ISC West 2017 – A Study in Lost Opportunity

Future of Physical Security

Regardless of a forward thinking agenda, how can our largest trade organizations (Security Industry Association (SIA) and the American Society for Industrial Security (ASIS)) actually influence the direction of the industry toward relevance and growth? Is a shared vision important to our success? Can a trade that is so fragmented survive in its current form? I guess I am old school. I still believe in giving back to an industry that has helped support my family for over 30 years. I have no idea who will listen to me, but here it goes…

ISC West 2017

This was a conference marked by forward thinking education in an industry woefully far behind. There were many speakers presenting Cybersecurity topics, but I could not find even ONE CYBERSECURITY RELATED VENDOR on the show floor. This isn’t the fault of SIA, it is a reflection of an industry in denial. This is a trade where the majority of contractors have virtually no understanding of basic threat analysis and risk assessment, so cannot effectively provide a needs-based approach to their clients. Even worse is our failure to catch up to the IP network space. Physical Security is an enormously competitive and fractured space. We have Security Contractors, Burglar Alarm Contractors, Security Integrators, Fire Alarm Contractors, Locksmiths, Door Hardware Dealers, Network Contractors, Structured Cabling Contractors, Building Automation Contractors and A-V Contractors all fighting for their slice of the Video Surveillance, Access Control and Intrusion Alarm markets. Which provider is offering the end-user a preferred value message?

The two hottest topics for end-users today are: Cybersecurity and Integrated System Interoperability. Little was shown on the show floor in either of these categories. How could there be such a disconnect between users and manufacturers? Simple… Information Technology is now driving the future of the Physical Security space and no one is willing to accept this truth.

I presented at ISC West with an educational program that included Integration and Cybersecurity topics. Around 40 attended and by show of hands, roughly 35 were I.T. Directors, or I.T. Department Heads of some kind. This same presentation drew over 200 at the Winter National Bicsi (Structured Cabling) Conference in Tampa earlier this year. An I.T. Director approached me after the ISC West presentation and asked if I could refer a Security Contractor that actually knew what the “I” and the “T” in I.T. actually stands for!

The Psychology of Failed Business

I have run businesses before. I understand all too well the critical nature of driving revenue and protecting profitability, but if we don’t stop for a second and look up and forward… we may find the company we thought was humming along has suddenly lost its legs! I realize these are new influencers affecting buying decisions and we don’t know their world… I get these are scary solutions that hold unforeseen margin loss in their depths, but what happens if we do nothing? I will tell you – Physical Protection Systems will become an IP Network (data) function! The concept of “Physical Security” will become a specialty consulting field working for I.T. Directors!

I have been watching fear destroy businesses for almost 20 years now. I have seen macro-economic forces impact businesses (the Great Recession), but also factors that could be controlled, like: material distribution companies that have failed to transition to installation contracting models, or mechanical solutions companies unable to grasp electronics. The examples are all around us today.

IOT, Cloud Computing and Mobile Data

These issues are not going away! Denial is not a business strategy. We all have personal electronics that make it very clear where this is headed. So, stop for a second… and look up. Train your sales people in I.T. Infrastructure Hardening strategies and Network Data Security. Pursue consultative relationships with your clients. Lead the industry and keep us relevant. If there is anything I can do to assist, please reach out.

If you would like to discuss this, or other topics, please contact me via LinkedIn. Also, take a look at my LinkedIn Discussion Board Security Convergence, or Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be a personal professional blog. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.


#ISCWest Education Session

If you are attending #ISCWest, please stop by room 307 and join me for the session: Information Security Convergence: Defining a New Business Model. See you there!


Trends in F500 Business Practice


Generations Y & Millennials

As large corporations struggle with changing demographics affecting both their workforce and clients, younger generations Y and Millennials are bringing different attitudes and values to the workplace. In response, large corporations are experimenting with unconventional business practice. I see the struggle with effective motivation, leadership and how to define success and failure in this new environment. Where is this headed? Could companies be changing practices critical to profitable operation, rather than simply modifying work environments? Basic and reliable business principles are being overlooked in this transition. I see deliberate movement towards consensus decision making, homogenization, and continuity as being more highly valued than creativity, initiative and personal achievement.

Emerging Non-Traditional Business Practice

There are advantages to this thinking. In a new world of teams spread geographically, and/or highly specialized roles asked to contribute to team outcomes… we need more modern rules of engagement. The problem is: managers are now being asked to implement traditional business principles utilizing non-traditional business practice. How is individual performance measured in this environment and when do goals translate into profits? In the end, moving Op Profit dollars to the bottom line is the job of every business.

In a career that has comprised positions with F500 size corporations only in the last 12 years, I have seen this perspective change gradually. The Buck-Stops-Here Leader and rewards for Thought Leadership are becoming incompatible with these new organizational philosophies. As companies grow and reach F500 size today, is candidate acquisition changing to limit personnel searches to only those with the ability to succeed on narrowly defined terms? Will there be room for unique talents and insights? This narrowing of vision is moving sales and customer service management strategies towards a controlling and rigid mindset and a perversion of recent management theory has supervisors driving a mantra requiring front-line employees to be “on-mission” and “on-message” at all times. I see managers guiding business development towards strategies that may only be implemented, if reproducible across the entire organization.  Can flexible consultative sales strategies survive this trend? This employment environment is asking for an entirely different set of skills than was sought 15 – 25 years ago, when Tom Peters and Peter Drucker were the major business thought leaders. At times, I wonder if the ideas “people do business with people” and “what cannot be measured, cannot be managed” can survive?

Acquisition & Consolidation Factors

Is corporate acquisition and consolidation building organizations so large that HR Business Theory is being forced to overreact to these generational changes? Can the marketplace see the value in companies being nimble and opportunistic again… trumping economies of scale and logistics as business drivers?

Impact on Corporate Culture

I have struggled with many of the forces driving these changes, even when working for small business. Implementing new Gen Y & Millennial management ideas will change company cultures. Can successful companies survive this re-imagining? In past years, this type of business environment would just accelerate company failures and start-ups, but today in our “too large to fail” world… does that consequence disappear?


Impact of Disruptive Tech on Business and the Workforce

Is Working Hard Good Enough?

We all have a tendency to keep our head down and live in our own discipline, or trade, ignoring the impact of related technologies and/or related industries. After all, most of us were taught focus = results. Here is the rub: what if while we are focusing on succeeding with the business at hand, our technology becomes outdated, or another industry finds a way to deliver the same product/service more efficiently? Whole industries have disappeared almost overnight, because of a failure to keep our heads up and look at the marketplace around us. I can think of many examples: typewriters, roll photographic film, rotary phones, etc. The Information Technology space likes to call these emerging product/solution categories – “disruptive technologies”. Have you stopped to consider the impact of disruptive technologies on your industry?

Service businesses aside, manufacturing, distribution and supply/installation models are being heavily impacted by disruptive technologies. The most evident example is the effect of web-connected cloud & mobile IP data communication on virtually every electro-mechanical product made today. As little as 20 years ago automation was very expensive. Automating processes required numerous relays and/or logic circuits… occupied too much space and could not offer inexpensive remote management. Today, virtually any device can easily connect to a data network via IP solutions. You can incorporate a NIC (network interface card), an Ethernet Jack or WiFi Antenna in almost any product/device today. Some simple examples that are very real today:

  • I met a diabetic recently that uses a bar code scanner installed in his refrigerator connected to his home network to keep track of dietary requirements and create shopping lists. Could you imagine your fridge connected to your home network? What if the average person used a similar solution to automate ordering groceries over the internet? How would that change the retail grocery industry?
  • The devices connected to just my personal home network that can be remotely controlled by my smart phone/tablet are: cable TV box, thermostat, door entry lock, light fixtures… How do you think that functionality is changing those industries?

Internet of Things (IoT) & Change

This tech discussed above is part of a broader category called the Internet of Things (IoT). It is estimated that 3 billion new IP addresses will be required by the general public by 2020 to accommodate consumer demand for this automation. Have you taken a moment to think about how this emerging trend/technology is affecting the company you work for? Your chosen industry? Will your career training effectively enable you to weather these changes?

Maintaining a Successful Career in the New Paradigm

I had to re-train myself twice in my career. Once in the mid 1990’s to move from mechanical to electronic security and again in the mid 2000’s when analog data and serial network solutions were superseded by digital data, HD video and IP networks. IOT has the potential to cause another such disruptive age for technology. In the physical security systems industry our next challenge will be to learn encryption strategies and hardening of infrastructure. This change will affect more than just one product category. How do career professionals face such a challenging landscape? The new needed attribute will be a focus on life-long learning and the flexibility to change. Certainly, universities are testing too much on knowledge and not enough on skill-sets that can enable nimble, flexible workers in a future labor force. Knowledge-based testing should be the role of trade organizations offering industry specific certifications, NOT institutions of higher learning.

Welcome to a new age, when the criteria for hiring in tech based fields has to change. I just hope we can all keep up…


Re-Imagining Low-Voltage Power Distribution

[Image: cartoon]

In my work activities, I often feel constrained by conventional expectations, similar to the idea depicted above in this cartoon. The so-called “Real World” factors limiting our ability to implement outside-the-box thinking… but for one morning, I am going to throw that barrier away and bring you into the realm of the possible, when RE-IMAGINED…

Delivering Low-Voltage Power Via Network Cabling

Power-over-ethernet (PoE) is a technology that was first commercially deployed not quite 15 years ago. At the time, it was very limited in application and very few saw the real potential. I just recently returned from the Fall Bicsi (www.bicsi.org) Conference in San Antonio and discovered that potential realized.

Lab research and testing has proven that CAT 6a 23 ga. cabling is capable of delivering up to 140 Watts of power AND IP data, without dangerous radiant heat levels, or data loss. A new cable category with an associated UL listing has been released called Limited Power Cable (marked: CMP-LP). This cable is listed with options based on temperature and amp ratings. Why should you care? Re-imagine the future of IoT (Internet of Things) appliances and their application…

Powering IP Addressable Devices with Ultimate Flexibility

Devices capable of being powered by up to 140 Watts would include:

  • Laptop Computers
  • HD Displays & TV’s
  • LED Lighting
  • Phones
  • Thermostats
  • Speakers & Microphones
  • Security Cameras & Access Devices
  • Intelligent IP Controllers
  • WiFi (& other tech) Data Access Points
  • IP Relays & Switches
  • Small Electro-Mechanical Motors & Solenoids
  • You get the idea…

How would using PoE to power these devices make a difference in your life?

AUTOMATION!

All Electronics Connected Via IP Data

Think of the flexibility of powering devices by cable, rather than electrical outlets… IP Addressable devices could be moved anywhere on a whim (Web of Things) and controlled from personal devices (i.e. watches, smart phones, tablets). Automating remote access to your network security, lighting controls, heating & cooling controls, access & video security devices, intercoms… think even more granular… your stereo & home theater, alarm clock, etc.

PoE Impacts Carbon Footprint & Sustainable Energy Solutions

If you have any concerns about fossil fuel depletion, global warming, or just resource management and cost… think PoE! If any of you live in a neighborhood where the local electrical utility has started installing intelligent meters… you should be aware of the energy savings of MANAGED power distribution.

Transformers & Power Loss

Every building in the U.S. currently uses un-managed step-down transformers to change power from The Electrical Grid to usable low-voltage current for small devices. These transformers deliver as little as 2% efficiency, in terms of power consumption versus actual use. They draw grid power continuously, lose up to 20% of the current upon conversion and dissipate large amounts of heat in the process. Additional air conditioning capacity is required to account for transformer heat-gain in warm climate areas.

PoE is MANAGED Power Distribution!

By definition, PoE switches offer cost-effective power management. These appliances can utilize software to auto-negotiate voltage levels and deliver power only when required in the specific amounts needed for each use. Many PoE appliances are up to 98% efficient in terms of overall current utilization.

PoE Compatibility with Sustainable Energy Generation

The sustainability goal for many buildings being designed today has been to lower dependence on The Grid. It is very common for buildings to be constructed with Solar and Wind generation options to lower dependence on power utilities and reduce operating costs. Alternative sustainable energy sources must produce power in a Direct Current (DC) format. This power is then typically converted to Alternating Current (AC) for use in building power distribution. That conversion causes the loss of up to 20% of the power originally generated! If the architectural & engineering community is to design with efficient sustainable energy strategies, they must consider including DC Mini-Grid solutions. This would allow direct utilization of DC power produced by sustainable power generation sources. PoE is a DC format power distribution technology – eliminating the need for power conversion.

Barriers to PoE Adoption

Only recently have modern building codes begun to address formalizing PoE technology as acceptable power distribution. The next issuance of the National Electrical Code (2017 NEC) will codify PoE solutions and define them as Class 2 & 3 circuits. Electrical engineers will have to stamp design documents with PoE solutions soon and building code officials will be required to familiarize themselves with this new technology. The International Brotherhood of Electrical Workers (IBEW) has already begun defining PoE circuits as part of their scope of work. Classifying PoE as Class 2 circuits (or greater)  will cause state contractor licensing boards to begin requiring low-voltage licensing for trade contractors installing PoE solutions. Electrical, cabling and low-voltage contractors are jockeying to include this new power distribution technology in their scopes of work.

What Will Personal Device Automation Look Like in the Future?

The definition of “Smart Home” will change with the advent of this technology. There will be an explosion of “Internet of Things” (IOT) devices in the home and personal electronic devices will control them all. Others, with imaginations much more active than mine, will have to build that vision for the future. My mind is unable to fathom that reality 10-15 years from now. Rest assured, we will all be struggling to re-learn new ways of interacting with our devices and ultimately even our communities. This enhanced connectivity will allow real-time TWO-WAY communication via web-connected devices. I don’t know about you, but I just decided to spend only an extra $20/month to purchase an additional 1 TB/s of bandwidth from my internet service provider (ISP). Unlimited data pipe to my house and all of these future devices!


System Design Best Practices for Consulting Engineers


The disconnect between design professionals and their clients has been an aspect of project delivery that I have lived with most of my career. I never truly understood the cause, but I understand better now… in retrospect. My recent consulting activities have brought me a seat at the table with the Owner and their design professionals much earlier than I experienced previously: as early as program development. The new insights have changed my entire perspective of the project design process. I have learned how important it is, letting go of the need for control and cutting the metaphorical leash we sometimes unknowingly impose. We are compensated for our experience, knowledge and judgement, but these must facilitate the design process, not dominate it. Be confident, relinquishing control to a project team will produce better communication and more desirable results.

Developing a Design PROCESS as a Consulting Engineer

End-Users and Architects hire design consultants to provide expertise. Our ability to apply that expertise is significantly impacted by the level of familiarity with the Client’s organization. Depending on the time available, we often face the problem of accepting contributing information during the discovery process that seems to be incorrect, or at least, represents limited insight. Let’s discuss a different perspective…

  • Discovery and needs assessment is NOT the first step in the system design process. It should be Client EDUCATION!

End-Users are capable of making their own decisions when provided access to the knowledge required to do so. I have been amazed at the difference in the quality of project delivery recently when I have required the first design meeting be exclusively focused on Owner education. Reviewing best practices across the country with similar organizations, providing technology education and even product/software demonstrations PRIOR to design has proven to be invaluable in improving the quality of the needs assessment process. This also significantly improves recognition of unique project challenges AND validates prioritization of funding. I believe, the best design delivery comes from educating and then trusting client input!


Defining System Design as a Solution

I must admit, as a person who enjoys designing with leading edge technology, I do run the risk of being too focused on exciting new features that are changing the industry. The educational process discussed above reinforces the discipline to develop deliverables that address clearly defined needs, not the typical system design in a vacuum that ASSUMES value for the client. Until the problems/needs are properly vetted and validated, it is a waste of time to design solutions that may not be perceived as valuable. I can’t tell you how many times I have caught myself mistakenly assuming that features I felt provided clear benefits, were not valued by the client after an educational presentation.

Building a Process With Milestones

I spent the time to create my own security design checklists and milestone schedules. I have found them to be invaluable during the client review and approval process. Including an explanation of the design process, goals AND the schedule for completion of tasks adds significantly to a comfort and confidence level built with the end-user. Share the process with the client and the balance of the design team. Understanding your itemized task list will help to enlist their participation, cooperation and support.

Trust Decisions Made in a Team Environment

As a system designer, very often I catch myself prioritizing spend based on best practices and while there is a solid foundation found in this kind of thinking, it does not deal properly with accommodating limited budgets. Sometimes, hard decisions have to be made regarding needed functionality. There are industry specific design guidelines I can reference for many different kinds of projects, but should that really be the criteria? I have learned to place these decisions in a team decision-making environment. If the team is under-educated and unable to develop an overview of the topic, I ALWAYS take the time to educate. Yes, sometimes I get push-back and comments about wasting time, but afterwards, the value is almost always recognized. Team discussions like this produce better decisions and help the client to feel their ideas are being included.

Benefits

For those comparing this as an alternative process, think about your experiences with project delivery. I see so many engineers being tasked to design in a vacuum… today, I look back at my early career on the contracting side and wonder whether those systems added value. The quality of my services is the only differentiator I can offer to clients and I am always looking for process improvement.


How is Security Consulting/System Design Changing?


Is Security ONE Discipline?

In speaking with end-users, I never cease to be amazed at the expectation for a consultant’s knowledge-base and skill-set. I have been working in physical security for over 30 years and I feel just recently I have begun to grasp the full picture in the overall security category. When I share this observation, the response is often surprise.

Physical Security is impacted by threat assessment, risk analysis, vulnerability assessment, formulation of mitigation strategies, development of processes and procedures, changing technology, network infrastructure, information security, system design, etc. How does one person gain an “expert” level understanding of all these elements?

Who are “Security” Consultants?

  • Physical security threat and vulnerability assessment is often handled by Ex Law Enforcement/Intelligence Personnel.
  • Risk analysis is usually performed by legal counsel and/or insurance actuaries.
  • Mitigation strategies and physical security processes and procedures are best devised by physical security specialists (CPP).
  • Physical protection systems should be designed by security engineers (PSP).
  • Technology management, planning and data infrastructure is best handled by automated systems engineers: Electrical Engineers (EE), Professional Engineers (P.E.), Network Infrastructure Engineers (RCDD).
  • Information security and hardening of data transport should be handled by system software and coding/encryption experts (nod to CISSP).

In even three lifetimes, I am not sure one person could put this kind of experience together.

End-User Discovery & Needs Assessment

The critical developing need is for an individual who has enough experience to provide program management for all these disciplines. I have begun creating design development tools… there are too many related concerns that must be incorporated into integrated security design: checklists, process schedules, best practices review, etc.

Honestly, I am not sure the program manager role would be best handled by my discipline, but then who should it be? Can architects and/or construction managers offer this capability? Maybe, by assembling massive teams… but this approach is not financially viable for any other than the largest projects and corporations. So, which discipline will become the project leader capable of providing a cross-discipline needs assessment and assist in funding prioritization? This may be where some of you can help me? I have seen a new class of consultant pop up, calling themselves “Technology Consultants” and offering design services for ALL low-voltage automated systems (security, fire, A-V, telephony, etc.). These companies are growing out of construction engineering consulting and industrial automation engineering firms.

Convergence

All these different disciplines are growing together, being driven by end-user need. Personally, I have learned more about data technology and security in the last year, than in the previous thirty combined. It has been out of necessity. I am being asked questions by I.T. Directors that I have never heard before:

  • Have your IP controllers been penetration tested?
  • Can your IP controllers support typical network encryption strategies?
  • Are your drivers and firmware using open source-code and if so, has it been properly vetted?

Speaking to other security industry professionals here… continuing education is a bigger priority than at any time I can remember. It will be critical to learn not just your area of specialty, but also an overview of related disciplines. Client patience for excuses in this area has been precious little.


Evolution of Cybersecurity & Countermeasures


Just returned from speaking at the annual PSATec Conference (www.psasecurity.com) and was thoroughly surprised by the strong emphasis on Cybersecurity… For those that don’t know PSA, it is an organization that supports a large national group of physical security integrators. While there, I had the opportunity to speak with industry experts to build on my understanding of current trends. The two topics most interesting personally came from David Wilson, CISSP, a lawyer providing professional services relating to InfoSec liability and best practices and Per Bjorkdahl of Axis Communications representing ONVIF (www.onvif.org).


Cyber Event Impact

My conversation with David was fascinating and ranged across a broad array of topics, but the greatest impact came from a discussion of current Cyber vulnerability mitigation strategies. The content of our discussion prompted me to do some research online. I subscribe to a newsletter published by Information Week that I find covers important current topics relating to Cyber (www.darkreading.com). Recent articles confirmed the conversation with David at PSATec. The current thinking is to move away from prevention and towards CONTAINMENT. Here is a link to an upcoming webinar on the topic: Dark Reading Webinar. This was shocking to me. This represents a veritable open admission that Black Hat Hacking is pervasive AND attacks are inevitable! I had previously thought the threat was moving slowly to the private sector and primarily to global enterprise. This conversation blew a hole through that fantasy!

Cyber Liability

As a trained Cybersecurity professional (CISSP cert) AND lawyer, David has a fascinating perspective on Cyber liability issues. I find it interesting to watch Information Security (InfoSec) issues mature in our legal system. The path has been similar to the same evolution experienced with physical security. Those that have been through a lawsuit know, the legal measure of culpability is tied to “reasonable” efforts at prevention and response. In the physical security realm, we have several decades of case law to define these parameters. InfoSec is too new and the legal guidelines are still being developed today.

Defining “Basic” Cyber Prevention & Response

This is a new age of responsibility for stewardship of online data. Private enterprise will be completely liable for the resulting impact from these attacks: theft of personal data, user access to personal data, shareholder fiduciary responsibility, etc. As our legal system would, consider defining Cyber liability based on recent real attacks and the countermeasures currently being developed. David’s presentation attempted to define the current standard for “basic” Cyber attack countermeasures. Follow this link to a presentation excerpt regarding “basic” (reasonable?) Cybersecurity measures: Wilson Presentation. Please contact David via LinkedIn if you would like to explore this with him further and utilize his services.

I suggest keeping an eye on this evolving area for current protection strategies and the impact on related systems.

ONVIF

Cyber Standards

This is the other emerging area… certifying software, firmware and IP addressable equipment for compliance with minimum reasonable Cyber STANDARDS.

Underwriters Labs (UL) purchased InfoGuard last year, the leading company working in this discipline. I thought this would be the harbinger for the evolution of such standards with the subsequent development of UL 2900, but UL had a hiccup with the roll-out: “UL Refuses to Share Cybersecurity Standard”.

ONVIF is a consortium of 500 (or so) manufacturers attempting to voluntarily create a universally accepted standard for inter-operability in the physical security industry. This Cybersecurity presentation at PSATec was not an effort to lead, but more a cry out to the industry for leadership from an organization capable of tackling such a daunting task. In talking with Per, it appears manufacturer members are seeing this uncertainty as a revenue opportunity… individually developing commercially viable solutions for competitive advantage. I would expect nothing else. It is too much to ask for such a standard from an organization of competing companies promoting voluntary adoption.


Cyber Standards Leadership

So, I asked Per, where will the leadership come from? He also did not see UL being effective in this area. His response was surprising: RSA Security! For any of you not familiar with RSA, they are the organization that came from the Black Hat / White Hat hacking community. Their primary role has been development of encryption and encryption standards. Looking at their current website, it appears they are much more now… but I have to tell you, RSA moving into the physical security industry, really?

If RSA dives into physical security, that will be the beginning of “HYPER-CONVERGENCE”. You think technology is driving change now, this happens… and you won’t recognize the security industry in five years!

Challenging Times

These are exciting AND challenging times for the security industry. I wonder where these issues will take us? The change is happening SO FAST, I can’t even guess where we will be 2-3 years from now!

If you would like to discuss this, or other security topics, please contact me via LinkedIn. Also, take a look at my LinkedIn Discussion Board Security Convergence, or my Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.

Posted in Cybersecurity, Data Security, Information Security, Integration, Physical Security, Technology, Technology Convergence

Encryption – THE Constitutional Issue of Our Day


I know the majority of folks holding positions in our public legal system and in law enforcement are good people trying to do what’s right… and I badly want to believe Police Departments and District Attorneys will be responsible with their use of – and prevent public access to – seized personal information… although I can’t help but think of people in authority like (recently voted out of office) Sheriff Arpaio of Maricopa County, AZ, with little regard for personal rights and freedoms. Is skepticism healthy?

Legislating Unconstitutional Rights for Search & Seizure and the Elimination of Personal Privacy

Federal and local governments are beginning to introduce legislation to outlaw proprietary encryption. As usual, then only criminals will have proprietary encryption. Hackers for hire will then build private encryption for use by criminals. My guess is someone has already developed an app capable of customizing an algorithm for individual use. These three news releases are examples of this ongoing barrage:

http://thehackernews.com/2016/04/anti-encryption-bill.html

http://thehackernews.com/2016/04/microsoft-gag-orders.html

http://thehackernews.com/2016/04/blackberry-encryption.html

The Future of the U.S. Constitution

I am not sure where all this is heading. Has fighting terrorism become the excuse for relinquishing all personal privacy? I have had this discussion with many friends and associates and several have shot back at me: “What do you have to hide?” Nothing, but doesn’t anyone remember their U.S. history and the principles under which this country was founded? We might as well remove the 4th & 9th Amendments. I don’t know about you, but I am of the Baby-Boomer generation and we were taught at a very early age to understand and appreciate the greatness of the American ideal that founding fathers like Thomas Jefferson and James Madison put into words so eloquently. Is Mankind always destined to make the same mistakes over and over again? Our country was founded by men of vision with a passion for protecting human rights and justice. Today, it almost feels like sedition to be touting the importance of the U.S. Constitution. I see on the news too much talk of “updating” our Constitution. I don’t know whether to feel outrage, or just pity for future generations…


Posted in Cybersecurity, Data Security, Information Security, Technology

Innovation – Are You Listening?


What is Innovation?

Is innovation simply developing NEW products? We are told, new products are the result of the innovation process. So, how does this thinking apply to the Security Industry?

True innovation requires insight, vision and APPLICATION! The insight to recognize the underlying need. The vision to imagine the solution and the knowledge and skills to design the product(s). Think of defining security as – securing environments: virtual, and/or physical. The process should begin with recognizing evolving threats, their severity and then defining scenarios to mitigate the associated risk, before investigating a new commercially viable product. Are you asking your customers to share their concerns? Do you actively listen and bring back the market intelligence to discuss the associated business opportunities internally?

Threats Forcing Convergence

Earlier this year I attended the largest physical security trade event in the U.S., the 2016 International Security Conference West (ISC West) sponsored by the Security Industry Association (SIA). It was very well attended and I think a productive event for most vendors with a presence… but I was personally very disappointed.

In my recent experience, the security topics end-users and consultants want to discuss today are being driven by the challenges emerging from Information Security (InfoSec) concerns. The growing influence of Chief Information Officers (CIO), Chief Information Security Officers (CISO), Chief Technology Officers (CTO) and I.T. Directors is changing organizational security practice and policy. Those concerns are impacting physical security systems design and building a business case for emerging areas of convergence: Encryption, Penetration Testing and Identity Management (authentication). It is time for growing awareness to be leveraged into solutions… finding equipment, systems and the expertise to design, sell, deploy and service them.

ISC West Trade Show Floor

I walked every foot of the enormous ISC West show floor and found only two manufacturers showing serious IPSec/InfoSec solutions. Internet-of-Things (IoT) devices are forcing a growing demand for products and services that address the security of data in this new network environment.

I am just one voice yelling into gale-force winds. Large companies, even when recognizing the need, find it difficult to turn on a dime and pursue emerging business opportunities like this. Honestly, in many conversations with PSP, RCDD and CISSP certified individuals recently, they were not aware of available physical security technologies to address these concerns, let alone solutions ready for deployment. I will continue to bring the message of security convergence to the different disciplines and encourage their cooperation and mutual effort to provide solutions for use in this new emerging area.

Two IPSec/InfoSec Solution Providers Showing at ISC West

Here is a quick shout-out to both Quantum Secure (www.hidglobal.com/quantum-secure) and Stratus Technologies (www.stratus.com), acknowledging their foresight to invest in their view of future convergent solutions:

  • HID Global offers Quantum Secure, a powerful identity management tool that can incorporate Active Directory (AD) integration via LDAP protocols already being used by virtually every IP data network designer. One day, AD (or something like it) will be used by ALL intelligence associated with IP Addressable appliances. The threat of unauthorized access to data networks is becoming too great a risk to ignore the need for a common identity management solution across all IP connected devices and applications.
  • Stratus Technologies has been evolving their Sightline Assure application from an industrial automation tool to an ACTIVE (not passive) network security tool. This solution includes a redundant server fail-over system for use with critical infrastructure. These types of products ensure continuous operation of critical automated systems. I have worked with solutions like this before. As interesting as it is, their real innovation comes from the associated dashboard that can be used to monitor data traffic across individual segments of the broader network. The application:
    • Think Distributed Denial of Service (DDoS) attacks, or for that matter, any unauthorized use of private network bandwidth. If you could monitor real-time fluctuations in data network traffic, set thresholds and provide alerts (text/email)… DDoS would become a thing of the past.
    • Now, let’s take this a step further… What if, upon recognizing a spike in data traffic, you could lower the available bandwidth for that network segment? Next, what if you could re-route that network segment through a virtual switch instance, segregating the traffic from other network resources and assets?
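The monitor, threshold and escalate sequence from the two bullets above can be sketched as follows. This is an added example, not code from Stratus or from the original post; the segment names, traffic figures, thresholds and the "throttle"/"isolate" action labels are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: bytes/second per network segment, one reading per interval.
SAMPLES = {
    "cameras-vlan": [900, 950, 1000, 980, 1020, 990, 5200, 9800, 9900, 1000],
    "access-control-vlan": [200, 210, 190, 205, 215, 200, 220, 210, 205, 200],
}

@dataclass
class SegmentMonitor:
    name: str
    alpha: float = 0.2         # EWMA weight given to each new normal reading
    spike_factor: float = 3.0  # alert when rate exceeds factor * baseline
    isolate_after: int = 2     # consecutive spikes before escalating
    warmup: int = 5            # readings used to establish the first baseline
    baseline: float = 0.0
    seen: int = 0
    streak: int = 0

    def observe(self, rate: float) -> str:
        """Return 'ok', 'throttle' (lower bandwidth) or 'isolate' (re-route)."""
        self.seen += 1
        if self.seen <= self.warmup:
            # Running mean over the warm-up window; no alerts yet.
            self.baseline += (rate - self.baseline) / self.seen
            return "ok"
        if rate > self.spike_factor * self.baseline:
            # Spikes are NOT folded into the baseline, so a sustained
            # flood cannot gradually redefine what "normal" looks like.
            self.streak += 1
            return "isolate" if self.streak >= self.isolate_after else "throttle"
        self.streak = 0
        self.baseline = (1 - self.alpha) * self.baseline + self.alpha * rate
        return "ok"

def run(samples):
    """Replay the readings and collect (segment, interval, action) events."""
    events = []
    for name, rates in samples.items():
        monitor = SegmentMonitor(name)
        for t, rate in enumerate(rates):
            action = monitor.observe(rate)
            if action != "ok":
                events.append((name, t, action))
    return events

if __name__ == "__main__":
    for event in run(SAMPLES):
        print(event)
```

The returned actions are labels only; applying a rate limit or moving a segment onto an isolated virtual switch would be done through whatever interface the deployed switching or monitoring platform exposes.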


Posted in Cybersecurity, Data Security, Identity Management, Information Security, Integration, Physical Security, Technology