from getting in, that's access control. We do interior monitoring. We look at where the digits are flowing around the system. Fraud prevention, that's phishing attacks, if you will. People will get in and try to trick your finance people to pay invoices that they shouldn't,” Mains says. “All of those sorts of things are about maintaining a customer’s reputation. If you have a Capital One (credit) card in your pocket, you're feeling a little less good about Capital One today than you did yesterday. All your data that was on Experian and Equifax is out there, somewhere on the dark web and being sold.”
And for Mains, the strategies for protecting that cyber data and the steps taken to implement a physical security plan possess a natural nexus. The analogs are there if an integrator is savvy enough to understand that access cards, physical perimeter barriers, guards and motion sensors are in concept no different from constructing a firewall or providing activity monitoring on the network – services an integrator can handle.
“What's a firewall? That's a fence that keeps things from coming into your network, no different than that. Activity monitoring, that's watching the rhythm of life inside your network to see what's going on. In the physical world, the equivalent would be somebody showing up in the middle of the night, logging into the EAC by swiping their access card, but then goes into an area that he doesn't normally go and then leaves. If you pick that up with activity monitoring, that's a security alert you can act on,” Mains explains, adding that the same analogy can be applied to training – another service the integrator can offer. “It's the same analog in the physical world compared to the digital world. IT professionals perform network analysis and phishing training, while we have evacuation drills, fire drills on the physical side. What happens when you have an active shooter inside your building? That same training should go on in the cyber world with that phishing training.”
The bottom line for Mains is that every technology and assessment service that integrators have been performing and monetizing in the physical world has an analog in the cyber world. It is up to the integrators to understand what products match these cyber threats and when you finally decide you want to market your firm as a trusted source to sell cybersecurity services, what sorts of things are you going to sell?
Understanding the Cyber Threats and Identifying a Revenue Opportunity
Taking the mystery out of cybersecurity for a client is a crucial first step in gaining a trusted partner status says Mains. He admits that to those clients that aren’t blessed with a large IT staff or network infrastructure still can succumb to the same vulnerabilities as any Fortune 500 organization. Again, being able to equate a physical security analog to a cyber threat increases the comfort level of all concerned when conducting an assessment.
Discussing the ins and outs of something as basic as cyber penetration testing across a client’s various web and systems networks is not unlike going through a facility and rattling all the doorknobs seeking an unsuspecting access point according to Mains. That physical analogy can help take the mystery out of it. The same analogies can be applied to other potential cybersecurity services like pinpointing potential endpoint security weaknesses, data exploitation scenarios like ransomware, internal and external data theft threats and data encryption strategies.
“As in the physical world, you don't have to be Fort Knox, but you have to be a little bit stronger than the guy down the street. When the hacker looks around for an organization to attack – and a lot of this is automated now -- he can look at a bunch of different places all at the same time and go after the easier targets,” says Mains. “Your goal as an integrator is to come up with that plan which makes your client’s network and data just as secure as his physical systems.”
So, Where’s The Money In Cybersecurity?
The most obvious question posed to Mains from systems integrators is how I make money in the cybersecurity space. After talking about the how and why of investing in this sector, understanding monetization models in a good start says Main. He likes to break them out into three models: I know a guy, I have a guy and finally, I am your guy.
- I know a guy – Meaning, that your firm works with various tech and service vendors. So, you, Mr. Client go out there and pick one of our suggested vendors and they're going to be a great fit for your cyber needs.
- I have a guy -- This is probably the model that most of integrators are currently using in the physical space. It would be akin to you not being the fire alarm guy, so you bring the fire alarm guy in and you make him part of your team. Conversely, you have a guy you will bring in to do cybersecurity.
- I am your guy: You bring cybersecurity expertise to your client with in-house staff. You are the complete expert.
“How many people go out there and talk to a client; the client says, ‘Yeah, you know, I need to improve my security posture.’ And you say, ‘Well, I know a fence guy. This guy is the world's expert in building fences. And I know an alarm guy. Yeah, a different guy, but he is the world expert in building alarms. And I've got a concrete guy. Boy, he can build you some barriers like you cannot believe. All right. Here are their cards. Here's a flyer from them. Tell me how it works out.’ Nobody does that,” chides Mains.
He stresses that is a broken model, yet one some integrators still push.
“If you're just saying, ‘Hey, there's an endpoint security guy, there's a phishing simulation guy and if the client takes it seriously at all, you aren't going to get any money out of it because they're the integrator. They're doing the integration; they're doing that work. Why do they pay you? So, this is a broken model,” he says.
When you get to the “I have a guy model,” integrators that want to talk data security with a client will bring in their contracted cyber expert which allows them to manage the project and still receive an ROI from it.
“As far as I’m concerned, if you're bringing in your guy that's an expert in monitoring, and cameras, fire, and barriers, why not expand your portfolio and bring in that cyber expert now? This way when you all sit around the table and you build this integrated security solution for the client, it’s your firm providing the integration and profiting from the collaborative effort,” adds Mains. “When I say you provide the integration, you're integrating with everything else and it’s your cyber guy that's talking to the endpoint security company, and the phishing simulation company, and he's the one that's integrating all of it. This approach offers a low cost of entry because you don't have to have all those skills on hand. But you're going to get some of that managed security service provider (MSSP) commission.”
For Mains, this second option is probably best suited for today’s physical systems integrator. While being “The Guy” presents the most potential for revenue and is a business differentiator, it is also the most expensive option.
“You're the man for model three. You assess the client's needs, you ID the security package, you deploy it, you ensure it works and that it fits the client's needs as they evolve. And, you provide all the integration and the expertise. However, this is the most expensive tact,” he concludes. “So, I suggest you go with model two. It's a familiar approach, because it's exactly what you're already doing with your clients. It's low investment, since that cyber integrator should be working on commission just like your fire alarm guy. And just like everybody else, you're not paying them a fixed rate, you're paying them out the fees. Bottom line, it's a low investment. It leverages your current clients because you can build into a current client or client that you've talked to or the potential client that you've talked to in the past.”
About the Author: Steve Lasky is the Editorial Director of SecurityInfoWatch.com Security Media, which includes print publications Security Technology Executive, Security Business, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS. He can be reached at firstname.lastname@example.org.