There, I know you guys are all sitting at home locked away and you just couldn't wait for this episode of Security Matters to stream to you live out of the Think Tech Hawaii studio. So I hope you're joining us today. My guest today is no stranger to this industry and I'm sure probably not a stranger to most of you. Pierre Bourgeix is brilliant by almost every measure and we've had some great conversations and I wanted to get a conversation today, get an episode going around what our industry's sort of done right and what are we still doing wrong around this whole idea of convergence. You know, we've talked about it for many years and I don't think we're, I don't think many have really started down the path to be honest with you. Pierre, welcome to the show man. I really appreciate you taking some time out to join me. I know you're a busy guy writing and I don't know if you're traveling much these days but maybe you're getting some writing done.

Aloha. Aloha.

Hey, you, you and I have, have talked quite a bit about this, the problem and let's, I'll keep it, we'll start it simple and try to keep it around people, processes and then maybe we'll beat up on products a little bit if we have time. On the people side, you know, we started with awareness and education, I think four or five years ago at PSA, and I know C is working hard to put together a package for integrator education, for technician education around cybersecurity. But on the whole, I, I feel that we haven't moved the needle much with, with people. What, what's your take on it man, you're on the mainland a lot more than I am, you know I'm kind of isolated out here on my little rock. So, tell me what you, what do you see, you know, what are people gravitating to, what's, what's, what's good. Then we'll, we'll talk about what's lacking.

Well, I think, I think generally, the industry has progressed, maybe about 5% it should end on 100% scale years, but not there.
I think that people think they are based upon a lot of the conversations that have taken place. I think, matter of fact, maybe have have secured cameras, they've added STP, they've done certain things which, which I commend to a certain degree. However, when we talk about people, and that inevitably becomes the big problem, is most integrators, even consultants, design engineers, have not taken the time to educate themselves on the true problem of IT infrastructure security and cybersecurity as a whole. What is cybersecurity, what is IT security, what does IT infrastructure really mean to the security, into the physical security industry from video cameras, access control, the sensor to fire, etc. So, what it boils down to is that, like most people in life, you know, we're all looking for the easy answer, you know that old easy button, there is a button, it takes time and effort, research, spending your time to define, you know, what is, you know, the how does IT infrastructure play in the role of designing a security, you know, the camera system, you know, what does that mean, what does segmentation really mean to the business, what type of business are you working with, you know, are you asking the right questions. I think we've talked about this, right, I think the problem is that I don't typically see us asking the right questions. You know, we talked about this three or four years ago, a consult I think when it first started, it could have been three years ago. You know, and Greg Norman brought in the concept of, you know, well, you know, IT security, physical security, right, the assessment side, what is your current state, how do you define it. Well, now it's even operational technology so he's got three domains now that we still don't know what we're doing. And it's because we just don't want to learn. That's it. I hate to tell you but it's laziness. It's pure laziness, it's you know, they had they've had a good for you know the integrators are doing extremely well.
You know there's a lot of business and of course now we have coronavirus and now we're going to see a slowdown and the economy is going to slow down. We're going to have a big robust, you know, return. So, I guess I've given you a little bit of good and a lot of, well, we got a lot to work on.

Well, we, we talked about laziness and I, do you think that our success as an industry is a contributor to the lack of broader education.

Yeah, 100%. I mean, I think that we've gone through so many years of good, right. It's hard to like come back to an integrator. And they're looking at their balance sheet and go well you know I'm doing pretty good. I'm like, I get it. You're not going to deny that I can't deny that I can't even deny that to consultants because consultants are busy. The checkbox assessments are ranging and you know the design engineering is well you know off the shelf and they're good. I think unfortunately is that you're going to reach a wall where technology is going to surpass the people's capability of positioning solutions or designing the proper solutions because technology is going to afford people to be more edge based, much more, you know, less fixed to the panels on the wall than to the cloud infrastructure that they, they were not paying attention to.

That's an interesting point. Do you think that that has a potential to devalue what it is that we do. Do you think they'll always need us at the door or will it just be an electronic lock set that you can get at Lowe's and you know,

Well, you hit the nail on the head. I wrote an article that really, you know, typified that just recently about the integrator, you know, and, you know, are they going to be the integrator of tomorrow, or simply an installer of parts and pieces. You know, the value for the integrator is to be, you know, part of the trusted value to the client, right. So ought to should be the consultant and inevitably the design engineer.
That means you've got to make an effort to actually create that value. And unfortunately, many times what ends up happening is, you know, they say, Well, it's not in my scope. I shouldn't be asking those questions. I don't want to do that, or it'll interfere with the sale of that product. Oh, God, I don't want to talk about that because it's going to confuse the end user and we're going to end up not getting the deal closed this quarter. Look, I get it. You know, I completely understand it. But unfortunately, who are you serving? Are you serving the client? Are you serving yourself? And nine times out of 10, yeah, frankly, they're serving themselves because here's the problem. I get the triage. I get the problem after the fact and I get people who are frankly upset that why didn't somebody tell us that it says, Well, you know, I don't want to say that well they should have but the reality is they should have. And unfortunately, the reason why they don't, A, they didn't know. So I don't blame them there because they didn't educate themselves. Why do but anyway, nobody's listening to that. They should be more honest, as honest to the client in regards to what they should be doing. And frankly, unfortunately, and I'm going to say it in front of everyone is, look, you're not, you're a Honeywell shop. You sell Honeywell, you're a Lenel shop, you're selling Lenel, you're not going to sell anything else. And frankly, if you do value the maturity of your client and you understand what level of maturity they're in and what industry they're in and what they need. And sometimes that's the shoe that doesn't fit. Maybe you have to give them something that is different but unfortunately if the integrator's making that decision. Well, they're not going to tell them the other side of the story sometimes and that's, that's a danger. Right.
And especially when things are beginning to get more edge based and we see much more nimble systems, you know, compression at the edge, you know, security and we've got a lot of things going on right now that make systems much more resilient over time, you know, future proofing. And it doesn't incorporate your old technology. So, you know, you got to watch out. So I got to say, you got to watch out.

If, do you, you know, I'm a, I'm a pretty passionate about national security in our, on our, our place I want our industry to be in it. Do you find a great awareness for the guidance that's given to across the sectors, the NIPP sectors? RM, we know we have a new risk management framework that came out last year, you know, RMF two after having RMF one for about 20 years. I mean, the guidance is there. It's written. It's, it's well written, I think, in fact, and it's quite detailed on the things that we ought to be, the discussion we should be having with our customers prior to designing anything. Do you think much of that's happening with that as its basis of guidance? Or is it, is it just, okay, this guy knows how to make the equipment work so we'll trust what he says.

Well, so here's the thing. Converged gap assessments in regards to the understanding of every environment, IT, OT, physical security, when I say I, you know, information technology, operational technology, physical security, is when you're doing a converged assessment you're asking questions in regards to resilience, you're asking questions based on operations. So if you're getting into the nitty gritty of how you're going to support your systems, and what is the most appropriate systems that you require, you're going to ask what their IT infrastructure looks like, you're going to ask where their IDFs and MDFs are in their, in their infrastructure, you're going to ask all the right questions if you do this converged assessment.
And I can tell you right now that Ben Butchko, you know, I've been working with him closely, we're, we're really tied at the hip right now in a lot of projects. You know, his, his resilience model and his concept. You know, we followed that in IT world and in the cyber world, and we're matching those up to really help clients and I think where that comes to most consultants have an opportunity to do that too. I mean, you know, you know, control can't do that. They sure can't. But here's the point. You know, have you, have you read those standards. Have you applied the concepts of those standards. Do you understand that these have been written for 15, 20 years, I mean just ICAM and FICAM for God's sakes, it's just, it's real simple right now, learn that identity, learn about access for permission sets. You know if you really are deploying an access control across an enterprise environment, you know, understand you know what are the what is, what is a kill chain to cyber is as a kill chain to, to physical, you know, operationally what, what are the things that are not going to be supported if something goes wrong like, say, a pandemic, you know, working from home 70% of your, of your force now is there. Did you, did you have this in your COOP plan, your continuity of operation plan that was written years ago by the federal government to, to support, you know, companies, you know, out of FISMA and out of 9/11. But look, you know, shame on us if we're not doing these things to help our clients.
That means the consultant has to become better, has to become more, you know, unified in regards to understanding that, you know, even though it's not in your scope and don't get me wrong, I get it, you're not getting paid for some of this stuff, but frankly if you're not asking the questions I don't think you'll ever get paid for.

That is a great point and I, I definitely see the sentiment on the, on that consulting integrator is sort of just left to deliver whatever's been drawn up and that's his job. Good food for thought right there, let's take a break, this is a good spot I think, and we'll pay some bills and we'll be back with Pierre Bourgeix in about one minute.

Hey Aloha, welcome back to Security Matters. I am online today with Pierre Bourgeix. We are both sequestered in our caves, but we are getting the information out as quickly as we can about what's wrong and what's right with the convergence that our security industry has been working on. We were talking about people and without, I'll go there anyway, don't be lazy. There's a lot to learn and don't stop learning it. That's what needs to happen on the people side of the house, period, end of sentence. What are the processes? Pierre, I know you have a great expertise in the OT as well as the IT and obviously the physical side. What are the process problems that give you the most pause, the process pieces that aren't part of spec, that aren't getting brought up to the clients either by the integrator or the consultant?
What's wrong with that piece of our puzzle?

I think one of the biggest challenges for our entire industry is the fact that we are looking at more multi-purposing of systems than we've ever seen before. Corporations as well as government agencies are looking at operational environments, their controls basically, and trying to ensure security, trying to ensure protection. But what happens is that we have this disconnect between my IT as well as physical security, not recognizing that how this is affecting operational environments. From pipeline security, I mean the GAO report from a year ago basically defined how unsecure their pipeline infrastructure was, and much of the budget was relying on the substation side and not really the pipeline side. And so PLCs were unprotected, SCADA controls were unprotected. So what happens is that the domain of security is everything today. It's no longer segmented to silo. And I hate to tell people, but if you don't correlate those environments, you're leaving your behind unprotected. And I tell you something, that last thing you need is an ambush. And that's what we've got today. We've got nation states hacking our infrastructure. They're going after the crown jewels through that operational environment. You know, listen, ransomware is being used against cities like New Orleans and Baltimore, Maryland. And those are tied directly to operational environments, meaning use of the technology that we're adapting to either be access control or video and linking that information directly to say a flat network that we should have been saying, guys, you can't put this on the network because you're going to be, you know, you're going to end up having vulnerabilities. And this basically lies in wait for the tiers of businesses that are small and mid cap that really feel like, well, I'm too small and I'm not a problem. Let me tell you something.
If you're working for a large agency, okay, a government agency or a large enterprise, you are the problem. Inevitably, what you're going to find is people will be able to use you as the agent of, you know, unfortunate attacks.

Yeah, it's not that difficult. On the process side, I saw the recent GAO report about just access control and FISMA, you know, roll out across the Fed, which is very, very slow. You know, I think 20 years and the findings are still terrible. 15% of the stuff's covered adequately or whatever. And now we have OSDPs, we need to go back and retool anyway. On the process side, is it your experience that the customer, because the customer doesn't know his risk or, you know, his greatest risk, he doesn't have a risk matrix built, that the consultants and the integrators are afraid to get engaged with that discussion, because the customer really doesn't know the answer either. And as you know, it's a whole lot of work to sit down and take someone through a full blown risk assessment, you know, enterprise, ERA or whatever it is. What's your sense of the integrators in there? We've already talked about maybe they're lazier, they're lacking some responsibility there, but is it because that process is also daunting to the customer that we don't want to bring it up?

Oh, totally, totally. It gets in the way. I mean, you know, unfortunately, there's no way to make it simple. I told you this initially is that we've got to try to make it simpler for them. And I think that inevitably that's, you know, our job. You know, as educators and people that really want to improve our industry, we're going to have to try to make that information more available to the integrator, and as well as the consultant and the consultants responsible. The consultant's responsibility is to understand what risk means today versus what it meant 10 years ago. Our focus has always been one dimensional approach. We are now a multi dimensional approach to risk.
It incorporates many different vectors. And if we don't understand that as a consultant, then what we do is we fall short of the required expectations to get to the proper technology. And that's where we have to ensure that there's a roadmap. I believe strongly that we're moving into a world today that doesn't allow the consultant to be, you know, third party navigator, they're going to have to be part of the equation. And I don't think that's a comfortable place to be in for most of them. That means they're going to have to learn about technology. That means they're going to have to be more adept at how to define what a good roadmap means for a client technologically as well as operationally. So, you know, I'm not saying that consultants in general do a poor job, but they don't do a good enough job now. And I think that's where we're failing. I mean, IT went through that. You know, the mad rush back in the 90s and the early 2000s, mid 2000s, you know, I mean, my God, you had a, you had a whole slew of consultants. And, you know, after 9/11 you started seeing cyber consultants, right, and you had a whole slew of those by 2005, 2006. So when the guys realize, well, wait a minute, you've got to create value, you have to really finalize, you know, what is the expectation roadmap of a client to get them to a desired state they can reach. And that's the hard part. That's where consultants are today. And that's where the integrators have to take on that because they're going to have to basically take what the new brand consultant in the converged worlds is giving them and be able to apply technology to that and install it appropriately, configure it appropriately, program it appropriately, softwares, you know, infrastructure, not hardware infrastructure, cloud infrastructure, not on premise infrastructure. It's a hard, it comes, it goes from the edge device all the way to storage. It's no longer as easy as I used to have plug and play.
And is, do you think it would behoove consultants and integrators both to get really specific knowledge in a certain sector instead of trying to go out there and sort of be everything to everyone, because it is a lot to learn, you know, you and I. It's tens of thousands of pages if you really want to understand what, what you drive your discussions from a national security perspective anyway, you know for tier one, tier two facilities and on down, you know they're all, they're all important. Is that something, would that be a good thing you think, if, are we all just too cocky and we want to be the smartest guy in the room so we don't want to partner up with other subject matter experts in certain sectors. I'm not sure what that problem is.

I think you're right on target. I mean, look, ego's the biggest problem facing most industries but security industry is full of ego and then it and it's always been that way. Okay, I mean, you know, the guy with the gun, the intelligence officer, the, you know, listen, it's just it's a natural transition and I, you know, listen, we have to call it, we have to call our baby ugly sometimes to get to the real issue. You know, you keep on talking about how great it is, you never find what, what the problem is and you know maybe that's why I write some of the articles that I write. You know, it's to, it's to awaken us out of our symbiosis that you know or some form of sleep retardation that we're in sometimes, we got to get out of that and, and now we're in a position we don't have a choice. So yeah with, with systems becoming more intelligent with machine learning and, and, you know, cognitive synthetic cognition or like AI, whatever you want to call it. You know, this is what's, what's going to be driving, you know, the industry very soon, you know, and we are and the client is getting more intelligent about that, they're beginning to understand this, it's coming them and saying why aren't we doing it this way. I can tell you right now.
The, the industry, as it is, is stymied by the fact that technology is surpassing our capabilities. And if we get to a point where we try to put everything in our own box. Well that box is going to get crushed by the sheer weight of the nimbleness of technology into the near future. And that's where you have to be worried because if you're not ready for that tidal wave. You're going to get crushed by the effect.

Yeah, I 100% agree. I, I hope it's my sense that I mean we work hard to raise the level of our industry and I want us to have a place at the table and national security. I want us to be a part of that solution. But we will have to continue to gain extra expertise. We're going to have to push ourselves or we will get pushed aside or crushed in a box, however it happens it's going to happen, I agree with you 100%, love that perspective. That's a minute and a half left. Final thoughts are what's the, what's the challenge you would throw out to the industry to go get it right.

So I think my challenge for the industry today is, we must, we must not only challenge ourselves in regards to learning and adapting to the technologies of tomorrow, but understand how they apply to the businesses. In other words, in the environments, meaning, not just thinking about technology as a patch, as a bandage, but as a process within their business. You know, it's not all about us. It's about them. And I know we always want to say that, we never really buy it. I mean, I've said, I've heard many people say that but I just don't see it sometimes and I can tell you right now that probably you will be the witness, you will be the victim, and you will end up holding the bag if you're not doing what's right.

Yeah, as an industry we are, our industry above all is one that's designed to serve others so please, please get out there.
Get yourself familiar with this documentation that's available, have the difficult discussion, work on risk with your customer first before you get some technology into them that, that's, you know, maybe a few years or needs but really doesn't do everything it's supposed to care. I really appreciate the conversation today man, stay safe over there and everybody out in the audience stay safe, we'll be back next week, I might have been Ben's coming on soon, that might be next week, I'm not sure. But anyway, Pierre, we'll talk again soon sir and all y'all take care out there. Aloha.