Specifically Speaking with Rodney Thayer

Your background is in IT security, and your company focuses on cybersecurity and network vulnerabilities in physical security, how and why did you make the move into physical security specifying?

A few years ago I attended a conference sponsored by the local Infraguard chapter that brought together IT and physical security practitioners. They had a “convergence” track and the main speaker was from the physical security world. I was invited to provide a cybersecurity/adversary/hacker view. Someone had car trouble, the speaking order got switched, I gave my talk first. When the physical security guy did his talk and got to the punchline— “and there may be people out there who can hack your network,”—half the audience turned and pointed at me. Several of the speakers at the conference invited me to collaborate on projects. This showed me that there was a definite need for cybersecurity. It also showed me that whether or not the practitioners knew anything about computer networks, they “get it” to worry about security. That is refreshing after the IT world. It's not so fun when you run into a 15-year-old Windows XP system running someone's door locks, but such are the challenges we deal with.

What kinds of clients do you do work for and what kinds of projects do you work on?

I do project consulting for end user organizations and security consultants, and I do technology evaluation, troubleshooting and architecture consulting for manufacturers and integrators. I work on projects with complex networks, projects that have to heavily interact with an enterprise IT organization and projects that use certain kinds of bleeding-edge technologies, like “FICAM” identity management solutions in the U.S. federal market. Since I specialize in complex networking I get troubleshooting gigs. People call me when they add the 13th camera to a 12-camera VMS and the network melts. Integrators and vendors call me if they need someone to work with the customer's networking team, someone who will “make nice with IT” and help figure out how we can make the computers and the networking gear work well together to secure the customer's enterprise.

In your opinion are physical security integrators as knowledgeable about cybersecurity practices as they need to be? What about the manufacturers of physical security products?

Integrators are getting better. It is still the case in 2015 that I'll go to a job site and the fellow I'm working for will discreetly take me aside after a couple of hours and admit he was working on CCTV until last week and barely understands IPv4 addresses. Even after being pulled kicking and screaming out of their “our network is separate—it's OK if we don't follow the rules” bad habits, they are challenged to deploy systems sufficiently hardened to survive a typical enterprise network scan. There certainly are some awesome network-literate integrator teams who know to worry about cyber security. There are too few of them, though. Manufacturers in this space are terrible. In general they are still at the engineering maturity level of the minicomputer companies from last century. Too much proprietary gear, too little attention to standardized system interfaces and a general lack of cybersecurity awareness. Until they get hacked, and then, maybe, they'll take it seriously. My standard comment is: “there will be a quiz, next time you are hacked.” Some folks are ready for that. Too many are not.