Skip to Content

Inside the Industry’s first cybersecurity standard

Inside the Industry’s first cybersecurity standard

Inside the Industry’s first cybersecurity standard

YARMOUTH, Maine—The announcement in May of the Security Industry Cybersecurity Certification (SICC) – a new industry credential developed by the Security Industry Association (SIA) with support from PSA Security Network and Security Specifiers – is a “giant” step forward for the security industry.

To get a closer look into the industry’s first cybersecurity standard, Security Systems News reached out to some of the key players involved in its development to see how this critically important moment came to be.

“A few years ago, we were approached by Ray Coulombe at Security Specifiers, who recognized a need  for some kind of certification for installers and technicians who were responsible for the integration of security technology and electronic devices that would be connected to a network,” explained Elli Voorhees, Ph.D., director of Learning and Development, SIA. “We recognize that the knowledge and qualifications of those who install and reconfigure these IoT and industrial IoT devices are really important.”

In the fall of 2020, a needs assessment survey was conducted between SIA, PSA and Security Specifiers to gauge key stakeholders’ views on the need for such a standard. “We received really positive feedback in support for the development of a recertification program that would establish some baseline competencies for technicians, installers and integrators,” said Voorhees.

As SIA CEO Don Erickson tells SSN, “We focus on the issues that are the clear business challenges facing our members and the industry. Clearly, cybersecurity, preparedness and having a strong cyber hygiene among businesses, integrators and manufacturers is at the top of the list.”

A Natural Evolution

The coming together of SIA, PSA and Security Specifiers was a natural evolution and fit, as the organizations have been working together for years to bring greater attention for the need for cybersecurity education and training within electronic physical security.

As Erickson points out, PSA Security Network’s former CEO Bill Bozeman, along with current PSA President Ric McCullough and PSA VP of Operations Anthony Berticelli, have worked together over the past few years, most notably to create Cyber: Secured Forum, the industry’s first cyber-focused conference, as well as a number of cyber-focused tracks at SIA events and PSA TEC.

These joint efforts have helped to push the industry forward. In addition, some of the industry’s foremost cybersecurity minds have been part of the process as well, including names like Andrew Lanning, Co-Founder, Integrated Security Technologies Inc., and Chris Peckham, Ph.D., Director of Operations, Ollivier Corp., who both serve on PSA and SIA cybersecurity and other committees.

It’s a natural evolution in an ongoing conversation that SIA has had with PSA, in particular, on cybersecurity,” said Erickson. “You go back a couple of years, Bill Bozeman and I, we obviously have that great relationship. And then we’ve also supported each other’s cyber advisory boards or committees, cross promoting the work of those committees, in terms of best practices and information and content. Bill, being the evangelist that he has been on cyber, this just seemed like a natural progression of those conversations.”

Back to Basics

As Coulombe tells SSN, the idea to create a program designed for security industry professionals that “assesses and validates the core competencies these individuals must possess to effectively perform roles involving key facets of cybersecurity” did not just happen overnight.

“For years I taught basic networking to techs at PSA, so it is an audience that I am really familiar with in terms of their capability and mentality,” Coulombe explained. “There are some really smart techs out there, but what I found is that they had gaps in their knowledge, so I taught a course that tried to fill in those gaps.”

Coulombe also worked with SIA to remake the Construction Specification Institute (CSI) Master Format Division 28, which has guidelines for different areas of access control, video surveillance, fire and Intrusion, so “when project specifications are assembled, they can be together in an orderly, logical and consistent way,” he said.

“I got SIA on board and we approached CSI to redo all of the categories in Division 28 because they were woefully out of date,” Coulombe explained. “And one of the categories that we added was cybersecurity for electronic safety and security; we added cyber for the first time into the CSI framework and started talking about cyber right from the get-go.”

That experience with CSI made it painfully obvious to Coulombe that something needed to be created by the industry and for the industry. Looking at all the constituencies – consultants, integrators, manufacturers and end users – within security that play a role in ensuring that a project is completed successfully, Coulombe began to think about what an industry standard might look like.

“My contention was that there wasn’t an across-the-board strong enough knowledge of either basic networking or cybersecurity,” he explained. “How do we ensure secure network systems if we can’t have some assurance that the people installing and configuring these things have that appropriate level of knowledge?”

Over time, the idea for a credential that could assess at least a basic level of understanding became the logical first goal of the group, and the idea for SICC was born.

“At the end of the day, we want to set a threshold for people’s knowledge because it does impact every facet of the industry, every constituency in our marketplace,” said Coulombe. “From SIA’s standpoint it expands their value and relevance to their members, and from PSA’s standpoint they are going to have a chance to educate a lot of folks in different areas.”

Launch and Adoption

The SICC credential is now available, and as Coulombe points out, the test was created, vetted and assessed by a super group made up of some of the best minds within security. “We handpicked a group made up of consultants, integrators and manufacturers to help develop the test,” he said.

As Voorhees pointed out, while the program is designed to provide and assess a foundational knowledge base, “we can build upon it as changes occur,” she said. “This type of program would provide criteria for manufacturers to use to certify their integrators and ensure their products are being securely installed, while it provides integrators with a competency-based assessment to qualify their employees, and also just giving their customers a sense of confidence that the work being performed is by someone qualified and knowledgeable in cyber.”

She continued, “From the individual perspective, there’s value in becoming certified for career advancement opportunities, but for the companies there is also succession planning, how you’re moving people up. I think that’s important to touch on how each of the players can benefit, from a personal … as well as the enterprise level.”

Coulombe is excited to see where this standard can go, especially once the credential starts to be adopted within the industry.

“This will really start to get some traction when it starts to show up in specifications, so we really need to rally behind this as an industry because ultimately it will reduce everybody who is in the food chain’s cyber-exposure and liability,” he said. “SIA is the right organization to front this and I know Don is committed to making sure this is a certification with teeth and that it is given national recognition. I know he wants to take it there.”

Erickson added, “I think this is a real opportunity … a real opportunity for specifiers to do what they do best, which is to raise the bar of expectations for manufacturers and integrators. For the manufacturer, it’s about aligning with a specific content program around cybersecurity for integrators. To the extent that manufacturers also provide internal cybersecurity training, for example, we hope that training aligns with our certification program, as it helps them design their training.”

While the new credential is “targeted for integrators,” Erickson is excited because it also benefits all security industry stakeholders, including the manufacturer, specifier and end user. “That theme of securing within the entire ecosystem is very important to focus and expand upon.”

Note: Join SIA on July 28, from 1:00-1:30 p.m. ET, for a 30-minute webcast session to learn about the new Security Industry Cybersecurity Certification (SICC). Click here for more info and to register.

Comments

To comment on this post, please log in to your account or set up an account now.