The Canary in the Mine

Phil Aronson

Canaries can have a short but significant life in a coal mine. Significant because, in their traditional role, they were used to identify the dangerous and costly fumes known as methane and carbon monoxide which could cause the loss of the business of the mine, the brand of the mine owners, and the skilled human assets of their workers.

Since canaries are extremely sensitive to small traces of the costly fumes, if they were singing, the business of the mine was okay. If they were dead, then it was a strong critical indicator that your business assets would be impacted with the degree of impact determined by the process and actions of the people to the data.

Although canaries are no longer used, the metaphor has lived on. And how it is expressed has powerful meaning to the state of our industry.

The phrase “Living like a canary in a coal mine” usually is expressed as the ultimate harbinger of a future event that can have meaningful opportunity or risk implications.

We have been collecting information and receiving feedback from the security industry through our strategic partners and our clients. Through this input they have acknowledged that there is meaningful and measurable data that they may not be able to collect. However, that data could help them recognize opportunities to improve the performance of the business and security’s role in it. By carefully observing these ‘canaries’ we believe organizations can avoid major failures down the road or capitalize on opportunities for their business.

We have been told by CSOs and security managers the following:

1. Security’s value is difficult to measure

2. The Performance metrics related to their people, process and tools are difficult to acquire

3. Budget demands are increasing pressure to deliver services at less cost and to know which services really add value

4. Technology is changing the operation of business, and, by extension, security. New tools can disrupt old processes and roles.

5. Security is part of the IT architecture for delivering critical services to the
company.

6. The balancing of old and new risks. The tools that are described in #4 and #5 create new risks as well. Those risks may not be able to be mitigated or contained with traditional approaches.

7. And, finally, finding intelligent, savvy partners to help navigate the change, provide tools to help measure and provide strategies to take the measurements and build a strategy and business case are not readily available or obvious. There are too many niche players that a security executive must evaluate and then manage in context of their strategy, which only incurs time and cost, both of which are increasingly difficult to bear.

All of these are ‘canaries’ in the coal mine, pointing to a deep need for a new coalition working under a unified definition of value and risk. A coalition that can provide:

• The deep domain knowledge of existing and emerging technology,

• The due diligence around effective benchmarking of those technologies both directed (in a lab) and applied over time (through experience),

• The identification of the business mission and goals (the language and business model of the organization) with the quantification of risk,

• The vertical market knowledge to identify regulatory mandates and how to manage them toward the mission of the organization,

• Authentication of their competencies and practices so that the outcomes from their services can be measured, managed and predictably assured.

The challenge our industry faces from your questions and needs clarifies our purpose. Every tool you buy, every service you engage, must create a performance value that can be measured. And that value premise must have a tangible outcome to the business.

If you are an ‘integrator’ then it is no longer enough to be a certified installer of a particular product. Nor is it enough to look at your client as a ‘project’. You must earn the right to be heard as an advisor. To do that you must have the knowledge base to move from product knowledge to business process and metrics knowledge. And you better know their business. As well, you better be as comfortable with the IT executives as you are with physical security executives. In most cases, integrators have failed to do this.

If you are a manufacturer, you must determine your long term product roadmap through better communication with your end users and the new integrators described above. Some of you will be out of business in the next few years or marginalized because you frankly are not listening.

If you are a security executive, you must enhance your professional status by going beyond your traditional methods for professional certification by participating in new knowledge communities that have emerged over the last few years. For example: the Security Executive Council has several membership programs that provide a disciplined approach to organizing, leveraging and syndicating knowledge from some of the leading security knowledge leaders in the industry. And they are advocating new coalitions as described here. One of them is The Great Conversation^™: a coalition of security integrators, security executives and manufacturers that is envisioned to act as an aggregator and syndicator of the most prominent issues and answers of the day.

Canaries are singing and dying across our security industry. Tread carefully and work diligently to find the ‘seams’ of value while navigating the signs of failed business models, ideas, systems and tools.

About the Author:

Phil Aronson is CEO of Aronson Security Group (ASG), an independent integrator of enterprise security solutions. Building on a strong reputation for engineering and service for over 45 years, ASG provides engineering excellence, world-class service, and security expertise to premier regional and national organizations. This year ASG’s annual Security Summit & Expo is a qualified Great Conversation Event providing both physical and logical security leaders from virtually all industries including healthcare, government, retail, transportation, manufacturing and critical infrastructure the opportunity to leverage and learn from the knowledge and experience of industry thought leaders as well as their own peers. Backed by the Security Executive Council, a global network of security executives, and PSA, the largest community of security integrators in the world, The Great Conversation™ brings together a global security network in a series of events anchored by an online conversation platform. These events facilitate the sharing of ideas and experience between security practitioners, integrators and manufacturers that enhance the value of security in participating organizations. To become a part of this organization or learn more visit their website at www.greatconversationevents.com.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.