 Hey, welcome back to the Think Tech Studios. This is Security Matters Hawaii. I'm your host, Andrew, the security guy, and I am here today with Mr. Gordon Bruce, and we're going to kick the can on the role of the security consultant in a security project. But first, I'd like to ask my guests, being a short-term security guy, with only 40 years of experience, 50 years of experience, what keeps you up at night, sir, these days? What keeps you up? In this particular space, I would say the lack of understanding that commercial property owners have when it comes to physical security on their premises, like shopping centers, office buildings, even schools. We start looking at the school systems and so on. And the way the industry has evolved and is evolving, and the way the criminal factor within this country has increased to a level like we've never seen in our lives, there's still a lack of really understanding of how important it is now that to secure your properties. And the people that are not only working there, but those that are visiting there as well. The guests on the site. Yeah, interestingly, finally, we're seeing a big push out here in Hawaii from DHS. We had a big meeting there just last month, and it was gratifying to see maybe 200 of Hawaii's security people in the room, finally, with DHS starting to give some education. And there's a level of understanding that's raising, finally. And I agree with you that it's been sort of sorely lacking here. We've sort of been like, let's put more guards that keeps our tourists comfortable, but there's a lot of technology we can use to help those guards respond better, respond quicker. It's been a slow rollout in Hawaii for sure. Yeah, no offense on the guards, but these are not exactly the $75 an hour individuals. The police department in Hawaii, especially, they're understaffed. Yeah, and they're like a half, like a thousand short or something. They're huge short. So it becomes the citizen's responsibility to sort of take this on. Doesn't mean you become a police officer or a guard, because there's technologies out there that can help you augment what you have at your company or your facility or whatever. Yeah, it's kind of like the whole see-saw. If you see something, say, be a part of the solution, right? Don't just turn your eyes and walk away. That's a good point you make. And if you're out there and you see something crazy going on, say something to somebody because you maybe are saving someone else and no one wants to be a victim of crime. So I was thinking that just kind of a little bit about some of your history here in Hawaii. I think you brought some of the very first ATM technology it was ever delivered. And that got me to thinking about security. And you probably had a security component, maybe, if anyone thought about it. But when did security ever come into that realm? Because I'm sure the first one that rolled out, they probably just chained it to the floor. So I don't even know what security thought about. It got bolted to the concrete sidewalk. And you used a plain old telephone line. OK. It was just a pox line. To communicate. The ATM was over the phone. Over the phone line. There was no internet. There was no internet. You used that to connect back to a router that was the size of a two-door refrigerator that ran at 300 bod, which is 30 characters per second, in a data center that was connected to an IBM mainframe. Wow. And IBM mainframes, even to this day, are still one of the most secure hardware platforms out there, if not the most. But security wasn't, per se, first in mind at that time. Now, during that year, when we put up the first ATM, I was actually an employee. And I wrote access control software in assembler for green screen computers, because there was no PCs. So you had to sign on to the network. So that was for Bank of Hawaii. And I wrote that code. And they used it for years. So there was a little bit of access. Was it smart enough to know if the device went missing? No, none of that. And there was no portable devices. These were CRTs that weighed about 20 pounds. The ATM was. No, the terminal sitting on the employee's desk. And it used to go on. You just turn it on. And you'd start getting into whatever you needed to get into the banking part. Well, I wrote a front end that required them to sign on to that machine before they could then get in. It was wide open. Before it was wide open. So on the deployed, the ATM, the ATM still sitting there full of money. So you both. But so the ATM technology was asynchronous. Right. So if somebody took the ATM and ran away with it, the line didn't know it was missing on that. Well, no way the line knew it was missing. But you needed a forklift. And because ATMs back in those days were not. Like I said, they were the size of a refrigerator. I see. And the computer technology inside of them weighed a ton. Wow. No, not a ton. But it weighed a lot. So it wasn't something like the ones you see when you go to the pizza place and they got a portable ATM sitting in the corner. That was not the case. These were pretty heavy duty. The physical security in them was the fact that they were made out of steel. And they were heavy. And they were like 500 or 600 pounds. Wow. OK. So there's an element of security to that anyway. But no cameras, none of that kind of stuff in there. There was no camera in the ATM. So you've been a consumer. You've been an advisor. You've had a lot of these roles in more different security consulting heads. When did you start to see security be part of IT projects or part of property management projects or healthcare projects? I know you had city and county projects. Yeah, city and county projects. And I was when I was at Queens Medical Center again back then. I think the catalyst that really pushed it initially was email. When email started to come out, there wasn't like phishing attacks or anything like that yet. But all of a sudden you realize you were pushing information around. OK. The internet when the internet browser came out, the Netscape browser came out. I still remember people saying, why do I need a browser? Why do we need the internet? Who's going to use this thing? OK. So but then that was really the catalyst to at least the, I'll call it the soft security side. Which is now known as cyber security side. The physical security side hadn't really matured. I'd say until maybe the last 10, 12 years. So it's still a relatively new phenomenon, if you will. And the blending of cyber and the blending of physical is a new phenomenon as well. So fortunately for me, I've been involved from the ground up when these things were all starting. You know, the military, DOD, all of those, they're very secure conscious when it comes to a physical standpoint. Prisons, you know, those kinds of things. Initially everybody just threw guards at it and then they threw cameras at it. OK. And VCRs that didn't work. And they threw more cameras at it and more screens that no one looked at. Right? So and that became the solution. And I hate to say that's still kind of like the mindset right now for physical security people at commercial entities. Oh, we'll just throw some more guards at it and we'll throw some more screens. But no one's watching the screens. Yeah. And you don't, you know, they just don't and there's no way of knowing stuff. What's going on? But the technology enables you to do that. Plus the other piece is now the architects want these to be pleasant and not invasive into the designs of buildings and things like that. So that's another piece that I get brought into is working with the architects and they want to know, well, how can we put this in and not make it invasive into this nice retail space or in this nice commercial location. Make it not threatening to the client when they walk in the door. Which kind of leads to the last piece is that low voltage is just like, low voltage communications is the thing now. OK. How much things are on low voltage now? Yeah. Cameras, access controls, television sets, nurse call systems, HVAC systems. All of those are all on low voltage and it's the Wild Wild West out there. And what I've been able to do is help large projects consolidate all of that low voltage work, monitor it, get it all standardized, get it built in so that it's in a nice clean infrastructure not taped up all over the place and so on and easily easy to manage and secure it. Because as you know, you can hack into those devices. I mean, one of the vulnerable ones is mechanical systems. They're the target. If you look, we're both in infraguard. You look at the papers that are coming up from the FBI and such that targeted mechanical systems that are running wastewater plants, water systems, office buildings, fuel lines, fuel lines, train lines, train lines. They're all the ones that are being hacked now. They're the big targets. Yeah, that's a scary situation. And the physical security of those devices, a piece of it that also does ship with vulnerabilities, right? We've discussed. Yes. So what's your, do you think the end user, like if I were a property owner, a property manager around a mall, around a hospital, do you think the end user is just overwhelmed? The ones when you talk to them today, is there too much guidance? They can go on Google and find out all kinds of stuff. Is it just blow their mind? Or they can walk into Costco and say, wait, I can get a camera system at Costco. And that's consumer grade. And I'll pop that up in my commercial enterprise because it's inexpensive. And then next, I'm getting a call saying, we put this in, and obviously, I didn't recommend it. Can you come and look at this? And I'll come and look at what you have. But I'm not going to fix what you have here. You're running a professional organization. It might be OK in your house. But definitely not something that I would put in my shopping center. Yeah. There's some liabilities if you're a business owner. You're a liability to your business owner and things like that. So I try to get them to understand the four layers of security. You've got CCTV cameras. You've got guards. You'll have that. You're going to have limitations of where you can go, right? Barricades, perimeter type technology. And then you're going to throw in access control. Am I using fobs, badges, or whatever? And the other one that drives me crazy is I'm not a big fob fan. I mean, they're easily lost. They're not easy to control. I'm big on badges with photos on them. Like on a property? On a property. So I can identify that you belong here at a glance. You said it earlier. See something, say something. You see someone, and they're supposed to be wearing their badge. Then as an employee or whatever, you should remind them they need to be wearing their badge. Hospitals. Sure. Look at people walking through hospitals. Look at the stuff that we've done in the industry to prevent babies from being taken away. Baby guards and all that stuff that's happened in there. Yeah, infant abduction. They used to call them infant abduction. I think now they call them infant IPS, infant protection system. Systems, right. Abduction word was just a little bit. Not very good. Right. It's fear-selling thing. We use word Smith. But just all of those kinds of things. And the things that we can do with credentials are just phenomenal now. And I have one client that totally went away from FOBS. And their entire employee base are now on ID, credentialed ID, with access controls to communications closets, data center, FM 200 rooms, fire closets. I mean, because there's people wandering the halls, right? It's a hospital. And they can open a door and go into a, you know, they can go into a broom closet. And then managing all the keys for all of this. And a new play comes in and another employee leaves. Is that a thing, do you get that often where they don't understand the cost of like key replacement, lock replacement, where you see them using hard keys? Even, you know, because we have now electronic lock sets have gotten really expensive from an industry perspective, you know, for some hundreds of dollars, you know, you can avoid that. You have to replace everything because the master key is going to have to re-cylinder everything or whatever. And that's a, I still see some of the campuses and things out here periodically issue RFPs for, you know, complete key replacement. I'm just, I cringe every time. That's our taxpayer dollars going, you know, every, every three years they just got to do that because the master keys are out there floating around. They're floating around. I'll use. So that's an interesting problem. I'll use an example. City and County of Honolulu. When I was there, we converted from keys, from keys to federally compliant credential for all employees. Okay. So if anyone gets on the bus and you see the badge that the bus driver is wearing, it has a color. It's all, that means that badge meets a federal standard or met a federal standard. If you see a city employee or someone with a border water supply or whatever, they're wearing a federally approved credential, the police department. You'll look at the police department's card and it looks very similar to the bus color differences, but you know, there's, there's, they're meeting, they're meeting a federal standard. Well, that eliminated thousands of keys. No. Thousands of keys. And I remember one of the things that we, it was 1,400, I won't name the entity, there was one department had 1,400 unaccounted four keys. I can't even, I can't add them. And once we put in these, this credentialing, people could no longer get into buildings that they were not allowed to get into, yet they had a key for it. Ah. And so that, that came to light. That worked. And then we, then one of my favorites was in one of the buildings was the, the vendor lockers. And I was like, what vendor lockers? Well, you go down by the elevator and there was a bank of maybe 50 lock boxes all along, bolted on the wall for all the vendors. So they would come in to the facility, no badge, no signing in, go down to the elevator basement, they would unlock their lock and get their key to take them to wherever they were allowed to go. Oh my gosh. But what if you were a former employee? Yeah. You think they changed those combinations on those lock boxes? I've tried every 20 years. They just, some of them didn't even know they had lock boxes down there. So that was all uncovered. So, and so I'm always, every time I look and walk into large shopping centers and so on, I'm with elevators and escalators. And I let go, okay, well boy, I wonder where the vendor lock boxes are and what's in there and what you don't know. What you don't know, that's what we're talking about. And we'll be back in a minute with talking about security consulting. Got to pay some bills. We'll be right back. Thank you. Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea is on Think Tech Hawaii. Every other Monday at 11 a.m., please join me where my guests talk about law topics and ideas and music and Hawaii Anna all across the sea from Hawaii and back again. Aloha. Hi, I'm Pete McGinnis-Mark and every Monday at one o'clock, I'm the host of Think Tech Hawaii's Research in Munna. And at that program, we bring to you a whole range of new scientific results from the university, ranging from everything from exploring the solar system to looking at the earth from space, going underwater, talking about earthquakes and volcanoes, and other things which have a direct relevance not only to Hawaii, but also to our economy. So please try and join me one o'clock on a Monday afternoon to Think Tech Hawaii's Research in Munna and see you then. Hey, welcome back to Security Matters. I'm here with Gordon Bruce and we are kicking the can on security consulting today. We were talking about you had a bunch of vendor lockers with mechanical locks you found in the city, no tracking on those mechanical systems, no accountability. You know, your point was old employees would still know the combination could come in, roam around the place. Who knew really what was going on? The answer is no one. No one. No one. And with access control, you're able to- And we changed all of that. So people go to City Hall now, if they walk down there, they'll notice that they have to go through the guards. They have to show their ID. They, you know, it does a number of things. One, it ensures people know who's coming in and out of the building. If something was to happen in the building and they needed to get people out, they would know that you were there visiting. So you're accountable for that. The employees have to have their ID and know that they've been badged in. Again, for that same situation, so that if a threat happens of some kind, the employees protect it. It's not the track that was to make sure the employees protect it and that the visitors are protected. So City's done a good job when it comes to that aspect of securing their various campuses and such. When it was with standard credentialing and such elimination of keys, you know, and all of those kinds of things. So I like seeing that kind of thing happen a lot. Yeah, it's good that it's, you know, I remember when some of those projects started, it's been quite a while and we started with like wastewater treatment. So it was a big concern from a terrorist perspective, especially in Hawaii. We had to somewhere to attack our wastewater treatment facilities and kind of shut the city down if you can't use the toilets, right? I mean, that becomes a big problem very quickly. We have how many tourists here at any given time? Yeah, you have a million tourists. Yeah, so you can imagine if the sewers quit working, I had to be a problem. And that was that was the one good thing and not many good things came out. One good thing about when we had that sewer line break at Waikiki, 40 million gallons of raw sewage gets dumped into the ocean. The question was, do we let it flow or do we block it and let it back up into the hotels? Right? Whoa. So that became what was the issue. It's like you can stop it right here, but that means every toilet gets flushed, everything that happens in the hotels are all eventually going to back up into the hotels themselves. So the decision had to be made to let it go. But that brought to light the issue. What if they said someone was able to shut down your wastewater treatment facility? Yeah. People couldn't flush their toilets. Yeah. So that helped and Hanuman was visionary enough. He said, we can't let this happen. We need to make sure that we've got the right security things in place. And it helped escalate it to get to be a priority. And we got federal money for it. In that instance, you were actually a customer. So you used a consultant. You went out and got a big consultant. Exactly. One of the big boys brought into town. Brought into town and got hired as a consultant to help us review all the different opportunities. They didn't sell a particular product as I don't represent any vendor line. I don't sell a particular product. I know what I like, but every client's different. And each, I give each one when I do the studies for them. I try to give them three options to look at and then they can kick the tires on it and see which one fits best for their environment and how they want to operate their protocols. And then through that, they negotiate the deals and so on. But I don't take any commission checks of that. I mean, I represent the client. Yeah, exactly. And that's an important point that people should understand when, if you don't know what to do when you get a consultant, he's going to be there on your behalf. That's super important. A lot of times they will call us and want us to give them advice. Well, I'm going to give you the advice that works for our company, not necessarily what works best for you. And so it's best if we don't have a trust relationship with someone already, that they get a third party to help audit that or at least give them that input. I mean, we represent most of the stuff that's really good out there. We've got 20 years of experience, but I always advise people to get extra quotes. Talk to our competitors, things like that. And there's different models. Different competitors have different, you have ways that you do it in a certain way. There are other providers out there that their model is a little bit different. And again, you go back to the client, they might like the operational model of this particular provider of physical security systems. And again, that's the client. Just represent the client. I just make sure that they get the right product. It gets installed properly. They get properly trained. And the services are in place to keep this thing up and running, as opposed to the old days when people were just selling this stuff out of the back of their truck. Yeah, and they drop it in, and it takes care of it. And they've gone. That would be it. You'd never see them again. This becomes almost IT-like. It becomes an ongoing relationship. You have to work with the IT departments. I mean, I have interesting discussions with the IT departments. You know, they call them affectionately bandwidth Nazis, because they're not putting cameras on my network. And I go, I totally agree. And they go, oh. OK. Then so let's us come up with a way of doing this, so that it's not on your network. Or if it is, it's segmented and secured on your network. And not filling your bandwidth up with stuff that's now making your system. Video traffic. Video traffic. Especially in the world of megapixel cameras. Yeah, megapixel cameras. So it's sitting and working with this. Typically, you don't see the IT departments that involved. Yeah, it's been difficult. For sure. More and more today, we do get that interaction. We, as an organization, ask for that interaction. But oftentimes, facilities in IT, when we ask them to get together, it's the first time they ever done a project together. It's because we're saying, look, you've got to have IT here. This is an IT system, right? Well, because these systems are running on the cloud. They're running on servers, depending on the flavor of what you want. Workstations that you want. Do you want it on your network or not on your network? How is that network being secured? You've got to stay on that piece as well. So you've got to bring IT in. And in some cases, one of the models I'm liking now is managed service physical IT. And what that means is the IT department happily says, wait, I don't have to touch any of this. It's on its own network. And someone else is going to manage those router switches and everything else. Yes. And we're not going to touch your banking system network or your health care system network. This is all going to run over here. So the cameras are here. The access controls, HVAC is all over here. All of those things are all segmented, physically segmented from your network. Now, when you're doing new facilities and new campuses, it's a lot of the issues you do. Renovations, not too bad. If it's existing old school stuff, then it requires some thinking. And you have to spend a little bit of money. Or IT's got to let you get on that pipe and they're not necessarily going to be all that happy and supportive. Is how often now do you, is a lot of your IT experience brought to the fold when you're talking about physical security? Is that a piece that you bring that the typically the end users just don't have that they don't understand the IT requirements of our systems? Yeah, fortunately for me, typically most of the physical security consultants out there have not come from within the IT world. Mm-hmm. Yeah, they're physical. And then they're learning the IT. You know, I grew up in the IT world and then got married into this over 15 years and now I've been doing the physical side. But, you know, coming in, coming in and get married into this side. So I always say, okay, I need to meet with their IT department. You know, why? I need to talk with the IT department to see what their standards are. Yeah. Make them aware of what we're going to be doing and whether we are or are not going to be on their particular network or are we going to do something different? Because, you know, many cases there's already a physical network in there that's not on IT's network. Sure. And we can modify that so that it works that way. But if I like to buy routers and switches that meet the standard of the IT department, even if the IT department doesn't support it. Manage it, sure. Or manage it, at least they've said, okay, we like to use XYZ, these configurations, and we go, I go, okay, then rest assured that that's what we're going to spec. No matter who the vendor is, that will be the spec for what goes in that particular. Yeah, it gives them some comfort when they know if they end up having to inherit it. Because IT sometimes gets given stuff that, you know, like all of a sudden, like, oh, well, you have to help us with this. So they like to know that they would understand. I'm familiar with that idea as well. Is the, how much has the cloud impacted the consulting that you're doing? You know, we've moved a lot of systems into the cloud today, and we have a good percentage of our clients are now doing cloud-based systems. So how's that been for you? Yeah, I'm looking at right now that the clients that I've been advising are about 50-50 right now. Wow, okay, good. So not all the manufacturers are up on the cloud yet. Some are, you know, scheduled to be on the cloud, you know, first quarter of next year and those kinds of things. So they've still got the physical servers in the locations, which some clients want. Some still want to have that physical device. Server huggers. They still want to have it. Again, you go back to, like, what's the client want? But I'm seeing a lot more going under the cloud. It certainly makes it a lot easier from a monitoring standpoint. I have one client that they don't want any of the guards in the security office. They want them roving. Sure, on the move. And they're going to walk around with mobile device. And on that device are all the cameras. Not only are the cameras for that particular area that they're roving in, they can get access to the cameras on another island. Awesome. So now all of a sudden the guard company is more productive. Mm-hmm. Right? They get alerts. Boom. I could be on one side of the campus and boom. I see something here. Not, you know, I'm not, I mean, I have 20 guys driving around in their golf carts, taking a smoke break and whatever. I've got people getting alerts, things that are happening. There's a whole bunch of new things coming up with analytics. I'm looking, getting excited for it. The cloud is really helping to make the guards more effective and more efficient. The client more comfortable that, you know, they've got the right things in place. They know when cameras are down. Remember the common complaint? Mm-hmm. My camera's been down for a month. I didn't know it. Sure. Right? Yeah. Oh, wait, you've got guys sitting there monitoring me, right? They never changed. But now you've got cameras that give an alert. So you know that they're not, the camera's not happy. Yeah. And so you can get in it quickly. You've got companies like yourself can be alerted to know that the camera's having problems. You can get it or fix it before the client even knows it. Yeah. So that's the next piece that's happening. It's good stuff. Awesome. So be proactive. Go out there. Get a security consultant if you don't know what you're doing and you need help with your project because security matters. Thanks a lot for tuning in. We'll see you next week. Aloha.