Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.
I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.
Consultants, Use of
Identity & Access Management
Operational Best Practices
Physical Information Protection
Strategy & Planning
Technology Lifecycle Management
Approximately 50 companies participated in the survey, representing 11 industries.
Summary Findings from the SecurityDreamer Research
While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included
- Security operations centers
- Virtual command centers
- Security information management systems (SIEM, PSIM)
- Networked cameras and sensors at high-risk facilities
CSOs and CISOs complained that their greatest business challenge is metrics: Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.
Most Surprising finding of 2012
Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys. Continual Improvement (a la Baldrige, Kaizen, Six Sigma, etc) appears to be the primary motivation. Security executives realize that much of the know how of security operations resides in the heads of its local security managers. In a hope to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.
Least Aware of This Threat
Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least. Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against it.
Least Prepared for This Threat
Two related concepts represent the threat for which nearly all security executives feel least prepared to address: Social engineering and physical penetration. Every security executive confessed that confidential company information was as risk of social engineer attacks (phony phone conversations, pre-texting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc) by
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors
- an internal attacker of any type
I hope you can catch me this week (September 19-23). Either attend a webinar on secure uses of the Cloud, or grab my lapel as I walk the show floor at ASIS in Orlando.
Here’s info on the webinar. Wednesday, Sept 22, 1-hour Webinar titled “Xerox and Cisco: Partnering in the Cloud”. I’ll be speaking along with Bill McGee from Cisco, and RG Conlee from ACS, a Xerox Company. I’ll explore the true benefits of using the cloud, understanding and mitigating the risks of the cloud, and how to best prepare for using the cloud. I hope you can join me.
At ASIS – the largest physical security professional conference in Orlando – this week I will be speaking at several private company events, but you can still find me on the floor. I’ll be excited to tell you the developments of the first venture-funded convergence consultancy I’m now heading.
Secure the Business!
What a successful SecurityDreamer Chicago Event last week! Thirty men and women from a cross section of Chicago’s IT and physical security communities, end users and service providers, gathered for a fun evening of information sharing, new research, fine art, yummy wine and stimulating conversation.
The event was held at the exquisite David Weinberg Gallery in the art district of Chicago near downtown. David Weinberg was on hand to talk about his art. The photographs lining the walls of the the three room gallery were provocative and powerful. David said his art was inspired by his childhood and colored by his years owning a technology company that he sold some years ago.
We were able to afford a beautiful and unusual venue because of our visionary sponsors, BRS Labs and Inovonics. I’ve mentioned BRS Labs in the past. I have such appreciation as a technologist for innovative companies, and BRS Labs is one of them. The company re-thinks video analytics and approaches the challenge in an entirely new way. While the “video analytics 1.0″ vendors battle it out, BRS Labs quietly amazes it’s customers and confounds its competitors with a “2.0″ solution. Thank you to BRS Labs for sponsoring SecurityDreamer Chicago.
Rethinking solutions was the theme of the event. I shared some research Hunt Business Intelligence recently completed on trends in critical infrastructure technology adoptions by the largest companies in the world. It turns out that non-security executives, like CEOs and CFOs, are steadily losing confidence in security executives.
Part of the reason for that loss of confidence is that security executives continue to think like security wonks and do a poor job running security like a regular business unit. A security professional should be able to analyze, measure and create value, and not merely avoid risks.
Inovonics helps its customers create value. Its line of wireless life safety technologies, led by its flagship RADIUS product, leverages existing network infrastructures to provide superior service. Imagine integrating a wide variety of sensors, including people-location, around your facility built around a single architecture of standard wireless networking. It is life safety information management at its finest. Thank you to Inovonics for sponsoring SecurityDreamer Chicago.
We are now planning SecurityDreamer New York, SecurityDreamer Houston and SecurityDreamer Orlando (at ASIS). Drop me a note and tell me a bit about yourself if you want one of the limited invitations.
At my SecurityDreamer event at the Hard Rock Cafe in Atlanta a few years ago I discussed the idea of the difference between video analytics one-dot-O (1.0) and video analytics 2.0
The idea I wanted to get across was that popular video analytics vendors at the time were already appearing stuck in processor-intensive analysis of pixel changes. Video analytics products that were fashionable then, such as Object Video, ioimage, Cernium, Vidient and others had products that were limited by the specific algorithms they used, the types of cameras or images they supported (day/night/indoor/outdoor/scope/frame rate/etc), and the amount of configuration and tweaking once deployed. Unless a video analytics product was perfectly matched with the optimal camera, environment and algorithm, the results were always disappointing.
That description of video analytics sounds very similar to the way the first computer-based access control products of the 1980s were described. It is similar to the first firewalls and IT-intrusion detection systems. It sounds just like the first Microsoft Windows operating systems. In other words, It had all the characteristics of a “version 1.0″ technology.
1.0 is always exciting. 1.0 introduces new ways of solving problems, opens new avenues and gets our creative juices flowing. 1.0 gets us turned on and many of us want to use the technology because we are fearless or desperate for some solution. But 1.0 always comes with a price of inefficiency and ineffectiveness. 1.0 always makes us long for a new version that will achieve the desired end less painfully and more effectively.
2.0, in an operating system, IT software, or any technology generally represents a quantum leap forward. A rethinking of the problem and an entirely new approach. Consider the breathtaking difference between Microsoft DOS 3.3 and Windows 95. It was like the PC had been reinvented. Suddenly processes that took dozens of configuration steps were automatic and graphically appealing. DOS 3.3 became obsolete.
Video analytics 2.0 had that same promise – the attractive idea that the headaches and misfires of video analytics 1.0 would be replaced by an automatic, intuitive system. The company that seemed to have a true video analytics 2.0 approach at the time was BRS Labs – A startup in Texas that had yet to be proven. The BRS difference was its use of machine learning. An analytics system that was self learning seemed to be exactly what the end users were hoping video analytics 1.0 should have provided. Those who were not exposed to BRS scratched and clawed their way through video analytcs 1.0 deployments, steadily reducing their expectations. Today Video analytics 1.0 vendors have happy customers – customers who expect little and receive what they expect.
Fast forward to today and we see Vidient out of business; Object Video is no longer a technology competitor and has instead reoriented it’s business to patent protection; other analytics vendors are selling very specialized solutions. And then there is BRS Labs – making money, growing every quarter, and silently showing the world what video analytics 2.0 truly represents. As more prospective customers see what video analytics 2.0 represents, the 1.0 vendors will drop like flies.
Video Analytics technology has struggled over the past decade with products that require expensive and time consuming installations, high ongoing maintenance costs, and unacceptably high false alarm rates and overall poor operational performance. In short, traditional video analytics technology has not proven viable and the market, as all markets do, requires innovation. The market craves an operationally effective solution and innovation is the key to satisfy market demands. As I have said since 2008, the learning approach taken by BRS Labs is ushering in video analytics 2.0. The broader market is now coming to this same realization.
SecurityDreamer Events are Back!
We bring together end-user executive decision-makers and influencers from important corporations and public organizations in cities around the world. Hunt Business Intelligence shares recent research findings and everyone learns and laughs together.
Did you miss SecurityDreamer at the Hard Rock Cafe in Atlanta? Did you miss the SecurityDreamer PSIM work group in DC? How about SecurityDreamer at the David Burke Restaurant in Vegas or at Margaritaville, The Botanic Gardens, Around the Coyote Art Gallery and many more interesting fun venues.
SIGN UP. If you are interested in attending our unusual, invitation-only events, tell me a little about yourself in an email steve (dot) hunt (at) huntbi (dot) com.
For several years I’ve thought Verint had the best slogan: Actionable Intelligence. I also thought that Nextiva, Verint’s flagship video surveillance product, could not really live up to the slogan. Adding Israeli software vendor Rontal to the portfolio certainly gets Verint’s technology closer to the promises of the marketing department.
In the past I have resisted placing Rontal in the PSIM category. It always struck me as a tool for improving incident response but fell short of the information analysis I like to see in a PSIM solution. Nextiva + Rontal does it for me. The various components of Nextiva, when combined with Rontal, tell a satisfactory security information management story.
There is a problem with honesty in this security industry of ours. Far more of a problem in the physical/homeland security indsutry than IT/cyber security. the difference? Critics.
The IT/cyber security industry has dozens of knowledgeable, influential industry analysts constantly pushing end users, VARs and manufacturers, (vendors) to higher levels of performance, quality and customer service.
The physical security had none before I showed up on the scene when I directed my research team at Giga Information Group (later Forrester) to begin tracking trends in physical security in 2000. I kept thinking I would spark industry improvement in physical security and homeland security by inspiring dozens of industry analysts to cover the huge industry. Instead, vendors reacted with their panties in a bunch and most consultants I spoke to were chicken-shits, with not enough balls to tell Lenel or SoftwareHouse or Bosch when they smelled snake oil, or when product development aimed low.
So in 2005, I left my job as head of security research at Forrester and opened the first industry analyst firm in physical security – thinking for sure that THAT would start the trend.
I was partly right. A few “analysts” popped up afterwards. Forrester and Gartner dabbled in physical security half-heartedly for a few months after I left. Frost & Sullivan later beefed up their particular brand of analysis combned with their trademark (and dubious) “awards.” More on that another time. INS also started making noise.
Finally, some “serious” critics emerged. Jeff Kessler, the long-time Lehman analyst, brought intellectual rigor to financial critique of the entire industry and specific niches. And John Honovich carved a niche for himself becoming the preeminent critic of IP video solutions.
I am very grateful for John and Jeff. They largely validated my belief that the physical security industry had room for and could benefit from piercing, honest criticism. But I’m sad that there are only three of us. John critiques vendors in the IP video arena on his website, Jeff now works for Imperial Capital and focuses is on numbers, and I focus on best practices for end users. Three different niches, but it’s just crazy that a $170 bn industry supports only three guys doing real industry analysis.
I’ve criticized Frost & Sullivan and INS elsewhere, not to belabor the point here. The shortcomings of their analysis in this industry are obvious to any observer and I don’t need to harp on them. In a nutshell, I’m disappointed when any analyst relies on the word (or dollars) of manufacturers. It is an obvious conflict of interest, and the so-called analyst quickly becomes a shill for vendors, whether they intend to or not. (Hint: they usually intend to.)
If an analyst performs paid work for a vendor, it should be with the sole purpose of helping that vendor improve its products or solve specific customer problems. It should also be done privately.
For example, I’ll allow vendors to pay me to critique and plan their product development road map or marketing strategy – but I don’t write publically available white papers and will never publicly trade whatever I’ve discussed with vendor clients privately. I share my end user research findings with my end user- and investor-customers only.
Analysis should be derived from the analyst’s professional experience with the subject he is analyzing, or by analyzing the experiences of end users. I believe John touches or in some way directly interacts with with every product he writes about, and then bases what he writes on his highly technical knowledge. Jeff is similar. He performs primary research, writes his own analysis of his research based on his extensive knowledge and experience with financial and market analysis, and critiques secondary research. I talk to hundreds of end users each year and systematically analyze best practices (and worst practices) among the users of just about every kind of security technology.
I still think there is plenty of room for honest critique in the physical security industry. If only someone else with the guts would step up.
Last month Martha Entwistle, editor of Security Systems News posted an interesting article commenting on the nature of PSIM (physical security information management) and a new report by IMS Research. First I’ll comment on the content of the report, and then I’ll comment on the origin of the term PSIM (which she credits to me).
Thanks for writing this article, Martha. As a security industry analyst for the last 15 years, I can say I’m not surprised. I’ve seen reports like IMS’ before. You can’t blame them for confusing the issue, really. Young researchers with no field security experience partially digest and regurgitate conversations with paying vendor marketing executives who have tremendous stake in the status quo.
The article here says “IMS’s Wong notes that products such as VMS and ACS software, which meet some, but not all, of the criteria above, are not considered to be PSIM for the purposes of the report.”
Hmm. I read these functional descriptions and think to myself that simply combining any popular VMS and ACS and you’d have 80% of the functionality IMS declares to be PSIM. So what does that mean? a solution has to have 100% of these technical requirements to be considered PSIM? Does it mean that “real” PSIM is actually and merely the 20% delta of functionality between an access control/video solution and the remaining functions?
Regarding the term PSIM. Yes, I was the first person to publish the term PSIM and launch the global discussion on physical security information management. When Chuck Teubner, CEO of VidSys, was CEO of e-Security (around 2003-04), he and I sat in the e-Security offices and discussed a new idea I was working on in my research: Security Information Management (SIM) for the physical security world. At that time, SIM was a popular concept in IT security management. Sadly, after I left Forrester and could no longer control the Forrester-Gartner debate on the topic, the acronym degraded to the current, utterly ridiculous SIEM. Anyway, I digress.
About the same time, Kobi Huberman of NICE and I drew a PSIM-like diagram on the back of a napkin in London. He was the VP of corporate strategy for NICE. Shortly thereafter, Arcsight, a leading vendor in the IT SIM world, contacted me and we brainstormed about SIM for the physical security world. Then NetIQ guys started talking about a similar concept.
When Chuck Teubner called me again in 2006 and suggested that we name the new concept, PSIM was born. I published it on my blog then. I can also say definitively that VidSys was the first company to clarify the PSIM vision and set the standard for PSIM definition and execution.
As a footnote, NICE later got into the PSIM game by acquiring PSIM vendor Orsus in 2009. NetIQ guys started PSIM-vendor Proximex. ArcSight, dabbled in PSIM but has not yet come up with an effective strategy to penetrate the market.
Please watch securitydreamer.com for more to come on PSIM.
I feel like a proud Papa. NICE acquired Orsus, one of the hot new players in the PSIM (physical security information management) space. Why do I feel so happy? Because a major vendor in the security business demonstrates a savvy far beyond its competitors – the savvy that I've been talking about since I first introduced PSIM on this blog back in 2006. PSIM is simply the physical security version of the larger, more important business issue: IM – Information Management. By acquiring Orsus and creating a new strategy around its entire portfolio, Nice is the first major security vendor to become a full fledged Information Management vendor.
Nice is now a business solutions provider, while its competitors remain security solutions providers.
So what? The implications are huge. Now, discussions that begin with security, segue easily into discussions about business information – business intelligence. After all, the stuff of security (video streams, alarms, intrusion events, etc) are all simply data. When that data is organized, analyzed and correlated with other data, it becomes information – information, which may be used to inform business decisions.
The PSIM vendors (Orsus, Proximex, VidSys, CNL, Vialogy and others) have done a great job making this point and educating us on the business value of security data. Nice now can put this intelligence engine at the center of its portfolio and turn every security conversation into one that deeply concerns the senior executives. Nevertheless, the independent PSIM vendors I just mentioned will also benefit from the Nice move. They will become acquisition targets of Nice's fast-follower competitors, and they will enjoy the greater buzz and legitimacy Nice's investment causes around PSIM.
The deep pockets and global reach of Nice are the differentiators, though. Nice can afford to bid on and support Information Management projects worldwide, while the smaller, independent PSIM software companies rely on a variety of partners to get implemented.
Nice is doing the right thing, but it won't be a cake walk. The company still has to execute on this transformation and train its sales channel and its customers that security is not the point. This will be tough, since so many people think of security and surveillance when they think of Nice.
I have faith in Nice, though. Any company visionary enough to build a portfolio of business intelligence solutions within the security milieu is clever enough to reinvent itself from a marketing view, too.
In one of his first blog posts on the just-launched "Cyberia" site, famed industry analyst, Jonathan Penn, explores the Value of Security with the question "Is the value of security really "making nothing happen?"
That's a question I've tackled before, too. Welcome to the blogosphere, Jonathan.