Building the Bridge Between Physical and Information Technology

When it comes to convergence, the struggle is very real for utilities. The path forward to securing both physical and cyber infrastructure is riddled with challenges. As technology expands and interconnectivity becomes ubiquitous, so too does the risk landscape.

At Convergint’s Unite event, I had the opportunity to speak with Genetec’s Andrew Elvish and Convergint’s Joe Young about the evolution of unified platforms, how artificial intelligence is reducing the “noise” of surveillance, simplifying regulatory compliance and the critical importance of thoroughly vetting security solutions.

Curtis Marquardt Jr.:
I’d like to talk about the partnership between Genetec and Convergint. How has then been beneficial to both respective organizations?

Joe Young:
Oh, man. Genetec’s always been a longtime partner. Earlier, I gave a presentation on the evolution that’s happening around us—this evolution of the marketplace, or the evolution of the channel. And right now, we have to double down on working with our partners.

As technology modernizes—and it is fundamentally modernizing—the threat landscape is evolving, and stakeholder expectations are changing. Those three things combined are driving this evolution of the channel.

It’s creating what I call a blurring between the traditional roles and responsibilities of a manufacturer, distributor, systems integrator and a typical end user. When those lines blur, that’s where this partnership comes into play.

This is purpose-built by Convergint, with a commitment to collaborate on being the customer’s best service provider. Everything we do here is grounded in being the customer’s best service provider.

I love the relationship with Genetec. I think Genetec sits in a really interesting spot because the product complements our go-to-market capabilities.

Their product fits across global and enterprise: federal, utilities, healthcare, data centers, finance. So it’s vertical agnostic. Their unified platform helps us deploy a true layered security program based on a risk assessment for a customer. We can seamlessly bolt different systems of record or sensors or applications into that single platform, delivering a next-generation experience.

Their platform unlocks the future of how we’re going to be able to deliver services. When you start to look at cloud-managed, cloud-enabled solutions—that unlocks differentiation. We can get asset inventory, understand if a device goes offline and then remotely triage it.

And if we can’t triage it remotely, we can send the right person to the right place at the right time, with the right part and the right certification. That’s a mouthful, but that’s the collaboration and orchestration that can happen across a partnership like this.

Andrew Elvish:
Well, of course, I agree with everything Joe mentioned. Convergint has a very specific and complex task to take care of—especially when you’re looking at critical infrastructure and utilities. These are customers who are very demanding, high-risk. Failure is really not an option.

If failure happens, it can be very, very, very not good—let’s put it that way. Our relationship with Convergint has grown because they have this single-minded focus on being their customer’s best service provider.

That means they really zoom in on understanding the Genetec platform so they can bring it to their customers in a meaningful way for the type of deployment that they need. Working with them is really important to us because we spend a lot of time developing the unified platform and all of the integrations to the different types of devices that might need to be ingested.

We don’t know precisely what Convergint’s customers will ask for. They may be asking for LiDAR. They may be looking for radar tracking or fence integrations. So we have to provide them with a toolkit they can take advantage of.

Convergint is unique in their ability to work with complex, high-risk, high-impact customers. If something goes wrong, they know how to deliver projects that both maximize the platform we’re bringing to market and their value as a trusted advisor to the customer.

We’ve structured ourselves to spend a lot of time focusing on anticipating what they may need. And they, as Joe has already articulated, focus on being that best service provider. That means they’re going to make the customer happy—not at all costs, but with smart, value-driven delivery.

It’s not just about us geeking out and creating stuff and them shoehorning it into customer environments. They’re running a business. We’re running a business. We want to make sure our product delivers the most margin for every dollar.

We want every ounce of effort they put in to build their business—so they’re not rolling trucks needlessly, their customers are happy and they’re not dealing with a flood of calls. That means an unhappy end user. It also means a partner who is spending a lot of money to support a product.

We’ve built this relationship over many years so they can go into these complex accounts with confidence—knowing they can not just catch every ball thrown at them, but hit it out of the park.

Curtis Marquardt Jr.:
So, let’s talk more about your unified platform. Why is this an important solution that utilities should be looking at for their security?

Andrew Elvish:
Sure, I’ll start. A unified platform—something Genetec has uniquely led the way on for years—brings together all the different aspects of the physical security experience and parts of the cybersecurity experience into a common operating picture, or single pane of glass.

This is hugely important for operators dealing with risks that could have a severe impact—like in critical infrastructure. If you’re moving from system to system, context switching eats up cognitive bandwidth. You’re not able to stay in the thread when you’re trying to resolve a situation.

The Genetec platform is a huge aggregator of Internet of Things (IoT) data—whether that’s from fences, heat sensors, water sensors, cameras, or access control points. But it has to do so in a way that allows the operator to take action. It can’t just be noise.

When you start moving between contexts in an integrated system—often glued together by agreements like, “We promise to support two versions back”—it’s risky. You get breakdowns. You have different learning curves. It’s expensive to maintain because you have to train operators on different systems.

With the Genetec platform, especially in the way a sophisticated partner like Convergint deploys it, you get things like standard operating procedures, workflows and edge-device integration—for example, like using iPhones as mobile cameras.

It’s a rich platform. If you look specifically at utility security—look at NERC regulations—they’re putting a lot of pressure on operators to maintain a full chain of custody of data. That’s when a partner like Convergint can take full advantage of the Genetec stack, including our digital evidence management tools.

That’s when the unification really comes alive and delights the customer. They don’t have to leave the platform. They learn one way to work, and it works efficiently.

And all of this is underpinned by cybersecurity—by design. We track firmware updates, patches, CVEs. We provide notifications. We use something called security score that gives a rating out of 100 for your patching, firmware status, and so on.

Joe Young:
I think the alignment with the risk-based approach is obviously super fascinating to think about. Most critical infrastructure customers—whether it’s the National Institute of Standards and Technology (NIST), the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO) or the Risk and Insurance Management Society (RIMS)—they all have their own risk assessment methodology.

They’ll stack, rank, score and build minimum controls around that. Once that’s packaged up, we can build it inside of the Genetec security center and create specific threat levels. And when something happens, the system behaves completely differently. During normal operations, it handles one way. When an elevated threat happens, it handles it in a completely different way.

So I think there’s a fascinating connection there with utilities. The public-private Convergint piece is super fascinating, too—the ability for a customer to seamlessly share information back to local law enforcement.

At the end of the day, it’s all about the customer. So if we deliver a platform that helps them mitigate risk by connecting all these different sensors—and we can shorten law enforcement’s response time because we’ve built a digital workflow that says: “Once this happens, do this, notify this person, dispatch police,”—that’s cradle-to-grave incident lifecycle management.

And there are very few partners that have a true platform that helps us shield customers from the complexity of all those different systems.

Genetec’s platform is different. It surfaces the right information to the right people at the right time—so they can make the right decisions. There’s always going to be a human in the loop.

All the amazing things you’re doing on the law enforcement side lend themselves well here—the LPR, the mobile capabilities. There’s a lot of overlap between public and private sectors. And I think Genetec has a world-class platform that helps Convergint better deliver outcomes to customers.

Curtis Marquardt Jr.:
I’m going to bring up the topic you both mentioned earlier: cybersecurity. Andrew, before we started this interview, you told a really interesting story about the FBI and cameras. Can you share that again?

Andrew Elvish:
Sure. So, back in 2016, we were talking about supply chain risk very early on—largely because partners like Convergint were demanding that we take it seriously. They’re sophisticated and deal with end users directly, and we’re listening to what comes up through those channels.

A consultant called us and said, “You’re talking about the risks of state-manufactured cameras from China being used in critical infrastructure, military, and government installations—but how come those cameras are still on your supported device list?”

Our president got asked that question and immediately stepped off stage and called me. He said, “Let’s take those camera manufacturers—two of the biggest in the world—off our supported device list.”

I was like, “Did you think this all the way through, Pierre? Really? That’s a huge chunk of our business.” Because our model is based on attaching cameras to our platform—and partners buy licenses for those. So we were essentially choosing to cut off a major revenue stream.

He said, “The risk is too big. We’re doing it. It’s the right thing to do.”

So we took that step. And as we predicted, things started heating up. We were invited to the Hoover Building—the FBI headquarters—to talk specifically about supply chain risks related to CCTV cameras.

A lot of people don’t realize: CCTV cameras are little computers. They have IP addresses. They sit on your network. They can be used for lateral movement, data exfiltration—all kinds of wild stuff.

We saw it happen—actual issues in airports and government facilities where, late at night, all these cameras would simultaneously start phoning home and spike in data uploads.

So we took action. And later, the U.S. government—through the National Defense Authorization Act (NDAA)—banned those cameras from use in government, military, and critical infrastructure.

The FCC has since broadened the ban further. And those two companies are now shadows of their former selves in North America. We’re seeing similar action in the United Kingdom, Australia and Canada. Governments are starting to take this very seriously.

Our concern was that those cameras could be deployed—certainly not by Convergint—but by someone who didn’t know better, in a critical infrastructure space. So this was an important guardrail.

It also launched what we called the Security of Security Roadshow—where we took cybersecurity training directly to physical security professionals. Back then, we saw a big knowledge gap between the two. But now, we’re seeing IT and physical security coming together—better understanding risk across OT and IT.

Curtis Marquardt Jr.:
Great story—really appreciate you sharing that. Joe, can you talk a little bit more about what Convergint does to vet equipment and ensure it aligns with cybersecurity best practices?

Joe Young:
Yeah, I’ll share what I can. We have a comprehensive Third-Party Risk Management (TPRM) process that we follow when identifying and vetting different partners. The vetting process varies based on the type and complexity of the partner. The way we assess a metal enclosure supplier is very different from how we assess someone providing network-connected software.

We work closely with our global sourcing and procurement teams—and what we call our Global Partner Development Council. That council brings together colleagues from across the globe who interact with partners. We’ve centralized and really doubled down on this in the past few years.

The evolution of technology has changed everything. The pandemic changed everything. Suddenly, systems that used to be air-gapped got plugged into networks. And when you can’t go into the building, people start saying, “Let’s just plug it into the network,” and you’re like, “Holy smokes—what just happened?” The attack surface grew wildly!

So now, we have a diligent process for how we vet and intake partners. And we continuously monitor that. It’s not a one-and-done process. If you’re working with Convergint, you’re getting highly vetted, qualified partners. And it’s worth noting—we have declined partnerships with vendors who don’t meet our baseline risk standards.

Sometimes, red flags are raised. We work with those partners to close the gaps. But our standards are our standards. And then there’s a second layer when we introduce that vendor to a customer. We go through their IT vetting processes to make sure the solution complies with whatever ISMS or security frameworks they follow.

We also follow NDAA guidance. We have our own internal controls. We work with manufacturers to harden solutions during implementation. We ensure there are CSPs—customer support programs—or maintenance agreements aligned with the vendor’s best practices.

Sometimes, the customer asks us for enriched data, added tasks or special service level agreements. That all gets rolled into a comprehensive plan. Risk management is a complex, multi-layered process. But hopefully that gives you a glimpse into how seriously we take it.

It is. It’s a highly complex industry. And everyone wants to talk about AI and new capabilities—but we’re also seeing more and more threat-specific solutions popping up. When you get black-and-white about saying, “This will detect this,” there’s extra diligence required.

We have a special pre-clearance team I work with—amazing people across the organization. And out of that, we build special handling instructions—basically guides to help colleagues do the right thing when a specific solution could introduce extra risk.

We do that because we’re committed to being the customer’s best service provider. That means being clear about what a product does, what it doesn’t do and what the customer is receiving.

Part of the evolution we’re seeing is vendors overpromising what their products can do. And when the product gets installed, it turns out it’s not really built for that. So we have to be thoughtful in how we design, install, service and manage. Vetting, TPRM, and how it all flows into our last-mile delivery platform—it all matters.

Curtis Marquardt Jr.:
So I have one final, fun question: Imagine you’ve just been granted a superpower of being able to see into the future. What does the future of security in the utility space look like? What are the new threats and new solutions you anticipate?

Joe Young:
We’ll tag team this. Who knows what the threats will be? They’re always evolving. Today’s threats won’t be tomorrow’s threats. Technology will keep advancing. It’ll keep getting better. And it’ll continue to help us protect whatever our customers are trying to protect.

We’re seeing a big shift toward operational insights—beyond just physical security. We happen to be the world’s largest sensor integrator. And those sensors unlock tons of data.

So I think the future is more connected—less siloed. Instead of having physical security and IT be separate, maybe we’ll all be one big happy family delivering a comprehensive, next-gen layered security program. I gave a presentation earlier today—we’ve been navigating change for more than 20 years. From analog to IP, through the pandemic, through supply chain issues, tariffs, and now AI.

Whatever comes, if you’re customer-obsessed and understand their needs, you just keep building the right offerings. AI is exciting—but also terrifying. It’s a new threat vector in itself. But we’ve got amazing partners to help guide our customers into the future.

Andrew Elvish:
Yeah, that’s a nice vision. I like it. It is all about convergence—in Convergint. But also actual convergence. We’re seeing it in all the research we do—with end users and channel partners. The lines between physical and information technology are blurring.

It’s creating new expertise, new expectations. In the next five years, users will demand more—from platforms, from integrators.

People don’t want a big divide between their home tech and their B2B tech anymore. They want seamless, intuitive, consumer-like experiences—plus AI and machine learning that actually do something.

Convergint pulls together massive numbers of sensors into the Genetec platform. Their customers are going to demand more insights and smoother experiences. Without giving too much away, in the next 18 to 24 months, you’ll see a lot more from Genetec and Convergint on that front.

And my one wish for people in critical infrastructure and security: Think about cybersecurity like a gym membership. It only works if you keep flexing the muscles. You have to go back. You have to keep doing the work. It’s never a one-and-done.