Simon Cook [00:00:00]:
they don’t realize necessarily that it is a potential springboard into a bigger attack, right? That is a network device. If it’s not updated, if it’s not secured, if it’s not protected, it’s potential for a nefarious actor to get into the network and do more damage. That is the problem that we face. I don’t care, it’s a camera. It is what it is. Well, yes, it is a camera. Yes, it sees an office space. No, no one really cares, but it’s actually an attack springboard for someone to utilize.
Karissa Breen [00:00:32]:
Joining me now is Simon Cook, Director of New Offerings at Genetec, and today we’re discussing navigating GDPR on IRAP and global standards in physical and cybersecurity. So Simon, thanks for joining me and welcome.
Simon Cook [00:00:59]:
Thanks for having me, Karissa. Great to be here.
Karissa Breen [00:01:01]:
Okay. So one thing I’m really interested to know from yourself, Simon, and it’s something that I’m hearing a lot about actually in the market from a media perspective in my interviews is really the intersection between physical security, cybersecurity, technology, et cetera. And what I’m really curious to hear from your viewpoint is what do you believe has fundamentally changed even in the last like 3 to 5 years that’s really forced vendors like yourself at Genetec to rethink how it’s all being done?
Simon Cook [00:01:33]:
Yeah, so I think the easy answer really to that is everything has changed, right? In the last 3, 5 years. I mean, ultimately with the post-pandemic world, you know, the remote world that we work in now, systems are opened up. There’s far more devices on the networks, you know, the attack surface for cybercrime has just got so much bigger. I mean, if we look at the amount of devices, if we think back to 2020, there was maybe 10 billion devices connected to the internet. If we look today, we’re about 18 to 21 billion. And a lot of those devices are physical security devices. So cameras, you know, door controllers, et cetera, et cetera, IoT boxes. And these are all, you know, connected.
Simon Cook [00:02:11]:
There’s huge benefits, but ultimately, you know, all of that connectivity in this new remote world that we work in, you know, brings a lot of huge risks. Then we add to that great tools like generative AI. We can use these for so many things, right? We can rewrite our code, we can rewrite our presentations, but also, you know, the attackers are using this to rewrite their hacks. So ultimately, you know, the attacks are getting smarter and faster. Two key things that have changed. Then we look at obviously with that growth of cybercrime, you know, you have cyber insurance premiums going up. So they’ve doubled or even tripled in the last couple of years alone. So ultimately, from a corporate perspective, cybersecurity, physical security were two separate camps.
Simon Cook [00:02:51]:
They were then pulled together. And cybersecurity really now actually is a business risk. It’s not just a problem that’s left to the IT team to handle. It’s actually a business risk because the business have to pay these huge premiums for cyber insurance. And then we get onto things like GDPR becoming more mature. We have the, you know, the assessments and the frameworks like IRAP and, you know, things like that. So they become far more common for us as vendors to have to navigate and understand how they work, how we work around them, how we get certified, or, you know, how we actually work within the confines of GDPR, for example. And ultimately, a lot of this means that from an end-user perspective, they go to zero trust, right? And that’s really the way that we want to look at everything is that zero trust approach.
Simon Cook [00:03:37]:
But for manufacturers like Genetec, we have to think about how do we manufacture something that supports the customer in that zero trust journey, keeping them GDPR compliant, conforming to IRAP and things like that. So the question, what’s changed? Everything. The game has changed, the rules have changed, the laws have changed. And really, security, it’s not just a trust, don’t trust, it’s a whole architecture approach for a manufacturer. It’s now not just an afterthought, right? Used to be the case, well, as I say, IT cybersecurity, they can worry about that. Physical and cybersecurity have collided. Where I used to talk, I mean, I’ve been in this industry over 20 years, where I used to talk to security managers about cameras recording this and this and retention and frame rate and resolution, I’m now talking about compliance. I’m talking about data ownership.
Simon Cook [00:04:25]:
I’m talking about sovereignty. It’s a different conversation now. And ultimately that trust isn’t a grant-once decision now. It’s a constant discussion, a constant negotiation, and a constant design principle for us as a manufacturer.
Karissa Breen [00:04:38]:
Okay, this is interesting. So what I want to know more about is the convergence between the two. So like physical and then cyber. So even when I was in my cybersecurity days on the client side, we had a whole physical security team, didn’t sit on our floor, you barely spoke to them. In terms of skill set though and knowledge, when people think— and I’m just going to say it to make it easy— people are going to think like physical security, some security bouncer dude at the front of some pub somewhere, right? That’s like the physical area of it. And then cyber is like some technical dude, like, with his laptop. So how do these two worlds collide? Because again, there is probably an element of a little bit territorial around, like, I’m the physical security person and I’m the cyber person. How do they start to work together? Because one without the other does lead to other issues.
Karissa Breen [00:05:29]:
So a lot of things can start from a physical problem that lead into cyber, vice versa.
Simon Cook [00:05:35]:
Yeah, absolutely. I mean, and this is something, again, for the time that I’ve seen in this industry, there have been sort of two disparate camps, right? You have your, and in this case, you know, obviously the cyber team and you have your security team and never the twain shall meet. They stay separate. They have their own budgets. They have their own approaches. They have their own, you know, mindsets and everything like that. But again, as technology has evolved, you know, we had IP cameras 25 years ago, something like this, right? For the IT guy, they got it. It was just an endpoint, a network endpoint.
Simon Cook [00:06:02]:
For the security guy, everything changed. You know, that transmission of that signal from the camera back to its recording mechanism changed. So they have started to cross, but more so these days, you know, an IP camera is effectively a computer, so it’s susceptible to hacks, to attacks. And security operators and security managers and, you know, directors and that, they know that and they do want to work more. But again, it’s those two worlds, it’s those two backgrounds, those two mindsets. And there is still that concern that, you know, IT are going to come in and take over. And I think that is part of the challenge that we deal with as well, is how do we actually balance those conversations? How do you talk about cyber threats to someone that hasn’t had that cyber background? And how do you talk about physical security? You know, and, you know, the analogy used as the banks of the doorman is right. You know, that’s the perception of you’re not getting into my building, and if you are, we’re watching you, to actually the value of what physical security can actually bring.
Simon Cook [00:06:57]:
So, yeah, I mean, I spend a lot of my time talking and bridging that gap. And, you know, we want to, from a Genetec perspective, become that kind of trusted advisor in those conversations, you know, like mediate between those two teams, if you like, and have the ability to sort of converse and convey the messages that are relevant to both parties at the table.
Karissa Breen [00:07:16]:
Okay, so I wanna go down this rabbit hole a little bit more because I do think it’s something that in the market, I don’t know if people are fully addressing it. So I’m curious to sort of, you follow my talk track, ’cause I know you’ve got like an engineering background, right? So you understand the mechanics of how these things work. What do you think, Simon, people just don’t get about the convergence between these worlds? Because like physical security— and when I did a, like, bit of a stint working in a shopping mall, I worked with the physical security guys, and I guess that’s why I became interested in cyber. Still very different outlooks on things. So it’s like when you’re doing physical stuff, you’re looking for like a physical threat and how, like, if someone going to— is this person going to steal something from a shop? There’s similar attributes to it, but it’s still very different. So how, what do you think people sort of miss though when they’re trying to come together?
Simon Cook [00:08:05]:
I think it’s just a lot of the time it’s a lack of understanding of the other side of the fence. Let’s put it like that. Right. And again, there has over the years been some concern. Yeah. When I talked to sort of physical security managers, directors, et cetera, you know, there is that concern that they’re losing a piece of their world. If they give too much up to the cyber guys, they’re going to lose their value or sort of lose their area at the table or whatever it is. And, you know, there are still those that look at cyber risk as an IT issue.
Simon Cook [00:08:36]:
So it’s the other side of the fence. We have to focus on protecting the perimeter, protecting, you know, our staff, protecting our assets, whatever it is. And the network guys, they’re the ones that tell us that we can’t use this product because it doesn’t adhere to this, or they’re the ones that tell us that we can’t add this camera to the network because XYZ. And it does sort of start to generate a little bit of animosity. But I think the good thing, if you go back to, you know, that original question of what’s changed over the last 3 to 5 years, I think that is changing, right? I think there is that kind of idea now that actually we, you know, we do actually, we are susceptible to an attack. You know, a camera like a door controller, if it’s IP, if it’s network enabled, it is susceptible. And we don’t want to be the reason that our company was hacked because our cameras weren’t running latest firmware version or because the cameras weren’t, you know, secured behind XYZ, you know, authentication. So I think honestly it is changing, but it’s not as quick as perhaps the hackers, you know, are running.
Simon Cook [00:09:30]:
So again, it’s going back to that, as I said earlier, that trusted advisor side from a Genetec perspective, and by virtue our partners that we work with to sort of try and nudge that along. And I spend, or we spend, a lot of our time kind of building that education around that because it is, it’s not going to change overnight, right? There is still the old guard that say, right, this is my hill and you stay off my hill kind of thing.
Karissa Breen [00:09:52]:
So one of the things that’s been apparent to me is in cyber, we want the business to understand about cybersecurity. But one thing that’s been illuminated to myself and to others that I’ve spoken to on this show is, yeah, but does the cyber person really know how the business makes money? And then therefore there’s a gap. So what I mean by that is, do you think that, for example, the physical person doesn’t understand perhaps elements of cybersecurity? Now, I’m not saying they have to talk about fiber optic cables and get into it, but at a high level of appreciation for the mechanics. And conversely, does a cyber person understand the mechanics of how physical security works, like from a high-level architecture perspective? Do you think that is where some of it’s falling down?
Simon Cook [00:10:34]:
Absolutely. I mean, yeah, they’re two completely different mindsets. They’re two tracks. I mean, with the invent of the IP camera and the IP door controller, it’s starting to veer far more towards, you know, the network side. But the mindsets are still, the physical security industry is a very traditional industry, very sort of set in the ways to some degree, mindsets, approaches, attitudes, see what works, don’t change it, et cetera, et cetera. So I think there is very much a case of, you know, not understanding the other side of the fence. And it goes, that goes both ways as well. I saw it when we were sort of migrating from the analog camera to the IP camera, the camera, the physical security guys understood the camera side, what it did, what it could see, the lighting conditions, how far it could see, all of these things that you had to know to get a camera positioned accurately.
Simon Cook [00:11:24]:
But what they’d never understood was what an IP address was and what subnet mask was and why you need those things correct for the camera to actually communicate to the head end. And there is elements of that. And thankfully, you know, the newer generation coming into industry do have that sort of, you know, they’ve grown up around more technology than traditional folks and they are starting to change that. But yeah, I mean, it’s different mindsets, different backgrounds, different approaches, different day-to-days. And I think that, that will still stay with us. But again, it’s just how can we get those two sort of types of people working together in a way that’s beneficial for everybody.
Karissa Breen [00:11:57]:
So you said before the physical security industry is quite traditional. Do you think it is getting a little bit more progressive though? And what I mean by that is this morning before I spoke to you, I saw something and it’s like in China that now they’ve got this robot that’s acting as some like police guard to like direct traffic or something like that. So something like that goes wrong and you’re directing traffic in a place like China where there’s literally billions of people, that’s a bit catastrophic. So now we’re getting a little bit beyond, hey mate, you can’t come in the pub to, hey, I’ve just randomly redirected traffic and now there’s a huge incident.
Simon Cook [00:12:32]:
I think you’re 100% right, but I think actually, you know, technology is, I wouldn’t say forcing, I’d say encouraging that change, right? And from a physical security perspective, it used to be a case you just had the cameras, the door readers, the license plate cameras, you know, you had a set of devices and they were the ones that were used. But actually technology is evolving physical security from a reactive application to a proactive application. And what I mean by that is, let’s say for example, let’s take, you know, the sort of analogy of the doorman, a nightclub. Technology now in physical security, you have analytics that can detect the threat rising in someone’s voice, right? The stress or whatever it is. And actually an alert can be sent to an operator before a potential fight kicks off or before, you know, something happens. There’s a lot of technology coming in and, you know, AI is helping this as well, you know, behavioral analytics, all of that kind of stuff is growing. So those requirements are coming into the systems to change and improve the operator and the approach. And that then, of course, drives those technology conversations to understand, right, that’s the outcome.
Simon Cook [00:13:34]:
We want to actually reduce the fight before it happens. We need the technology to do that. So now we need to understand what do we need to run that technology? So it kind of, you’re stepping back through the process to get to the technology discussion, to get the outcome of reducing the fight before it’s even started. So I think, yeah, technology and that kind of proactive approach to security is facilitating and driving those conversations as well.
Karissa Breen [00:13:58]:
So then talk me through the right to be forgotten. So I’m aware that this is no longer just a legal concept, but a product and architecture challenge for physical security providers. What’s going on here?
Simon Cook [00:14:09]:
Yeah, so, you know, look, the right to be forgotten used to be like, you know, privacy law and like internet search engine stuff, but last few years with the invent of things like GDPR, it certainly becomes far more of a challenge for us as manufacturers. You know, it really becomes a product and architecture problem. For example, I mean, if you look at traditionally video, video surveillance, you’d be just recording things and, you know, you had access control to open doors, but then now we actually want more technology, we want to bring more value. So you had biometrics, you have cloud services, you know, you have a whole different type of physical security, AI, facial recognition, those behavioral analytics that I mentioned. That then ultimately makes us as a manufacturer potentially custodians of people’s data, right? So, and if you look at video footage as a prime example, it’s not designed for that selective deletion that right to be forgotten requires. You know, you can’t simply take a video file and just cut bits out of it, you know, edit it down because you’re potentially corrupting timestamps and metadata and ultimately the integrity of the evidence that you’re providing, right? So therefore it’s unusable in court. So now we as manufacturers have to think about how we actually, how we do that, how we manage videos, how, you know, individuals in a video might be indexed, how the footage can be redacted, blurred out if you’re looking at a suspect, but you’ve got other members of the public in there and how do you do that? And how long is it retained for and how do you share it with third parties? If I’ve got some footage that I want to share with the police, how do I know that, you know, once the footage has left me that they’re using my data and my— because obviously that person, that right to be forgotten, it goes all the way through anyone that handles that footage, right? And if you look at then a cloud platform, that problem becomes even bigger because ultimately the data might live in multiple places. So we have to sort of look at how we build our solution to support that, to work around it.
Simon Cook [00:16:04]:
Privacy isn’t now just a policy checkbox. You know, we used to sort of see questions in requests back in the day where it just said, are you privacy compliant? Do you manage privacy securely? Blah, blah, blah. And it was a tick box from that, you know, the way that we look at building those platforms now, it’s actually a competitive differentiator for us. We actually try and focus on that privacy by design architecture. So it’s not just after the fact compliance, you know, hey, we’ve had this product out there for X amount of years. We now have to think about, oh, right, you know, if they want rights forgotten, how do we actually deal with that? We actually build that in. It’s not an after-the-fact compliance. It’s actually built in by design from the ground up.
Karissa Breen [00:16:42]:
Okay. So one question that I’ve got that maybe sounds a little bit rudimentary for someone like yourself, but I’m curious just to understand and provide a little bit of context. So I live here in the US. One thing a lot of people have are those Ring cameras or security cameras, whether they’re at a house or they live in an apartment. And I interviewed someone maybe about a year and a bit ago, and they spoke a lot about where these devices are manufactured. And I think places, countries like Germany don’t allow you to buy it from certain countries like China with the risk of like spyware and stuff like that. But the challenge is when people can go on Temu and they can buy something for $10 Australian, which is like, I don’t know, $6, $7 US versus something that is manufactured in Germany, it obviously costs more, right? So how does that like balance out? I’m just giving a very basic example so people can understand. I’m curious then to see how that sits with you.
Simon Cook [00:17:35]:
Well, that, that’s, uh, an interesting question. I mean, yeah, there is a lot to be said about devices from nefarious actors, or however you want to call it. We don’t typically sort of deal in that space. We deal with enterprise, government, etc., etc., military, police, and we want to ensure that any customer that we’re talking to understands the risk of using devices that might have an impact on them, whether it’s a cyber attack, whether it’s hacking into the camera to view the feeds, whatever it is, and actually use cameras from trusted brands because ultimately we are part of a solution. And typically Genetec is the front end. It’s the bit that people see. So if you look at your analogy of the door cam, that application that you would look at to see that camera, that’s, that’s the front end. That’s what we do.
Simon Cook [00:18:20]:
So we want to make sure that when we’re providing a solution or when we’re talking about a solution to a customer, to an end user, to a consultant, whoever it may be, that they understand the implications of using devices that, you know, are from less trusted sources, let’s say. And, you know, the industry press is full of articles where cameras have been accessed by third parties, hacked, open back doors, etc., etc. And those cameras, those cheaper-end cameras, that are typically the most susceptible to them. I mean, there’s websites you can go on that literally have every camera in the world that isn’t password protected or has a backdoor and you can see video feeds from them. You know, this is what we’re dealing with, right? So it’s that kind of thing of providing trust and also being part of a solution where you’re building a trusted solution and that includes the camera.
Karissa Breen [00:19:09]:
Yeah, so I think that was just probably more my example just for context, but then getting back to your point around the enterprise space that you guys sort of play at, do you see, do people get it though, at your level? Like, obviously at a consumer level, people just don’t get it, right? They’re like, oh, well, who cares? I don’t care if someone sees my front door with my dog or whatever, right? But people would care if it’s something that’s like a consulate, for example. They don’t want nefarious countries, nations looking through from that perspective. So do you think with your experience, people do understand the benefit though? Like, we’re not gonna go down, like, perhaps a not as desirable route because that could have other impact that then has flow-on effects to the cybersecurity sort of thing.
Simon Cook [00:19:52]:
So, and that I think is the bit they don’t understand, right? So there are cameras out there that are, you know, from brands that may have backdoors or may have workarounds or to access those cameras, et cetera, et cetera. And we have those conversations with customers and they, you know, they say just that. So, you know what, I don’t care if someone sees my office space because at the end of the day, what they’re seeing. And that’s not the point. The point is that is a device on a network that is susceptible to an attack, you know, whether it’s denial of service, whether it’s whatever, it’s a surface attack for a hacker to actually access. And arguably, I would say perhaps 6, 7 times out of 10, the person isn’t interested in what the footage is, what’s on the other end of that camera. It’s an office space, it’s a front door, it’s your dog, it’s whatever. They’re actually interested in what they can do with that device. It’s a springboard into the network ultimately.
Simon Cook [00:20:39]:
There was an attack on Target in the US, you know, the big retail chain over there years ago. And it was a huge attack. And basically it was, the source of the attack was through an unpatched heating and ventilation panel. It was an IP device that was just another network endpoint. And they got in through that and they got into Target and they got through the financial, the POS system with all the customers’ financial data. It cost the company a fortune in damages, but also the reputational damage as well. So, and I use that as an example because ultimately it’s not about the footage, it’s about that device being open and susceptible to, you know, a potential attack as opposed to what it’s actually looking at.
Karissa Breen [00:21:17]:
So you said before, Simon, customers are still like unsure about certain things. Is it that they don’t understand the attack path? So it’s like, yeah, okay, it’s just a camera, but these are all the things it could lead to. I think there was another incident like, I don’t know, 10 years ago about a casino that had a fish tank that got hacked, and then obviously that opened up a bunch of other problems.
Simon Cook [00:21:38]:
Absolutely. Yeah.
Karissa Breen [00:21:40]:
So what parts specifically would you say they’re not quite understanding in your experience?
Simon Cook [00:21:46]:
They don’t realize necessarily that it is a potential springboard into a bigger attack, right? That is a network device. If it’s not updated, if it’s not secured, if it’s not protected, it’s potential for a nefarious actor to get into the network and do more damage. It’s, again, I think that is absolutely a lot of the discussions I have. That is the problem that we face. I don’t care, it’s a camera, it is what it is. Well, yes, it is a camera. Yes, it sees an office space. No, no one really cares unless of course it is in a consulate or it’s facing somewhere that is of significant interest.
Simon Cook [00:22:20]:
But it is a, it’s actually an attack springboard for, for someone to utilize. And that I think is the misunderstanding, going back to what we said earlier about the lack of cyber experience or understanding of the cyberspace, cyber world, cyber threat, that that’s where it sort of comes in. It’s just a camera as far as a security operator or manager is concerned.
Karissa Breen [00:22:40]:
Do you still think though, just given like everyone’s got phones, laptops, they understand how connected things are today, so do you still think they’re like— it just, it does perplex me to be like, are people still thinking like they’re still isolated though? Only because like, I mean, I don’t have a dog. Well, a lot of these people got these dogs and then they buy these cameras and then they view it on their phone. Like, it’s like, wouldn’t you think there definitely is some attack path there? Or I know that I’m thinking like a cyber person, but I just still think that given that you can watch something on your phone on the other side of the world because someone’s house sitting and they’re looking after your dog, I’m really curious to understand perhaps the thinking behind that.
Simon Cook [00:23:21]:
We live in a world where, you know, we love to have access to stuff. Obviously technology is making our lives easier, it’s making our lives better, more efficient, et cetera, et cetera, right? I can check in on my dog at doggy daycare from this website, seeing this camera, et cetera, et cetera. There is value in technology to make things better, easier, faster, whatever it is. But again, you don’t necessarily understand. And, you know, I think we as a people, you know, if you think about the fish tank that you sort of mentioned about the casino as a prime example, right? You know, you can endpoint anything, you know, your fridge, your toaster, anything like that. And there was something a little while ago, someone had one of those smart fridges and someone had actually hacked into their fridge and changed their display and just kept cycling through different things and the person had no idea what was happening or how it was happening or what they could do to stop it. Again, it’s that everything that’s connected, if it’s not protected, updated, etc., etc., becomes that springboard for an attacker. I mean, you know, if I look at my home router logs every now and then, the amount of attacks I see inbound, like looking for ports that might be open or something like that, that’s just a home router.
Simon Cook [00:24:25]:
All these different things connected. It’s just another potential surface attack. And there is that thing of like, you know, ignorance sometimes is bliss. If you don’t understand the implication of the impact, then, you know, you don’t have to worry about it. Someone else is taking care of it. And, you know, in the enterprise space, from a security perspective, it’s IT’s job to take care of that. My camera is on a corporate network, therefore IT are looking after it. Well, you know, IT might not necessarily know about that camera on the network.
Simon Cook [00:24:50]:
We’ve seen that as well. You know, cameras are being added to networks. The IT might not have an idea that’s an old camera that’s running out-of-date firmware. It’s no longer supported. And all of a sudden it becomes a vulnerable device in the network that they had no idea was there. So technology is great, but it comes with its challenges when you look at the cyberspace.
Karissa Breen [00:25:07]:
So I wanted to shift gears slightly and talk about GDPR. Now, people in the space think GDPR is a European regulation, for example. They also think it comes with limited global impact. So why is that mindset risky from your perspective on the physical security front?
Simon Cook [00:25:27]:
Well, it’s risky for a bunch of different reasons, but ultimately, I mean, you’re right. I do hear and see, we don’t have to worry about GDPR. It’s a European law. It’s not going to impact us. Ultimately, anyone that’s in Europe, anything they have any interaction. So even if one of their customers’ cameras users, if they interact with the system from Europe, you’re in scope for GDPR compliance, right? And especially now in these days, when you think about the prevalence of cloud platforms, you probably don’t even realize it. You know, if you’re headquartered in US or Asia or whatever, you don’t care about Europe, it’s not part of your remit. But ultimately, from a cloud perspective, you may well be in Europe and not even realizing it, right? So, but I think actually more so what I’m seeing now for, you know, countries that don’t have the same laws as GDPR, actually it’s becoming a bit of a global blueprint.
Simon Cook [00:26:17]:
So we are starting to see in many different countries, actually, they don’t have necessarily the same laws, regulations, whatever it is, but ultimately they’re looking at GDPR and what you do as a manufacturer to help companies stay inside that as a blueprint on what they need to do when they’re rolling out a new solution. And again, I mean, ignoring that, pleading ignorance, it has a massive financial impact because it’s 4% of your global turnover as a company. You could be fined that 4% or €20 million, whichever is the highest, right? So to ignore it, to say, yeah, it’s just a European thing, actually could have significant impact. And a lot of those things, actually, it’s not just about the cost. It’s about the reputational damage as well. If you’re found to be outside of GDPR as a global company, but you’ve had some interaction in Europe and you haven’t managed data correctly. And you haven’t kept inside the parameters of GDPR, then you are still impacted. And that reputational damage is the challenge.
Simon Cook [00:27:15]:
That’s the harder thing to build up. So really what we see, what we try and do is look at how we as a company can, you know, can help that, can show what we do to protect, you know, data, to manage it, to give you certain guidelines. And again, you know, we’re starting to see that changing. I mean, Brazil has what’s called the LGPD and China has PIPL and in the US, for example, some of the states, but ultimately we’re starting to see that change. And that’s the big thing really is, you know, it was a, I think when it first came out, there was this kind of perception, oh, it’s just for Europe to worry about. We don’t have to worry about it. But now I’m starting to hear and see, okay, so, so how do we work alongside it? How do we, you know, what do we need to do to follow the same standards? What do we need to do to make sure that we’re safe or we’re secure or whatever it is that we need to be? And that, you know, again, ultimately is where we like to sort of come in and play that trusted advisor role with the customers to make sure that if they do have any sort of touch in Europe, that they are protected.
Karissa Breen [00:28:14]:
What do you think people worry about more, the reputational side of it or just like the €20 million fine that people are going to deal with?
Simon Cook [00:28:20]:
I guess it depends on who you’re talking to in the business. I’ll imagine the finance guy is worried about the, the €20 million. And I would imagine the, the leadership team are probably worried about the reputation. But I think it, they go hand in hand, right? Again, it’s like any, you know, any breach that happens, you read in the news that this company was hacked and that’s hacked and this is how much it’s cost them. You know, it’s always a cost to the business of it was the €20 million, right? But the trust in that brand is really what’s impacted in the longer term. Yeah, €20 million or, you know, 4% of your global turnover. And if you’re a big company, that could even be more, you know, a lot more than €20 million.
Simon Cook [00:28:54]:
But that reputational damage, that’s the thing that’s hardest to get back, right? The cost associated to that in the longer term is the bigger impact. And that’s what bigger enterprises have to grapple with.
Karissa Breen [00:29:04]:
So what do you think people are proactively doing to say, okay, well, this is what’s happening in Europe. We need to make sure we don’t get the fine, for example. And there may be things that we can learn that can be disseminated across other parts of the world in the US, Australia, etc. Are people starting to do this or is it still in relatively early stages?
Simon Cook [00:29:23]:
It depends. I mean, I see both sides, right? I start to see more pull-through, and I don’t think it’s necessarily specifically GDPR compliance, right? It’s just some of the guidelines or some of the, you know, the impacts that GDPR has, some of the encouraging the mindset around how a manufacturer might handle your data. What, you know, what as a manufacturer we can see, how long it’s retained, who else has access to it, how is it shared, how is it deleted? All of that kind of stuff. We’re starting to see those questions come up, right? It could be from the GDPR kind of mindset if the enterprise has a European office, but it is just, you know, hey, we’ve read that this is what’s happening over there. What can we do to make sure that our data is accessed in the right way by the right people? You know, it’s minimized. If there is an issue, what, how do we deal with it? What happens with the footage? You know, what happens if someone says to us, what do you, you know, show me all of the footage you have. How do we actually do that? What are the features in the platform that, you know, that you can show us that actually says, right, someone comes in and says, hey, show me all the footage you have on me. What do we do? And then what are you doing with that footage? Who else is seeing that? How do we prove that? How do we show it? And I think those questions are starting to be asked more and more now, you know, by countries outside of Europe that don’t have GDPR
Simon Cook [00:30:41]:
legislation to have to go through. But I do think ultimately, as I mentioned, Brazil, China, the US, Canada, starting to build these types of either, you know, laws, frameworks, whatever it is to say, right, we are moving into a connected cloud world where data is everything. How do we actually manage this in a sensible, secure way? And how do we actually make sure that that data is protected and because obviously it is personal data, right? I mean, video access control, biometrics, having your mobile credential, so, you know, your access control card now on your mobile phone. So think about maybe your apartment block has it, maybe your gym has it, whatever it is, you know, that’s another stamp on who you are, where you’ve been, and what you’re doing, right? So it’s data that someone is holding on you. How do you make sure that’s being managed in the right way?
Karissa Breen [00:31:31]:
So we’ve spoken a lot today, Simon, about what has happened before traditionally, what’s happening now. I want to sort of focus on what’s going to happen now in the future. Obviously we’re in 2026, so what do you think is going to happen this year? What can we start to see happening in the years to follow? Do you have any sort of insight on that front?
Simon Cook [00:31:48]:
Things like GDPR, things like IRAP, things like NIST 2, you know, these kind of laws, frameworks, certifications, assessment frameworks, they are going to grow, right? Because ultimately we are moving more into that cloud world. Everything we do these days. Security is like the last, physical security is like the last bastion that is, you know, not going towards cloud as, as fast as the rest of the world. But ultimately everything is in that cloud connected way. So therefore those laws, those assessment frameworks, everything like that are changing to evolve around that. You know, how do we manage data? How do we handle data? How do we secure data? So that’s changing. And I think, you know, from a technology perspective, you know, I mentioned earlier the fact that physical security is a reactive platform, right? Something happens, show me the video, show me the report, show me what happened, and I’ll deal with it, raise a case with the police, whatever it is. We are looking at moving into more of a proactive world now. And again, you know, when you look at things like AI coming into play, when you look at those analytics that I mentioned earlier, those behavioral analytics, when I look at cameras getting smarter, generating metadata, and more analytics, technology is going to drive that application, you know, the physical security application into more of a proactive approach, telling operators, users, you know, organizations that moving to something’s about to happen versus something’s just happened and you have to deal with it, right? We want to know real time that there’s a situation and how do we deal with it, and then actually proactively telling the operator, helping and guiding the operator through what actually they need to do in that situation.
Simon Cook [00:33:22]:
That’s key for us ultimately, is making that sort of more proactive approach, you know, from a security perspective and working with those outcomes. You know, an organization has a challenge that they face. How do we actually use the technology to overcome that challenge? So yeah, so I think we’re going to see changes around laws, legislations, frameworks, and we’re going to see far more technology-driven approaches to physical security, and hopefully it drives that kind of relationship between, you know, the cyber folks, the IT folks, and, you know, and the security folks.
Karissa Breen [00:33:53]:
And so just lastly, do you think, going back to your point around being proactive, do you think it’s because people, if they’re forced from legislation, that sometimes it’s like, well, do you attract more with vinegar or honey? So sometimes it’s like, well, when I’m forced to do something, I’m doing it, but maybe it’s like not super into it versus, hey, I’m doing this because of these reasons, right? And you sort of understand the mechanics of the reason. Or do you think it just doesn’t matter and it’s a moot point? Doesn’t matter if there’s vinegar or honey, it’s just we need to get the outcome.
Simon Cook [00:34:24]:
I think it’s a human condition, right? When we’re told that we have to do something, we don’t want to do it. It’s simple. No one likes, you know, having more laws, having more, you know, rules that you have to follow, right? And I think that there is perhaps part of it or you know, no one wants to be the first to do something, right? Let’s just step back and see what happens there. So, you know, Europe have got GDPR. Let’s see what happens and how they play out, and then we’ll just, we’ll come in a bit later on and we’ll tweak it and tune it. I think there are other people that actually, you know what, we do need this because I want to be sure that my data is handled correctly and, you know, legally and fairly and trustworthily. And it is that whole conversation of trust from us as a manufacturer has changed, right? If you think about back in the day, it used to be, you know, hey, I trust that company, I trust that salesperson, I trust that person just on face value. Whereas now, you know, we as a manufacturer have to constantly show that we’re doing all that we can to make sure that your data as a customer of ours is as protected as it can be.
Simon Cook [00:35:22]:
We are managing it as securely and privately and etc., etc. It’s kind of a mix of both worlds, right? We’re going to have those people that kind of go, yeah, no, this is not impacting me, I don’t care, I’m not going to do it until, you know, someone forces me to. And then we have others actually see technology as a driver and say, well, actually, yeah, that can help me because I do have this challenge or this outcome I’m trying to get to. And actually technology can help me get there. So I’m going to do what it takes to get that technology, but also make sure that my data is secure while I’m using that technology.
Karissa Breen [00:35:52]:
And Simon, what’s one thing you’d like to leave our audience with today?
Simon Cook [00:35:57]:
When you’re looking at physical security and cybersecurity converging, you know, there’s a lot of companies now that are focused on that. We’re handling data that is sensitive. It’s video, it’s biometrics, it’s facial recognition, it’s personal identifiers, right? When you’re assessing these companies, you need to move away from just that trust that I mentioned about, you know, trusting that salesperson, trusting that brand because you’ve always trusted it. Actually look at what that company is doing, you know, that defines that trust, right? For us as a manufacturer, for example, you know, we put this front and center. As I mentioned, we have that kind of secure by design logic, you know, trust for us is a design principle all the way through our organization to, you know, right to support when the system is deployed. You know, we go through certifications as a product, as well as an organization, things like ISO 27001. We put all of that information front and center on a publicly accessible website that talks about all of our certifications. So, you know, our recent IRAP assessment, you know, our GDPR compliance, our SOC. All right, so we put all that front and center.
Simon Cook [00:36:57]:
We put all of our pen testing information for our cloud services front and center because for us, ultimately that trust, we don’t want you just to accept it. It’s not a set and forget situation. It’s dynamic and it’s constantly evaluated, you know, to make sure that we’re conforming to the latest and greatest. So really the takeaway for me is when you’re assessing a company, a physical security company, what are they doing to make sure that you have that continual trust. It’s not set and forget, let’s just do it once. It is constant evolution, much like technology is a constant evolution. So yeah, look at trust as what is that company doing to actually give me that feeling of trust, and they can actually show it as trust as well.