Securing ‘Uncle Sam’
Kansas City, Missouri. Edmonton, Alberta, Canada. Nashville Metropolitan Government. And Hennepin County, Minnesota. Four different government agencies that vary in size, physical characteristics, geography, history and culture. But the security directors responsible for securing these municipalities are finding common ground in their unique needs and challenges, which include funding, meeting demanding constituent needs and having the right technology. One important commonality is solid security integrators that help end users with the technology and thus, create important and strategic long-term relationships.
Publications Security and SDM brought together four security end users and three security integrators to discuss the unique needs in state and local government security. The roundtable discussion was moderated by Securityeditor Diane Ritchey andSDMeditor Laura Stepanek.
Diane Ritchey: What are some of the unique needs that are specific to your sector that differ from the needs in the private sector?
Todd Best: I think that we’re probably pretty similar to our private counterparts with the general way that we go about protecting people and property. We all focus on securing our employees, our visitors, our executives and so forth.
But because we in the public sector answer directly to our citizens, we always have to be ready to show the immediate tangible benefits of our decisions. I can make a good argument to support my security video technology, but every citizen has the right to ask how it will improve their lives. So public scrutiny is a part of our daily business.
Diane Ritchey: What about you Dean, do you have those same challenges?
Dean Sydlowski: That’s a pretty decent answer that Todd provided there. I was going to answer along the same lines. I think that we are very similar to our counterparts in the private industry.
Our primary mission at the City of Edmonton is protecting corporate assets and making sure that we mitigate any risks against our employees and the citizens of Edmonton.
But we have probably many more bosses in the public sector than maybe the private sector, which might just be answering to a board of governors or a board of directors of some sort.
We have our own peers and our own bosses that we answer to and we have a city council that plays a huge role in making decisions and prioritizing the funding that we have to implement our programs.
And then we have the general public, and they usually are the ones who make the final decisions for us, especially when something very significant has occurred.. So I would definitely agree with the previous answer and I think that we just have many more bosses than they may have in the private sector.
Kirk Simmons: I mirror the same comments, with the only difference about my particular situation is that organizationally, we’re run differently than other government agencies in that each individual department has a department director and they consider that department director to be the COO of their operating group.
So we typically have to tailor our programs to meet the needs of that particular COO. It makes it especially challenging for us to maintain the security services
Ronald (Red) Robidas: We run across similar challenges as the private sector. Obviously, we’re out there to protect our customers and our properties. We’re structured very much like a lot of the municipalities and government agencies. Some of the challenges within our governing bodies are we have the school district and the Mayor and the Aldermen. Each have 14 elected positions, and they’re really independent of one another, so it brings on challenges when you’re trying to put something in place to meet everyone’s needs.
Likewise, I think that one challenge is that many of our facilities are open to the public. So some of the equipment we may contemplate putting in has to be non-intrusive and aesthetically pleasing. Not that they’re covert in any nature, but they have to blend in with the scenery. And with the limited number of dollars, it’s sometimes difficult to show return on investment.
Diane Ritchey: We’re going to follow up on some of that funding information in a little bit. We’re very fortunate to have some system integrators on the call, and Laura will pose the next question to them.
Laura Stepanek: For the integrators, would you please describe the types of opportunities that you’re seeing that are currently available as a security systems integrator in the state and local government sectors?
Andre Greco: I think that the biggest opportunity we have from a systems integrator perspective is to be able to simultaneously increase the level of security in state and local government. And also help them to drive down their operational costs. What we see all too often as buildings get built and as independent decisions get made via the bid process, 15, 20, 25 years down the road governments end up in a situation where they have a tremendous amount of disparate systems.
As a former chairman of a board of education in the state of Connecticut it would have been great if it had the ability to be able to consolidate all of the multiple systems we had on to a single point so that we could more efficiently and more proactively respond to alarms that were happening in the community, and we were able to put forth a proactive effort relative to the types of response that was put forth.
Vince Piau: We have a lot of opportunities throughout the U.S. and Canada with state and local governments, in particular. These include access control and video surveillance for local municipalities, everything from city wide prevalence, schools and universities and courts. We also find that there’s a lot of interest in integration between disparate systems and in increasing collaboration between agencies and departments such as police departments and schools wanting to be able to share video feeds.
We’re hearing a lot of interest in that regard, and we’re finding that it is particularly important in the state and local government sectors to work with the end user early in the process to help design and develop the solutions.
Troy Conners: To echo the other sentiments, it’s really as a multiple system integrator where we are really seeing the opportunities as disparate systems want to merge together or as the operators want to merge them together. One of the areas where we work well is with public-private partnerships. There’s much more collaboration today, so we have to be involved at every level of that collaboration, including up front in the risk analysis process.
Diane Ritchey: I want to follow up on some of the funding issues that you all must face. Could you please address some specific issues that you have with funding? Are there creative ways to secure funding for new security projects or upgrades?
Todd Best: We’ve had budget challenges in the last two years to meet our Mayor’s reductions across every department. The flood in Nashville last year only added to what was already a tough planning process.
Our organization has a lot of respect for security, I’ll give them that, but the expectations are high, so it does not take long to weed out the wasteful spending in an environment where layoffs can happen and budgets impact the entire community.
We have to show our impact and keep our goals in line with the operations that we serve if we expect to get the funding we need.
Dean Sydlowski: Our structure in Edmonton is six different departments. Security provides advice and consultation to those departments, and they are responsible for their own budgets. So I’m sure that they have some creative ways to secure funding, but from our perspective, our job is in their risk analysis phase. We really need to sell our recommendations to those departments and make sure that we identify the impact, the probability of events and their severity and getting the right people to listen.
Over the past year we’ve moved more to a “one city” approach with a new city manager who wants us to operate as one. Now our job in security is to make sure that we’re prioritizing projects for all six departments.
We need to ensure that one department isn’t getting security that they do not require, especially security that another department absolutely needs.
Kirk Simmons: For us it’s really been about the judicious use of technology. We’ve been facing double-digit budget reductions the past three years. But it’s really a focus of using technology in an efficient way and showing that we either can maintain headcount or reduce headcount. One example is that we just installed security turnstiles on our exits. It replaced guards who used to sit at those entrances. It was a sizeable investment – more than $500,000 to put in the turnstiles – but I was able to show that we’re going to be able to reduce headcount by four people. So the county wasn’t afraid to spend the money. It worked out very well.
Diane Ritchey: Yes, that was a very innovative way of solving that problem. Red, can you speak to some of these issues as well?
Red Robidas: Like most folks, funding is a challenge year after year, and we’ve had to rely on being creative like everyone else in where we find most of our funding sources.
Our straight line item funding has been rather limited, we do get some money through new construction of buildings or renovations of existing buildings or facilities. We also periodically receive some community improvement program funding.
So there are not a lot of direct dollars that comes into our account as a line item because all the departments handle their own line items.
What has been very successful for us has been with homeland security funding. We’ve been fortunate over the past several years to gain substantial dollars, and it’s not often that you hear people say that.
With regards to homeland security one of the limitations is ensuring your planning is compatible with everything else that you have in place. And if it’s not compatible then you lose points in the funding process.
Diane Ritchey: That’s great news. Let’s move on to the next question for integrators. Can you share a recent success story that relates to a specific use of technology?
Andre Greco: I think that a good example was a project that we just recently deployed for the City of Plano in Texas, s good size community with 265,000 residents, who had multiple city agencies and were looking to integrate and manage data from many different sources in to a single point command and control.
So Johnson Controls consulted with the city and worked with them on not only a short-term implementation of a PSIM solution, but we also made sure to scale it so that as additional agencies within the city of Plano wanted to bring their data and information into that single point of command and control, they were able to do. So it was really a collaborative effort, and we were happy that we were able to craft a solution that exactly met their needs, both short term and long term.
Vince Piau: One specific recent case is in the Norfolk, Va. area, where we originally began with a 1,000 IP camera conversion for the public school system across all the schools. Previously had stand-alone analog systems that were not being monitored regularly and also had fallen in to a lack of maintenance and repair.
We tied video into existing buildings within the public works department, and based on the success of that implementation and the platform that we were able to put in, we were approached by the police department. So we expanded the system so that they could use the same system and segment it for the different uses.
We installed outdoor cameras utilizing wireless mesh technology, and this proved to be very beneficial for them, as it resulted in numerous prosecutions and arrests. We also added video analytics, and recently they were testing integration of gunshot detection technology.
What made this particular customer or this case a success is the partnership between the agency and the integrators and the collaboration between the different departments.
Troy Conners: We’re about to deploy an installation with a private company in the New Jersey area that was a collaborative effort with the New York New Jersey port authority as well as FEMA. Siemens worked with this company from the very early stages, specifically with risk analysis, to help them gain the FEMA grant.
This was a facility with more than 600 acres to protect. It’s a critical facility because of the shipping channel and the location of this facility as it relates to not only the port authority but to other businesses in the area.
And on the back end you know we’re more than just the systems integrator, we’re going to work with them on the monitoring as well as the service and maintenance.
Laura Stepanek: Yes, in fact that’s one area that we’re going to talk about a little bit later is going beyond implementing the technology into all the other services that an integrator can provide.
Diane Ritchey: But first, there is a lot of discussion about securing the cloud. Are you and your agencies looking at the technology yet?
Todd Best: We’ve had a few recent challenges with archiving that could make it more of a focus in the future, but at this point we haven’t suggested it to our IT department for any of our security systems.
Dean Sydlowski: It’s fairly new to us at the City of Edmonton as well. We had some of our legal team start doing some research on it, and I think that the preliminary research was indicating that there’s a few security-related concerns, as well as protection-of- information concerns that we may need to overcome.
Kirk Simmons: We’re not using it in any form, but I think we’re looking at it.
Red Robidas: We actually did it in one of the sub agencies to the city about a year and a half ago with one of the products, and we’re looking at a product on the city side as we speak. Some of the challenges appear to be with legal issues. I have a question about the legal issues. If the server is in Wisconsin, but the company is in Minnesota, which laws are applicable: Wisconsin or Minnesota? I think there are issues that need to be addressed that cannot be addressed locally, that have to be addressed federally in federal government regulations.
Diane Ritchey: What about the integrators? Have you been specifically working with end users on implementing cloud security?
Andre Greco: We’ve looked into a bit, but there are some risks. A lot of companies out there are doing off-site storage of data and some of them have the appropriate credentials, others do not.
So for the end users on the phone I would say that they’re going down the right path in terms of having legal and risk management take a look at those companies before they intend to use them.
Vince Piau: I would echo a lot of the concerns regarding the privacy issues with the cloud base. But to me it seems like the federal government is leading the way with those efforts across the board. And state and locals tend to either run in parallel or follow those standards that the federal government sets. And so we’re doing a lot of work with federal government agencies that are now mandated to move to the cloud based security services.
And there are certainly challenges. I think the benefits of cloud based services are compelling in regards to less on-site IT maintenance, fewer data centers and associated space and heating as well as cooling.
And then not only just from a capital funding requirement, end users can increasingly use cloud based services to potentially utilize operating expenses.
We as integrators need to not necessarily oversell the benefits but also make sure that we take a realistic approach and make sure the customers understand the trade offs as well as some of the technological challenges, in addition to the privacy concerns.
We really want to see these solutions be proven, and we want to make sure that end users are comfortable with the way that things are moving. And nobody wants to be the first to do it.
So my opinion is that I think the federal government is really mandating these changes.
Red Robidas: I know it’s off topic but if you don’t mind could I ask a question about the cloud? And if I could pose an example: say the actual data is stored in China and we’re a U.S. account, which laws become applicable to the information?
Vince Piau: Yes, and that’s an excellent question, and you know my opinion is that most likely that is going to be a very big concern. In regards to the government there’s going to be pretty strict regulations and mandates all the way down the line, which would not only include the technology say at your desk, but also where the data is stored.
And there are only going to be certain data center providers, not only for the data, but also the transmission of that data. So it’s not going to be the same, I guess, looseness that you may have with your email right now. There are going to be some strict regulations and only a few approved providers that will be able to have all that information. There will be a check and balance.
So if I had to guess, your data is not going to be in China, but it’s going to be in one of three approved data centers in the U.S. that will be audited and maintained and ensured of a level of security, probably more so than if that server was located on your own network.
Troy Conners: We’re seeing more requests from our commercial customers, and most of our customers are really taking advantage of our access and video monitoring as it currently exists. But to echo Vince’s response, the federal government is very sensitive about any third party accessing their networks. And there’s been a lot of discussion in Washington and among the various defense agencies about how to go about certifying different firms and different technologies to gain access to their network. So it’s our feeling that the state and local government will follow the federal government in that regard.
Diane Ritchey:The next question I want to pose to all of you is that on the surface it may seem as though integrators are only responsible for implementing technology based security solutions. But what’s your role beyond that? For example, do you get into helping an end user develop their policies, their procedures or perhaps their plans?
Andre Greco: We go far beyond just implementing technologies. We have a complete relationship with the end users in terms of doing site surveys and risk assessments, working on designs not only for systems but for processes and policies and procedures, and getting it to budget planning and writing and reviewing specifications.
And what we find the majority of the time is that the end users think they’re in a situation where they have everything covered but as we start digging into very specific details relative to alarm response and procedure, there are some gaps. So we’re certainly able to fill in the gaps with end users and help them to create an all-encompassing security program from the electronics to the integration to the networking and network infrastructure, all the way down to the policies and procedures and how to respond to very specific types of events. So it’s far beyond just the implementation of technology. It’s an all-encompassing relationship that we like to have.
Diane Ritchey: That can only benefit the end user…
Andre Greco: Without question, especially as it relates to where they are today and where they want to go. And what are the steps in between to get there?
Vince Piau: We believe it is our responsibility to work with end users to help develop and enhance their security policy. Technology on its own is not a solution. So before we can recommend technology, it’s critical to understand the unique challenges that each end user agency has and how we can help them address those particular issues now. And with this understanding we can use our expertise and apply relevant technology to develop meaningful changes to the current policy and maybe see some things that weren’t available before because of that technology.
And I’ve mentioned before the case of being able to increase the use of IP video surveillance between agencies with schools and other departments. That enables new technology where police officers are able to see video in the car as they’re pulling up to a scene.
Those things are starting to give people ideas to rethink their current and how they will respond. We really look at the project and implementation as a long-term relationship, so once we’ve installed cameras and alarms, we really have to work with the end user to educate them to respond to hundreds of cameras or alarms that are coming in.
Troy Conners: Systems integrators need to be more than just integrators today; they are really security partners, from the first stages of risk and the needs analysis all the way up to the service and monitoring.
Diane Ritchey: I want to pose the next question to our end users about cybercrime. I know that traditionally this has been an IT role. But many end users that say it’s increasingly falling under their responsibilities as well. Is it your role within your organization?
Todd Best: I work closely with the IT department to consolidate physical and information security. They have a really active comprehensive security program with a lot of initiatives that support law enforcement agencies, for the state as well as directly in the local community. My personal role is just a small part of a bigger design. It’s been really successful here in Nashville and it’s still in the early stages.
Dean Sydlowski: I echo the same sentiments in that we do have a security IT department that looks after most of the technological stuff, but I think one of the number one thing that my area is involved in is the awareness piece to the employees, to send out tips and examples to them, as well as have certified fraud trainers to put on cyber security awareness training sessions for the city of Edmonton on a yearly basis.
I think that maybe the motivation of folks to attend is for their computers at home. But at the same time, if we’re delivering the right messages to them and giving them example cases to prevent the incidents from occurring down the road, I think that we’ve won half the battle.
So we work with our IT security teams to implement physical security wherever necessary and then detect and report incidents to the Edmonton police services and then facilitate and assist with an investigation, providing evidence and then if necessary, even going to court.
Kirk Simmons: We’re not much different than Edmonton. We have a separate security area in IT and my area is responsible for the physical security, so we just maintain good communication with them about different issues and provide recommendations to reduce the risk.
Diane Ritchey: What about you Red, is that your situation as well?
Red Robidas: The actual IT aspect falls to our IT department. My role is dealing with the employees directly, sending them information that’s applicable at work or for their private life to be aware and reduce theft. That seems to be working well for us as far as employee awareness.
Laura Stepanek: And now we’re going to wrap up this discussion with the ideal question: what is on your wish list in terms of technology and/or other resources that would help you do your job better? We’d like all of our participants to address this question briefly, starting with Andre.
Andre Greco: I guess in the ideal world some flexibility is what I would seek. Flexibility to be able to work in a collaborative relationship with end users from state and local governments to allow the end user to determine what business objectives are for a particular project, what they were looking to accomplish, how the outcomes were going to be measured and then to choose an integrator who they felt was going to be able to benefit them in the short and the long term versus creating a request for proposal and sending it out to anyone and everyone. Accepting a proposal from the individual that came back with the lowest price is really detrimental to the owners on the state and local government side, because it ends up in the long run costing them more to deal with inconsistent and disparate systems versus being able to strategically plan and execute the most efficient plan. So given the opportunity, I would say that we’re looking for more flexibility.
Laura Stepanek: Okay great, thank you. How about you, Vince?
Vince Piau: Yes, as we discussed earlier, there’s a lot of interest in the cloud-based security services, but as I mentioned, this requires a shift in the current technology architecture that’s available today, and we as integrators aren’t going to rush in to these types of implementations without a proven solution that we can have absolute confidence in. So we really want to work with our manufacturing partners to help them follow these trends. I will mention that we are excited about this overall trend towards the cloud because we see potential benefits.
For example, at Convergint we have developed a web-based service portal for our customers that allows real time updates, tracking and reporting of all the service calls throughout the U.S. and Canada where we service our customers. It’s a tool that was developed specifically for our customers based on their requirements and their feedback. And I think as an example that demonstrates the tremendous value that we can have with innovative web-based technology if used appropriately.
Laura Stepanek: Okay thank you, and Troy? What’s on your wish list?
Troy Conners: Siemens has a new division called infrastructure in cities where we’re beginning to be more proactive with our customer base, and that means from not only a technology level but a partnership level from all aspects of their business. We currently work on integrating of systems, but I think on my wish list it’s more of a seamless integration into all of the disparate systems that are out there today, including wireless and real time tracking solutions. Those are things that we feel are coming but we’re not quite there yet. So I think integrating to multitude of systems from a security perspective would be on my wish list.
Laura Stepanek: Okay, great, thanks. Three great perspectives from the integrators. Now let’s hear from the end users and Todd, why don’t you go first. What’s on your wish list?
Todd Best: I would like to use our existing technologies better before buying more. We have a new security video system that’s been a real force multiplier for the group. We have a lot of success with it, but we’ve also had some challenges that would have been better served if we had technology. I guess the top of my wish list would be better communication with our vendors and integrators so that I can get the most from the toolboxes that we have. Sometimes that means they need to be more for us, and that means I need to do more homework to understand the technology and how to use it better.
Dean Sydlowski: I have a couple of wishes. Funding was on the top of my list but you said money is no object. So I want to echo what I heard from one of the integrators – the seamless cost effective integration of systems I think is critical and it seems that everybody is trying to catch up right now in bringing all the systems together. But it’s not as easy as it sounds.Currently at the City of Edmonton we do a lot of data management manually. I’m currently working on a tool that would give me daily data on different threats, threat analysis of sites and people, whatever the case may be, and I think that that’s going to be critical to preventing things from occurring rather than reacting to them.
I’ve heard a lot of talk about analytics today, however I don’t have a comfort level with it yet, and I think that that’s going to be something in the future that is going to be on everyone’s wish list.
I think the number one item on my wish list would be governance. I think that there does need to be an overall governing body, whether it’s public or private, to make sure that everyone is complying with security policies, procedures and risk mitigation strategies.
Kirk Simmons: I know I’m going to make everybody sick because I get what I need here. We really do. If I had to ask for something, I guess I’d like an organization that was less decentralized. It makes it difficult for me to work in so many different directions, and I’m not particularly thrilled with our bid process. I think we focus too much on low bid costs rather than the best value. My department that I work for – property services – we’re starting to make some inroads towards changing that philosophy. But we’re still ways out and it’s very laborious to design strategies and then get around a low bid strategy.
Red Robidas: Along the same lines about the seamless transition, I’d like to look at it just a little bit differently if we could versus, the public private sector partnership. I’d like to see business to business partnerships versus proprietary products. I would like to see product platforms becoming more integrated with other products.
As an end user I would like to have more flexibility in comparing products that offer more integration. I believe that would open the field for all of us of to have more competitiveness among the products that are coming in and not throwing away everything we have. Because quite frankly we’re all in the same position; we’re not going to discard everything we put all our finances into over several years just because someone comes in and asserts that theirs is a better product.
Likewise I’d like to see seamless transitions going from analogs into the IP world.