The Future of Physical Security: The Decade Ahead

SIA Education@ISC West will provide conferees with more than 70 sessions of valuable information on important topics in the security industry at the Sands Expo in Las Vegas on April 10-12.

Terry Gold, Principal Analyst, D6 Research, will present The Future of Physical Security: The Decade Ahead on Tuesday, April 10, at 10:15 a.m. For our blog, SIA caught up with Gold to learn more about his session. Register for ISC West, and find more info on SIA Education@ISC West class sessions.

SIA: Can you tell us a little bit about your background and how you were inspired to present on the topic of “The Future of Physical Security: The Decade Ahead” at ISC West?

Gold: I started out in information security then got into physical security a number of years ago. I’ve worked for several vendors, mainly helping global companies figure out ways around proprietary technology that was crippling their security and operations. I started D6 Research to dedicate research to new ways for organizations to be highly secure but at the same time unbounded by the limits vendors were imposing and the shortcomings that “common practices” were causing.

SIA: Will the security industry see significant change over the next decade? If so, what are the factors driving that change? How will the next decade be different?

Gold: The running joke in the industry has been that not much changes from year to year. While that’s been generally true in the past, we are experiencing a transformation. At the surface, it’s new concepts like mobile, Internet of Things (IoT) and cloud. However, I think it’s a mistake to endorse those as transformational or you’re going to miss what’s really going in under the surface. Those are just platforms that can be used on the journey to make changes, but they aren’t the destination. They are more like the vehicle than the road—what we may use to get there. Also, we shouldn’t be touting those as terribly new or transformational when IT (and other industries) have been leveraging those platforms for over a decade already.

There is a difference between what’s new to the industry and true innovation that can be measured in terms of how end users experience more predictable outcomes. Without giving it all away, I believe that security will be turned entirely on its head in years to come. In the past, vendors catered to their channels (considered them their customers) and weren’t primarily focused on aligning their solutions to achieve practitioner results. The focus was rather functional, not goal-oriented. So, if the industry looks to outcomes instead of functions and depends on end users as arbiters of value (not the channel), we come up with a whole new paradigm in how security is designed, delivered, integrated, executed, measured and valued.

I know that’s a tough pill for some reading this to swallow. I’m not trying to be insensitive. Everyone will have a role in this—they will just be changing a little bit.

SIA: What is driving organizations to change the way they are thinking about the current offerings and practices of the security industry?

Gold: It’s really about maturity. We’ll see little change in much of the end-user spectrum. People in physical security looking at that side of it won’t move fast enough and will be left behind. The change is being driven by organizations where physical security end users feel are feeling pressure from becoming increasingly accountable to internal peer stakeholders (outside of physical security).

They will need to close the gap to rival the efficiencies and security outcomes that other internal peer departments are demonstrating. If they can’t, they’re not going to be able to justify the proposed investments—and might not even be able to hold onto their job. Organizations are becoming risk-based decision makers and as such are looking at it from an asset and risk portfolio management perspective. The sad fact is that much of how physical security has evaluated risk in the past (what I call “common practice”) is far out of alignment with practices of other stakeholders within the enterprise.

A CISO looking at this risk portfolio now wants to know HOW strong access to their data center is in terms of actual risk, rating, likelihood. The response they will typically get is not compatible with the practices or assurances they require. So as things like this arise (through maturity), they’ll get ironed out. Physical security will need to change in many ways to address this. Legacy practices and technology won’t cut it.

SIA: How do we identify processes and procedures that deliver high value to an organization? Are organizations poised to drive change in security paradigms to receive greater value than they do now? If so, how?

Gold: This is where D6 Research has been focused for the past few years—every day. We aren’t a consulting organization. We don’t install, resell or promote technologies. We’re neither a vendor nor a channel. We spend all our time researching and modeling to two ends of the spectrum fit together—advanced end-user outcomes and methodologies that can achieve them.

So, we’ve spent a lot of time just identifying and classifying those outcomes and methods—how they can be measured and the relationships between them. We come up with algorithms, tools and models; it’s been a fun journey.

Reflecting on the body of work we’ve put together (which we will be releasing in a few chunks in 2018 finally), I’d say the lesson for those that want to think ahead and get to a place where high security and operational efficiency can be achieved is a need to incorporate a different set of practices than much of the principles that have been pervasive in physical security. The good news is that we don’t need to reinvent those principles; other industries are 15 years ahead of us, so we only need to look to the body of work they have already done. And that’s a good thing as it will take the guess work out and accelerate part of our collective journey.

The harder part is the specific application to physical security. We keep making the mistake of creating new specifications for industry consumption, which might help in the short-term but really undermines long-term inclusiveness and value to end users with respect to their investments. We must learn to stop forking specifications and doing it with only vendors in the room. We’re just creating a new set of problems down the road each time that is done.

So, what’s the answer? An example would be instead of working on an identify management integration specification for physical security, we should join and be trying to make what we build work with the existing identity management workgroup specifications that already exist to bring us into the greater (and more pervasive) ecosystem. And this is what some physical security executives are facing from their peers—to come into the fold rather than building a better moat around their department.

SIA: How does the speed and accuracy of information factor into value for organizations and the shape of the security marketplace?

Gold: Honestly, this is a slower cog in the machine in terms of where there is recognition, but is perhaps the most important piece of it. Our research concludes that to achieve high-value security outcomes, the most significant factors are:

1. more information
2. being able to assimilate and contextualize that information quickly
3. being able to orchestrate and react at least in equal time to that of the information coming in

In other words, going from where most of the market is focused today (better reporting) to a more predictive model. Better reporting can only give me a better “rear-view mirror” as to what has already occurred. It has some value but doesn’t really change the paradigm to improve safety and prevent events from occurring.

For that, I need to be able to move to a predictive model that goes beyond data to real-time analysis that can’t be performed manually or with the current systems or infrastructures that vendors are selling today.

The value of this model is high. Information security is already heading here. Physical security will get pushed heavily, and vendors only offering better rear-view mirrors are going to get marginalized—regardless how big their brand has been. Dropping it into cloud doesn’t solve this—that’s just delivering what they have in a different consumption model.

So, what does it really look like? In trying to see the future as much as possible, we have looked to past situations where we stopped an event before it occurred.

SIA: What’s one thing you would like folks to think about prior to attending the session?

Gold: We won’t get here overnight. It will be in steps. We’ll map out some of these outcomes: what they look like, achieve and their value. Then we’ll talk about what the foundation elements are and where they are in terms of maturity.

People that attend will walk away being exposed to a whole new vision of what physical security can/should do, and as a result perhaps go back home and revisit how they are balancing tactical and strategic planning as well as re-evaluating how they define who their partners are.