Industry sign banking hawaii contract secure
think take away civil engagement lives here hey welcome back to the think tech studios this is security matters Hawaii I'm your host Andrew the security guy and I am here today with mr. Gordon Bruce and we're gonna kick the can on the role of the security consultant in a security project but first I like to ask my guests being a short term security gasps North only 40 years of experiencee 50 years of experience what what keeps you up at night sir these days um what keeps me up in this particular in this particular space I would say the lack of understanding that commercial property owners have when it comes to physical security on their premises like shopping centers office buildings even schools we start looking at the school systems and so on and the way the industry it has evolved in is evolving and the way that the criminal factor within this country has increased to a level like we've never seen in our lives there's still a lack of really understanding of how important it is now that to secure properties yeah and and the people that are not only working there but those that are visiting there as well the guests on the other side yeah there's uh interesting we finally we're seeing a big push out here in Hawaii from DHS and there we had a you know a big meeting there just a last month and it was it was gratifying to see maybe 200 of Hawaii's security people in the room finally with DHS starting to give some education and there's there's a level of understanding that's raising finally and I agree with you that it's been sort of sorely lacking here we've sort of been like let's put more guards exacting keeps our tourists comfortable but there's a lot of technology we can use to help those guards you know respond better respond quicker and it's been a slow roll out in Hawaii for sure yeah you know no no offense on the guards but these are not exactly the $75 an hour individuals there you know the police department in Hawaii especially they're understaffed yeah and you're like a ham like a thousand their shoes short so it becomes the citizens responsibility to sort of take this this on doesn't mean you become a police officer or a guard because there's technologies out there that can help you augmented your company or your facility or whatever yeah it's kind of like the whole seesaw if you see something say be be a part of the solution right they'll just turn your eyes and walk away that's a that's a good point you make good you know if you're if you're out there and you see something crazy going on you know say something to somebody because you may be saving someone else and you know no one wants to be a victim of crime yeah so I was thinking that just got a little bit about some of your history here in Hawaii I think you brought some of the very first ATM technology it was ever delivered that got me to thinking about security right you you probably had a security component maybe if anyone thought about it but when did you see Swindon's security ever come into that realm because I'm sure the first one that rolled out they probably just chained it to the floor so I'm not even physically thought about that got bolted to the concrete sidewalk and you use a plain old telephone line okay it was just a pot line to communicate to community came was that was a got a funk over the phone line there was no internet there was no internet you used that to connect back to a router that was the size of a two wind to door refrigerator that ran at 300 baud which is 30 characters per second in a data center that was connected to an IBM mainframe Wow and and IBM mainframes even to this day are still one of the most secure hardware platforms out there if not the most but security wasn't per se first in mind at that time now during that year when we put up the first ATM I was actually with an employee and I wrote access control software in assembler for green screen computers okay because there was no PCs so you had to sign on to the network so so and that was the food bank of Hawaii and I wrote that code and that was they used it for years no there was a little bit of accent was it smart enough to know if the device went missing no none of that and there was no portable devices these were CRTs but wait about 20 pounds ATM was no the top of the terminal sitting on your shirt sitting on the on the employees desk right and so and used to go and you just turn it on and you'd start getting into whatever you needed to get into the banking part okay well I wrote a front front end that required them to sign on to that machine before they could then get in wide open before it was wide also but on the deployed the 18th of 8 Jim still sitting there full of money so you thought but so the ATM technology was asynchronous right so it it was but if the somebody took the ATM and ran away with it the lion didn't know it was missing on it but no way the line knew it was missing but you needed a forklift and because ATMs back in those days were not like I said there was a size of a refrigerator in and the computer technology inside of them weighed a ton Wow you know not a ton but we weighed a lot so wasn't something like the ones you see when you go to the pizza place and they got a portable ATM sitting in the corner that was not the case these were these were pretty heavy-duty the physical security in them was the fact that they were made out of Steel and they were like five or six hundred pounds Wow okay so and so there's a there's an element of security to it anyway but no cameras none of that kind of snow there was no camera in that in the in the ATM so so you've been a consumer you've been an adviser you don't had a lot of these roles and more different security consulting heads when did you when did you start to see security be part of like IT projects or part of property management projects or healthcare projects no you know Eddy County project city and county projects and I was when I was at Queen's Medical Center getting back then I think that the catalyst that really pushed it initially was email when email started to come out there was it wasn't there wasn't like phishing attacks or anything like that yet but used all of a sudden you realize you were pushing information around okay the when you know the internet browser came out the Netscape Browser came out I guess never remembers people saying why do I need a browser why do we need the Internet who's gonna use this thing okay so but then that was that was really the the catalyst of at least the the I'll call it the soft security side or the cyber sea which is now known to cyber security second the physical Syria side hadn't really matured I'd say until it maybe the last 10 12 years so it's still a relatively new phenomenon if you will yeah and the blending of cyber and the blending of physical is a new phenomena as well so fortunately for me I've been involved from the ground up when these things were all starting you know the military DoD all of those they're very secure conscious when it comes with physicals sampling prisms you know those kinds of things initially if everybody just threw guards at it and then they threw cameras at it okay and VCRs yeah that didn't work yeah and they threw more cameras at it and more screens that no one looked at right so and that became that became the solution and I hate to say this so kind of like the mindset right now for Hawaii for physical security people at commercial entities oh well just throw some more guards at it and we'll throw some more screens but no one's watching the screen yeah and you don't and you know they just don't and there's no way of knowing stuff what's going on but the technology enables you do that plus the other pieces now the architects want these to be pleasant yeah and not invasive into the into the designs of buildings and things like that so that's another piece that gets that I get brought into is OK with working with the architects and they want to know well how can we put this in and make it invasive into this nice retail space or in this nice commercial location make it not threatening to the client when they walk in the door which kind of leads to a lap my last piece is that low voltage is just like low low voltage communications is is the thing now okay look how much things are on low voltage now cameras access controls television sets nurse call systems HVAC systems all of those are all all on low voltage E and and it's the wild wild west out there and what's and what I've been able to been able to do is help large projects consolidate all of that low voltage work monitor it get it all standardized get it and built in so that it's in a nice clean infrastructure not taped up all over the place and so on and easily them easy to manage and secure because as you know you can hack into those advice devices I mean and one of the vulnerable ones is mechanical systems mmm yeah so the target if you look we're both in InfraGard you'll get the papers that are coming up from the FBI and such so that targeted mechanical systems that are running wastewater plants water systems office buildings you'll fuel lines your line train lines straight lines they're all the lines of supply that are being hacked now they're the big targets yeah it's it's a that's a scary situation and the physical security of those devices a piece of it that also you know cut does ship with vulnerabilities right though you know we've discussed yes so what's your is this so you think the end user like if I were a property owner a property manager around a mall run a hospital do you think the end user is just overwhelmed you know the ones when you talk to them do they is is there too much guidance you know they can go on google and find out all kind of stuff is it just blow them away or they can walk into Costco and say wait I can get a camera system at Costco and and that's consumer grade and I'll pop that up in my commercial enterprise because it's inexpensive and then makes you know I'm getting a call saying you know we put this in and I know obviously I didn't recommend it can you come and look at this and I'll come and look at what you have but I'm not going to fix fix what you have here you're running a professional organization it might be OK in your house but definitely not something that I would put in my shopping center yeah there's some liabilities if you're a business owner you're live building your business owner and things like that so so it's it's I tried to get them to understand that I've got four layers of security like you've got you've got CCTV cameras you've got guards okay you'll have that you have limitations of where you can go okay right barricade and then and then you're going to throw in access control okay am I using fobs badges whatever male one that drives me crazy is the five I'm not a big fog fan okay I mean this is the they're easily lost they're not easy to control I'm being on badges okay with photos on them like on a property the under property so you know we all can identify that you you belong here at a glance you said it earlier you see something say something you see someone and you then just they're supposed to be wearing their badge mm-hm then you know as a as an employee or whatever you should remind them they need to be wearing their bad like the hospitals sure people walk you through hospitals mm-hmm you know look at the stuff that we've done in the industry to prevent babies from being taken away yeah baby guards and all that stuff that's happened in that yeah in abduch cities these come infant abduction I think another common infant IPs infant protection systems right abduction word was just so not very good right so Revere selling weeding wordsmith it but just all of all of those kinds of things and the things that we can do with credentials are just phenomenal now and I have one client that you know totally went away from fobs and their entire employee base are now on our own ID credentialed ID with access controls to communications closets data center FM 200 rooms and fire closets I mean because it there's people wandering the halls right it's a hospital yeah and they can open a door and go into it you know they could go into the broom closet and they imagine managing all the keys for all of this mm-hmm and a new play comes in and another employee leaves is that a is that a thing do you get that often where they don't understand the cost of like key replacement Lock replacement and whether what you see them using hard keys even you know cuz actor we knew we have now electronic lock sets have gotten really elicited from an industry perspective you know for some hundreds of dollars you know you can avoid that you have to replace everything because the master keys got to re cylinder everything or we're and that's a I still see some of the campuses and things out here periodically issue RFPs for you know complete key replace and I'm just a cringe every time because our taxpayer dollars going but you know every every three years they just got to do that because the master keys are out there floating rile you so that's an interesting problem use an example City & County of Honolulu when I was there we converted from a keys from keys to federally compliant credential for all employees okay so if anyone gets on the bus and you see the badge that the bus driver is wearing it has a color it's all that meets a fit that badge meets a federal standard okay her met a federal standard you see a city employee or someone with the Board of Water Supply or whatever their wearing a federally approved credential at the police department you'll look at the police departments bat card and it looks very similar to the bus color differences but you know there's there's their meaning they're meeting a federal standard well that eliminated thousands of keys now thousands of keys and I remember one of the things that we it was 1,400 I won't name the entity that was one department had 1,400 unaccounted for keys I came so what and once we put in these this credentialing people could no longer get into buildings that they were not allowed to get into yet they had a key for it ah and so that that came to light that worked and then we then one of my favorites was in one of the buildings was the the vendor lockers I know it was like what vendor lockers but you go down by the elevator and there was a bank of maybe 50 lakh boxes all along bolted on the wall went for all the vendors so they would come into the facility no vaginal signing in go down to the elevator basement they would unlock their lock and get their key to take them to wherever they were allowed to go oh my god but what if you were in a former employee yeah you think they changed those combinations on those lock box right over 20 years they did some of them didn't even know they had lock boxes down the house so that was all uncovered so and so I'm always every time I look in walking to large shopping centers and so on I with elevators and escalators and I'd like a go okay boy I wonder where the vendor lock boxes are and what's in there and what you don't know what you don't know that's what we're talking about and we'll be back in a minute with talking about security consulting gotta pay some bills we'll be right back thank you Aloha my name is mark glove I am the host of think tech Hawaii's law across the sea walk across the sea is on think Tech Hawaii every other Monday at 11 a.m. please join me where my guests talk about law topics and ideas and music and Hawaiiana all across the sea from Hawaii and back again Aloha hi I'm Pete McGinnis mark and every Monday at one o'clock I'm the host of think tech whose research in munnar and at that program we bring to you a whole range of new scientific results from the University ranging from everything from exploring the solar system to looking at the Earth from space going underwater talking about earthquakes and volcanoes and other things which have a direct relevance not only to Hawaii but also to our economy so please try and join me one o'clock on a Monday afternoon for think tech Hawaii research in Manoa and see you then hey welcome back to security matters I'm here with Gordon Bruce and we are kicking the can on security consulting today we were talking about we had
bunch of vendor lockers with mechanical lock she found in the city no tracking on those mechanical systems no accountability you know your point was Ella employees would still know the combination could come in roam around the place who knew really what was going on the answer's no one no one no one with access control you're able to and we changed all of that so people go to City Hall now if they walk down there they'll notice that they have to go through the guards they have to show their ID they you know they're and it does a number of things one it it ensures people know who's coming in and out of the building if something was to happen in the building and they needed to get people out they would know that you were there visiting and so you're accountable for that the employees have to be have to have their ID and know that they've been badged in again for that same situation so the you know if a threat happens of some kind the employees protected you know it's not the track that was to make sure the employees protected and the visitors are protected so city's done a good job when it comes to that aspect of securing their their various campuses sure and such when it was it with standard credentialing and such elimination of keys you know when all those kinds of things so like I like seeing that kind of thing happen a lot yeah it's good that it's it you know I remember when some of those projects started it's been quite a lot and we start with like wastewater treatment so it was a big concern from a terrorist perspective especially in Hawaii if we had a similar to attack our wastewater treatment facilities and kind of shut the city down if you can't use the toilets right I mean that becomes a big problem very quickly we have how many tourists here at any given time yeah yeah so you can imagine if the sewers quit working I'd be a problem and that was that was the one good thing is not many good things came out of one good thing about when we had that sewage the sewer line break and Waikiki forty million gallons of raw sewage gets dumped into the ocean the question was do we let it flow or do we block it and let it back up into the hotels oh right whoa so that became what was the issue it's like you can stop it right here but that means every toilet gets flushed everything that happens in the hotels are all eventually going to back up into the hotels themselves so the decision had to be made to let it go but that brought to light the issue what if they said someone was able to shut down your wastewater treatment facility yeah people couldn't flush their toilets so that that helped you know and Hanuman was visionary enough he said we can't let this happen we need to make sure that we've got the right security things in place and it helped escalate it to get to be a priority and we got federal money for it in that instance you were actually you were a customer so you used a consulting you went out and got it like an a big consultant exactly the big boy brought it into town you brought it into town and got I heard them as a consultant to help us review all the different opportunities they didn't sell a particular product yeah as I don't I don't I don't represent any vendor line I don't sell a particular product I know what I like but I but every client is different sure and each each I give each one when I when I do the studies for them I try to give them three options to look at and then and they can and they can kick the tires on it and see which one fits best for their environment and how they and how they want to operate their protocols and then with them through that then negotiate the deals and so on but I don't take any Commission checks or of that I mean I represent the client yeah exactly and that is that's an important point that people should understand when if you don't know what to do when you get a consultant he's gonna be on there on your behalf that's super important a lot of times they will call us and want us to like give them advice well you know I'm gonna give you the advice that works for our companies not necessarily your what works best for you and so it's best you know if if we don't have a trust relationship with someone already that they get a third party to help audit that or or at least give them that input you know I mean you know we represent most of the stuff that's really good out there we've got 20 years of experience but I always advise people to get extra quotes you know talk to our competitors you do things like that and there's different models you know different competitors have different you know you have ways that you do it in a certain way there are other other providers out there that they their models a little bit different yeah and again you go back to the client they might like that they might like the operational model of this particular provider of physical security sister and I'm again that's the client just represent the client I just make sure that they get the right product it gets installed properly they get properly trained and the services are in place to keep to keep this thing up and running as opposed to the old days where people were just selling this stuff out of the back of their truck yeah and they drop it and then you're gone that would to be it you'd never see them again this is this becomes almost IT like it becomes an ongoing relationship you have to work with the IT departments I mean I have interesting discussions with the IT departments you know they call them call them affectionately bandwidth Nazis yeah because they're not putting cameras on miking Network and I'm gonna agree oh okay then so lets us come up with a way of doing this so that it's not on your network or if it's it is it's segmented and secured on your network yeah and not not filling your your bent your bed with up with stuff that's now making your system no traffic video traffic megapixel protective cameras so you know I've got so that it's sitting and working with this typically you don't see the IT departments that involved yeah it's been difficult for sure it more and more today we do get that interaction we you know I don't really ask for that interaction you know but oftentimes facilities and IT when we ask them to get together it's the first time they ever done a project together yeah it's because we're we're saying that you've got to have ID here you know this is an IT system right and well who's gonna make you know I see because you know these systems are running on you know they're running on the cloud they're running on servers you know depending on the flavor of what you want sure workstations that you want do you want it on your network or not on your network how is that network being secured we got to stay on that that piece as well so you've got to bring IT in and in some cases of a button one of the models I'm liking now is managed service physical IT and what that means is the IT department happily says wait I don't have to touch any of this it's on its own network and you're and someone else is gonna manage those routers switches and everything else and yes and we're not going to touch your banking system network or your healthcare system network this is all gonna run over here so the cameras are here the access controls HVAC is all over here mm-hmm all of those things are all segmented physically segmented from your network now when you're doing new facilities and new campuses it's a lot easier to do renovations not too bad if it's existing old school stuff and then it requires some thinking and you spend limit of money more I t's got to let you get on that pipe and that they're not necessarily gonna be all that happy and supportive is um how how often now do you is is a lot of your IT experience brought to the fold when you're talking about physical security is that a piece that you bring that the typically the end users just don't have it they don't understand the IT requirements of our systems yeah fortunately for me typically most of the physical security consultants out there have not come from within by tea world mhm yeah right physical and then they're learning the ITU I grew up in the IT world and then got married into this over 15 years and now I've been doing the physical side but you know coming in and coming in and get married into this side so I always say okay I need to meet with our IT department you know why I need to talk with the IT department to see what their standards are make them aware what we're going to be doing and whether we are not going to be on their particular network or are we going to do something different because you know many cases there's already a physical network in there that's not on I t's Network sure and we can we can modify that so that it works that way but if I like to buy routers and switches that meet the standard of the IT department even if the IT department doesn't support it manage it or manage it at least they've said okay we like to use X Y Z these configurations and we go I go okay then then rest assured that that's what we're going to spec no matter who the vendor is that will be the spec for what goes in that particular gives them some comfort when they know it they know if they end up having to inherit it was IT sometimes gets given stuff that you know like all of a sudden like oh well you have to help us with this so they'd like to know that they they would understand them I'm familiar with that idea as well is the how much how much does the cloud impacted the the consulting that you're doing you know we've moved a lot of systems into the cloud today and we have a good percentage of our clients are now doing cloud-based systems so how's that been for you yeah I'm looking at right now that the clients that I've been advising are about 50/50 right now good so not all not all the manufacturers are up on the cloud yet some are you know scheduled to be on the cloud you know first quarter of next year and those kinds of things so they still got the physical servers and you know in the locations which some clients want some still want to have that physical device they still want to have it again you go back to like what's what does what's the client want yeah but I'm seeing a lot more going under the cloud it certainly makes a lot easier from a monitoring standpoint I have one client that they don't want any of the guards in the security office they want them roving share on the move and they're they're gonna walk around with a mobile device and on that device are the cameras not only are the cameras for that particular area that they're roving in they can get access to the cameras on another Island awesome so now all of a sudden the the guard company is more productive right they get alerts boom I could be on one side of the campus and boom I see something here not you know I'm not I'm you have 20 guys driving around in their golf carts taking a break and whatever I've got people getting alerts things that are happening there's a whole bunch of new things coming out with analytics oh yeah I'm looking at getting excited for so the cloud is really helping to make the guards more effective and more efficient the client more comfortable that you know they've got the right things in place they know when cameras are down remember the common complaint my camera's been down for a month I didn't know it sure right yeah oh wait you've got guys sitting there money they never changed but now you've got cameras that give an alert say you know that you know that they're not there the camera it's not happy yeah and so you can get in it quickly yeah you've got companies like yourself can be alerted to know that the cameras having problems you can get it or fix it before the client even knows it yeah so that's the next piece that's happening it's good stuff awesome so be proactive go out there get a security consultant if you don't know what you're doing and you need help with your project because security matters thanks a lot for tuning in we'll see you next week Aloha [Music]