If you’ve read any security forecast in the past few months, chances are it mentioned cybersecurity. There are many reasons for this: convergence trends are on the rise (meaning cybersecurity is now a physical security issue), and IT teams are now heavily involved in security conversations, if not the primary contact for security integrators when discussing solutions with end users.

“As the legacy IT leadership team is taking over these legacy physical security networks, they’re bringing this expectation of cybersecurity to the forefront,” says Dan Higham, senior director, New Era Technology, an integrator based in New York, N.Y.

Convergence trends are making waves in video surveillance. Remember the recent Louvre incident? A simple mishap cost millions of dollars, all because the password to the museum’s video surveillance system was easy to guess. A few intentional, cyber-focused steps taken by the physical security team could have prevented this incredible loss.

Priya Serai, chief information officer, Zeus Fire & Security, Paoli, Pa., says convergence is making cybersecurity in video surveillance uniquely challenging and fascinating. “Physical security, IT, cloud and AI are colliding,” she says. “Cybersecurity isn’t static, and neither is leadership in this space. The integrators who will thrive are the ones who understand that trust is now part of the product they deliver.”

In the past, the results of physical security and enterprise IT not talking to each other weren’t pretty. “Early in my career, I saw video systems treated as ‘set it and forget it’ infrastructure,” Serai says. “Cameras went up, passwords stayed default, firmware never got touched, and no one could clearly answer who owned the risk. That might have worked 10 years ago. It absolutely does not work today.”

For integrators like Zeus, cybersecurity within a video surveillance system is designed from the onset. Cameras are endpoints, VMS platforms are applications and video is sensitive data. “We emphasize secure-by-default configurations, network segmentation, credential hygiene and disciplined patching,” Serai says. “A video system that can see everything but protect nothing is a liability, not an asset. Remaining cyber-secure isn’t optional anymore; it’s table stakes.”

Integrators like Portland, Ore.-headquartered Cook Solutions Group view cameras as IoT devices. “You have to look at how you set that up inside of a network,” says Levi Daily, chief technology officer, Cook Solutions Group. “Most of our customers, being large commercial data centers or banks and credit unions, lead with security first. … But you’ll still see a legacy system connected to the internet, and you see the customer … open ports in their firewall and allow data in, and that might be the worst thing that they can do. We lead foundationally with cybersecurity first, and we have policies and procedures on how we act as a company, but then also how we set up these systems for our customers. We have plans and books on exactly how we’re going to set those up for our customers.”

Any network-connected device can be targeted, so systems must be designed securely with proven equipment and implementation coordinated with customers’ IT teams. “We thoroughly vet all manufacturers and products before they are approved for use, with a strong focus on proven products with strong cybersecurity protocols,” says Robert Ford, general manager, Security 101, West Palm Beach, Fla. “We avoid non-NDAA-compliant products and do not compromise on this standard. Cybersecurity risk is ultimately business risk, and our responsibility as an integrator is to reduce that exposure as much as possible.”

Keeping up With Cyber Vulnerabilities

From an integrator perspective, keeping up with the rapidly evolving security space across all verticals can be extremely difficult. “When we look at physical security, it’s evolving quickly ... especially when we take into consideration adoption of cloud and introduction of AI,” says John Ringis, national director, physical security global enterprise, New Era Technology. “It’s a little bit of a Wild West. It’s becoming very difficult for people to keep hold of and to manage ... what’s going on in the cybersecurity side of the space.”

Adding cybersecurity into the mix is making the evolving landscape that much more complex. “Legacy systems are the biggest challenge, and I don’t just mean old hardware — I mean old thinking,” Serai says. “What’s made the biggest difference for us is building cybersecurity into our operating rhythm. Vulnerability awareness is part of our change management process, our vendor reviews and our system lifecycle planning — not a once-a-quarter exercise.”

Often, the evolution of video environments happens organically (i.e. different vendors, different generations of cameras, inconsistent standards and minimal documentation.) Over time, this will create a patchwork ecosystem, where no one has full visibility and risk hides away. “Waiting for a ‘major incident’ before acting is a mistake,” Serai says. “Many of the most damaging breaches don’t come from sophisticated attacks, they come from known vulnerabilities that were never patched because no one owned the follow-through.”

Security 101 addresses issues like these by enforcing secure configuration standards, recommending lifecycle replacement for unsupported devices, segmenting surveillance networks and providing clear guidance around patching and upgrades. “Just as importantly, we avoid low-cost or poorly-supported products, even if they appear attractive from a feature or price standpoint,” Ford says.

Another major pain point is the gap between physical security teams and IT teams. “I’ve seen environments where IT assumes security owns the cameras, and security assumes IT is handling cyber risk. That gray zone is dangerous,” Serai says.

From Zeus’ perspective, combatting this means standardizing architectures, clearly defining ownership and treating video systems as part of the broader enterprise security posture. “The goal isn’t perfection; it’s transparency and control,” Serai says. “If you know what you have, where it lives and who owns it, you’re already ahead of most organizations.”

Three years ago, as convergence trends began spreading through the industry, New Era Technology formalized its approach to end-to-end security by aligning its physical security and cybersecurity divisions. “We needed to be able to have these additional capabilities to be able to bring the power of a complete ecosystem to our customers within the marketplace,” Higham says.

Cook Solutions Group also developed a dedicated cybersecurity team. The company even outsources with third-party cybersecurity to ensure investment in cyber remains a priority. “It’s about process and awareness for us,” Daily says. “We track vulnerabilities across the board.”

Having separate physical and cyber teams that work closely together can help break down some of the barriers that make keeping up with the evolving landscape difficult. “We have an internal team of engineers that take responsibility for all of our system configuration, commissioning and security protocols,” Ringis says. “They’re trained to make sure that these pieces and parts are in place and that every one of these systems are set up and configured correctly.”

User behavior is another key challenge. If credentials are exposed, which often happens because of user error (i.e. default or easy-to-guess passwords, successful phishing attempts or other social engineering techniques), even the most hardened system can be compromised. “We address this by prioritizing user education alongside technical controls,” says John Petruzzi, CEO, Unlimited Technology, Herndon, Va. “Training users to recognize suspicious emails, texts, phone calls and other attack methods significantly reduces risk. Cybersecurity is not just a technology problem; it is a people and process challenge as well.”

For as many vulnerabilities as there are, though, there are processes and technologies available to combat them. Take AI’s role in video surveillance, for example. “Organizations are looking at AI as a business imperative because they don’t want to be left behind in terms of their innovation. The same is true within cybersecurity,” Higham says.

Though AI can ‘help’ bad players perform their bad acts, it can also help organizations remain cybersecure. “You have to use AI and AI security to be able to defend business and organizational operations within the environment,” Higham adds. “If you’re not using AI to help defend operations from being disrupted and disrupting cyber criminals that are out there, then you’ve already lost the game as well. We’re already using [AI in cybersecurity] because we have to.”

Unlimited Technology leverages automated security tooling, particularly endpoint detection and response platforms, to continuously scan for vulnerabilities and apply patches on a regular cadence. “This allows us to stay proactive rather than reactive, especially when critical vulnerabilities are disclosed,” Petruzzi says. The company also relies on a combination of manufacturer advisories and trusted third-party intelligence sources, i.e. alerts from equipment manufacturers, the Cybersecurity and Infrastructure Security Agency (CISA), MS-ISAC and CVE databases.

Partnering with the right manufacturers is a key method of staying current and enhancing cybersecurity postures. Security 101, for example, maintains strong relationships with manufacturing partners and participates in security briefings to stay ahead of emerging risks. “Before any firmware or software update is deployed, it is tested by our manufacturing partners in a controlled environment to ensure it resolves vulnerabilities without introducing new issues,” Ford says. “This disciplined approach helps ensure that updates improve security without compromising system stability or performance.”

New Era Technology prioritizes aligning with manufacturers that share the same philosophy and approach to cybersecurity. “There are a lot of manufacturers in the space. There are a lot of individuals making product, and not every one of those manufacturers puts cybersecurity at the top of their to-do list or their importance list,” Ringis says. “We really try to focus on the manufacturers that share that philosophy, that have a track record of being secure and trusted in the space.”

Offering Cyber Services to Customers

Most clients don’t want to be sold on fear or worst-case scenarios. Rather, end users want to know what will specifically impact their businesses and what requirements will meet their specific needs. It’s imperative to meet clients where they are, whether they aren’t even thinking about cybersecurity, they have an outdated system or they’re ahead of the game. “Cybersecurity conversations work best when they feel collaborative, not corrective,” Serai says. “I frame cybersecurity as protecting uptime, operations, people and reputation. Once you connect it to business impact, the conversation changes.”

Daily agrees that the best way to approach cybersecurity conversations is to keep it simple. “We 100% lead with cybersecurity, but we still have a lot of customers that don’t keep it top of mind,” he says. “In fact, we used to offer our cybersecurity services a la carte. Even over the last few years, we’ve changed our message; it’s less a la carte, and we require these things. If you’re going to do business with us, we’re going to manage, maintain and keep the systems up.”

Documenting risk is critical. “When tradeoffs are clearly outlined in a written risk assessment, decision-makers are better equipped to understand the implications of choices like not using multi-factor authentication. Having leadership formally acknowledge accepted risks often changes how those decisions are viewed,” Petruzzi says.

Being consistent is also critical. “Cybersecurity is an ongoing process, not a one-time project,” Petruzzi says. “As AI continues to evolve, both defenders and attackers will gain new capabilities. Staying vigilant, adaptable and disciplined is the only sustainable approach.”

From an operational standpoint, Zeus Fire & Security upholds cybersecurity practices by embedding secure configurations, access controls, network segmentation guidance, credential policies and patching strategies that align with customers’ IT standards.

“Many of our most productive engagements happen when we sit at the table with the customer’s IT and security teams,” Serai says. “We translate video surveillance into their language — risk, controls, compliance and operational impact — so it integrates cleanly into their existing cybersecurity framework.”

Cook Solutions Group provides a complete managed service for its customers powered by its in-house network operations center. “We deliver firmware updates; we deliver software updates,” Daily adds. “That’s one of the biggest requirements that you have to have on any of these devices, is manage those and keep their firmware and software up to date. We also monitor all of our cloud and our systems using a SIM and a SOC through our cybersecurity team.”

New Era Technology’s overall security offering, known as SecureBlu, is designed to promote the end-to-end philosophy of security. “What we bring to our customers is an approach that has a team focused on physical security and a team focused on cybersecurity that are aligned with this philosophy of end-to-end security,” Ringis says.

Higham adds, “We see data breaches all over the place. … We want to use protocols that are much stronger and much more resistant to things like social engineering attacks. We want to use protocols like FIDO and those types of things that really make it hard for an attacker to be able to compromise a device within the environment. On top of that, you have to make this automated and easy user experience.”

Even if integrators don’t directly offer cybersecurity-related services yet, there is still opportunity to work closely with the IT teams that handle these services. “That collaboration is critical to maintaining a secure environment while still delivering the operational and safety outcomes customers expect from their surveillance systems,” Ford says.

Amplified Risk & Opportunity Ahead

The future of cybersecurity in video surveillance is a balance of amplified risk and opportunity due, in large part, to advancements in AI and cloud adoption. These innovations bring tremendous value, but engaging with them requires greater discipline on the integrators’ part around architecture, governance and ongoing monitoring.

The attack risk surface expands as video surveillance evolves alongside AI analytics, cloud, hybrid deployments, deeper integration with enterprise systems and other trends. “Our primary concern is ensuring that these advanced capabilities are deployed responsibly,” Ford says. “It’s important to ensure that any deployments are vetted through our manufacturer partners to ensure analytics, cloud and integrations have been tested and have the proper security measures in place.”

Through all recent and future development, basic cyber hygiene remains the most important factor. This includes things like strong passwords, user education, adherence to standards and regular audits. No matter how strong or complex technology becomes, these fundamentals will remain just that — fundamentals. “AI presents a dual challenge. It can significantly enhance threat detection and system monitoring, but it also lowers the barrier for bad actors by making sophisticated attacks easier to plan and execute,” Petruzzi says. “At the same time, cloud migration is accelerating as organizations seek scalability and cost efficiency. This makes vendor due diligence critical. Ensuring cloud providers follow current cybersecurity best practices is just as important as securing on-prem networks and endpoints.”

Serai’s main concern is not with the technology itself, despite the rapid speed at which it is moving — far above organizational readiness. “AI features are being turned on before customers fully understand their implications for privacy, access and security,” Serai says. “My biggest worry is complacency. If the industry treats AI-enabled video as ‘just another feature,’ we’ll repeat the same mistakes we made with early IP cameras, only at a much larger scale.”

Daily predicts, in the future, the “just another feature” concern will go away because AI could become the primary alarm system inside of a branch or a building. “What you can do with AI is pretty crazy,” he says. “That, again, puts another emphasis on keeping your video surveillance system secure and protected so that none of that gets intercepted.”

Physical and cybersecurity intersect at the operational technology space. “You can’t secure physical environments without securing their digital identities, and you can’t secure digital identities without understanding the physical environment,” Higham says.

Secure Yourself First

For integrators who want to extend cybersecurity offerings to customers, securing their own organizations is the first step. “Building internal discipline, standards and expertise is essential,” Petruzzi says. “If cybersecurity is not already a priority, start now. The risks of inaction include reputational damage, loss of business, regulatory penalties and ransomware exposure. As requirements such as CMMC become more prevalent, cybersecurity will increasingly be a prerequisite for doing business, not a differentiator.”

As it stands, being a cybersecurity expert isn’t a requirement. However, having an effective cybersecurity posture does require discipline. “Standardize your architectures. Eliminate default credentials. Document your systems. Train your teams. Partner with IT instead of avoiding them,” Serai says.

Cybersecurity comes in many different forms, all of which are important for integrators to look at from a layered approach. “Start with architecture, look at your default configuration and then really make sure what systems you’re providing as an integrator to your customers, that you’re vetting out those systems and you’re vetting out those third parties. You’re not just selling anything off the shelf,” Daily says.

The secret is treating cybersecurity as a core design requirement. “Standardize on NDAA-compliant, security-focused manufacturers; document secure configuration baselines and partner closely with IT stakeholders,” Ford says. “Integrators who take a disciplined, repeatable approach to cybersecurity will be better positioned as systems become more connected, more intelligent and more critical to business operations.”

Finally, don’t be afraid to have conversations with customers about their current cybersecurity strategies and what they should be thinking about. “Find the courage to have these conversations with your customers,” Ringis says. “What is their cybersecurity protocol? How would they like passwords managed? How would they like the system configured? Make the attempt to connect with whomever is responsible for cybersecurity on that end user side. Make some active investments in either aligning with or educating yourself on day-to-day cybersecurity protocols and where the industry is heading.”