The physical security industry is running hard and fast in the in security bull market—and all signs point to continued, steady growth. According to Imperial Capital, Los Angeles, a full-service investment banking firm specializing in physical security, it’s the 11th year of the industry’s economic rise, which is the longest ever with a strong outlook into 2020.
That being said, it has become increasingly complicated to run a successful and profitable security contracting business—especially with regards to compliance, legislation, cybersecurity and privacy. But the market is clearly moving fully onto the network and embracing the digital transformation, with data and integrated technologies fundamentally changing how contractors provide service and giving them the ability to deliver additional value to customers.
Utilities and critical infrastructure
If you’re working in the critical infrastructure market providing services to utilities, water, energy companies and others, mandates such as North American Electric Reliability Corporation (NERC) and Critical Infrastructure Protection (CIP) are adding requirements. More than a decade ago, the NERC approved CIP standards CIP-001 through CIP-009, which are designed to provide improved regulatory accountability. NERC-CIP carries two primary purposes. The first is to provide a cybersecurity framework to identify critical cyber assets, and the second is to protect those assets. Critical assets, as defined by the standards, are those systems, equipment or facilities that if affected by destruction would be detrimental to the reliability or operability of the Bulk Electric System (BES). Since the mandate hit the books, some companies have struggled to comply with the three most critical areas of the NERC-CIP standards: CIP-001, Sabotage Reporting, CIP-002, Critical Cyber Asset Identification, and CIP-004, Insider Threat.
CIP-003, Cyber Security-Security Management Controls, is set to roll out in 2020. This standard is designed to specify and maintain security management controls that establish responsibility and accountability to protect BES cyber systems against compromise.
The good news for electrical contractors serving these mission-critical customers is that compliance can now be part of an automated physical identification and risk management platform. Software for access control and identification incorporates business processes, automated compliance controls and human resources functionality. Now, identification and access management solutions provide an experience to the workforce, while employers gain controls that integrate and automate everything from credentials to terminations to expired credentials and meeting compliance mandates such as NERC-CIP, in the process.
Cybersecurity can’t be ignored
As NERC-CIP adds cybersecurity standards, and with integrated and internet of things (loT) devices reaching into the billions, this is area of concentration can’t be sidestepped. From breaches into home security and baby monitors to ransomware attacks at public safety departments, no sector is unaffected, and customers want to be sure their data is safe and protected.
In its 2020 “Security Megatrends,” the Security Industry Association (SIA), Silver Spring, Md., has identified and forecasted cybersecurity as the top factor influencing the industry for the second year in a row.
According to Scott Schafer, chairman of the board of SIA, there’s increased risk and frequency of cyberattacks today. “Systems integrators and product developers are working to make sure security solutions meet or exceed an organization’s cyber-preparedness standards. In addition, we also see the trends of artificial intelligence (AI) and facial recognition [that] will dramatically impact the industry in coming years. Both AI and facial recognition are experiencing clear advancements, and new technologies are positively impacting the value of companies in the industry,” Schafer said.
Opportunity in AI deployments is substantial for security contractors. AI in cameras can result in having to deploy fewer devices because it pinpoints specific activities and thresholds while proactively alerting security operations center personnel of anomalies or potential threats. When the industry can better pinpoint and harness specific data, the opportunities widen further.
“AI is shifting the modern landscape of security and dramatically changing the way users interact with security systems,” said Alex Asnovich, vice president, Global Marketing & Communications, Avigilon, Vancouver, Canada.
While many are focused on AI’s potential, it’s already helping solve problems.
“The fact is that today there are too many cameras and too much recorded video for security operators to keep pace with. On top of that, people have short attention spans. AI is a technology that doesn’t get bored and can analyze more video data than humans possibly could,” he said. “It is designed to bring the most important events and insight to the user’s attention, freeing them to make critical decisions. As AI technology evolves, the rich metadata captured in security video—like clothing color, age or gender—will add even more relevance to what operators are seeing. This means that in addition to detecting unusual activities based on motion, the technology has the potential to guide [the] operator’s attention to other unusual data that will help them more accurately verify and respond to a security event.”
Today, with vast, interconnected networks, IP devices, intelligent technologies, open systems and data accessibility, we keep pushing boundaries further. Emerging applications present great opportunities but also raise ethical questions, especially around the public use of AI and facial recognition. Those concerns have manifested in growing local, state and proposed federal legislation banning or limiting the use of facial recognition. San Francisco and Oakland, Calif., were the first cities to prohibit facial recognition. Recently, citing legal implications arising from the EU’s General Data Protection Regulation, France announced it is prohibiting facial recognition as a school access control solution, even with the consent of students. This decision follows Sweden’s similar response.
George Oliver, chairman and CEO of Johnson Controls, Milwaukee, said the digital transformation has had a monumental effect internally and on the customer and their markets.
“There’s a fear that, because of data privacy, [facial recognition] will create so much risk that it will hold the technology back. How do we educate others, so they understand that it’s going to enhance what we do? We need to educate the user and drive that—and then it’s a huge opportunity moving forward,” he said.
There’s also the interim rule banning certain camera manufacturers that weighs heavily on the physical security industry. The ban prohibits the purchase and installation of video surveillance equipment from specific Chinese manufacturers in federal installations as part of the National Defense Authorization Act, which went into effect August 2019. In conjunction with the ban’s implementation, the government also published a Federal Acquisition Regulation that outlines interim rules.
Not yet finalized, the rules call for a provision that would prohibit government agencies from accepting bids from contractors that leverage equipment and services from the cited companies. The most immediate impact is the need for contractors to certify whether or not they are providing the covered products or services to the government, especially those with standing GSA/Federal Supply Schedule contracts. In addition to Hikvision and Dahua, AI and facial-recognition firms on the list include Megvii Technology, SenseTime, Yitu Technologies and Yixin Science and Technology Co.
It’s becoming increasingly clear that in the security contracting business you need to navigate the growing world of regulations, compliance and other forces reigning down on the industry.