Finding the Right Cyber Opportunity
Cyber security services aren’t as mysterious as you might think; done right, they can be a great way to boost RMR and add value to customers.
Cyber security has been top of mind for the physical security industry for the past few years, but often the conversation begins and ends with how to harden systems you are installing on a client’s network. According to many experts, that leaves a lot of potential opportunity on the table. Monetizing cyber — in the form of cyber services — is something few integrators are doing yet. But those that are see a golden opportunity.
What’s more, curated solutions are starting to be offered through some vendors and organizations, making this the perfect time to start thinking about it.
The market for cyber services is not only vast and growing, it is critical, says Chris Davis, CTO, Star Asset Security, Orlando, Fla. “One statistic I have seen is that the opportunity for the good guys will be $250 billion by 2023. That’s the good part. The bad part is that the other side of the industry will be at $2 trillion. For me, that means if you don’t take this seriously there is so much motivation for people to do this, and they are not getting caught. There are entire companies in other countries just like mine but they are being hired to run cyber attacks. That blows my mind. It is like hiring a hit man.”
Dan Dunkel, managing director, PSA Security’s Managed Security Solutions Program (MSSP), Westminster, Colo., echoes that sentiment. “One thing that is rather obvious is there is a huge deployment of devices on the internet, the IoT model. If you listen to research organizations, they will tell you there are 10 billion devices today and 20 billion in the next few years. That is a ton, no matter how you look at it, and the vast majority of those are not secure. At the same time 5G networks are starting to be deployed that are 10 times faster. If you just take those two facts into consideration and think about hackers … the threat surface is absolutely huge, with all these unsecured devices. It is perfect for hackers.
“If you understand that, you also understand that cybercrime is far and away the largest category of criminal activity in the history of mankind. It’s pretty easy to say this will continue and maybe get worse before it gets better and you must ask yourself, ‘How is that going to impact my customers and what opportunity can I leverage for my own business?’”
Yet, while the need is evident and the interest is there, many security integrators have stayed away from monetizing cyber, preferring to get their feet under them with regard to their own cyber hygiene and that of their vendor partners. While this is a smart first step, PSA recently rolled out a managed services program to make it easier for integrators to take the next logical step. The program includes two cyber security solutions that integrators can offer to their clients without having to create anything from scratch themselves, or attempt to hire talent from a shallow pool.
“In cyber there are a million jobs not being filled and there will be two million within two years,” Dunkel says. “The large enterprise folks and high-tech companies are paying significant amounts of money to hire everyone they can, which means small and medium businesses are struggling because they can’t find people to hire. That’s where managed services is very powerful because you can partner with a firm that has resources you need and offer them to your customers. It is a revenue opportunity, but also gives them the access to the infrastructure they can’t hire themselves.”
It is also the reason most experts in the physical security industry recommend that security integrators stay away from trying to create cyber security solutions themselves — unless they are very large with deep pockets and the in-house expertise to pull it off.
Joe Gittens, director of standards at the Security Industry Association (SIA), Silver Spring, Md., cautions, “Don’t get too ambitious. Without a security operations center in place, security integrators should really not put themselves into a position where they are handling enterprise cyber security response. Enterprise data security is best handled by the providers of those services.”
But that doesn’t mean the opportunity is out of reach, Gittens adds. “There is a lot of low-hanging fruit that security integrators can really offer to their customers. There should be a baseline level of cyber security responsibility on any integration job … but there can be levels of protection that can be upsold.”
Where to Begin
In any new venture sometimes the hardest step to take is the first one. For security integrators considering adding cyber security services to their tool belt, those who have already done it or organizations that offer solutions to resell are the best places to look for advice.
The most common ways security integrators begin with cyber security services are to: 1) acquire or partner with an IT services company; 2) find a solution to resell from a third party; or 3) develop the talent and resources in-house. No matter which approach you feel is best for your company, there are common threads in how to go about finding the best solutions.
Star Asset Security acquired an IT managed services company, Davis says. “[They] were servicing Star Asset already and they were looking at that opportunity,” he says. “By acquiring it, we spent the last five years getting integrated with the physical security side and seeing how to productize that and bundle that.”
Convergint Technologies, Schaumburg, Ill., chose to develop the capabilities in-house, starting about three years ago, says Brian Lipscomb, manager, advanced cyber solutions. Lipscomb says there are three types of “appetites” for cyber security from physical security integrators; step one is to figure out which one your company has. “One is none, and they want to stay away from it. If you don’t have an appetite for it, don’t do it. Then there are organizations that want a toe in the water to test it and in those situations it is better to partner with an organization and integrate that with what your organization can provide. The third is a voracious appetite where we know we want to get ahead of it and that is where you need to take a leap of faith as we did and make an investment.”
While Convergint, ranked No. 1 on SDM’s 2018 Top Systems Integrators Report, has the resources to carry off appetite three, PSA President and CEO Bill Bozeman acknowledges that the vast majority of security integrators do not. “Most physical security integrators are not close to being positioned to provide legitimate high-end cyber security offerings to their end users. But this isn’t the end of the world. They simply need to partner with vetted partners and therein lies the challenge. The devil is in the details. This being a relatively new business, the channel is immature and the providers of cyber services don’t understand or respect the physical channel.”
That is why PSA elected to take on the vetting for integrators by finding solution providers that will agree not to go around the channel and offer solutions that take the weight off the integrator, beginning with two cyber security providers — Essentire and Panda Security. “We have vetted partners that we have taught the channel to, and they have agreed to our terms and conditions. They will in turn go to the end user as a team and this is, after all my studying, the best way for the physical security integrator to participate,” Bozeman describes.
Boca Raton, Fla.-based ADT chose to acquire its own IT managed services provider, says Larry Cecchini, ADT’s vice president. The company purchased Secure Designs Inc. in August 2018. “ADT has always been a ‘trusted advisor’ to our customers, and we’ve earned that status by listening and understanding how we can help them be successful. Cyber security is one of the top concerns we see.
“SDI had a successful niche but needed a catalyst for growth. ADT was looking to acquire established expertise in SMB cyber security that could scale to a national level. As ADT Cybersecurity, our expertise, enhanced resources and expanded infrastructure, layered on top of our vendor-partner SonicWALL’s solutions, are a winning combination,” Cecchini said.
Whether going all in with a host of solutions or selecting one to try on a smaller scale, vetting solutions on your own requires careful attention to detail, or you could lose that trusted provider status, says Jon Williamson, director of cyber solutions for global product security, Johnson Controls, Milwaukee. “They need to be careful on the partners they select because a lot of this is new technology. While the customer base is becoming more receptive to it and wants these types of services, if the wrong threat detection solution is used, it could be so unusable or provide so many false positives that the customer ends up disabling the services and being reluctant to resume, even if you change partners.”
Johnson Controls is in the process of evaluating solutions to offer; while they haven’t finalized their decision yet, it is a good idea to check with your preferred vendors to see if they do have one, or are close to selecting something. “A vetted solution — whether they are running through their own qualification process or trusting an organization [like PSA] or working with their established vendor like Johnson Controls — can take some of the risk out of the process,” Williamson says.
Lance Holloway, director, vertical technology, Stanley Security, Indianapolis, agrees. “An integrator who is new to cyber security should partner with an industry expert to gain the competency for understanding their fit in the industry based on their customers’ needs … It’s always important for integrators to sustain partnerships with subject matter experts as the technology needs can vary based on both the customer and the vertical.”
The Protection Bureau, Exton, Pa., found its first cyber solution at a Sedona conference, says J. Matthew Ladd, president. The personal identity information (PII) program appealed to Ladd, but he also made sure to vet the program after the conference. “I knew our company needed to protect the personal information of our clients and we were seeing more and more contracts coming from clients about it, so we did some research about who they had done business with before. I also did it myself, signing The Protection Bureau up. When I took the [introductory] test I thought we were pretty cyber tight. I was amazed at some of the things I found we were not doing. That is why I chose the product.”
On any new solution, Ladd suggests looking at several aspects in the vetting process: “Who else is using it? Where have they had wins and losses? Then run it through your test process just like you would a new product.”
Make sure any potential partner is committed to helping you succeed, Dunkel adds. “First and foremost make sure the potential partner is committed to support and education. This is a market that is new to physical integrators and they need training and support because they won’t have expertise in-house.
“When they vet a partner they have to understand what that partner brings to the table. Will they come help sell it or do a webinar on it? Will they be able to remediate and make it right if there is a breach?”
Equally important is to make sure you understand what the customer wants, Holloway says. “There are many options in the market, so you need to validate what your customers’ needs are. If you can’t visualize your value, cyber industry advertising just becomes noise and it may be hard to determine where your fit is … Navigating the cyber landscape means finding useful information you can trust. The offerings can often look the same from the top layer, but it may not meet the depth of the customers’ needs. Decide to investigate what your customer needs are and make an actionable decision to do your homework based on feedback from the market.”
Selling Cyber Solutions
You have chosen a solution, either on your own, through an independently selected partner or through an organization or vendor. Now what? There are many ways to incorporate and start marketing and selling it to your customers. Sometimes the partner dictates that; other times it is up to you, or more importantly, your customer’s level of need or awareness. While larger end users are increasingly aware of cyber risk, that is not universally the case.
Much of what Star Asset’s Davis finds his company doing is education, particularly in the SMB space. “We offer managed IT services so in that realm we have SMB clients that needed an option or weren’t taking it seriously enough. We had to develop these services and then draw a line in the sand and say, ‘We have these services and either you take advantage of them, or if you get an infection it’s not covered … We have the solution and can train your staff, but it costs money. Either you do that to avoid the risk or my bill will be a whole lot larger.’”
To that end, Star Asset decided to bundle the cyber services with the physical security side, essentially making the end user opt out if they don’t want them. “We are not going to ask,” Davis says. “If you want us to manage your physical security environment we are going to put these in place. When you let them choose, they will risk everything for $10 a month.”
Ladd’s PII solution is also an opt-out service, which he found unusual in the beginning. “When I first got this I thought this was the craziest thing I ever heard,” he recalls. “But what it does is creates a conversation that gives us the ability to talk to the customer.”
The results have been impressive, he adds. “We have had about a 75 percent adoption rate. It was [perfect] for companies like ours that have a lot of RMR and you roll it right into their monthly fees as an add-on.”
Convergint started by managing the cyber hygiene of the security systems they were putting in for their customers, Lipscomb says. “They are services that need to be done because these are IoT devices that have software and firmware and they need to be continuously managed … What we are seeing in the marketplace is cyber security staffing is at a significant deficit and they don’t have enough employees to manage all the vulnerabilities that occur. They need external assistance to keep those devices maintained and we are able to augment their staff to keep hygiene at optimal levels.”
For Convergint, this was just the beginning. Cyber security services are never static, he says, and customer needs change. “You never really know what the market is asking for, so while we have built this capability internally, we are always looking for service providers that can enhance or improve or expand our abilities. There are limits to what our team can do so we are always open to opportunities. It is a little bit of a shotgun approach. You go to market, present different service options and figure out what resonates. There was no silver bullet that we said, ‘We know the market is asking for this.’ We developed the capabilities and evolved them to new customer demands.”
This approach also has had the benefit of easing the integrator into cyber, starting with what is most familiar. “I think the biggest lesson I have learned is there is a limited understanding of cyber security and people tend to overcomplicate it … They give up before they get started. But if you start with what you do know, it is not nearly as complicated as you might make it. We deploy physical security systems. If we just focus on cyber hygiene of physical security systems, that is enough. Then as we get an understanding of cyber in this domain, it exposes us to the next domain and adjacent technologies. Start with what you do and what you know, and as you progress you will naturally gain more knowledge about what cyber is in adjacent technologies.”
This is very similar to Dunkel’s No. 1 piece of advice when it comes to offering cyber security services. “From a cyber perspective, the easiest and most sensible way for them to embrace this is to secure what they have already sold.”
That turns it into a business risk discussion, he says. When looked at this way, cyber security services are really much more familiar than you might think.
“What I see in the physical integrator community is they incorrectly believe that this is an in-depth discussion when, in fact, it is a business risk discussion and at the end of the day they have every right to have that conversation,” Dunkel says. “You don’t have to go out and reverse-engineer malware. You just have to say, ‘We have been securing your company for 10 years and as business becomes digital you have a new group of threats you have to be aware of and we can help you protect against those, too.’ If you have a partner through a program like MSSP, you are able to answer that need and make some money doing it.”