June 10, 2026

Summary:

This episode explores the convergence of physical security, cybersecurity, and AI, highlighting how integrated systems can enhance safety and operational efficiency. Jeffrey Friedman shares insights from his 20 years of experience in secure facility management, discussing the impact of emerging technologies and the importance of unified risk management.

 

Keywords:

physical security, cybersecurity, AI, risk management, access control, autonomous vehicles, critical infrastructure, zero trust, threat detection, digital transformation

 

Kew Topics:

  • Convergence of cybersecurity and physical security
  • Role of AI and autonomous systems in security
  • Risk management in critical infrastructure

Bio: 

Jeffrey Friedman is a visionary leader driving the digital transformation of physical security, logistics, and facility operations. He has pioneered secure access solutions for some of the most complex real estate and security environments, including the World Trade Center, Hudson Yards, and Time Warner Center. With a background in law, technology, and business development, he continues to lead innovation in trusted access, logistics, and security intelligence.

John Verry (00:00.216)

Hey there, and welcome to yet another episode of the Virtual See-So Podcast. With you is always your host, John Verry, and with me today, Jeffrey Friedman. Hey, Jeff.

 

Jeffrey Friedman (00:22.443)

Hey, how’s it going? Thanks for having me.

 

John Verry (00:24.43)

Yeah, cool. I always start simple. Tell us a little bit about who you are and what is it that you do every day.

 

Jeffrey Friedman (00:30.601)

What do I do every day? Let’s backtrack a bit. So I’m in New York. I’m a labor attorney.

 

I’m always, I was a, you know, it’s a young kid into technology and things like that. 9-11 occurred. I was about 30 years old. I’d been practicing labor and employment law for about six years, but I had a lot of friends who were musicians turned coders. And we sort of came up with the idea of doing something called visitor management, which is basically managing the people who do not have cards going into facilities in New York. essentially New York went through a lockdown period and I, as a labor attorney, was representing a lot of guard companies.

 

And so it sort of like was a weird transition of my career and getting on mission to make places safe and effectively building a business around the idea of a level of physical security about the unknown.

 

That’s basically it. You have people coming to the building. You don’t know who they are. You don’t know why they’re coming. They’re trying to figure it out. And if you’re in the position of a security guard, it’s your job to protect the building from unknown risk. So essentially, you know, basically have two jobs as a guard, patrol, observe things that are challenging or risky and report.

 

and also maintain an entrance, maintain a portal of some sort where someone can get into a facility.

 

Jeffrey Friedman (01:55.199)

And basically outside of that, the other roles are to basically observe. Observe through cameras, observe physically when you’re walking the building, and maybe from time to time escorting people from here to there. And I’m not talking about executive protection. That’s a different category. But essentially, the idea of physical security is keeping people out of other areas and making people safe.

 

And so the goal was to rebuild the World Trade Center one day, right, after 9-11. And I became a big part of supplying the solution and also the framework for managing access to the secure facilities within the campus. Just to go one step further.

 

Obviously, you can go to World Trade Center, you can walk around, can see the fountains, you can go to the mall, as just a person, you walk around. And they need to as a security measure for whether it’s the police department or the Port Authority Police Department, they’re trying to keep everybody safe in the public areas. And then there’s certain other areas like inside the corporate and the office buildings and inside where vehicles go underneath buildings. We want to make sure that they’re safe as well. We wouldn’t want to let

 

an unknown vehicle underneath the building. Pretty simple. So in that we built a program to manage the access of different people. I’ve been doing it for about 20 years. I’ve seen a lot of different places and I’ve applied the same concepts and techniques and now I’m actually in a project working on it with the military to do the same thing.

 

John Verry (03:41.186)

Excellent. I always ask, before we get too deep in the weeds here, what’s your drink of choice?

 

Jeffrey Friedman (03:45.495)

Mm-hmm.

 

What’s my drink of choice? On any given day, I’d probably order Jack and Ginger. I was a…

 

John Verry (03:54.062)

Why would you ruin a why would you ruin bourbon which an accident Jack and ginger is a refreshing drink I agree

 

Jeffrey Friedman (04:01.293)

It’s a funny, I bartended my way through law school and people would always ask, what should I have? And routinely I would say Jack and Ginger because they probably never had it before and it wasn’t very popular and now we’re going back to the 90s. And so I would, would.

 

offer that drink and people would be like, my God, I never tried this before. So that would be my drink of choice. Before that, it was long on ice teas all day, but.

 

John Verry (04:36.426)

I was, you know, it’s so funny you should say that. So I bartended my way through college. I didn’t go to law school. I went to engineering school. And the drink of choice in those days was a Long Island iced tea. Yeah. I probably made more Long Island. I mean, you know, enough Long Island iced teas to float a battleship probably. All right. Yeah. Are you from Long Island as well? We’re in Long Island.

 

Jeffrey Friedman (04:47.275)

Yeah.

 

Jeffrey Friedman (04:52.161)

Yeah. Yeah. So anyway, being from Long Island, it always came up. I am. I am actually from Lawrence, which is near Atlantic Beach on the South Shore, close to the Rockaways. So close to the city. Nassau County, yeah.

 

John Verry (05:02.862)

Hmm.

 

John Verry (05:07.31)

Okay, so Nassau County. Yeah, I’m from Suffolk County out sort of in the center of the island there, a little town called Center Reach near Lake Rekokoma. So, all right, so people don’t want to hear us chat about, the only funny thing about Long Island is that back in the day, I was used to joke that everyone would say to me, oh my God, I have a cousin on Long Island. You might know him. I’d like, Long Island’s like 120 miles. Yeah, yeah, yeah. So anyway.

 

Jeffrey Friedman (05:15.257)

I know it.

 

Jeffrey Friedman (05:30.349)

It’s a pretty big island. Pretty big island.

 

John Verry (05:35.692)

So physical security, interesting, right? So if I say back in the day, let’s say pre-World Trade Center, pre-COVID, pre-highly virtualized workforce, things of that nature, I would say physical security was a pretty straightforward practice, right? You had a local data center, you had key card access, you had video cameras, maybe a front desk that signed you in. How has physical security changed with these increased threat profiles, with the new

 

Jeffrey Friedman (05:39.66)

Mm-hmm.

 

Cool. See you.

 

Jeffrey Friedman (05:52.213)

Yeah. Yeah.

 

John Verry (06:04.97)

work model, cloud first companies, virtualization, et cetera.

 

Jeffrey Friedman (06:09.741)

Let me backtrack for a second because I want to just explain something to your audience, is when we were developing the context of not early days, I didn’t even think about this, but when we were developing the programs for the critical infrastructure in let’s say the mid 2010s, right? We really just modeled it after Zero Trust.

 

We really just took the considerations that cybersecurity people were taking and saying, look, you know, if I don’t know who you are, you shouldn’t be have access to this. Right. And there was a concept of we don’t trust anybody. You have to prove yourself. You have to verify yourself. You have to authenticate yourself and then we’ll give you access. And we just applied cybersecurity methodologies into physical security and then created software to support that. Right.

 

So the idea of it being a cloud-based system, which is what we’re getting at to now, simply who has access to the system is still a cybersecurity problem, right? I’m going online, I’m going to schedule my visitor.

 

Well, you need to have your cybersecurity credentials to get into the system to even schedule somebody or identify somebody. And then the process keeps going. The security officer that’s signing in is also signing in through a credential into the cloud service. The cloud service also ultimately creates a data link, basically you could say, that supports information to help you process people better.

 

You process people that might be, might discover who’s at risk and who might be at risk, who’s not using the system well and how long it takes people to process. And essentially by using a cloud distributed system, you enable sort of the sharing of data across disparate geographies, disparate users of different roles and permissions.

 

Jeffrey Friedman (08:09.609)

And there’s a lot of different roles in physical security that people have different permissions. And once again, it’s very similar to it’s a cyber security model inside the system itself, right? That makes sense inside the system. Inside the ecosystem, it’s a cyber security software, no different than like Salesforce, where people are on serving the management of sales is the actual goal.

 

But the solution is still a cloud-based hierarchy of permissions.

 

John Verry (08:44.076)

Yeah, so what you’re saying is authentication authorization is authentication authorization, like whether it’s a physical model or a logical model, right?

 

Jeffrey Friedman (08:54.413)

Correct, like basically when we sign into a program, let’s say it’s multifactor, right? I sign in, then I might get an SMS message and I prove that it’s me because I have my phone, right? That’s a very easy sample. Whether it’s Okta or Ping or any of these other identity management solutions. Maybe there’s a dual authentication methodology, right?

 

Maybe there’s a third, maybe my GPS is also recorded. Like I’m supposed to be somewhere, like another factor, supposed to be somewhere where I’m using this and I’m not, meaning why am I in Japan when I should be in New York using my computer, right? That’s another authentication method. Yes, we apply those concepts.

 

But physically, a person is trying to get some into someplace where they physically actually are. And then what methodology are we proving that they are who they say they are? Let’s just take identity as a concept, right? We might take their facial recognition, right? This is definitely them and we compare it to their driver’s license. OK, so now we’re proving their identity in the physical world, right? And they actually showed up on time.

 

They’re scheduled, they should be there at that time, not five hours early, not five hours late. And beyond that, somebody else may have sponsored them. That person’s a real person. So now you have many factors, multi-factor authentication really happening at the gate. Does that make sense?

 

John Verry (10:30.722)

Yep. Yeah, it makes total sense. in a way, right, one of the things that for years we’ve kind of heard about this, you convergence of cybersecurity and physical security. So it sounds like you’re kind of leaning into that idea right there where you’re beginning to talk about that. you know, is that something that you’re seeing at this point in time? Have we reached that point of convergence from most organizations that you work with?

 

Jeffrey Friedman (10:53.229)

No, not in the way I just described that they’re utilizing, they’re not putting it all together. There’s elements that cross-connect. An example would be I’m using my Okta Identity System or my Active Directory Federated System from Microsoft as my sign-in tool to use other products.

 

You know, so you see a little bit of that and that’s just, it would be the same if it was Salesforce, right? If you would say that there’s convergence between sales and cyber, would you say that’s true? don’t really know, but what.

 

John Verry (11:31.246)

Yeah, so let me ask a question, though. So I liked what you, I thought it was very interesting what you said a little bit earlier where you were talking about the fact that someone has authenticated with a computer in one location, and now maybe they’re trying to badge in at another location, right? Which would be illogical. So what we’d call an impossible authentication or impossible. So does, would,

 

What percentage, I guess maybe a better question to ask, what percentage of organizations would catch that? Because to me, that’s when I think of beginning that convergence. It’s sort of like sharing that information in a way that it adds that additional context. I love that phrase you used earlier, context. What percentage of organizations would actually be able to detect

 

Jeffrey Friedman (12:06.487)

and

 

Jeffrey Friedman (12:17.411)

Well, they could. The answer is, are they? Right? I mean, are you asking me, are they? Are they putting it together? I think it’s there’s a dream story here that we’re trying to help with on this on this front, which is it’s a the information that you can get out of physical access control reveals that truth to and that you would compare it to the other side of it, which is your cybersecurity element of

 

John Verry (12:23.534)

Good point.

 

Jeffrey Friedman (12:48.385)

this person through this IP address at this network is definitely in this country, right? And that’s something, there’s something wrong and I want to set an alarm, right? I would say a very, very, very low percentage of organizations are actually putting A plus B equals C together. And if they are, and I know a lot of organizations, it’s two separate,

 

distinct families within the security world under the CISO maybe. Because there could be a chief security officer at a CISO or there could be a CISO who has a chief security officer reporting to him who’s dealing with physical security, maybe another one with executive protection, right? And so, you know, maybe there’s a group I’m being like.

 

fundamental about this. Let’s say there’s a group of 20 very important employees inside an organization that are critical to the functioning of the business and they get additional executive protection. We need to know what they are all the time. So there is that tracking. Does that make sense?

 

John Verry (14:00.483)

Yes.

 

Jeffrey Friedman (14:01.697)

But again, that might be siloed into the reality of what they’re trying to do, which is protect the families and the executives in case, you know, and I mean, if we, know, the United Health Care CEO story has definitely like ramped up that for a lot of companies.

 

John Verry (14:23.234)

Yeah, Louis Mangioni opened some eyes, I think. So I like what you said. So it’s the same historical problem that we’ve always had. We have this problem with the siloing of enterprise risk versus cybersecurity risk versus third party risk. And you’re adding physical security risk and maybe even executive protection risk. If we’re not looking at these in a unified way, we’re putting ourselves at risk, essentially.

 

Jeffrey Friedman (14:47.49)

Mm-hmm.

 

Jeffrey Friedman (14:51.605)

You know, I want to say like I feel like I’m on the edge working on it with clients showing them the tool sets that you can actually accomplish these kinds of goals. And it’s all, you it’s really not that hard, if you know what I mean, because the info is there, the data is there. So it’s like the convergence of it all is available.

 

but you’re asking me how many are really looking at it and I think that’s a very low percentage. From a surveillance point of view, right? I like I’m observing what is going on between these two systems and there is cross value, like crossover value to observing the risk.

 

John Verry (15:20.654)

Okay. Yeah.

 

John Verry (15:35.918)

Right, and it really shouldn’t be that hard, right? So, all right. So I think when we think about non-human identities like system accounts, things of that nature, right? They’ve traditionally lived in the world of, I’m gonna call it a cybersecurity challenge to manage and validate, age out, et cetera. Increasingly in the organizations we work in, there are non-human identities.

 

Jeffrey Friedman (15:38.381)

Correct.

 

John Verry (16:03.626)

that we need to manage, right? Autonomous vehicles, drones, IOT devices, maybe even now you talk about agentic AI. How, some of those are gonna be physical security challenges, right? How are we, how should organizations be approaching that risk?

 

Jeffrey Friedman (16:23.565)

So, this is actually very interesting because systems, large system AI that the company relies on probably needs their own sort of framework for managing the cybersecurity risk and or,

 

I’m not saying that these things are going to be sentient tomorrow, but what if they were and they decided, hey, I’m going to go off the rails and go into the network. I personally, as a leader or expert, do not cross into that figuring that out. But what I do think about a lot is that people, drones, certain containers,

 

autonomous vehicles are coming and all of a sudden there are operators like people who are responsible that are operating these things and they’re orchestrating it. There’s still a person engaged in the orchestration and responsible and have to sign off on these deliveries on these on patrols like you know right now there are drones going on patrol.

 

somebody’s operating it, right? So it’s kind of like cross connecting that there is a human in the loop. I don’t know if that expression, but there’s a human in the loop somewhere. And that person needs to take responsibility for administrating those autonomous.

 

activities right so we’re connecting the dots of like who is responsible and that there’s like sign off on what’s going on and then once once once once that occurs you’re still even if there’s a driver or not a driver that vehicle should behave

 

Jeffrey Friedman (18:06.733)

certain way. Does that make sense? There’s a behavioral analysis of where is the what’s the vehicle doing. Simple. Vehicle is on a service road and it’s going 70 miles an hour. Doesn’t matter. That’s bad. It doesn’t matter whether it’s drive or not, right? So there’s an observability of behavior that might indicate time to mitigate the risk.

 

John Verry (18:28.834)

Yeah, and that concept of physical security when it comes to devices of that nature gets really interesting, right? Because we could talk about the physical security we just talked about. We could talk about the physical security of humans having the authority to enter, control those devices, right? And you could have physical security relating to protecting the device itself, right? Can someone get into the vehicle? Can someone connect to a port on the vehicle to do something to the vehicle?

 

Jeffrey Friedman (18:50.017)

Mm-hmm.

 

John Verry (18:58.094)

And then you’ve got the idea of physical security. Can this device enter this facility? Can this autonomous vehicle, is it authorized to open the gate and enter the underground facility? So I guess the concept of physical security to these devices is multimodal.

 

Jeffrey Friedman (19:12.214)

Yeah.

 

Jeffrey Friedman (19:17.055)

Yeah, I mean, we’re talking about something. We’re here at 2026. We probably all can’t believe how quickly AI has changed the map in the last two years. To me, and I develop technology, I feel like AI in the last year has made an incredible leap.

 

And if it keeps going at this speed, it’s very, you know, like we should have some concerns about security. And I think it’s not too hard to imagine that if a organizational AI said, hey, I want to make a delivery. And the thing that’s in my way is this bollard that’s controlled by another AI.

 

right needs to go down for me to make that delivery. I’m not even talking about this risks reality, right? That the two entities would talk and trust each other to enable the framework of the baller to go down or the gate to open. And then the truck comes in and they pull up and they make their delivery, right? People take the stuff out and then the vehicle leaves the gate opens and it’s all completely automated. And it’s all great because it’s

 

John Verry (20:15.565)

Yes.

 

Jeffrey Friedman (20:33.231)

sufficient, no people, right, save a lot of money, but then you start to think, wait a second, if it could do the good thing, good delivery, it could do the bad delivery using the same protocol without anybody in the loop. Does that make sense what I’m saying?

 

John Verry (20:49.026)

Yeah, yeah, it does and then on top of that you said people are gonna unload it well, know increasingly if you look at what you know X or X AI or whatever whatever the name of Elon Musk latest company is or you know, the Chinese or Boston robotics, right? We’re seeing robots. mean literal robots that you know, we are not far from It’s probably happening at you know in some places already right so you’re you’re you’re really talking about

 

Jeffrey Friedman (20:57.289)

or Amazon? Yeah, yeah.

 

Jeffrey Friedman (21:03.586)

Yeah.

 

Yeah.

 

Jeffrey Friedman (21:13.953)

Yes. Yes.

 

John Verry (21:17.972)

in theory the potential for all that to happen without

 

that it could happen without any human in the loop. So it’s interesting that what we’re talking about, right, like there is this component, like all of these things are inexorably linked, right? know, cyber, AI, physical security, there are no boundaries, right? Like we need to work, I guess this is a phenomenal argument for the convergence, right, that we talked about earlier, right?

 

Jeffrey Friedman (21:26.039)

That’s right.

 

Jeffrey Friedman (21:34.987)

Yes, that’s.

 

Jeffrey Friedman (21:42.893)

Let’s talk about efficiency, not security for a second. What is the efficiency of a long haul truck going from, let’s say, Ohio to Philadelphia, right? And there’s two distribution centers, right? They both have gates, right? Because you’re trying to protect from theft.

 

The vehicle that has no driver pulls in. It’s the right vehicle at the right time. The gate opens up and the vehicle finds its way to the dock and the dock or the bay of the dock. And then the machines come in and they pull the pallets out. And then now the vehicle leaves and goes on to whatever the next journey is. Everything went great. Everything went amazing.

 

Nobody even had to do anything. And the same thing could happen for a flying drone, right? The drone comes, picks up the medication and departs, right? Stays on path, stays on path, stays on the pathway. And two computers are talking to each other from two different companies the whole time.

 

There’s a cybersecurity element, like we don’t want a bad person to get into those solutions and change the output, if you know what mean, or the outcome. So cyber is a requirement of the future of physical security. And then this second part, which is the future of physical security, is going to be very dependent on cybersecurity, if not more.

 

We’re at an Asian stage where it’s not really day-to-day stuff that’s happening. But, you know, I mean, it’s, we’re at a highly accelerated reality with drones, highly accelerated because of Ukraine and now the Iranian conflict. Autonomous drones are happening. The battle at…

 

Jeffrey Friedman (23:49.889)

right now about anthropic not allowing for a lethality of its AI and why they’re being shunned by the government is relevant to the fact that they don’t want to have that as a consequence of autonomous decisions, right? So I think that we’re on the verge of something here that probably is a must have. When we say, not now, but there’s going to be a must have here for sure by the CISOs to really

 

take over these budgets, if you know what I’m saying, like take over this part of the reality of the risk and begin the concept of using their cybersecurity chops into the physical world, which is much more ad hoc, which is just much more, you take it as you get it. It’s not easy to create a framework that’s ubiquitous.

 

John Verry (24:43.586)

Yeah, this conversation has me thinking much more significantly than I honestly expected it to. I spent a lot of time pondering AI and AI governance and the risks associated with AI and the new threat vectors that will exist. And I hadn’t really thought through very well, shame on me, what we just talked about, right? That the how

 

Like on a first pass logic, you wouldn’t think AI would drive physical security to higher levels, but I think you just painted a good picture of why it does. And it’s also interesting to me. So another area that I think is driving physical security’s importance at the moment are some of the emerging regulations that organizations are subject to. Most notably, CMMC.

 

right, in the defense industrial base, right? So all of the manufacturing facilities that are processing CUI, many of have shop floors. Shop floors are historically not a physically secured space or not very well physically secured, right? We’ve got loading docks, we’ve got trucks coming in and out. Often we don’t have any physical restrictions to get even onto the property. And then the other one, which also I think

 

we’re seeing more of is T-SACs, T-I-S-A-X, that’s in the automotive supply chain. The physical security becomes very important if you’re doing any prototypes for the automotive OEMs. So I’m curious, have you yet seen those things starting to impact your business?

 

Jeffrey Friedman (26:25.581)

Well, I mentioned that we work in military environments. So CMMC is real and other FedRAMP, IL-5, these are things that are part of my journey, as they say. But I think what they’re trying to accomplish is not too different than the NIST 800 or…

 

program and then just sort of applying it in a different type of framework. So they kind of have their own, but it’s very similar, very similar to the controls that are in this already. And there are other regulations to consider in the physical world that are beyond.

 

cyber, includes like FDA health regulations and OSHA and a lot of other things that are relevant in physical world stuff that you can be violating different other things than just, you know, security problems with his health standards and rules of the road. you also remember that operations doesn’t stop. There’s a lot of exceptions made so that things can actually occur.

 

because if you just got stuck into regulations, a lot of things just stop. And so you have to make a decision whether the operational risk of stopping or the negative impact of the operational risk is worthy of stopping the flow of the business itself, right?

 

So enforcement of regulations is another questionable thing that goes on in this country and all countries. Like how much money are you gonna put towards the teeth of the regulation? And I always use this as my favorite example is who doesn’t drive 70 on the highway? Do we say, we all know, but we’re practicing a different program.

 

John Verry (28:23.915)

Exactly.

 

Jeffrey Friedman (28:31.979)

than what the regulation is, right? Why? Why? Because it’s the way it is, right? And if I don’t go, if I go 55, it’s not really safe for me.

 

John Verry (28:42.55)

No, you’re actually you’re actually endangering yourself these days driving, you know, at exactly the speed limit if you’re in at least in the northeast and probably out in in Nebraska and Wyoming and places like that as well, right?

 

Jeffrey Friedman (28:52.343)

Yeah, so it’s funny, it’s like, you know, I am in this world and I ponder the things that I just mentioned to you a lot and I think that there’s a lot of room for…

 

collaboration and working together. And there’s a lot of distance between, you know, maybe even understanding how doors operate and doors open. How do they open? What does it mean to have a card read at a door? And how does it actually, because there’s electrical engineering in some of that to make it work, right? And, you know, you can go to a building, there’s panels all over and you can act. And this is also, CMMC is being applied to the panels.

 

the panels, not like what you would call like a complete, you know, cloud based system, but at the local level on the edge, people are let to let in through doors because a decision is made at a panel that’s local. Need that for fire, for fire, for life safety, you need to be able to open the doors if there’s a fire to make sense locally, and you may not have the internet to do it, right? So you need to have

 

John Verry (29:59.918)

Yeah, I never thought of that. That’s really interesting. And to your point, that’s something that somebody like me, who’s been doing this a long time, would never have been cognizant of prior to this conversation.

 

Jeffrey Friedman (30:09.752)

Well.

 

know, the POS systems that are at every single target are the one that got hacked by the HVAC guy that got into the cybersecurity because he got into the POS system through this to the local HVAC system network that he needed to fix the HVAC system, which sends signals about controlling heat, cold air, right? And now all of a sudden some guy got into the POS. So the breaches on the cybersecurity, we’re kind of moving into the other subject that’s very interesting.

 

cybersecurity and physical security is that the physical security networks to a large degree are siloed in different ways, right? They’re a different network, hopefully. Sometimes they’re not. Sometimes they’re actually separated by, you know, like routers.

 

John Verry (30:58.648)

Yeah, they’ll firewall them off now. like in the old days, ITOT were completely segregated. Now, most of the time, you’ll see some type of, there is some IP connectivity that’s in a perfect world tightly controlled through firewalling and access control and authorization. So in a perfect world.

 

Jeffrey Friedman (31:05.463)

Yeah.

 

Jeffrey Friedman (31:20.467)

Yeah, okay, but right, so here we are, here we are on the edge, HVAC vendor getting access to a facility into a hopefully a secure room where the HVAC system is, has access to the network and that router isn’t configured well. Let’s just say well, okay?

 

Now he could infiltrate whatever subsystem is available to that particular building. And now you’re going back up through the network, right? If you’re a sophisticated hacker, it’s a nice, it’s a perfect endpoint to get to something bigger than the average employee’s computer.

 

John Verry (32:08.366)

One thing I hadn’t thought to ask you, but I’ll ask you, how much of what CESA, the Critical Infrastructure Systems Agency, TSA and their control over ports and energy pipelines, regs and privacy, excuse me, physical security relating to core infrastructure, whether that’s water, whether that’s electrical grid, how much does that drive your business?

 

Jeffrey Friedman (32:08.395)

And that’s everywhere.

 

John Verry (32:38.272)

and anything interesting going on there.

 

Jeffrey Friedman (32:44.749)

I, you know, typically, and this is sort of the truth amongst physical security in general, like the government does not have enough money and personnel and people to protect everything. So what they do is they create public private partnership arrangements.

 

where the public company, I’m sorry, the private companies really work well with, hopefully work well with the agencies that are appropriated for each one to figure out what to do and share notes. It’s a very interesting non-competitive world.

 

because we’re not really competing for who’s got the best security. We’re competing to make sure everybody’s safe. So the banking industry, for example, gets a lot of value out of the agencies because this is our critical infrastructure, banking, right?

 

So the teams, think a lot of the CISOs for sure are like getting together with other banking CISOs talking about what’s their liability and the federal government really sets it up as best they can so that they can learn together, all of them and share information together about what’s on the docket for the day and other protective ways to protect each other because one…

 

One bank’s failure is every bank’s failure when it comes to this kind of any confidence lost is just bad for all the banks. So that also applies to the grid, right? Or water treatment plants or nuclear facilities. Nuclear facilities are highly regulated by various groups and they’re part of the Department of Energy and part of the part to an extent of the Department of now the war.

 

Jeffrey Friedman (34:41.473)

So they’re sort of different. I put them on a different plane because they have to deal with theft of nuclear. There’s a lot of things going on there. But there’s a lot of electrical substations around this country that are unfortunately, well, fortunately not as protected as they should be because it’s just impossible. They’re scattered everywhere. would take a lot of people.

 

know, outdoor facilities sometimes are subject to weather and other conditions, very, very difficult. And so I don’t know if I’m digressing here,

 

John Verry (35:18.942)

No, no, it’s it’s an interesting. Did you see the so it’s funny you should mention the electrical substations, right? I saw something today which really surprised me and I’m assuming it’s accurate Where Trump was talking about? Not bombing certain things within Iran because it would set them back it would take them many years to recover and apparently at the heart of Electrical distribution systems. There’s this one. I don’t know was a giant transformer like

 

Something which is custom, takes years to build, costs like a billion dollars or like some insane amount of money. So if you blew that up, it’s not like they can go and get a new one. And literally would largely cripple the grid. So to your point, we need to make sure we’re investing those dollars into the right place from a physical security perspective. Because I mean, look, we’re not going to stop necessarily an Iranian drone from hitting one.

 

but we could prevent somebody from, like you said, driving up in a truck loaded with chemical fertilizer and causing a problem,

 

Jeffrey Friedman (36:26.453)

Yeah, mean, the government’s basically like separated all businesses into 16 sectors and each sector, if you looked at it independently, it would be like, that’s pretty important. You it’ll just take hospitality, for example, like our economy relies a lot on hospitality. So any incident in a huge hospitality situation would be terrible. Just just terrible. So

 

It’s kind of like the sectors work together to figure out what’s the threat of the physical world and to a large degree cyber. Like I said, the banking, it’s a lot about the cyber problem. And many of the agencies work really well hand in hand with the leaders, the CISOs to effectuate the best plan and share. And share. there’s a lot of things that aren’t public that happen.

 

to effectuate, you

 

John Verry (37:22.722)

Yeah, the ISACS is really what you’re talking about, right? The Information Sharing and Analysis Center, I think that stands for. So we’ve done a little work with some of the ISACS in terms of looking at the threat feeds and understanding what they might mean to core clients. So I get it.

 

Jeffrey Friedman (37:29.292)

Yeah.

 

Jeffrey Friedman (37:38.83)

I mean, if you’re familiar with InfraGuard, is the one that is the, right? So that, yeah, so they, I think they’re leaning harder towards the cyber side these days than they are the physical side. then, know, CESA are the same at DHS, you know, they’re mostly focused on protecting, because the critical infrastructure from the cyber side is so detrimental and.

 

John Verry (37:43.042)

Yep, I am. I’m a member.

 

Jeffrey Friedman (38:07.053)

that it’s something that they could actually be effective with. And when you look at the physical thing, the problem with physical security is you have to look at each facility and building separately and see the conditions of things. It doesn’t matter whether it’s a stadium or a huge iconic landmark, there’s just different conditions everywhere. And so it’s impossible to have a static framework.

 

for this is what you need to do, you know.

 

John Verry (38:35.808)

Right. Right. The other thing which is why I think is that the universe of bad actors, right? I mean, you could literally have a teenager sitting in his bedroom in some godforsaken place who finds a path into someplace where he shouldn’t be where that same individual or those tens of millions of potential individuals are not going to be able to get too proximate to this physical facility, right? Or wouldn’t have, I can.

 

I can take a grid down with a $600 MacBook, but I can’t take the grid down. I would need far more resources to be able to take down the grid with a physical act. So I think that’s another reason why that emphasis is because the universe of and the amount of resources required by those individuals is so much lower.

 

Jeffrey Friedman (39:29.377)

Yeah, there’s also the context of.

 

information that’s on the network to produce the information that will support the physical. Let’s just go with theft, right? You go to a health care facility. The most protected part of the facility is probably the obstetrics, right? If you’ve ever been like they’re pretty tight on that. They have a different like access system for that. And then the drug closets where all the drugs are stored. So part of it is also like, how do I know where the drugs are stored? Right? Is that on?

 

the network, like is there a map on the network that I can access so I can figure out where I need to go inside the building? Or what about when do I know when are the deliveries made? Who’s making the deliveries? Where are they coming from? Maybe I could stop the truck on the way. You know, if you’re doing sophisticated theft of things that are very valuable, you are probably going to do your research and that’s going to be a cyber breach maybe that didn’t even hurt anybody, but they got the information they needed. Does that make sense?

 

John Verry (40:31.822)

Right. Yeah, in fact, if they stole that information, they could do it quietly and no one would ever know that it was stolen.

 

Jeffrey Friedman (40:39.853)

Correct. you don’t even know if it was a hack or someone shared some information, but you might have the footprints inside the network from the forensic footprints inside the network, which to a large degree for a CISO, just like that, you know, part of the bread and butter is having the systems in place to make sure you can capture the footprints, which is whether it’s a cybersecurity crime or not, they did it on a network.

 

You know what mean? Like what we’re thinking of is like direct attacks or phishing attacks, but there’s other corporate infiltration, corporate espionage. is the key. It’s like somebody gets to a facility and he’s been there a lot of times and he figures out what people logging in with because he’s had access to the facility. Then he goes offsite, figures out how to log in.

 

and gets everything he needs because he’s pretending to somebody else, right? He’s using the fact that they only have a singular faction of identity access, right? Single factor, you know what I mean? And so now I can get online and get what I need and nobody even saw me, you know? And I wasn’t even there when it happened.

 

John Verry (41:58.575)

And you just touched on another value of that physical and cyber convergence is in most organizations, when you do some type of incident response, incident detection, incident analysis, even determining whether an event should rise to an incident level, you’re in a sim usually. That’s where we’re going to see this data. And if we don’t have that physical security data in there as well, we could be missing a key piece of the

 

Jeffrey Friedman (42:04.225)

Mm-hmm. Yeah.

 

Jeffrey Friedman (42:28.169)

Yeah, I mean, to a large degree, to oversimplify like what my career and expertise is really about is I’m trying to figure out who’s not supposed be there, who is supposed to be there when it’s not a normal staff. So, you know, everybody comes to the…

 

before COVID, right? Everybody came to the building nine to five, 80 % of the people in the building were supposed to be there. And some percentage were only there temporarily. They could actually be staffed from another office that doesn’t have access to the building normally, but had to get temporary access or a vendor or.

 

A visitor to a patient, has a visitor coming. You there’s a lot of different scenarios here. It’s very hard in public venues, very, very challenging. I tour a lot of public venues about that situation, which is you really just don’t want, you don’t know anybody, right? And they’re coming to your facility and you might be in critical infrastructure, like a train station, where it’s a very big challenge. So that’s really my career, like looking at.

 

what we could find out about what’s wrong with this picture. A little bit like where’s Waldo, right? And that’s also on a network. Why is this person touching this server when that’s not their job? What’s going on here, right? So the same framework of thought process that’s in the zero trust architecture is the thing that we apply in the physical world as best we can using the tools that we have.

 

John Verry (44:10.478)

So I think that is an ideal idea, thought process, to actually end this podcast on. What you do, what we do, is largely the same, largely using the same frameworks. And it even increases the idea of this convergence being a necessary evil, especially in the evolving space that we’re in with some of the other issues we talked about. So this has been fun, man. I appreciate you coming on. Yeah.

 

Jeffrey Friedman (44:18.157)

Anyway.

 

Jeffrey Friedman (44:34.187)

Yeah, I appreciate it. Thanks, John. John, thanks for having me and I hope to meet more of your audience soon. Thank you.

 

John Verry (44:41.282)

Yeah, well, real quick to that end. How can, if somebody would like to reach out to you, what would be the best way for them to do that?

 

Jeffrey Friedman (44:47.147)

Yeah, I currently I’m a Jeff at Fortify and that’s F-O-R-T-I-F-Y-E dot com. You can reach out to me that way and check it out. We’re building AI agents to kind of like combat some of this stuff. But actually, you know, part of it is just we’re figuring it out fast.

 

Things are changing very fast. So I really appreciate people’s ideas, concepts, things they would like to see executed that they just can’t seem to figure out how to put A plus B together. I’m very fortunate that I’m around a lot of people who are basically in that same boat. We’re trying to figure out how to.

 

make places that are safer, and make sure people have a great experience in the process. Visiting a building shouldn’t be the worst part of your day. It should be the best part of your day, right? And have a good experience, and be efficient in your deliveries, and not have the hassle of security. Less friction.

 

John Verry (45:52.686)

God’s ears man. Alright listen, have a great weekend. Have a great weekend and thanks everyone.

 

Jeffrey Friedman (45:53.611)

Yeah, I know. Thank you, you too.

 

You got it.

Back to Blog