You say you want a revolution?
Remember about a decade ago, everyone was talking about Web 2.0? Does anyone even remember what Web 1.0 looked like?
The revolution – if that’s what you’d like to call it – wasn’t so much one of changing the underlying technologies of the web, but instead it was about changing the way in which websites were designed and the modes of interaction between consumers and producers of information via the web. Suddenly the internet was interactive. Suddenly the whole became much more than just the sum of the parts.
That’s what the security industry needs right now.
To be honest, I have something of a personal and pedantic-sounding axe to grind when it comes to the industry and what it purports to be. If I go to a security company and give them some money, do I receive in return a corresponding quantifiable amount of security? Surely security is something inside me – an emotion, or perhaps more accurately a state of mind – that I will either possess or not possess as a result of how much risk I believe I am exposed to. One person can be sold a burglar alarm and feel secure as a result, whereas another person might receive exactly the same burglar alarm and feel no security at all. If I’m not consistently providing security in return for payment, how can I be in the security business?
I don’t think this is just splitting hairs over ambiguous terminology though; it seems to me like a serious misrepresentation by an industry that people pay a lot of money to, and put a lot of trust in.
I’m actually hard pressed to think of a technology-driven step change over the last thirty years or so that has resulted in improved levels of security for people in general. If you listen to the message coming from most of the recognised players on the technology side of things, I don’t see any sign of these guys upsetting their own apple-carts any time soon. Neither the ever-increasing resolution of surveillance cameras nor the introduction of different biometrics for identity management are necessarily going to change the way security is done, and suing each other over the use of terms like “Trip-wire” and “Federation” seems so far away from what those of us in the risk management world are trying to achieve that one has to question how organisations involved in such antics can be taken particularly seriously.
Many of these companies deal in what I refer to as devices (cameras, readers, locks, motion sensors and all that other stuff that gets screwed to the wall by companies calling themselves security systems integrators), and these can increasingly be considered commodity items available from multiple sources, with comparable features and levels of performance (or are likely to be so within the next few years). These devices are also comparatively inexpensive, and as their volumes increase their prices fall, to the point where they could be included in the standard build of any facility without significantly influencing the overall cost.
Right now we see massive amounts of money being spent over and over by end users on non-security consultants who write tender specifications that focus almost exclusively on the technical performance of the devices, even though this information is essentially the same for every job, whilst ignoring the operational security requirements of the facility. So why not just standardise all of the devices and their infrastructure and have them installed as part of the electrical contractor’s package?
Obviously there is still some work to be done around harmonising the way these devices interconnect and how they communicate, and some brand preferences amongst end-users will remain whilst the commoditisation process bottoms out, but these things can all be handled through standards like ONVIF and with the inevitable establishment of the Internet of Things. So open standards and interoperability, with systems built on infrastructure that is adaptable, scalable, upgradeable and available – that’s where we want to go, right? Provision and installation of devices then becomes an MEP contractor’s function, just like provisioning toilets and light switches, with no distinction made between one device and the next. Economies of scale and single-point-of-purchase make this a very attractive proposition for end users, with all of their ELV systems installed by one contractor – fire detection, audio-visuals, voice and data, BMS and security…
Oh…hold on a second…did I just wipe out the whole of the security systems integration business with a few strokes of my pen…?
No. What I just did was clear away a tradition that has in the past compelled end-users to engage with a specific type of ELV installation contractor (many of whom describe themselves as security systems integrators), mistakenly believing that they’re engaging with risk management specialists, and consequently getting a bunch of devices installed but not necessarily getting any security. That needs to change, and when it does we’ll be ready for Security 2.0.
Just like Web 2.0, Security 2.0 needs to be a collaborative and interactive place, where data becomes the main ingredient we use in the recipe for security. In a shopping mall the data can be used to manage shopping mall risks, and in a prison the data can be used to manage prison risks. There will be companies who know lots about a specific vertical in a specific geography, and can demonstrate their specialist skills to build tailored solutions that closely match the operational needs of each client. They get to exercise their specialisations without being encumbered by the financial, contractual and resourcing burden of supplying and installing tens of thousands of devices with all of the associated infrastructure.
But it isn’t just about disentangling the contracts side of things. We live in an unsafe world that is constantly evolving, with a future threat landscape that we cannot even begin to imagine. It’s time to stop regurgitating the same tired and ineffective approaches to security that the industry has been churning out for decades – they aren’t working against today’s threats. If we accept that systems that exist inside silos and offer little more than the ability to forensically analyse incidents after they have already happened are all we need, then we are going to have to accept the death and disruption caused by suicide bombs, active shooters, cyber disruption and terror-linked CBRNE attacks for a long time to come; and not just in the far-away countries we see on CNN, but amongst us on the streets of our capitals.
I for one do not accept that this is the best we can do, and believe it’s time to start moving towards the revolution. Maybe one day we won’t be able to remember what Security 1.0 was like either.