 This is Think Tech Hawaii, Community Matters here. Hey, Aloha, and welcome to this Christmas-y type episode of Security Matters Hawaii. We're live from the Think Tech Hawaii studios. And today our guest is Ray Colom, President of Security Specifiers, and one of the sort of lead consultants out there in the industry, Ray's well known, and we're really happy to have him on the show. Welcome, Ray. Thanks for joining me today. Hey, Andrew. Aloha. Hey, you look good there. Got a nice screen. I'm here. Is that your home office? Yeah, this is Command Central right here and in Rhode Island, so I'm looking at a different ocean that's a heck of a lot cooler than yours is out there right now, I'm sure. Yeah, it's that time of year where you guys actually have a real winter. We just get a hat, you know, maybe a little time at the beach. Well, we'll make our own merriment, right? Nice. So anyway, you know, we talked about putting this episode together when I was a consult at this event that you've held last few years, bringing sort of the integration community and the consulting community together, typically groups that sort of maybe talk before projects and then once projects get going, things can come apart and they don't get to talk unless they have to come back together. There's sometimes a GC in the middle sort of insulating them from talking. So I thought we'd kind of spend this episode talking about all that goes into it, you know, from that consultant side, you know, all the stuff that they have to do to kind of get the project right, you know, at the final deliverable stage because there are many changes that occur along the way. So we'll get into some of that. I like you, if you can, give our audience a little bit of your background as much as you care to share and we'll go from there. Okay. Well, just briefly, because we want to get to the important stuff, you know, here pretty quickly, but I've been in the industry for probably over 30 years. I've started or helped to start a number of companies in the space. International Fiber Systems helped get that going. I was in the early stages of Fiber Options. I was a co-founder of Cypix Networks that Cisco acquired as their first foray into the business and various and sundry other enterprises, but fortunately none of those has gone south. But it was about eight years ago as I left Cisco that I decided to do something that was more than a product company, that it would be something that would address a real need that I spotted in the marketplace. And that is to work in that consultant and manufacturer interface. And consultants are one of the great mysteries in our market, you know, because you really can't, you can't pigeonhole them. They can be sole practitioners. They can be a cadre of people in a large engineering firm and anything in between. And they're really not that well understood by and large, but from any manufacturers in particular, they're real target because they influence the sales of products. But I think what's important is that most large projects of any substance here in the security business have a specification and probably have a security consultant involved. So they matter. The average consultant influences about $3 million worth of product sales every year. So I thought, you know, it just makes sense to try to make this community more visible, to work with manufacturers to let them know who actually these people are and what they do. And so as we've evolved from a, just an online subscription database, you know, we've got a full blown website with resources. I work with manufacturers with a mission to help them put their best foot forward to the consulting community. And then as you mentioned, we started an event called consult to really address another need. And that is, how do you get consultants and a large number of industry people, mainly manufacturers, but a few integrators together in one spot to do something that's meaningful? Because the dilemma the consultants have is they only have so many billable hours. They only have so many events they can go to. Manufacturers are fighting for their time. And it's just difficult for them to balance all of that. And for the manufacturers, it's a different animal. One is getting the consultants to come to their events because of that time restriction, but also there's a cost associated with putting these things on. So I said, well, look, let's time share and cost share something and get the right people in the right place for an event that is quite a bit different. And I guess we'll talk more about that as we go along. And so that's how we sort of evolve in security specifiers to now where I think we have something that is really providing value, not only to the consultants, but to the industry in general. So I've been at this a long time, more than I care to admit, but it's like people like us, we don't retire, we just kind of fade away into the sunset at some point. Yeah, I did talk about that quite a bit actually, that our industry has a lot of experience, right? So the folks that are experienced, and we had some panels of folks that are, you know, I'm 55, there's some folks on the youngest guy on the panel. And then we've got the new up-and-comers who typically tend to go out and get their teeth cut, but oftentimes end up moving into a consulting role, rather they're with a consulting firm, like you mentioned, or they end up getting enough experience on their own, they're confident enough to, you know, there's a gap in their own market where they can go out and start to offer their services. You know, we had a few hundred folks there, I think 150 consultants maybe at this recent event. No, it was really half that number, it was about 75, but about 200 people in general came to the event. Okay, and 75 consultants. So I didn't see a whole lot of really young faces. I mean, in your estimation, what's the sort of average level of experience that a consultant hits the market with? Are they 10 years in the industry? Have they come from other types of consulting like AV and they get into security? You know, the things you need to know about our industry are fairly specific, and we could talk a little bit about master format if you want to, but you know, what's your feel for how, how'd you guess who to invite, maybe it'd be a question, you know? Who all did you want there? You know, we looked at our database and the thing I should mention is that because we charge consultants something to come to the event, not the full cost, but something that as opposed to the manufacturer events where there's no charge, in most cases, they're flown out and everything is provided for, you know, that right there says, well, you're gonna get people who are really interested and you're probably not gonna get the real junior people there. You're gonna get the more seasoned senior managers. Good example is Jerry Blanchard from POTUS3. He has probably 15 people working in his company and a few are younger and Jerry's the president. He wanted to be there. So I think the nature of the event sort of argues before having more senior seasoned people there. But yeah, you bring up a good point and that is, you know, how do people come into the consulting profession and what's their age? And I think, I should mention as an aside that my son Brian is a security consultant. He was probably the youngest consultant there and he's in the industry because I'm in the industry. As so many of us, you know, across the industry have seen, you know, because multi-generational because from father to son or daughter, you can transmit the excitement, the opportunity that exists in our industry. But for consulting, you know, I don't think anybody sets out to be a consultant. Just like probably a lot of people don't start out, in most cases, to work for a systems integrator. You know, you sort of fall into it. And in consulting, some are ex-police, some are ex-installers, some are ex-integrators. You know, it really does vary. And I think one of the challenges that we have in the consulting world is the same that we have in the security world. How do you bring new talent in? Because right now people are falling into it almost by accident. But I think, you know, there's plenty there to recommend it. There's lots of challenge, you know. Every, first of all, every job is different. Yeah. The projects are complex and it all starts with, in most cases, going in and doing a risk assessment, a site survey, understanding what that client's budget is, trying to have a sense of what's required to address the unique risks that that client faces. And you know, as well as I do, because you're heavily involved in it, now the dimensions of risk expand because of cyber. And also the liabilities that people might have in installing or specifying expand because of cyber. So, you know, you've got, you've got that element. Think of it as kind of solving a puzzle. And so, so you go in, you try to understand the risk involved in the broadest sense possible. And the younger the person, the easier it is to understand the technologies that might be employed to address those risks, you know, particularly the electronic and advanced technologies that we're seeing now like artificial intelligence. And then you step back and then there's a design and engineering component. And along with that, you've got, you've got the specifications that reflect what that engineering design is going to be and ultimately when a project specification comes out and you're briefing the world, you know, body of integrators that come in, you know, with an inquiry or maybe it's a broad-based briefing. And then you've got to deal with the challenges in that. And ultimately assess the bids. And there's, you know, there's another element that would require another half an hour at least of a think tech Hawaii. Now, you know, how do you, how do you get around the low bid to pick that integrator that really can do the job? And what hooks can you put into that project specification to try to assure that? That's a big challenge. There's no certification really that exists for integrators to do that, that's broad-based. You know, you've been part of the discussions as I have to do that. And then, you know, however that integrator is chosen, that you've got the project management process and ultimately the testing to make sure that in fact it does what it's supposed to do. And of course, you know, as well as I do, things do not always go as planned. And it could be anybody's fault. It could be a manufacturer who promises that his software will be here on this date and capable of doing that. And lo and behold, there's been a slip. So there are innumerable challenges along the way. It takes a pretty broad-based, pretty savvy person who's got a thick skin as well as pretty good people skills if he's a really good consultant to do this job right. So it's a full gamut of things. Wow. And certainly, certainly technology's a big component in that. Yeah, I like your point that people, no one grows up going to, I'm gonna get in the security industry and no one even knows about our industry. You know, everyone sort of falls into it. So I'll tell you what, let's, we'll go ahead and do our one minute break and we'll be right back with Ray Colom. Thank you. This is Think Tech Hawaii, raising public awareness. If you're not in control of how you see yourself, then who is? Live above the influence. Truth is, I'm impressed. I haven't been asked such intelligent questions in a long time. Thanks. Aloha. I wanna invite all of you to talk story with John Wahee every other Monday here at Think Tech Hawaii. And we have special guests like Professor Colin Moore from the University of Hawaii who joins us from time to time to talk about the political happenings in this state. Please join us every other Monday. Aloha. Hey, welcome back to the Think Tech Hawaii studios in this Christmas episode of Security Matters Hawaii. We're reviewing the role of the consultant with Ray Colom here. And we're just getting into a little bit of that, understanding what that specification work is. You know, we talked about how people sort of fall into our industry and maybe they've got other industry experience, maybe electrical experience, maybe academic experience, but they come here a lot of ways. At the end of the day, they've gotta take the customer's requirement, maybe based on risk and get a spec written around that or help the customer understand how to deliver to that specification. So, Ray, what are you seeing going on in that spec world? I mean, it's technology evolves quickly. The spec evolves. Sometimes, you know, you bid a job that doesn't get done for five years. So, obviously, the technology changed in that gap. Technology changes every six months, it seems like to me lately. So, you know, when it comes to that specification, you know, you write to a master format that you manage and you got people contributing on. Give us a sense of the role of both the, let's talk master format and then let's get into some of the specifications now. Okay, so master format I think is something that is misunderstood in a lot of quarters of the industry. So, let me take you back a little bit. There's an organization called the Construction Specifications Institute. Yeah. I think their website is www.csi.net.org. Right. And they really exist, you know, well beyond the security industry to try to improve the overall specification bidding and project management process. And they've got some great certifications, by the way. One's called a certified design technologist. Great book behind it that really does talk about the whole construction management, project management process. So, part of that is deals with specifications and putting specifications together. So, imagine on a large construction project trying to put a spec like that together with not only security but, you know, doors and windows and electrical and plumbing and you name it. So, what the CSI did was to create this thing called master format or CSI master format. And I think we're all familiar with SIC codes and NAICS codes, which is a hierarchy of codes. So, master format is literally a numbering system for all the disciplines in construction, all those things that I mentioned plus, you know, concrete and, you know, you name it. And so, each of those disciplines is split into a division and there is a specific division called division 28 that is titled electronic safety and security. And so, if one were to get a hold of the master format document, you would see a number of numerical items there with security related stuff. And so, that hadn't been touched in, oh, since 2004 and about three years ago, I initiated the industry effort and then led the effort to bring it up to date. And we made hundreds of changes. Wow. And so, the main sub breakdowns are what you would expect. There's one for access, one for video, one for security management that picks up intrusion. There's one for life safety that includes both fire and mass notification. We try to split out fire. They said we couldn't do it as part of life safety and electronic safety and security. And then there's one for special topics that picked up things that didn't fit anywhere else. And pieceim by another name was in there and there are other things. Plus, there's just some general stuff in there. So, what happens then is when somebody writes a specification, imagine all these numbers and different people are writing different pieces when that whole thing gets put back together into an overall project spec. Guess what? It's all ordered by numbers. So, there's discipline in that process. And then CSI also has some other documentation that says how those specs really ought to be organized, what ought to be in them, what's fair game. And so, manufacturers, most of them have any spec documents that are put together in that format. And what typically consultants will do is they'll, they'll cut and paste and pull sections out of what's offered by manufacturers. They may have their own master specification document. Some people call it master spec, that that is a template for putting things into something that they can probably put out in the street. But master format itself, it's really a numbering system with a little guidance for what the numbers mean. Yeah, and it's interesting, you know, when you're going through a project, you know that you would, you would hope that all the information you need is in your section 28, but oftentimes there's things, especially for our industry that are spread around. So you've got to go through the entire document, you know, to make sure you're, you're all your stuff's covered. If it's not ref, sometimes it's even, maybe ref on the plans or there's a cloud around an area that's going to be used later on. And so, and so it'll, it'll kick, okay, all the div 28 stuff kicked to that group over there, but maybe it included locksmiths and some of the stuff that got moved around recently. So there's, there's definitely been changes. And there's that necessity for that guidance because it's, it's far more complex. I think people just see a camera on the wall or a card reader on the wall. And they just think it magically got there, but there's a lot of methodology and a lot of organization behind that. And you're right. And just sort of an interesting anecdote with a, with a current one, you know, we took, and the changes made several years ago, we took readers, key pads, biometrics and all that out of division eight, which is called openings. And we put it into division 28, which is electronic safety and security, because normally this stuff interfaces with an access control system or a broader sort of integrated system. And the door industry cried, you know, they cried, they said, wait a minute, you know, our guys aren't going to be able to sell this stuff. And so they went back to the CSI and there were discussions back and forth. And so now we have those categories in both division eight and division 28 and division eight. They are called, for example, access control hardware for non-integrated systems. And in division 28, it's for integrated systems without a definition of what non-integrated versus integrated is. My personal definition is the security integrator is going to touch it. And if it interfaces with anything from a system standpoint, it's integrated. And so, you know, even now it's not clear. And at the end of the day, what's interesting and all of that is that a consultant really has the ability to use any unused number and make up his own titles to fit the need. Nice. So it's, but at least, you know, at least we're a lot closer to where we were. The other thing I'll mention is that for the first time anywhere in master format when we did this thing in 2016, that or 2014, I guess now, we added an element called cybersecurity. So cybersecurity requirements for electronic safety and security. And last year, I tried unsuccessfully to get that same requirement put into every division that touches the network. I said, oh, you got it in division 28 already. And, but division 28 only applies to electronic safety and security. So we're going to go back and try to get them to at least put it into division 27. It's called communications, which, and I don't think we'll get much pushed back there, but now we've got a home for cybersecurity. And people are saying, well, what the heck do we write? And that's another discussion. And it's something that is a work in progress to try to provide some guidance. Because now, I mean imagine just as you, Andrew, might arguably have some liability, cyber liability, if you do something on a job that is clearly bad, you know, bad cyber practice, what happens if a consultant specifies a, you know, a camera or something that hasn't been fully tested for cyber hardening. Is you liable? There's a school of thought that says he is. So suddenly people have to understand this world because it is a different world as you well know, because you're one of the leaders in the industry on Escort. Yeah, so it's interesting how they're, you know, everybody wants someone to be responsible. And this is a cyber service in all hands effort and we've all had these discussions. So it's, I'm happy to know that the consultants have those concerns, you know, that they're interested in being part of that checklist process. Because the worst thing we can do is like ignore it, right? If the customer is not savvy enough to know, hey, who's gonna watch out for that cyber hygiene piece? You know, and it doesn't get brought to their attention, it doesn't get put in. So once we start asking the questions, at least we're taking that step on that customer's behalf and not just leaving them holding a bag of stuff that they're completely unaware of. And I think, I really think that was the state of the industry just a few years back, but everyone's kind of grown up around the idea of cyber network connectivity and we're starting to see these questions asked. I'm seeing that a lot in the DOD, obviously in our critical infrastructure spaces. And I think that's gonna trickle right on down to the full commercial spectrum of installation. You know, I agree. And as you know, that was a, we had a whole session track. We had four sessions in our consult event on this very topic, consultant liability, spec language, what's reasonable to expect of integrators. And I'll just put up, if I may, I know we got a couple of minutes left, a couple of plugs in. One plug is that I'm in discussion with Sia and I've mentioned it also to PSA that we really should have a certification for I would call it secure installation, secure cyber installation that is targeted towards your world as well as the broader security industry. Because if I'm a consultant and I spec a job and I've done my homework on manufacturers and the manufacturers have hardening guides, I wanna be sure that that installer going out there is capable of doing all those things that are recommended to make that a secure installation. And right now there's no measuring stick. You know, CISSP is a certification. That's great, but it's overkill for our guys, the Cisco certifications. I have a CCNA security, or I did, I didn't renew it, that gets added. But there's nothing that really talks about security devices in particular. So, you know, that's something that we're having a lot of discussion on that I think would be just a tremendous thing for our industry so that all of your installers and anybody else who goes out there on the higher level jobs that really demand cybersecurity have at least some credential that says he, you know, he at least at one point in his life showed that he knew this stuff and hopefully we can have a renewal on that. Of course, the other plug is the consult conference. I don't think we have too many consultants here, but you know, I think having an event where people can have real conversation about real issues in a way that's not all scripted and that's not two minutes on a trade show floor or something in passing is, I think it's really valuable. And we get a fair amount of that at PSA Tech, as you well know, where people really have a chance to talk to people about critical issues. We just haven't had enough of that in the industry. I'm glad you got experienced part of that with us. Not that I'm going to scale our event up because I think, you know, keeping things at a certain point creates an intimacy and a familiarity that really does allow people, whether you're an integrator or a consultant or manufacturer, just to talk on a professional to professional basis. So nobody's getting sold to, and we don't even have product displays or booths or tabletops at our event. Yeah, we expect everybody to be in there learning. Yeah, it was very people focused. I love that. Consult 19 is going to be out in Arizona. What's the dates? New Mexico. In New Mexico, sorry, what are the dates? October 19th through 22nd. We are nailing pages, web pages up on attendconsult.com where any, for any consultants listening, please take a look. There's a little video. If you need more information, contact me at rayatsecuritiespecifiers.com. Awesome, thanks Ray, or you can call me Andrew. I'll give you a good plug for that one. That's about all we got time for today Ray. Let's circle back maybe in six months and see how things are going or maybe around consult next fall. I appreciate you joining us today and I really hope you have a great holiday season. Thanks everybody. You too, thank you Andrew. Appreciate all of you tuning in today because security matters, thank you. Nice, we're out, great job Ray. I think you had to play really well. Okay, good discussion. I hope it's what you're looking for and we've got a long time with this. You know that, right? Yeah, we cover a whole lot of ground. So I'll look to plug it back in or if you ever have a particular thing you wanna spend some time on just let me know and we'll fit it in. It's great stuff that people, they don't get this perspective often. They're product focused or they're problem focused but you know, what's the big picture?