The rise of Security 4.0

Rachelle Loyear of G4S talks security convergence, digital transformation and making sense of all the data
Monday, April 27, 2020

YARMOUTH, Maine—The state of cyber- and physical security convergence has been one of the hottest topics in security for good reason, as it is changing the way security integrators provide and manage programs, technology and services. The rise of Security 4.0, driven by the digital transformation, is creating opportunities as well as challenges, particularly with the vulnerabilities emerging technologies and IoT devices are creating on the network.
 
G4S VP of Integrated Security Solutions, Rachelle Loyear, has a unique perspective on the topic, having been at G4S for five years, and prior to that, 13 years at Time Warner Cable as director of Enterprise Business Continuity. She is also an active ASIS member who serves as the program manager for the ASIS Enterprise Security Risk Management (ESRM) program.

SSN: Looking at the state of security convergence today, where do you see the industry when it comes to this cyber-physical convergence?

LOYEAR: Cyber- and physical security are converged at this point, including access control, video management, visitor management — all of these things that we have in security today — they are converged; you cannot get away from cybersecurity. But, unfortunately, we are still mentally siloed. People who are interested in having cool new physical security devices are taking those and putting them on the network, so we have to look at the risks that we are acquiring through that convergence of functional technology versus information technology.

We still think of cybersecurity as a thing that surrounds information, but information is the asset and cybersecurity is the environment through which one can safely access and manage that asset.

We here at G4S have been working on this question of convergence and a risk-based approach as it relates to security risk management for more than a decade. To me the question of convergence is over from a political standpoint, as the world has converged. Now it is recognition of it, and a solid look at the risks that are associated with it.

SSN: A lot of the conversation today is around what is being called the digital transformation. Can you talk about this Security 4.0 concept and how G4S is embracing it?

LOYEAR: In the last year we have really been focusing on this question of Security 4.0, to align it with the business popular language of Industry 4.0, and to try and get people to understand that security is moving into a new connected age as well now. We need to be sure we do not follow the manufacturing industry, which moved gangbusters into that connected age and took advantage of all the cool new technology, and then found out that they had vulnerabilities and holes and gaps that they weren’t thinking about because it was just cool.

We are really at — or at the cusp of — Security 4.0: Everything in your security program will be connected. Cameras will talk to access control. Your visitor management system at some point should be able to recognize the visitor coming through the door using analytics on your camera, having facial recognition, pinging your manned guard on their device saying to greet that visitor if that is needed, for example. But all of these things in this connected environment are risks sitting there, so we want to make sure we embrace the digitized movement while understanding the challenges created in doing so.

We as a security organization and G4S need to make sure that we are cognizant of the potential gaps and pitfalls and problems — and everything that goes along with it — so we aren’t just going along with the desire to be cutting edge without making sure that we apply all of the appropriate security and risk management techniques to that. We are taking a much more holistic approach to managing security.

SSN: Where are companies on this digital transformation journey?

LOYEAR: We may only be halfway there but it is where everybody sees that we are going, and all of the CSOs and CISOs see it coming and are planning around it and budgeting for it. The awareness of digitization as an impacting factor for security programs is very high as well, so I think the industry knows it is coming.

In the next decade it will be hard to find an enterprise-level security program that is not digitized. By giving people a good pathway and guidance on potential issues, we can avoid them and allow the industry to embrace the advantages of digitization without running into the brick walls that Industry 4.0 ran into, which is the target hack where someone gets into a casino, for example, through their fish tank thermometer. We have a lot of lessons learned from Industry 4.0.

SSN: What successes are you seeing from early adopters? What are some of the key advantages of digitization?

LOYEAR: There are the obvious ones such as speed and efficiency that you get with digitization, but the biggest advantage is also its current biggest downfall and that is the current amount of information that these systems can provide will change our world. We will be able to understand so much about how systems are being used, how people are interacting with those systems, how systems are interacting with each other, that we are going to be able to get actionable information, and it is not just security at this point.

Security is going to become an enabler of the business through every data point that we collect. Retail is a good example — seeing traffic patterns so human resources can figure out key times to staff, as well as better understanding what customers are interested in, for example.

One system that would have typically been cameras with someone watching to see if something bad happens suddenly becomes a vast portal of information for the entire organization, which is great and amazing and provides so many benefits to so many people, but on the flip side is the noise that is created; it is overwhelming to us as humans the amount of noise that comes along with all of this.

I believe that the winner of the contest of the security industry is going to be the company that can handle that noise, and a lot of what we talk about at G4S is ways that we can handle that noise — the ways we put analytics in place, the ways that we tie responses to the value of the location. It is actually a complex undertaking to reduce the noise that you get as an organization.

As machine learning comes online and gets better and AI gets better, I think that being overwhelmed by the noise will settle down for the industry. So the tactic we take is how we can filter the noise to make sure that you are getting the right information and not just piles of data.

SSN: What are some of the emerging technologies to help filter that noise?

LOYEAR: Analytics are super exciting and something that we are really getting into right now. Our AMAG Technology group is doing some really exciting things with analytics around their set of products. With their Symmetry suite, they are layering in these analytics that will flag for the customer any unusual behavior, or behavior that is not in keeping with the norm, such as a longtime employee doing something that he doesn’t usually do at a certain time of the day.

Being able to point things out like that and as we tie in access management, both physical and data network, and flag and compare activity on both — these are the kinds of things that we are starting to build on and really dig into so we can think future state. As part of the innovation team, we don’t just want to stop at that; we want to really be able to assist with what else we should be looking for.

There’s so many ways that we can tie asset protection to the complete risk picture. The AMAG Risk360 product, which is an incidence-tracking tool, comes to mind, as you are able to tie incidence metrics into system metrics. If we underpin it with understanding the customers’ assets, values and risks, giving them their complete security picture, including what their security program is doing for them, that not only empowers the direct customers of the security department, but it also empowers them to have that conversation with their business partners as well.

SSN: What is the Holy Grail for security and how long before we get there? Is providing that single pane of glass key?

LOYEAR: The Holy Grail, like 10-15 years from now, is the end user moving beyond the single pane of glass. Today, I think single pane of glass is absolutely where people need to be but not just a pane of glass but one that I can look at that only has the information that I need, which is a major piece to that. A lot of people can put all of the technologies into one unit, but putting them into one unit that only shows me what I am concerned about — that is the Holy Grail!

If I am sitting in my corporate security office, I don’t want to ever have to see an alarm that isn’t important; I don’t want to ever have to see a data point that doesn’t drive value to my security program. Value is directly tied to securing assets, or promoting the value of some of their assets, so for me it is the single pane of glass, but also the directed audience-curated single pane of glass that we need to get to as an industry. It is great that you give me graphs and charts but if I don’t know what they mean, or they have no impact on my business, then you are not helping me.

It is possible to do this with machine learning, with AI, if as an industry we focus on that. If you ask any CSO, what do they want to see, they will say, “That which matters to me.” And I think as an industry we can get there, and make sense of all that noise. So that is the Holy Grail to me as well — not wasting people’s time with stuff they don’t need.

SSN: Can you talk more about how a risk-based approach is key to the G4S strategy?

LOYEAR: What we are reaching toward at G4S with our risk-based approach, coupled with this conversation about Security 4.0, is really not wasting customer’s resources and honing in on the right set of programs and things to do that is specific to them. Beyond that, you must constantly revisit what you are doing, the solutions in place, using the data points that are coming in to take a lifecycle improvement approach in that model as well, which is really driving what we do for our customers using this approach: protect the right things from the right things with the right things.

We do not want to put things into the system that are not protecting assets and providing value, so ultimately it comes down to the million-dollar question: 'How do we best protect it, as there are so many systems and ways to go about that?' Got to have the why you are doing something, which analytics can help with.