Hard to believe it is that time again, but in a few short days the calendar will flip and we will be in 2022. I have been fortunate to work with virtually all parts of the physical security industry, from A&E firms, integrators, manufacturers, and multiple types of end users (ranging from multiple Fortune 100 organizations to a family-owned self-storage company); all which shared valuable insights throughout 2021.In this column, I’d like to share my perspective of what will likely be the key issues and challenges we all will face in 2022.
1. Cyber will bring physical security issues into the boardroom
Gartner predicts that by 2024, 75% of CEOs will be personally liable for cyber incidents. Cyber incidents involving physical security and IoT devices are on the rise, and the trend in threat actors exploiting these systems are headed toward more devastating consequences. Efforts like SIA’s recent certification program on cybersecurity (SICC) is a good start towards your team being prepared for those board-level discussions, but in 2022 security leaders must also ensure that they have data, processes, and tools to support cross-functional board-level interactions.
2. Bringing IT skills into physical security teams drives hiring
Clearly more IT skills are needed with modern physical security systems, but also clearly there are labor shortages that present challenges in accomplishing this. In 2022, this may force a new tier of physical security worker, with pay and responsibilities that are competitive with the broader IT market. Such workers will be needed to bring physical security into broader IT initiatives like Zero Trust. By creating career paths within physical security tied to the broader IT market will attract new talent that otherwise may have felt physical security to be too limited for them. If your organization is already doing this or headed in this direction, let others know about it through LinkedIn or at industry events.
3. New service models will emerge
The industry’s direction toward more managed services will continue and become a differentiator between integrators. Whether it is remote guarding, cyber hardening, service assurance, or compliance, the variety and “a la carte” managed services offerings will bring new customers to integrators. Many organizations that manage physical security with internal resources will see the benefits of offloading specific functions, like firmware updating, to an integrator offering that as a service. In 2022, the “as-a-service” concept should be evaluated across all parts of the physical security landscape, as it will lead to less expensive and more efficient ways of deploying and managing security operations.
4. Deepfakes will get more attention
Fundamental to use of video surveillance is the ability to use that data as evidence and being able to prove a chain of custody. The growing sophistication of deepfakes combined with lax procedures over that chain of custody is a recipe for 2022 to call into question whether video data can be trusted. To prepare for this organizations must ensure their devices and data have not been tampered with, including replacing real data with fake data. Methods that can track the integrity of the data being stored (and that the data is kept unchanged for the required retention period) will be needed to keep video surveillance data relevant and effective.
5. More focus on knowing your physical security asset inventory
As physical security teams become closer partners with the cybersecurity, IT and compliance functions within their company, the starting point for those relations is having a strong handle on what assets they have and what the status of those assets are. We saw in 2021 the need to remove certain brands from being used (under NDAA 889), and the difficulty in determining if those brands were present because of the multiple OEM and other rebadging of equipment that goes on. Even seemingly innocuous devices like inexpensive badge printers purchased on Amazon could be the Achilles Heel in your physical security network. It is imperative you know the source and integrity of every single device that is plugged into your network. In 2022, organizations should be better prepared by having up to date inventories including firmware versions being used and original equipment manufacturer.
6. More mandates from U.S. federal government that impact physical security
In 2021, there were multiple directives and mandates that touched physical security (NDAA 889, CMMC, CISA directives, etc). Likely in 2022 these will be added to, especially around firmware updates and password management. The fact that many physical security devices are not updated (let alone still use default passwords) creates an opportunity for them to be used in exploits like phishing attacks, delivery of ransomware and malware, and planting of deepfakes. The threats from this go beyond any single company, so having more government action and focus on these attack vectors will likely bring more requirements to operators of physical security systems. Prepare by making sure you’re able to update firmware quickly and have a process to track the firmware versions in all your devices.
7. Slowdown on facial recognition
2022 will likely be a year where organizations carefully evaluate and implement facial recognition solutions as the legal and operational aspects of this technology still get worked out. Facebook’s decision to shutter its facial recognition software (but still continue technology development of it) speaks to the need to match privacy and societal concerns to the deployment of new security technologies. However, there has been a marked rise in the development and deployment of face as a credential solution for highly accurate and secure touchless personal identification and authentication. In addition, laws like Europe’s GDPR (General Data Protection Regulation) put responsibility onto physical security operators to be able to remove or limit information on a specific individual – a task best served by the automation provided by facial recognition
. If you don’t already, consider if your company needs a policy on legal and ethical use of facial recognition.
8. Training and certification of physical security salespeople will gain momentum
As physical security systems become more complex, so does the knowledge required to specify and sell systems. The front line of those efforts is the salespeople working with customers to define the best possible system for their needs. More focus on training and credentialing salespeople will become a differentiator between security integrators, and a path to ensuring physical security professional development for more people within the profession. If you’re an end user, ask your integrator if they’ve considered this, or if you’re involved with SIA and ASIS, recommend they pursue this.
9. More focus (and revelations) about who has backdoors in physical security equipment
For many years the source of physical security device components, who designed them, and how they are combined with software to make products like IP cameras and card access systems has been a non-issue. Yet in almost all parts of the supply chain there is now greater scrutiny over where and how vulnerabilities are introduced, making it likely that in 2022 there will be more revelations on what really is designed into physical security systems. The past couple of years there have been active bans on equipment from specific manufacturers because they are known to contain backdoors. Prepare for this by establishing a “zero tolerance” policy and by implementing fundamental best practices like changing default passwords on devices and updating firmware, to protect your existing investment in physical security cameras and other endpoints.
10. Insurance will incorporate physical security data in policy pricing
Many organizations have been faced with a significantly higher amount of data requested by insurers in order to price (or even be offered) cybersecurity and general business liability insurance; in 2022 this will also encompass physical security information and standard operating procedures (SOPs). For many organizations who work with integrators, engaging with them now and discussing how to maintain current information needed for insurers can help to get ahead of this issue. Best way for organizations to be prepared is to prepare documented SOPs, detailed inventories of devices, and metrics around their operations to show that your organization is in control.