An ominous dynamic has come into view the past few years. Malware, phishing, denial-of-service and other forms of cybersecurity attacks have grown in sophistication and volume while the skilled resources needed to combat them have been shrinking.
The financial toll is staggering. The global monetary damages from cybercrime totaled $6.1 trillion in 2021, according to Cybersecurity Ventures. That number is expected to grow 15 percent annually to $10.5 trillion by 2025. As a result, businesses are increasing their cybersecurity budgets. Gartner forecasts that global cybersecurity outlays will increase from $150 billion in 2021 to $172.5 billion this year, eventually growing to $267.3 billion in 2026.
Much of this growth will be driven by spending on cloud security, as organizations continue migrating toward a cloud-first architectural approach. The critical demand around cybersecurity skills places physical systems integrators squarely in the eye of a storm of opportunity.
Ahead, we examine how security integrators can take advantage of their role as trusted advisor with end customers and expand their service offerings to encompass cybersecurity measures.
Alliance Security made the pivot to begin offering cybersecurity and related managed services in 2017. Today, each and every project proposal the company submits includes no less than two layers of cyber-resilience measures, such as firewalls and anti-virus protection. // IMAGE COURTESY OF ALLIANCE SECURITY
Fostering Tighter Integrator-IT Relationships
Physical security integrators that can demonstrate cyber IQ are far better positioned to earn a greater level of trust from their existing clientele, as well as with prospective new clients. Doing so can generate new service opportunities as end users from across a range of vertical markets increasingly see value in aligning with third parties that can minimize their exposure to cyber-attacks and meet compliance requirements.
For security integrators, forging strong relationships with an end customer’s IT department is essential so both can work cohesively toward making the entire organization cybersecure. Integrators must consider the expectations of CISOs and IT decision makers, which will likely include integrators assuming responsibility for system updates and firmware patching, among other tasks.
Yet developing and broadening these relationships for the long term can be challenging, if not elusive.
“This is one of the things I spend a majority of my time on when I talk to customers, because I need to understand what matters most to them,” says Jason Christman, vice president, chief product security officer, Johnson Controls, Milwaukee, Wis. “And if I’m an integrator or supplier, how do I design a solution that’s going to meet their needs and not overcomplicate the management and sustainment of that solution over the long term.”
The imperative is to create a mindset that focuses on a holistic ecosystem of players and an understanding of the need for a shared security model. Integrators are well positioned to foster just such an open conversation with the customer to address and inform on their areas of concern. Christman advises that integrators can achieve this by referencing readily available risk management resources from such organizations as the nonprofit Building Cyber Security; the NIST Cybersecurity Framework Guide; and SPIRE, a smart building verification assessment created by UL and the Telecommunications Industry Association (TIA).
Taking ownership of these open conversations can go a long way in proving an integrator’s mettle with CISOs, who oftentimes express a great deal of frustration with integrators, Christman says. “They’ll say, ‘OK, you’re going to sell me something that you say may be secure today, but how do I know you’re keeping up with patches, and you’re monitoring or you’re enabling me to monitor over the long run?’ So it’s got to be a partnership with that IT department.”
Demonstrating a commitment to be that long-term trusted advisor is key and can be accomplished by communicating a clearly defined strategic roadmap.
“Here’s where it maps to meet your requirements, your regulatory and your risk requirements; and here’s where it differs,” Christman says. “And here’s how we’re closing that gap. That will help bridge that relationship and strengthen that relationship over time.”
New research shows there is much work to be done in bridging the divide between physical security and IT — or even forming relationships where they may not yet exist. Constella Intelligence conducted a survey of more than 300 security professionals spanning 19 industries and five regions. Commissioned by ASIS International, the survey discovered that physical and cybersecurity teams are mostly siloed, as only 11 percent of respondents said the two departments are integrated into a single department. Forty percent of respondents said that cyber incidents or threats could have been handled better if physical and cybersecurity teams were more tightly integrated.
“As digital activity and physical events continue to converge, we must consider how to protect organizations and their employees from cyber-physical risks effectively,” said Constella’s director of risk intelligence, Jonathan Nelson. “To ensure a holistic picture of targeted, hybrid security threats, cyber and physical teams need to transcend antiquated paradigms of ‘digital versus physical,’ fostering deeper cross-functional engagement and leveraging unified tools to monitor the surface, deep and dark web for early threat signals.”
Ross Federgreen, CEO of CSR Privacy Solutions, Jensen Beach, Fla., a provider of privacy regulatory compliance solutions, says too often IT departments are overly concerned about losing their influence within organizations. Security integrators can overcome IT’s territorial instincts by forging a collaborative approach and not being perceived as a threat. Integrators need to educate IT on their risk management processes and prowess in order to lessen their apprehension, he says.
“Opening the tent to the camel’s nose, as they say, is always the best approach,” Federgreen says. “The fact of the matter is that the only way these kinds of relationships will be improved is to be extremely open about it, and to allow the integrator’s team to participate in the actual development of the [cyber] program, rather than coming on board and enforcing a particular set of circumstances.”
Not only is there less separation between IT and physical security, but more security systems are now connected to public networks than in the past, explains Kaveh Malakuti, director of Avigilon product management, Motorola Solutions. The legacy defense mechanism of an “air-gapped” security network, one that is physically isolated and not connected to any network, is no longer applicable.
“While IT departments are capable of securing their networks, outsourcing to third-party vendors alleviates the unique challenges of physical security and the time and resources it costs to maintain a secure system,” Malakuti says. “Another trend is that IT departments are increasingly shifting the responsibility for development and management of many of their applications to third-party vendors through the adoption of SaaS and PaaS services. This leaves a gap that security integrators are very well positioned to address.”
Networking should be the overarching pursuit for integrators to initiate and build relations with IT departments, with the goal of sharing best practices and technology deployments, advises Paul Schmick, senior vice president, security & technology, Alliance Security, New York City, featured on this month’s cover.
“This will strengthen the existing relationships and actually create new opportunities as you engage in networking in the space,” he says. “Also, an integrator’s go-to-market strategy should educate clients on their position in the space and underscore their risk-based security strategy. This is a language that’s understood well in traditional IT disciplines. So it will be an easy language; it will prevent language barriers between the disciplines.”
It’s also advantageous for integrators to build credibility with IT by promoting their track record, Schmick says. Explain what you have already accomplished toward helping end customers mitigate threats and risks.
“And then the last point is quantify what success looks like and what failure looks like,” he adds. “It’s important to share both. And you can do that through testimonials and current events to demonstrate organizations that are aligned to preserve their assets.”
Security integrators can install Cloudastructure’s Gearbox at the edge to perform IoT device inventories, risk analysis, compliance testing and rogue device detection. // IMAGE COURTESY OF CLOUDASTRUCTURE
Top Cyber-Related Services for Integrators
Among the various factors fueling opportunity — if not necessity — for systems integrators to stake a claim in the cybersecurity space is the seemingly unstoppable trend toward a converged technology approach.
Increasingly, the marketplace is requiring outcomes that are data driven. Organizations want healthy buildings. They want smart buildings. They want energy efficient environments, and for their occupants to be safe and secure. Security integrators can place themselves at the center of an ecosystem of players and help drive a shared security model within the organization. These can be lasting relationships that tie the integrator to the organization for years to come, Christman says.
“Cyber is not a one-and-done,” he says. “You don’t just install it and commission it in a building and expect it to be good for the next 10-20 years. You have to maintain it.”
Aaron Saks, senior technical marketing & training manager, Hanwha Techwin, Teaneck, N.J., advises security integrators to work with their existing customers to add line items specifically for cyber-related activities, which allows for the time a technician needs to ensure products are installed and patched properly.
“This time can also be used for consulting services before a project begins to determine what devices are on the network and whether they should be there or be replaced with newer devices. It’s also important to determine if products should be local or cloud managed,” Saks says.
He also suggests offering network scanning services to help determine what devices are on the network to identify old or rogue devices that should be decommissioned. “Discuss an end-of-life plan to determine how long devices should remain on the network and offer patch management services to update various networked device firmware and software,” he adds.
“Some of the things we’re finding that integrators are getting into and providing for their customers — and we try and help them along in that process — is just creating good cyber hygiene,” says Matthew Fabian, national director of sales engineering, for Montreal-based Genetec.
It’s often said that people are the weakest link where it concerns cybersecurity. With that, Fabian continues, comes a particular need for integrators to get buy-in for creating cyber awareness programs and helping develop a cyber-focused type of tech culture within the end-user space. Moving forward it will be key to ensure you are able to have multiple touch points with customers for regular maintenance, upgrades, updates, patches, plus understanding and implementing zero trust environments, he says.
“Doing things like threat monitoring, recording, incident response, and incident response plans are all part of that larger picture of protecting all of these devices and end-user environments,” Fabian says.
Ryan Zatolokin, a senior technologist with Axis Communications, Chelmsford, Mass., suggests a first step for security integrators is to set up the network to utilize tools that can provide visibility of all devices. At a minimum, he explains, such tools are capable of providing an inventory of all devices on the network, reporting their connection status and providing information about what firmware/software version is running, and if updates are available.
“Some modern device management tools allow systems integrators to remotely monitor and manage hundreds, and even thousands, of devices at multiple sites,” Zatolokin says. “As a result, they can efficiently identify devices that require software upgrades and apply cybersecurity controls like user rights, profiles and certificates, as well as update firmware and configure provisioning templates.”
Many end users fail to perform these simple tasks — often due to lack of time and resources — so it’s a fairly simple, yet high-value service that a systems integrator can offer, he adds.
“Today’s device management tools can also help identify which devices will require replacement — devices that may no longer be upgradeable or supported — helping their customer avoid a vulnerability while also proactively planning for replacements and related costs,” Zatolokin says.
Matthew Powell, managing director, North America, ISS, Woodbridge, N.J., a global provider of video management and image analytic software, notes the market is moving so fast it seems a new cyber-related service pops up every day.
“I would say the best thing an integrator can do is test themselves — pen test yourself with a good third party, see how vulnerable you are. Be authentic about it with your team, and tell customers what you found and how you fixed it,” says Powell, who served as principal, infrastructure and construction management, for systems integrator Convergint, prior to joining ISS in June.
“No one wants to admit they are vulnerable, but most organizations, I hope, would rather admit it, and fix it than have a customer find out that they were the vector for their cyber breach,” Powell adds.
For the physical security integrator, cybersecurity represents a recurring business and revenue opportunity that did not exist just 10 years ago, says Jake Cmarada, key account manager, East, Milestone Systems, Lake Oswego, Ore.
Every organization today has cybersecurity vulnerabilities, and the responsibility to proactively monitor devices on their network is, in part, driving the market, he says.
“Year after year this continues to grow,” Cmarada says. “Cybersecurity is a moving target, and it’s a constantly changing landscape, requiring defensive services and proactive reoccurring solutions. Physical security integrators are well positioned to deliver these services, and it’s something they will likely be adding into their business model in future years.”
Steve Kiss, vice president of operations & general manager, IoT division, Cloudastructure, San Mateo, Calif., sees immense opportunity for integrators, especially in the video surveillance realm. “When you think about security cameras, they’re really the first mass deployed IoT device,” he says. “For a number of reasons they have a huge attack surface. So integrators really have an opportunity not to leave this to a cybersecurity expert and move this to be part of their business — to be part of both their operational business and the revenue stream.”
Cloudastructure markets an IoT appliance called the Gearbox, which is installed at the edge to perform IoT device inventories, risk analysis, compliance testing and rogue device detection. It is said to even detect hardware that does not comply with the National Defense Authorization Act (NDAA).
“Just from the sheer numbers it’s not uncommon to have 250 cameras on a building. What other subsystem in the building has 250 edge devices today? It’s video surveillance,” Kiss says. “Integrators do not have to be cybersecurity experts. They install the edge, they manage the edge, they communicate to their customers about the edge. So let’s give them some tools. Let’s give them some consultative expertise, and let them work with the customers they are already working with. It is just as simple as that. That is the reason we’re in business.”
Kiss also references providing cyber-resilience for operational technology (OT) as a new opportunity for security integrators to engage. OT is a key component of protecting the uptime, security and safety of industrial environments and critical infrastructure. OT systems use hardware and software to control industrial equipment, as well as building management systems, fire control systems and physical access control mechanisms. The threat attack surface of OT systems can also be immense, Kiss says. Integrators can assist organizations in the manufacturing, food and beverage, critical infrastructure and other industries to safeguard OT systems and processes from cyberattack and comply with strict regulatory requirements.
“OT networks are distinctly different from IT networks,” Kiss explains. “With IT networks you have data, data repositories, and so forth. OT networks are things that provide either sensors or provide measurement in some way. And they can be things like security video, or they can be things like ‘open this door,’ or ‘open this valve’ or ‘measure this amount of fluid in something.’”
Protecting OT systems is an area of cybersecurity that until very recently has not been well understood. However, an increasing amount of hacking in the transport, energy and other sectors is starting to put a critical eye on OT, Kiss explains.
“This means systems integrators really need to start hardening their devices as they install them,” he says. “And at the same time, owners and operators need to make sure that their installations are hardened against attack. This, of course, presents revenue opportunities for the SIs and playing that trusted advisor role.”
Operational technology (OT) cybersecurity is a key component of protecting the uptime, security and safety of industrial environments and critical infrastructure, including physical security systems. // IMAGE COURTESY OF JOHNSON CONTROLS
Strategizing for Cyber Success
Similar to how other cyber-savvy integrators are beginning to evolve their business models, PSA member Alliance Security builds a cyber program into each and every project proposal that goes out the door. This includes at minimum two layers of cyber-resiliency measures. The company made the pivot to add cybersecurity to its portfolio in 2017, and while there were challenges in the beginning, Schmick says they receive very little pushback from clients nowadays in terms of what they are promoting.
“The market emerged for us where networks were converging and we wanted to actually lead with managed services and specifically cloud,” he says. “So there was a lot of [game planning] five years ago in terms of looking at cyber products, as well as cloud. The pendulum has really swung from difficult to deliver and sell to much less challenging, easy and welcome.”
Alliance’s layered cyber approach can include network intrusion prevention, such as a firewall, along with antivirus protection and collective intelligence agents or threat-hunting technologies that proactively look for rogue IPs and other threats.
“We manage 100 percent of those products in the cloud,” Schmick explains. “It gives us the cyber element, as well as the managed service elements. So we’re really attacking it from two positions. In the end, we sell a strategy. We believe in selling that in the cloud. When you position it that way it’s very hard for end users to dismiss that pitch. So that is our go-to-market. And we’ve been fairly successful with that.”
For his integrator brethren just getting their collective feet wet in the cyber space, Schmick advises the easiest path to begin is in the small commercial space. Compare that to larger verticals, such as banking or publicly traded companies, where the larger risk surface can complicate the dynamics of a go-to-market strategy.
Three data points describe the explosive nature of the cybersecurity landscape. First, Cybersecurity Ventures reports the global financial damages from cybercrime totaled $6.1 trillion in 2021. This number is expected to grow 15 percent annually, reaching $10.5 trillion by 2025. Gartner projects that global cybersecurity spending will increase from $150 billion in 2021 to $172.5 billion in 2022, eventually growing to $267.3 billion in 2026. Significantly, there is critical demand around cybersecurity skills. CyberSeek, a joint project between CompTIA, labor analysis firm Lightcast, and the National Initiative for Cybersecurity Education (NICE), shows that there are over 714,500 job postings in the U.S. requesting cybersecurity-related skills. // IMAGE COURTESY OF COMPTIA
“You need a starting point; you need to start small. I would recommend starting on the small commercial side because typically the commercial side is an integrated network,” Schmick explains. “And what you’re hoping is there’s not a lot of PII [personally identifiable information] involved. If a breach did occur and you didn’t get it right, that would really hurt your organization and your brand. So I advise start small and quickly scale.”
Some security dealers and integrators may choose to develop a more robust level of hands-on cyber advisory services for their customers; however, most will want to rely on third-party vendors to be the cyber experts and provide cybersecurity and ID theft protection services, explains Invisus CEO James Harrison. Based in American Fork, Utah, Invisus offers a comprehensive suite of solutions that reduce security risk, protect data and help fight cybercrime.
“Dealers and integrators need to build on the trust they’ve already established with their existing customers,” Harrison advises. “Start by adding a new cyber-protection services section to your website. Provide the customer with enough information so they see how they can get the latest in cyber-protection services from you.”
Invisus specifically targets the custom installation and security integration channel to market its cybersecurity offering via an agreement with AvantGuard Monitoring Centers, a large wholesale central station with facilities in Ogden, Utah, and Rexburg, Idaho.
“Bundling basic cyber protection with current customers and future alarm contracts can be a smart way to integrate cybersecurity into your customer base,” Harrison continues, “and then build on that to upgrade customers into more advanced cyber-protection plans with monthly recurring income to the company.”
Hanwha Techwin’s Saks also recommends that integrators identify a few good software and hardware vendors that are well established in the cyber world and get to know them well. Always look for products that are “secure by default.” Plus, learn how to deploy systems using HTTPS certificates and 802.1X port-based authentication for hardening your network.
“Add base cyber items as standard on all projects to show you’re aware of the importance of cybersecurity and cyber-hygiene,” he says. “While some services can always be offered as an add on/value add, certain items should always be standard on an install.”
In his experience as both an integrator and now as a supplier, Powell says IT departments want to know the company they are hiring is competent and not installing a vulnerability. So, he recommends integrators follow the same resolve ISS does as a software company — show value in securing your own products and deployments.
“Have a cyber plan, secure the product you deploy, secure third-party development relationships, and show the IT client at the end user that you are a safe decision,” he explains.
He continues, “In my opinion, there is a lot of ‘cart before the horse’ with cybersecurity services — companies with cybersecurity offerings, but not a CISSP on staff or a partner with a CISSP that understands the business. Understand how cybersecurity affects your deployment. Is it a password transition plan? Is it disabling all USB ports on publicly accessible devices you install? There are a lot of ways to pass through cyberservices by understanding how to secure your deployment.”
The security companies successfully adding cybersecurity tools to their portfolio have looked to and learned from the managed services IT industry, Milestone’s Cmarada explains.
Installing security contractors are advised to bundle basic cyber protection with current customers, as well as future alarm contracts, as an easy means to integrate cybersecurity into their customer base. // TERO VESALAINEN/ISTOCK / GETTY IMAGES PLUS VIA GETTY IMAGES
“We have seen proactive security integrators retaining IT consultants and cyber-certified professionals so their teams can be educated on behalf of their customers,” he says. “With these new relationships, physical security integrators are tapping into new information and business partners to expand into cybersecurity.”
Will Knehr, senior manager of information security and data privacy for i-PRO Americas, Houston, says a big motivational factor for integrators is to realize the need to acquire at minimum a basic understanding of cybersecurity if they want to continue selling systems to state, local and education (SLED) government sectors.
Many districts and agencies are moving to adopt standards and best practices created by the National Institute of Standards and Technology (NIST), and they are basing their purchase decisions on meeting those standards.
“The federal government already did this years ago, but I’m really talking about SLED at this point,” Knehr says. “California has passed laws around doing vendor assessments; they’re going to check out cybersecurity in their systems. And that’s for their government purchases and also their school purchases as well. New York has passed similar laws. And they’re actually looking at tightening those laws next year to include more cybersecurity.”
Knehr referenced the recent ransomware attack on the Los Angeles Unified School District, the second largest in the nation, as a shining example of where SLED customers are heading.
“LAUSD ended up calling in the FBI, and the FBI helped them out. The first thing the FBI said is, ‘You need to bring your systems up to NIST standards and to start complying with security frameworks,’” he says. “The revenue perspective creates that ‘reason why’ factor for integrators. But the other thing is eventually they’re not going to be able to do business in the sector without the basic skills and knowledge.”