PSA Security Network has for several years spearheaded the charge of cybersecurity awareness among the physical security integration community. Way back in 2014 – perceptibly ahead of the coming wave of attacks and solutions – PSA CEO Bill Bozeman was asking “Who is at fault if physical security devices are hacked?”
Fast-forward three years to the 2017 PSA TEC conference and cybersecurity absolutely dominated the show’s educational program, with 16 individual sessions on the topic. PSA now has a fully functioning Cybersecurity Advisory Committee – composed of integrators, security vendors and IT experts – that has created a “cybersecurity playbook” for use by its integrators (see more at www.securityinfowatch.com/12243056).
Certainly among PSA security integrators, cybersecurity is no longer something to scoff at or reserve for the IT geek squad; however, as awareness has increased, so has their demand for solutions. This is the crossroads that PSA stands at now – where awareness and adoption meet. I sat down with Bozeman at PSA TEC in May to discuss PSA’s effort to vet and approve cybersecurity products and services that the integrators can put into daily use for their clients in an exclusive SD&I 1-on-1 interview. Here’s what he had to say:
SD&I: How is the cyber awareness campaign moving along?
Bozeman: The Cybersecurity Advisory Committee is very active and very aggressive – I am not afraid to admit that I have even had a few of our partners come up and say “enough already…you’re driving me crazy, Bill! We get it!” That’s how much we are pushing it, because we just feel it is so incredibly important.
I don’t think there are any PSA members who don’t have a concern; who think that it is nonsense or that it is not going to impact them. We did surveys yesterday in some of our meetings, and when we asked which integrators were concerned about cybersecurity, 100 percent said yes; so that part is finished, and we move on to the big challenge: How does PSA provide not only education, but products and services as well? That challenge is quite difficult, and actually our committee is not enough; so we are reaching out to other consultants and partners for assistance with the due diligence process – that’s the next step.
SD&I: What makes cybersecurity product vetting different than physical security or A/V?
(Cyber) is very different than the A/V market that PSA just expanded into. First of all, the A/V market is very similar to the security market, in that it is mature. There are rules and regulations. There are channel management disciplines – those don’t exist in the cybersecurity market. It’s still the Wild West. I saw the CEO of FireEye this morning on CNBC, and he said “we still aren’t making money but we are doing better – we only lost a billion.” So the market needs to mature a bit – we are trying to use the same dynamics that we use for A/V and security, but we are probably going to have to loosen those standards up. You may see us partner with companies that haven’t been in business for 20 years; that do not have a rock-solid balance sheet; that do not understand the channel.
There is no standard, which is part of the reason it has been such a challenge for us to provide products and services. There are standards in physical security and Pro A/V – we know who the solid companies are, we know who the rookies are, we know who the people who are just coming into the country and don’t understand how it works…we know all that. Cybersecurity is not so easy.
SD&I: What is the goal of the vetting process?
We are trying to find a play for the security integrators – not just to protect themselves and not just to protect their end-users, but to actually provide a product and service that they can profit from. That’s our goal, but finding those products and services has been a bear.
SD&I: How exactly do you vet a cybersecurity product?
It’s nothing like a physical security product because the problem is, we really don’t know enough ourselves to do it alone. Here’s how it works: The PSA management team vets the business – and we have been kind of the deal-killers because we can’t take a risk on a couple of young guys who went in the business 18 months ago, who don’t have any money, can’t pass a drug test, but have a real good idea. It’s just too risky. We can also figure out the channel. We can say we really like the product but the way they want to go to market doesn’t work with how PSA or our integrators work.
So we have half of it covered – the other half is the box, or the software, or the cloud delivery system. How does that work? Does somebody else have something twice as good at half the price? That’s why we are putting this team together now of people who are in the field who can look at and test these products and potential services.
SD&I: What’s the timeline for actually integrating the cybersecurity products and services into the PSA offering?
I’m putting a lot of pressure on our internal team and the Cybersecurity Committee. We have three potential partners who are all interested in working with us to help us do the vetting and the due diligence, so actually I think we are getting pretty darn close. The problem with cybersecurity for a lot of vendors is that it’s money out with nothing coming back. For the CEO of FireEye, things are great if they might be profitable next year – I don’t have that luxury. That said, I am confident that we will have products and services. We have 170 vetted physical security products and about 60 pro A/V products – we won’t have that many in cybersecurity; I’m hoping that we have five or six in different areas. We just have to find them.
SD&I: What about insurance for integrators who want to provide these products?
We also had a polling question on insurance yesterday, and 70 percent of the integrators said they already have some cybersecurity insurance. So then we asked, do you understand your coverage, and the vast majority said no. We have a great partner in the insurance industry, BB&T, and we simply want to provide a product to our integrators that has been vetted. They are mature, trusted, they know what they are doing, and they have specific policies for each instance. So there is cybersecurity insurance available; the concern we have for our integrators is when they think they have everything covered, but in reality the coverage is minimal at best. It’s just complicated, so we suggest going to a specialist who can explain what the situation is on a case-by-case basis.
Paul Rothman is Editor in Chief of Security Dealer & Integrator (SD&I) magazine. To access SD&I's current issue, archives, subscription links and more, visit www.secdealer.com.