Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.
I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.
- Consultants, Use of
- Identity & Access Management
- Operational Best Practices
- Physical Information Protection
- Strategy & Planning
- Technology Lifecycle Management
Approximately 50 companies participated in the survey, representing 11 industries.
Summary Findings from the SecurityDreamer Research
While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included
- Security operations centers
- Virtual command centers
- Security information management systems (SIEM, PSIM)
- Networked cameras and sensors at high-risk facilities
CSOs and CISOs complained that their greatest business challenge is metrics: Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.
Most Surprising Finding of 2012
Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys. Continual improvement (à la Baldrige, Kaizen, Six Sigma, etc.) appears to be the primary motivation. Security executives realize that much of the know-how of security operations resides in the heads of its local security managers. Hoping to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.
Least Aware of This Threat
Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least. Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.), but almost none had studied or measured the risks associated with physical threats to information, nor did they have thorough procedures in place to protect against them.
Least Prepared for This Threat
Two related concepts represent the threat that nearly all security executives feel least prepared to address: social engineering and physical penetration. Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors
- an internal attacker of any type
SecurityDreamer New York was exciting, with a room full of “A-listers” from the security community. The room was filled to capacity with executives and industry influencers from the New York Metro area who enjoyed some amazing food and wine supplied by Casellula (http://www.casellula.com/). Discussions ranged from PSIM at the port authority, to biometrics on ATMs, to data protection & hackers, to border control & oil pipeline security.
I spoke briefly about techniques for measuring the value of security projects in business terms and thanked the sponsors. BRSLabs and Inovonics showed their leadership again in New York by sponsoring the event. They were joined by VidSys and Neohapsis.
The next morning I spoke at a Department of Homeland Security event hosted at 26 Federal Plaza. I met so many interesting, talented people on that trip, I can’t wait to go back!
SecurityDreamer Events are Back!
We bring together end-user executive decision-makers and influencers from important corporations and public organizations in cities around the world. Hunt Business Intelligence shares recent research findings and everyone learns and laughs together.
Did you miss SecurityDreamer at the Hard Rock Cafe in Atlanta? Did you miss the SecurityDreamer PSIM work group in DC? How about SecurityDreamer at the David Burke Restaurant in Vegas, or at Margaritaville, the Botanic Gardens, Around the Coyote Art Gallery and many more interesting, fun venues?
SIGN UP. If you are interested in attending our unusual, invitation-only events, tell me a little about yourself in an email steve (dot) hunt (at) huntbi (dot) com.
For several years I’ve thought Verint had the best slogan: Actionable Intelligence. I also thought that Nextiva, Verint’s flagship video surveillance product, could not really live up to the slogan. Adding Israeli software vendor Rontal to the portfolio certainly gets Verint’s technology closer to the promises of the marketing department.
In the past I have resisted placing Rontal in the PSIM category. It always struck me as a tool for improving incident response but fell short of the information analysis I like to see in a PSIM solution. Nextiva + Rontal does it for me. The various components of Nextiva, when combined with Rontal, tell a satisfactory security information management story.
From the “Least Surprising Developments” file, the acquisition of Proximex by ADT Security Services was announced this morning. Why did this acquisition, or something like it, absolutely have to happen?
ADT Security Services has been very intentionally (if haphazardly) adding wider and deeper services related to security monitoring. If you look at PSIM (physical security information management) clearly, you see it as a set of technologies for more efficiently responding to events, as opposed to merely recording events. That mission has been the stated objective of ADT for some time. Of course ADT would want to buy a PSIM vendor to put some consistency in its otherwise hodgepodge security offering. The question is which one? NICE is too big, publicly traded and not looking to spin out its PSIM product, Situator. One down. CNL has many good points, but not enough customers to prove its versatility. VidSys might have been a good choice. It would likely have been considerably more expensive to acquire, in light of its market penetration and VC funding, but what a boon it would have been for ADT mind-share in the commercial space.
What about other PSIM contenders? There are some vendors that are not fully committed to the PSIM architecture and newcomers trying to make their name, but trial by fire in real-life customer deployments bubbled Proximex and a few others to the top of ADT’s short list. ADT probably looked at Proximex and saw a technology and brand that was just sexy enough, and the price was right.
That leaves the question of why would Proximex want to sell. Proximex, like other PSIM vendors, was not growing at the rate its investors (most notably Proximex’s Jack Smith of Hotmail fame) assumed or hoped. There are many reasons for that lack of growth in the PSIM world: misleading and confused marketing, misaligned pricing strategies, missed technology opportunities, poor channel partnerships, and of course challenging market dynamics and fickle customers. For example, when an investor puts a ton of money in a commercial technology, he’ll be inclined to sell it at a high price. Selling something at a high price means marketing it as an “enterprise solution.” An Enterprise Solution requires extremely mature and rich technical functionality, driving more expensive product development and constantly dissatisfied customers. You see? Greedy eyes create an impossible spiral for a fledgling technology segment like PSIM.
I’m happy with the ADT acquisition, and so are my end-user clients, who nearly every day tell me another example of how PSIM technology helps them or would have helped them run a more efficient and effective operation. ADT will find a delighted customer base.
Dan Dunkel wrote a fun article in the February issue of SDM magazine. He proposed that PSIM (physical security information management) be replaced with VSIM (virtual security information management). I assume he’s joking.
Actually, if you read the article assuming he had his tongue firmly planted in his cheek, it’s a fun ride. He brings in virtualization, the IT concept of using software to emulate hardware like servers and storage devices. He also refers to the word “virtual” in the gaming sense, of creating a virtual reality environment.
Dan does a good job of making fun of computer speak in the article. His articles in SDM are always entertaining. The only thing I didn’t like about this article was the nagging feeling that he may have been serious!
PSIM as a concept emerged because end user managers of security environments cried out for a way of better managing security information. They wanted to be able to do with security data what every other business unit does with the data from their respective business units – that is, to make intelligent business decisions.
If Dan is serious that the physical security industry no longer thinks in terms of being physical, then PSIM could be easily shortened to SIM – a moniker used for a decade or more in the IT Security industry.
I attend physical and homeland security conferences frequently and I can tell you in no uncertain terms that these industries dwell almost entirely in the physical nature of security.
If Dan is simply being an apologist (evangelist?) for “the cloud” as so many bandwagon jumpers (especially software manufacturers) do these days, then I’ll make a suggestion.
The cloud is an amorphous (by definition!) concept to describe techniques of managing data. Managing data is exactly what the security executives who gave birth to PSIM wanted all along. So I suggest that if you really want to get to the heart of PSIM, and to the heart of efficient, effective security management, forget about PSIM – and certainly jettison VSIM – and let’s all talk about just the “IM.” Information management and business intelligence is what it is all about.
If you get that, you got it.
Last month Martha Entwistle, editor of Security Systems News posted an interesting article commenting on the nature of PSIM (physical security information management) and a new report by IMS Research. First I’ll comment on the content of the report, and then I’ll comment on the origin of the term PSIM (which she credits to me).
Thanks for writing this article, Martha. As a security industry analyst for the last 15 years, I can say I’m not surprised. I’ve seen reports like IMS’ before. You can’t blame them for confusing the issue, really. Young researchers with no field security experience partially digest and regurgitate conversations with paying vendor marketing executives who have tremendous stake in the status quo.
The article here says “IMS’s Wong notes that products such as VMS and ACS software, which meet some, but not all, of the criteria above, are not considered to be PSIM for the purposes of the report.”
Hmm. I read these functional descriptions and think to myself that if you simply combined any popular VMS and ACS, you’d have 80% of the functionality IMS declares to be PSIM. So what does that mean? A solution has to have 100% of these technical requirements to be considered PSIM? Does it mean that “real” PSIM is actually and merely the 20% delta of functionality between an access control/video solution and the remaining functions?
Regarding the term PSIM. Yes, I was the first person to publish the term PSIM and launch the global discussion on physical security information management. When Chuck Teubner, CEO of VidSys, was CEO of e-Security (around 2003-04), he and I sat in the e-Security offices and discussed a new idea I was working on in my research: Security Information Management (SIM) for the physical security world. At that time, SIM was a popular concept in IT security management. Sadly, after I left Forrester and could no longer control the Forrester-Gartner debate on the topic, the acronym degraded to the current, utterly ridiculous SIEM. Anyway, I digress.
About the same time, Kobi Huberman of NICE and I drew a PSIM-like diagram on the back of a napkin in London. He was the VP of corporate strategy for NICE. Shortly thereafter, ArcSight, a leading vendor in the IT SIM world, contacted me and we brainstormed about SIM for the physical security world. Then NetIQ guys started talking about a similar concept.
When Chuck Teubner called me again in 2006 and suggested that we name the new concept, PSIM was born. I published it on my blog then. I can also say definitively that VidSys was the first company to clarify the PSIM vision and set the standard for PSIM definition and execution.
As a footnote, NICE later got into the PSIM game by acquiring PSIM vendor Orsus in 2009. NetIQ guys started PSIM vendor Proximex. ArcSight dabbled in PSIM but has not yet come up with an effective strategy to penetrate the market.
Please watch securitydreamer.com for more to come on PSIM.