 I'm John Harris, and this is Security Matters. I'm happy to be here with you today, and I have two great panel members, Tim Sutton and Drake Jamali, and we're going to be talking about security in the cannabis industry. And we're going to be walking through the regulatory frameworks that are in place, the security technology that is used and how that works into application to the cannabis industry, and then diving into some best practices and common challenges and issues that both of our guests have seen in this industry, in their experience. So let's start. We're going to jump right in and we'll have the guests introduce themselves briefly and then we'll jump into the regulatory side of things. So Drake, welcome to the show. I want to tell us a little bit about you. I appreciate it. Thanks, John, happy to be here. And again, my name is Drake Jamali, a manager of government relations with the Security Industry Association, and I kind of focus on our state portfolio and getting our members engaged on state issues and local issues that impact them. And just a few of those issues that we're kind of focusing on in the 2021 legislative cycle, school security, biometrics technology and now cannabis security as well. So happy to be here and have some employees and have a discussion. Awesome, appreciate it. And Tim, why don't you tell us a little bit about yourself? Oh, I am the cannabis practice leader for Guidepost Solutions, a security consulting and technology consulting firm. I work within the cannabis industry in preparing security plans for applications, technology plans, security operations and management plans. And basically anything that any cannabis organization needs in the way of security, we can help them. I've worked all over the country and I look forward to talking about this today. Awesome, appreciate it, Tim. Well, again, thanks for being with us here guys and let's dive right in. So let's start with the regulation. And Tim and I, we've had some conversations on juxtaposing Canada and the US with their regulations because Canada's got one clean federal like black and white and the US is all over the place. It's, you know, 50 different states, 50 different approaches, you know, it's tough. It's challenging and it's confusing. And Drake, you've done some research in here, see has put out some great content. Tell us about the regulations, tell us about the frameworks that are out there and let's hear a little bit about what that is. Sure thing. Yeah, so let's say we put out a cannabis security guidelines document over the summer just to kind of really delve in and then kind of cut through a lot of the red tape that we've seen and some of these cannabis regulatory bills over the past couple of years. And this guideline kind of focuses on, you know the federal laws, the state laws and kind of what are the security requirements within those states that have legalized recreational use of cannabis and the sale of cannabis. And so just briefly on the federal side, just as you mentioned earlier, you know, Canada kind of has a clean cut approach. The US unfortunately kind of has left it up to the states to decide at this point and they kind of decided that over the course of the last decade. So they first had the Rohrbacher Farm Amendment in 2014. This was passed by the US House of Representatives and signs of the law. It's a required annual renewal and it prohibits the DOJ or Department of Justice from interfering in implementation of state medical laws. And then after that, you had a 2018 farm bill which legalized the sale of low THD hemp nationwide and effectively took it off the scheduled hemp derived or CBD oil list. And so from that, you kind of saw this proliferation from other states who were a little worried about being, you know, kind of in the crosshairs of the Department of Justice and so you had Colorado and 2012 that was the first state to legalize recreational use of marijuana. Now today, April, 2021, it's 17 states plus the District of Columbia. You had New York recently, Virginia and New Mexico which just recently legalized recreational use just a week ago. So you're kind of seeing a green wave that's kind of what some people are calling it across the US. Again, like you mentioned, it's a 50 state quilt, you know what kind of patches and we're trying to find a thread. So we've seen that they kind of combine three requirements. So it's on video surveillance, access control and alarm systems. And that's kind of the thread that we've seen a lot of these states creating this patchwork around the US. And we're just trying to help folks who want to get involved in the industry kind of cut through these 100 page bills and just understand how they can get involved. Right, appreciate that. Great overview, Drake. And I recommend anybody who wants to get a crash course and everything that Drake just talked about. If you're a Cia member, you can download it. It's free for members. There's a cost associated with it. If you're not, we go to the website and check it out. It's great information. So Tim, what does that mean for security practitioners? What does that mean for companies, for integrators, for security service providers? Like, you experience with this, you're working in different states all over the place dealing with this. You know, a dispensary or cultivation center in Illinois is not the same as Missouri is not the same as California. You've done it everywhere. Kind of what do you see and how do the regulations either help hinder or encourage from the security side? Well, first, you are absolutely correct that the regulations are completely different in every state. No two states have the same regulations whatsoever. The Cia's guide that they put out is an excellent opportunity to express that and a quick reference to see what it is in the particular state that you're curious about. Trying to keep them straight is the most difficult thing working within multiple states. So I could not tell you today right now if you were to ask me in particular states that I've recently worked in, I might know, but if it were to go to plenty other states, I'd have to look it up myself because I've quit trying to keep up. Not only are they all different as they come on board, but they change. Colorado, for instance, started out very loose. Oklahoma is still nothing, basically. It is extremely light in the requirements, but then again, Colorado started out loose, now they're tightening up. California did the same thing. They started out very loose, now they're tightening up. Some states started out a lot tighter and by that, not necessarily really major changes coming out, but video retention especially is something that three years, a year, 90 days, 30 days, the whole spectrum is there and what is the right number? No one really knows, but when you combine the fact that, or when you take a look at that, you're looking at retail, you're looking at agriculture, you're looking at several different types of markets and types of the verticals that are all wound up into this industry. You gotta draw upon your past experiences and the best practices that you can find within those other industries and try and do the best you can, more so than what is just required by law. Try and do the right thing for security and get it right. You just done something and I didn't think we're gonna go here, but I wanna go there because you brought something that's really phenomenal. The operational makeup of the cannabis industry is unique because like you said, it puts together all of those different, it's almost like supply chain, manufacturing, retail, office front, you're distributing out of a storefront. And so there's not like a one-size-fits-all, even in that value chain of the cannabis industry. And some states do it a little bit differently, where they distribute, and this is a question, Tim, so correct me if I'm wrong, they distribute licensing into those different areas and you may have all of them or you may only get a piece of them. And so does that part of the regulation throw another wrinkle in where it's like, well, I don't have a grower's, I only have sale or dispensary is that, and that seems to be different across the board too. So is that an accurate assumption? Yes, absolutely. Let's take Illinois, for instance, their medical program, when it came out, they had two licenses. They had a cultivation license and they had a dispensary license. The cultivation license allowed an organization to grow, to process, to harvest process, and by processing that is converting it, extracting oil, infusing food, making your gummies and your other edibles. And transportation was also part of the cultivation because they transferred it all to the dispensaries for sale. The dispensary license, all they do is sell. It's kind of like a Walmart or a Walgreens pharmacy. It has to be packaged, labeled and ready to go and that's what happens at the dispensary. When Illinois became recreational recently, they changed that and they separated the transportation license to a separate license. That is interesting and I don't know why. It worked well the way it was and Illinois also requires contract security to be used. So everybody that had proprietary had to make some changes. Again, it is confusing why they make some changes but trying to keep up with them is what you gotta do. That's interesting and you just took one state over a three-year period and walked through some dramatic licensing and regulation changes that had true impacts on how you manage security for that industry, both from a service provider and an end user. All of a sudden there could be companies that do nothing but do transportation for cannabis. Like that's a niche now in Illinois and there's security requirements associated with that. Like that's fascinating. Absolutely, but Illinois complicates things even more with who regulates the industry. The cultivation side is regulated by the Department of Agriculture and then Illinois State Police on top of that. The dispensaries are regulated by the Department of Professional Regulations and Finance or Finance and Regulations, I'm sorry, and the Illinois State Police. So you have different sets of rules too. They're not the same. The dispensaries, the biggest difference would be the video requirement. They both require video to cover every square inch that is allowable by law. So no restrooms, no locker rooms, which makes sense. But the retention, the video retention for cultivation center is 90 days on site and an additional 90 days off site. For dispensaries it's 90 days on site. And cultivation, it is also, it can record at three frames a second on alarm on motion. A dispensary is required to record 24 seven every time even though the dispensary is closed at eight frames per second. It may be seven, I could be confusing that, but regardless it is not three on motion and you can't, and so everybody, and that was a change, that was a stipulation. It came out after the permits were issued and after plans were made, technical drawings or all of your technology was bought and installed and they're ready for their final inspection and they come and inspect and a few permits were issued and then they decided to change it up to, instead of recording on motion, make it a constant record and at eight frames a second or seven, whichever it may be. Don't know where this stuff comes from. Yeah, yeah, it's interesting. We can do a whole hour on just like the regulatory and the disconnect between actual applicable security requirements and why you go one way or the other, why would you record nonstop 24 seven in an unoccupied place and just waste time and money and value for that owner who has to pay for that, storage costs money and that creates its own challenges. So speaking of that, speaking of that topic of the cost of the security technology, let's go there and let's talk about the technology in place. Now, Drake, you mentioned this, most of the regulations, if not all, stipulate three general technology types that have to be contemplated, access control, video, intrusion detection, pretty standard three in our industry. So from your perspective, when you're looking at that and you're doing the research or what you've seen, is it like the application of the technologies and the requirements, is that as inconsistent as some of these other things? Are there generalities that are consistent across the board or what's your view or sense of things as you've looked at this topic and specifically honing in on how the technology is applying? Right, so yeah, what we've seen and kind of just picking up on what Tim was mentioning that in Illinois, they had kind of the cultivation facilities and then they had a dispensary. So a lot of states kind of have free buckets. They have the growers, the manufacturers and the dispensaries. So it's kind of like they're bringing in those three as well as the transit of the products to the manufacturers, to the dispensaries and they're kind of looking at it. So if you're on a grower facility, you're outside, you have to have a fence that's a certain height that has certain cameras that can watch certain corners to make sure the only authorized personnel are there. And you see that in most states, the video surveillance requirements for these type of facilities. Now, getting to the technology, I know that some cameras in some states have to be at least 1280, 720p, whereas I believe in Michigan, it's only 720p resolution. So some states have those kind of mechanisms to have lower quality cameras in certain areas. But as Tim was saying, that they do have to all be functional and constructed and required universally in any areas where marijuana is handled and on the access control front, you have some states that require facilities have two alarm systems just so that in case the power goes out, you have another backup system so that in case someone's trying to get in to avoid loss prevention and to avoid loss of this substance that is highly regulated in a lot of these states. So you're seeing some similar themes, but again, as Tim was mentioning, it is very patchwork-y. And I think it's because it is still a nascent industry. I mean, the first recreational cannabis state was just Colorado in 2012. So it's only been about a decade. So I can see that as the industry keeps growing and as states to start delivering more licenses for these facilities that people can kind of access. And as it grows and demand increases, I think you might see something more similar to regular common security requirements across the board. But again, that's just speculating at the moment because usually these people who are kind of regulating this don't tend to see it on the ground. They kind of have a bird's eye view and they tend to be general in a lot of these regulations. Can I add to that? Yeah, let's go. Not just general, but they take concepts that they've seen like on CSI maybe even, that you need to be able to identify everyone from video. And the cost of that and the style of cameras and the placement would be unbelievably expensive to be able to do some of the things they request. For instance, I had an Illinois State Police Inspector in a cultivation center on a weekly inspection. That you thought you needed to be able to see and read on camera whatever the name badge was that was being worn, the identification card. We have to be able to read that on the video. Ridiculous, I don't know anyone that can do that. The alarms, Drake mentioned the alarms, two systems. Generally the second system would be on the vault, secure storage area, possibly even including the records that need to be kept sometimes offsite with a third alarm system. And all of these systems have to be installed in at least one state. They require all of the systems to be installed by different alarm companies and monitored by different alarm companies. So it's treating it, they're taking a concept from a jewelry store and doing the dual alarm and the dual company, which is highly secure. Yet they're not telling you that the vault needs to be a vault and actually built to DEA regulations for a schedule one vault. They're just allowing you to use secure storage. Video will not tape over things. Like I said, there are so, and D1 on a resolution, I've seen some of these rule people that are involved with getting these rules written. I really, really wonder sometimes where this stuff comes from. I've never sat in on that. So I don't know, I'm sure a lot of it has to do with somebody has to get their thing in there or they're not gonna vote for it or whatever it may be. But some of these rules and regulations are really, they don't make sense for security. And others are just cost prohibitive, really. That's a great point, Tim. And that's gonna drive us into our, and the best practices discussion that I wanna go next. But there is an excellent point is that some of the work I know you've done and you and I have discussed previously, the requirements just, it may keep people out of the industry because or require, I think a lot of just generally, security isn't on the forethought of a lot of folks when they're putting a business together. And so I have to spend money to add something to my operation, which is gonna take away from my revenue. And I have to do it in such a way where I have to pay three different alarm companies. I can't get the magnitude of scale of going with three contracts with one. And how does that make sense? And what other industries do that? You brought up jewelry. And that's an interesting juxtaposition of like high value, easy to kind of steal and move type of product. That's a connection I never made before. So that's really interesting. So Tim will follow up with you on this around, in my opinion, the company should be, whether it's cultivation, whether it's distribution, whether it's a sale front, they should be building security into their operational needs and not just following the requirements. You have personal experience in this. Let's talk a little bit about that, about how you're ticking and tying security technology and application and procedures and protocols to the actual operation needs and not just saying, using the regulations as a checklist and saying, yeah, I'm done. Sure, well, access control, I have never seen a requirement anywhere in Drake. Please let me know if you have that requires access control to be tied and integrated to alarms or video, either one. Why you wouldn't do that and utilize that operationally to reduce the amount of hours of someone looking at entries and reports and this and that. Why you wouldn't utilize a spot monitor with motion or some AI if you are gonna use some analytics of some sort. Why you wouldn't be able to reduce your cost on security? For instance, 169 cameras in a cultivation center. I had six 57-inch monitors on a video wall. How many people do you think are monitoring that system in a cultivation center, the 72,250 square foot? I was the director of security. I had one person in there and they could handle it. They could handle it because we utilize the technology together to operationally manage our security program effectively and efficiently. We didn't need to have three people sitting and trying to watch all these cameras and are all 169 up? No, and why would they be? An inspector wants to see all the cameras up, but they don't have any concept of operation. So trying to manage all that in, yeah, absolutely. It's important and it's something that unfortunately, a vendor and integrator generally doesn't understand how they can make it work for the company to reduce the cost of security personnel if nothing else, as well as to make it more efficient and effective for the company. That's great insight. And I think some parting nuggets of wisdom, if I can kind of synthesize what you're saying there is that you need some partners that know what they're talking about to get with you in the beginning as you're putting this together. And it's not something you're just gonna throw in at the end because it's gonna cost you 10 times as much in total cost of ownership and operating. And it's not gonna be in the DNA of your operation. It's not gonna help you be a better company and be more effective and efficient. No, spot on. So Drake, in addition to that, any thoughts you have best practices you've seen as we're coming to a close here or challenges or issues that you've seen or you've talked to folks that they run into that you wanna touch on? Sure, I think one of the challenges, at least just from researching and reaching out to the other groups about this is the issue of states and having only a small amount of licensing that they actually distribute to cultivation facilities, dispensaries. I mean, just the state of Washington, good example, they don't actually have any more licenses to give out. So you kind of say that there's a backlog of people who wanna get in the industry, but they can't. Also, Vermont's another good state. They only have four licensed operational facilities in the entire state. Now, granted, it's a small place, but if you kind of wanna expand the industry as a whole, you're gonna kind of have to have more licenses to dole out. And I think that's an issue that people are gonna face, especially as more and more states legalize recreational use and distal use and as demand continues to go up as we see it across the nation. Great point, Drake, excellent points. And it's just interesting, right? Cause it's like this infant thing that's growing and exponentially and what's so cool about it from my perspective is just how embedded security is with it and how important it is. There's not many other industries outside of like, high security industries, hence the name of our podcast here. And it's also not lost on SNS420 that security is required to be predispatory in this field. And so you have to embrace it. It's right there in the regulations. It has to be a part of it. It's also federally illegal. So there's this weird juxtaposition between our security industry, which is driven a lot by kind of formal federal employees and militant, like, you know, we got drug tested when I was in the Army so that we made sure we didn't use this stuff now. It's a whole different world 20 years later. So, you know, that whole thing is a whole another topic we could unpack and is interesting, but that's the time we have for today, guys. Drake and Tim, thank you so much for participating in this conversation. We could go on for, you know, I think another hour and dig in all these and maybe another place, another time, another venue. We can expand this conversation and go deeper. But real quick, I wanna highlight the Security Matters episode was brought to you by RISE, which is the Young Professionals and Emerging Leaders Subcommittee within SEA. Go to our website that was just flashed up on the screen. There it is again, the Accelerize Event 2020. It's gonna be a virtual event this year. We just had our call for speakers. You're interested in participating, either as an attendee or as a speaker, take a look, sign up. We'd love to have you there. And we're looking forward to it. So, so Tim and Drake, thanks again, appreciate it. Love to having you on and appreciate your time today. Thank you for having me. Happy 420.