Providing Cyber Ready Solutions for Successful Lifecycle Project Implementation
For the first time at PSA TEC, the PSA Committees came together for a joint session including all five of PSA’s Committees: Cybersecurity, Leadership, Project Management, Sales & Marketing, and Technical. In this panel discussion, PSA committee members discussed a comprehensive approach to addressing the impact of cybersecurity on the physical security industry.
The physical security industry provides solutions that help companies protect people, assets, facilities, and information. Security integrators need to be equipped to handle the increasing importance of cybersecurity risks when implementing projects. Unfortunately, many security products out there today have vulnerabilities and were never built with cybersecurity in mind. Today, many clients are investing in cyber groups and building teams to address and mitigate their cyber risks. Integrators need to be engaged with these groups and provide solutions and support their needs. End users expect security providers to be responsible for failures and vulnerabilities that are found in or caused by the devices installed.
Moderating the panel as a representative of the PSA Leadership Committee was Bill Bozeman, President & CEO of PSA Security Network. The representative from the PSA Cybersecurity Committee was Andrew Lanning, Co-Founder of Integrated Security Technologies. Representing the Project Management Committee and author of this session, was Robert Flynn, Senior Vice President of Operations for Aronson Security Group. Representing the PSA Sales & Marketing Committee was Sharon Shaw, Client Development Manager for Tech Systems, Inc. The representative for the PSA Technical Committee was Dr. Chris Peckham, Security Consultant.
To kick off the session, moderator Bill Bozeman asked the panel “What are some of the largest cyber risks that our industry is not addressing?” The panel agreed that most security products being used today have vulnerabilities and that many of these devices were built without cybersecurity in mind.
The panel was asked to discuss how they educate their internal organizations as to the risks, responsibilities, and opportunities as related to cybersecurity. As Robert Flynn noted, most attacks come from within an organization. Many large clients are investing in cyber groups – the security industry needs to be educated and prepared to work with these highly cybersecurity-educated clients. Some easy steps to be smarter in deploying projects include changing default passwords, updating firmware regularly, educating your organization on these processes.
The audience was then asked “Has your company experienced a cybersecurity breach?” The majority of the audience claimed yes, they had experienced a data breach, a small percentage said no, they had not experienced a data breach, and one respondent said they did not know if they had experience a cybersecurity breach. This was a good indication that the security industry is now assuming they have been or will be breached at some point, a much different perspective than we saw just a few short years ago.
Bozeman then asked the panel “How do you convince reluctant clients of the value and need for a cybersecurity program?” The panel stated that you must make sure the client is willing to pay for it up front and convince them through education if they are a less knowledgeable client. A special note from the panel was that the end users look to security professionals as the expert, having all the liability of being the expert. The client will expect any fixes needed to be completed and that the costs and liabilities will fall on the security integrator not the end user. For this reason, security professionals need to communicate with the multiple departments (IT, contractors, C-Suite, etc.) and ensure cybersecurity has been budgeted into the overall project costs.
The next question posed to the panel was “How can security systems integrators realize financial rewards from cybersecurity?” The panel emphasized the importance of building your cybersecurity services into the contract. From password changes and updates to device firmware and software updates – build this recurring monthly revenue (RMR) into your contracts and budget.
Lastly, the panel discussion concluded that it is an industry-wide effort that needs to be made in order to protect our clients and companies from a cyber-attack. Manufacturers need to be providing equipment designed with cyber protection along with cyber hardening guides. The security integrators need to have a standard of product they are using and implementing with clients. The end users need to be better informed on the need for cyber services and protection for their businesses.