November 2025

// Convergence

Taking the Right Steps for a Unified Cybersecurity Posture

Physical and cybersecurity are no longer siloed — they are one and the same. And security integrators need to be prepared for what that means for their business today and in the future.

by Karyn Hodgson, SDM Editor

Dan Krumme, president, Cam-Dex Security Corp., says his company is in the process of getting its Cybersecurity Maturity Model Certification (CMMC) 2.0, which the Department of Defense (DoD) begins phasing in for its contractors in November. Bio image courtesy of Cori Krumme. Background image courtesy of Ismagilov / iStock / Getty Images Plus / Via Getty Images


Cybersecurity convergence is a term that has been bandied about the security industry for some time now. But what is it, really?

“Cybersecurity convergence means treating physical security and cybersecurity as one risk surface, with shared governance, architecture, and operations,” says Justin Stearns, vice president, Chimera Integrations, an East Syracuse, N.Y.-based company named SDM’s 2024 Systems Integrator of the Year. “A weakness in one is a weakness in both. The goal is a unified posture, where identity, network, and data controls span cameras, access control, servers, and cloud services.”

Priya Serai, chief information officer, Zeus Fire & Security, Paoli, Pa., adds, “Cybersecurity convergence, to me, is simple: physical and digital security are no longer separate worlds. A camera isn’t just a camera anymore — it’s an IoT [Internet of Things] endpoint. A badge system isn’t just access control — it’s an IT system. Convergence means treating all of that as one ecosystem. It’s about strategy and response that cut across silos. A cyber-attack can take down life-safety systems, and a physical breach can be an entry point for digital compromise. In our industry, convergence is how we deliver resilience, making sure people, property and profits are protected seamlessly, whether the threat comes through a firewall or a front door.”

Virtually everyone contacted for this article agrees that convergence is not a future trend: it is already here, whether the security integrator community is ready or not.

“This convergence is happening now,” says Wayne Dorris, CISSP, program manager, cybersecurity, Axis Communications, Chelmsford, Mass. “It’s worth noting that the physical security industry has generally been slower to adopt this practice. If you have not started yet, it’s imperative to begin. For those already on this path, it’s crucial to continuously assess and adapt, as security practices are constantly evolving. Staying ahead of the curve is essential to safeguarding your assets in an increasingly connected world.”

Dan Krumme, president, Cam-Dex Security Corp., Kansas City, Kan. (featured on this month’s cover), says his company is trying to do just that, and is in the process of getting its Cybersecurity Maturity Model Certification (CMMC) 2.0, which the Department of Defense (DoD) begins phasing in for its contractors in November. “I think, as a whole, the industry has become more aware and done a better job of discussing the topic, but I still think we are behind,” he says. “There are still quite a few lagging. For our company, I would say we are positioned in the middle. I wouldn’t say we are behind, but there is more to do.”

This is the case for the majority of integration companies, adds Michael Kobaly, executive vice president engineering, AMAG Technology, Hawthorne, Calif. “In practical terms, convergence expands the role of our integrator partners,” he says. “They are now expected not only to install card readers or cameras, but also to ensure those systems meet the client’s cybersecurity policies and network requirements. … We see this as an opportunity: our integrators can provide greater value by bridging the gap between IT and physical security, ensuring that the systems they deploy are resilient against cyber threats and aligned with the organization’s overall security posture. Ultimately, convergence means a more unified defense, where data and threat intelligence are shared across domains and both cyber and physical vulnerabilities are being addressed together.”

Kobaly says even cybersecurity and hacking industry conferences such as Black Hat are now featuring sessions on breaking into access control protocols, and new hacker tools are targeting IoT-based security devices.

“All of this means that integrators can’t treat cyber-physical security integration as a future issue; it’s a present reality,” he says. “In our view, everyone in the security industry should be addressing it today. Those integrators who are proactive in embracing cybersecurity now are positioning themselves ahead of the curve, whereas those who ignore it will increasingly find themselves at a disadvantage.”

Serai also sees convergence as an opportunity for security integrators to stay relevant and connected to their customers. “To me, the near future isn’t about whether convergence happens, it’s about who is prepared to design with it in mind,” Serai says. “Building cyber in from day one, not bolting it on later, is how we keep customers safe, keep systems resilient, and protect the trust that underpins our entire industry.”


AI’s Impact on Cybersecurity Convergence


Like every aspect of the security industry, AI is affecting the convergence space as well — both positively and negatively.

“What’s changing fast is AI,” says Priya Serai of Zeus Fire & Security. “Traditional risks like unpatched firmware or default passwords are still critical, but now we’re facing new attack surfaces: prompt injection, data exfiltration through AI models, and even model poisoning. These are risks the security industry hasn’t had to deal with before, and they’re reshaping how we think about governance.”

This is something Krumme worries about as well. “I just heard a couple of weeks ago at a government briefing that the newest cyber threats are using AI and embedding malware within AI, which is super scary,” he says.

But Krumme also wonders whether AI might be used as a valuable tool down the road — in a similar way to what it has done in the video surveillance space. “All these tools and software, AI can help make them not only smarter but automate a lot of processes and procedures,” he says. “When you think of a cyber breach and the amount of time it takes to analyze and figure out where the breach occurred, that can take days or weeks now. … How can AI help with that? It can automate a lot of that remediation.”

Krumme acknowledges he doesn’t know if anyone is using it that way yet, but it is only a matter of time.

For now, Serai notes that it is important to treat AI-based data the same as any other security data in security. “We layer in AI carefully and securely,” she says. “With ZeusAI, analytics data is handled with the same discipline we’d apply to financial or healthcare data — encrypted, access-controlled, and monitored. We see AI not just as a new feature, but as a new responsibility when it comes to cyber and governance. … In the age of AI, cybersecurity isn’t just patching devices, it’s protecting data, models, and trust.”

Technology Factors

Cybersecurity convergence is truly a multi-pronged effort requiring ongoing attention from every stakeholder in the ecosystem. But for the security integrator, one of the first and most critical places to start is with technologies they are recommending, designing, installing, and maintaining at a customer’s site. Some of the first steps are fairly easy to implement.

Dean Drako, founder and CEO, Eagle Eye Networks, Austin, Texas, breaks it down in terms of the biggest mistakes integrators need to avoid: “Poor password practices and weak credential management; re-use of passwords across customers; failing to regularly patch and update systems; incorrect network and firewall configuration, leaving unnecessary exposure; and not following vendor hardening guidelines or aligning with end-customer cybersecurity policies.”

Simply avoiding these common missteps is a good start, Krumme adds. “All systems and technologies are vulnerable … in the world we live in,” he says. “One thing that can be done is putting in practices and procedures internally to mitigate that cyber risk. Some of the simple things are changing default passwords, updating firmware on all devices including cameras, card readers, servers and running patches, and updates on any sort of client machine that accesses those systems.”

From a security technology perspective, video surveillance systems are widely perceived to be the most vulnerable, but the reality is a bit more complex.

“The truth is any device or system that is not properly hardened and maintained is vulnerable,” Dorris says. “We often hear about cameras being the most vulnerable, but that is because they tend to outnumber other security devices in most businesses and are easier to misconfigure or leave un-updated.

“From an industry standpoint, it’s highly beneficial for physical security systems to natively integrate with IT infrastructure such as PKI, certificate authorities, Active Directory, SIEM and SOAR platforms,” Dorris adds. “However, integration is often challenging because many physical security devices run on custom Linux kernels, which can complicate compatibility and standardization.”

Serai says that while cameras can come with more risk due to a “set it and forget it” mindset, in reality all networked security systems are equally at risk. “The most vulnerable systems today are the ones we connect the fastest — video cameras, access control, and IoT endpoints in general,” she says. “A camera is no longer just ‘a camera on a wall.’ To attackers, it’s a network gateway. Access control systems are the same: when they aren’t hardened, patched, segmented, and properly managed, they become direct paths from cyber into physical.

“At Zeus, we treat every system we install as part of a digital ecosystem — not just a piece of hardware on a wall,” Serai continues. “That mindset changes everything about how we approach cyber. First, we’ve built a cyber-hardening playbook that is standard across deployments. That means no default passwords, enforced encryption, proper network segmentation, and patching cycles that are tracked and audited. We don’t roll out a system and walk away; we build processes to keep it secure over its lifecycle.”

Stearns says of Chimera’s process, “We run a pre-install vulnerability scan to baseline risk and a post-install scan to prove we left the environment more secure. We align early with IT/MSPs on network segmentation, identity, logging, and update policies. Up-front planning can add time, but it prevents rework and speeds commissioning. … Our industry can do some basic things to ensure proper respect is given to cybersecurity: secure-by-default devices, documented patch cadences, SBOMs (software bills of materials) and disclosure programs from manufacturers, and integrator standards like VLAN/ACL segmentation, 802.1X, cert-based authorization, and encrypted streams (TLS/SRTP). Third-party risk mitigation matters, too! Target’s famous HVAC vendor breach proved that.”
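The checks Drako, Krumme and Stearns describe above (default and reused credentials, stale firmware, cleartext services, weak TLS, 802.1X left off, and a pre- versus post-install scan that proves the site is no more exposed than it was) can be turned into a repeatable commissioning gate. The script below is an added example written for this article; it is not code from Chimera, Zeus, Axis, Eagle Eye or any other company named here. The per-device record format, the factory-credential list, the vendor minimum-firmware table and the sample inventory and scan results are all constructed assumptions, not a real vendor export.

```python
"""Post-install hardening audit for networked physical-security devices.

Added example for this article, not code from any company named in it. The
device-record format, the factory-credential list, the vendor minimum-firmware
table and all sample data are constructed assumptions, not a real vendor export.
"""
from __future__ import annotations

import json

# Assumption: factory defaults of the kind vendor hardening guides tell you to change.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "pass"), ("admin", "")}
# Cleartext or legacy services that should be off once the device is commissioned.
INSECURE_SERVICES = {"telnet", "ftp", "http", "rtsp", "snmp-v1", "snmp-v2c", "upnp"}
# Ports whose appearance after an install means the site is now MORE exposed than before.
RISKY_PORTS = {21, 23, 80, 161, 554, 1900}
MIN_TLS = (1, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """'10.12.1' -> (10, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_inventory(devices: list[dict], min_firmware: dict[str, str]) -> dict[str, list[str]]:
    """Return {device_id: [finding, ...]} for every device in the deployment.

    Checks map to the mistakes listed in the article: default credentials,
    password reuse across customers, stale firmware, unnecessary services,
    a weak TLS floor, and 802.1X left off.
    """
    seen_passwords: dict[str, str] = {}  # password -> first customer it was seen at
    report: dict[str, list[str]] = {}
    for dev in devices:
        findings: list[str] = []
        if (dev["username"], dev["password"]) in DEFAULT_CREDENTIALS:
            findings.append("default credentials still set")
        first_owner = seen_passwords.setdefault(dev["password"], dev["customer"])
        if first_owner != dev["customer"]:
            findings.append(f"password reused across customers (also at {first_owner})")
        floor = min_firmware[dev["model"]]
        if parse_version(dev["firmware"]) < parse_version(floor):
            findings.append(f"firmware {dev['firmware']} below vendor minimum {floor}")
        exposed = sorted(set(dev["services"]) & INSECURE_SERVICES)
        if exposed:
            findings.append("insecure services enabled: " + ", ".join(exposed))
        if parse_version(dev.get("tls_min", "0")) < MIN_TLS:
            findings.append("TLS floor below 1.2")
        if not dev.get("dot1x", False):
            findings.append("802.1X port authentication disabled")
        report[dev["id"]] = findings
    return report


def newly_exposed(pre: dict[str, set[int]], post: dict[str, set[int]]) -> dict[str, set[int]]:
    """Compare pre- and post-install port scans ({host: open TCP ports}).

    Returns only hosts where the install OPENED a risky port that was not open
    before; a "we left it more secure" claim needs this to come back empty.
    """
    result: dict[str, set[int]] = {}
    for host, ports in post.items():
        opened = (ports - pre.get(host, set())) & RISKY_PORTS
        if opened:
            result[host] = opened
    return result


# Constructed sample deployment: two customers, one service password shared between them.
SAMPLE_INVENTORY = json.loads("""[
 {"id": "cam-lobby-01", "customer": "acme", "model": "CAM-X", "firmware": "10.12.1",
  "username": "svc_video", "password": "Lw7!qZ2#pV9m", "services": ["https", "rtsps"],
  "tls_min": "1.2", "dot1x": true},
 {"id": "cam-dock-02", "customer": "acme", "model": "CAM-X", "firmware": "9.80.3",
  "username": "admin", "password": "admin", "services": ["http", "rtsp", "telnet"],
  "tls_min": "1.0", "dot1x": false},
 {"id": "acs-panel-01", "customer": "globex", "model": "ACS-7", "firmware": "4.2.0",
  "username": "installer", "password": "Lw7!qZ2#pV9m", "services": ["https", "snmp-v3"],
  "tls_min": "1.2", "dot1x": true}
]""")
SAMPLE_MIN_FIRMWARE = {"CAM-X": "10.10.0", "ACS-7": "4.2.0"}  # assumed vendor floors

# Constructed scans: the install hardened .11 but added a recorder (.50) with HTTP open.
PRE_SCAN = {"10.20.0.11": {23, 80, 554}, "10.20.0.12": {443, 322}}
POST_SCAN = {"10.20.0.11": {443, 322}, "10.20.0.12": {443, 322}, "10.20.0.50": {80, 443}}

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY, SAMPLE_MIN_FIRMWARE).items():
        print(device_id, "OK" if not findings else "; ".join(findings))
    print("newly exposed:", newly_exposed(PRE_SCAN, POST_SCAN))
```

On the sample data the lobby camera passes clean, the dock camera collects five findings (it is the “set it and forget it” device from the text), and the access panel is flagged only because its installer password is the same one used at a different customer, which a per-device review would never catch. The scan comparison shows the pattern worth institutionalising: the camera that was hardened drops off the list, while the recorder that was added with HTTP still enabled is what makes the post-install scan fail.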

Serai agrees, noting that vendor and supply chain security are a critical step. “Not just the manufacturer, but all third-party software, SDKs, or cloud integrations used by camera and access systems need to be vetted,” she says. Other important steps she is starting to see more in the security industry include firmware management and immediate vulnerability disclosures from manufacturers; out-of-the-box secure defaults; network segmentation/isolation with limited access to the rest of the IT network; and continuous hardening and monitoring efforts.

Many security integrators who don’t have the in-house expertise in cybersecurity choose to partner with others who do, whether a fellow security integrator or a managed service provider. Image courtesy of metamorworks / iStock / Getty Images Plus / Via Getty Images


Cyber Certifications Help Win Customers

There are a number of cybersecurity-related certifications to be aware of, both for your own company and for any vendors you choose to work with. While they are primarily there to establish standards for cybersecurity practices, these certifications can also help win projects.

“We lean heavily on standards and certifications because they take cybersecurity out of the realm of opinion and make it objective,” says Priya Serai of Zeus Fire & Security. “At Zeus, we align with frameworks like NIST and AICPA Trust Services Criteria, and we require our key vendors to meet SOC 2, ISO 27001, or NDAA compliance, depending on the system.”

Beyond just protecting your company and customers, having these types of certifications makes business sense, Serai adds. “It changes the customer conversation. Instead of just saying, ‘Trust us, we’re secure,’ we show them how our deployments map to established frameworks. For enterprise customers — especially retail, healthcare, and government — that’s the difference between being considered and being chosen. We’ve won jobs because we could demonstrate that our solutions weren’t only functional but certifiably resilient and compliant.”

This is why Cam-Dex is currently going through the CMMC cybersecurity model being pushed by the DoD, Dan Krumme says. “As of November 10, all DoD contractors must provide a self-assessment score. … By next year, all DoD contractors on any new contract will have to have CMMC 2.0 as a default.”

Krumme says the CMMC certification is important to consider for any integrator operating in any government space, and eventually even beyond that. “This is starting with DoD, but we will start to see more agencies adopt it,” he says. “The VA has already said it is coming. Eventually, it will trickle down into all federal agencies within the next five years or so. We are already seeing it in the private sector with companies demanding documentation that is, in part, derived from CMMC. … Eventually, in my opinion, we will see it across the country in the government sector as well as the private sector.”

Krumme views going through this intensive process as an eventual differentiator for his business and is planning to roll it out company-wide by early 2027.

Chimera Integrations’ Justin Stearns says his company also sees certifications as both protection and opportunity. “We align designs and processes to NIST CSF and CIS controls, prefer vendors with SOC 2 Type II/ISO-27001 for cloud services, and invest in relevant professional certifications on our team. That credibility resonates with engaged IT/MSPs that work with our customers and has absolutely helped us win competitive opportunities.”

In short, Serai says, “Standards are more than checkboxes. They’re a way to prove discipline, build trust, and win business in a marketplace where cybersecurity is no longer optional.”

Prioritize People & Partnerships

Ask any cybersecurity expert what the No. 1 cybersecurity risk is, and they likely won’t point to any of the above-mentioned technology issues. It’s people — both on the vendor/integrator side and on the customer side — not following protocols, falling for phishing schemes, holding doors for people, and a myriad other human foibles. For integrators, the people part of the equation not only involves in-house training, but also includes effective communication with the customer, as well as partnering with the right experts to fill in the knowledge gaps.

“For us, on a typical project, it is more planning and communication with the customer,” Krumme says. “It starts in the sales process, and, nowadays, we have multiple stakeholders involved. Also, I think the conversations have changed. We have to help educate some customers on cybersecurity and how systems will impact their networks.”

While enterprise and government customers often come prepared with a list of cybersecurity requirements, Krumme says that as the issue has become more widely publicized, more small- and medium-sized customers are receptive to it but lack the expertise to dictate what needs to be done. Neither do a lot of integrators, he says.

“I am not going to tell you I am a cybersecurity expert, but we surround ourselves with those sorts of people,” Krumme says. “I don’t think you can be everything to everyone. This subject is too broad and too much.”

Some security integrators do choose to grow their talent internally, AMAG’s Kobaly says. “We’ve found that the cybersecurity savvy of integrators has been growing steadily, though it does vary across the industry. Many of the integrators we work with have made significant investments in this area; some even have dedicated cybersecurity teams or specialists on staff, which is a testament to how seriously they’re taking it. We are seeing more and more integrators who are quite fluent in cybersecurity terminology and practices. They understand concepts like encryption, least privilege access and vulnerability management, and they are actively discussing them with clients. On the other hand, there are still a good number of integrators who might not have the same resources and not all of them are fully aware of every emerging threat or the latest best practices. But, importantly, we see a real drive to learn. Many partners are proactively educating themselves by taking courses, reading up on new vulnerabilities, and partnering with consultants to improve their knowledge base.”

Krumme suggests “knowing what you don’t know,” and having two or three MSP-type consultants (managed service providers specializing in cybersecurity) on speed dial for those situations.

This can sometimes be a touchy subject with some integrators who view these companies as possible competition. “In this day and age, there are a lot of managed service providers that dabble in our world,” Krumme says. “That is something you have to think about: are they potentially your competitor? But, at the end of the day, depending on the opportunity, if you can work out a deal, it can be a win-win for everyone.”

One such expert is SDM’s Cybersecurity Chronicles columnist, Chris Maulding, security engineer and CEO of Plattsburgh, N.Y.-based AlchemyCore, a managed security service company that was acquired by Chimera Integrations in 2024, and also assists other integration companies on cybersecurity issues.

“Many security integrators continue to lag in cybersecurity knowledge as they strive to remain current with the extensive tasks they are tasked with implementing,” Maulding says. “These firms should look to partner with an MSSP firm to reach that level of expertise and to ensure they are not putting their own company or their customers in harm’s way. It is a crucial step for integrators to collaborate with a knowledgeable MSSP or to employ an individual who can work alongside their installation technicians.”

Chimera’s Stearns adds that whether you feel cybersecurity is a core competency for your company, or whether you seek outside consultants or rely on manufacturing partners for training, it is critical to treat cyber maturity as a “living program, not a checkbox.”

This means training — both internally and for customers — and it needs to be ongoing.

“We run recurring phishing simulations, tabletop exercises, and role-based training on credential handling, change control, and incident response,” he says. “Anyone who slips gets targeted refresher training.” The company’s dedicated cyber team also tracks vendor advisories, shares updated industry guidance and updates, and helps the company keep its cybersecurity playbooks current.

Zeus also does a lot of in-house cybersecurity training, Serai says. “I’d put Zeus in the ‘very knowledgeable and constantly learning’ category,” she says. “Cybersecurity isn’t new for us — we built a framework years ago and it’s part of how we operate.

“We’re intentional about how we do it,” she continues. “For technicians, we don’t hand them abstract cyber training. Instead, we train them on the systems, processes, and best practices that are directly tied to their work. … Beyond the field, we make cybersecurity a company-wide responsibility. Our project managers, customer service, and even sales teams go through awareness training so they can speak the same language with customers and recognize risks.”

That last point is key, especially as integrators are now often speaking simultaneously with both physical and cyber/IT stakeholders. It is more important than ever to be fluent in both — bilingual, in a sense. Otherwise, it can lead to issues down the road, Dorris says.

“One of the biggest mistakes integrators can make is not asking customers for their cybersecurity requirements for their systems or devices at the start,” he says. “When customers provide these from the beginning, integrators tend to do well addressing the specific protocols or features the customer wants as part of their policy. However, if these details are not provided, integrators may do a standard installation that does not address the customer’s specific needs. Integrators also need to ensure they explain and train their customers on where and how to update their systems and devices. This ensures that their software remains updated, and cybersecurity capabilities are enabled.”

Finally, it is important to make sure that you are doing a “clean handoff” at the end of the project and communicating clearly with the customer, Dorris adds. “These deliverables should detail the current cybersecurity configuration, the software revision running, and where to find updated software. A clean handoff is key to maintaining a good cybersecurity posture.”

Serai agrees. “My advice is simple: stop treating IT and physical security as separate languages. In a converged environment, you don’t win by being an expert in just locks and cameras — you win by speaking the language of uptime, compliance and data governance alongside coverage, access, and monitoring,” she says. “That starts with how you show up to a project. Bring IT to the table early. Don’t wait until the last week to ask for a VLAN or firewall rule. Make cybersecurity part of the design, not a bolt-on. And document everything — patch cycles, access controls, failover processes — because IT leaders expect the same rigor from us they demand internally.”

And this comes back full circle to training, she says. “Invest in your people. Train project teams not just on product features, but on secure processes and best practices. Test new products centrally before they ever hit the field, so your installers have a hardened, proven playbook to follow.”

Cybersecurity is a moving target, requiring constant learning, evaluation and updates. Image courtesy of MTStock Studio / E+ / Via Getty Images


The Vendor’s Role in Cybersecurity Convergence

Here are some of the ways physical security vendors are keeping their products cyber-secure and helping their integrator partners.

“We’ve embraced external certification and verification, examples being SOC 2 Type 2 qualified, having regular penetration testing, and employee education programs,” says John Gallagher, vice president, Viakoo Labs, Viakoo Inc., Mountain View, Calif.

“We take a security by design approach to our products and practices,” says Michael Kobaly of AMAG Technology. “We rigorously test our Symmetry software. In addition to our internal QA, we bring in third-party experts to perform regular vulnerability assessments and penetration tests, and we issue timely software patches to address any issues. … This proactive stance, combined with a ‘security-first’ development mindset, helps us stay ahead of evolving threats. In fact, our development lifecycle includes static code analysis, dependency vulnerability scans, and careful review of open-source components to ensure there are no hidden weaknesses. We are also ISO 27001 certified and SOC 2 compliant.”

Dean Drako of Eagle Eye Networks offers a checklist of items his company incorporates from the very beginning:

  • “Cameras are isolated from the internet — eliminating common username/password and remote access vulnerabilities.
  • Encrypted connections are authenticated by digital certificates, and regular security patching is managed from the cloud.
  • We provide two-factor authentication for user access, along with comprehensive audit logs for accountability.
  • Security updates are delivered centrally to ensure all systems are protected against the latest threats.
  • We provide camera cyber lockdown features to prevent exploitation of devices by botnets or malware.
  • Our open platform provides integration points with typical cybersecurity analysis systems and protection systems.”

Wayne Dorris of Axis Communications adds that it is important to keep the entire product lifecycle in mind. “We ensure that cybersecurity is built into the product from the beginning, with a plan to support it until its decommissioning,” he says. “Additionally, we follow Secure by Design (a protocol developed by the Cybersecurity & Infrastructure Security Agency) throughout the process. We are always adding new capabilities and improving our overall cybersecurity posture.”

It is also important to help integrator customers, Kobaly says. “Beyond product design, we work closely with our integrator partners to ensure they deploy and maintain our systems securely. We provide a detailed hardening guide for security installations. For instance, we strongly recommend network segmentation to isolate the security system from other critical networks. … In short, we ensure our products are built to be cyber-resilient, and we empower our integrators with the knowledge to install and service effectively.”

Dorris adds, “Our integration partners play a crucial role in keeping customers’ devices cybersecure. We provide our integrators with a variety of tools, software and services to help them implement our products into the customer’s cybersecurity environment. … We also provide general cybersecurity training and embed cybersecurity best practices into our product-specific training sessions.”

In the increasingly networked and open world of security systems, it is also critical for manufacturers to vet any partnerships they enter into with fellow vendors, Kobaly says. “Ensuring end-to-end security means paying attention not just to our own products, but also to how they interact with third-party systems. As a manufacturer, we prioritize partnerships with other technology providers who also uphold strong security standards. We test our integrations to verify that data hand-offs are secure and that no new vulnerabilities are introduced.”

Advice & Opportunities

There is one thing that is consistent about cybersecurity and cybersecurity convergence: they will never stay consistent.

“The minute you think you’ve caught up, there’s a new vulnerability or a new attack vector, especially now with AI in the mix,” Serai says, adding that the advice above about people, partnerships, continuous learning and vigilance is among the key ways Zeus stays as current as possible. “How do we stay up to date? By combining external intelligence with internal discipline. That’s what keeps us one step ahead in a field where the goal posts are always moving. Cybersecurity isn’t a quarterly update — it’s a daily discipline.”

Kobaly stresses the importance of ongoing learning. “Invest in continuous cybersecurity learning and adopt a proactive mindset,” he says. “The threat landscape is always evolving, so integrators should stay curious and up to date. This might involve getting professional certifications or training that focuses on cybersecurity. … Overall, the awareness level today is much higher than it was a few years ago. Most integrators now recognize that cybersecurity is a core part of their job. … Many of our partners are knowledgeable or actively building the necessary knowledge. Of course, cybersecurity is a moving target, so even the best integrators need to continue to learn and adapt.”

This mindset is what has driven Krumme’s company forward with CMMC 2.0 certifications, not just for the personnel who deal with DoD projects, but eventually for everyone. “We are doing a phased approach,” he explains. “At first, it will just be for a handful of people working in that CMMC environment, but, eventually, the end goal is to have all networks certified to CMMC 2.0 … and all will be working at that level. Once we get there, we will market that to the private sector, which will be a selling point for us. It is a huge investment, but it is an important differentiator, even in the private sector. It says we take cybersecurity seriously and know what we are doing.”

This is true for Zeus as well, Serai says. “We see this convergence play out daily. When we deploy cameras for a retail client, for example, it’s not just a physical install. Those cameras tie into our central station for 24/7 video monitoring, and, through ZeusAI, we layer in analytics — foot traffic, checkout efficiency, even management activity. Suddenly, a project that started as ‘threat protection’ is also delivering revenue-driving insights back to the customer. Their IT department cares about the network health and data security; their loss prevention team cares about shrink reduction; and their operations team cares about sale conversion — all from the same converged system. … Convergence isn’t just about stopping threats anymore — it’s about unlocking insights that grow the business.”

Cybersecurity convergence isn’t easy, but if you make the effort, partner with the right companies and manufacturers, and do the hard work of ongoing training and maintenance, the rewards are a differentiating competitive advantage and a satisfied customer.

“Reframe your value,” Serai concludes. “In a converged world, you’re not just selling systems — you’re selling resilience and intelligence. … Don’t fight convergence — embrace it. It’s not just about protecting doors and networks anymore; it’s about becoming a trusted technology partner who can secure people, property and profits all at once.”
