By Eric Moreau, Partner at Theseus Professional Systems
Modernizing a security program is not about chasing shiny objects. It is about reducing risk, speeding response, and building a foundation that keeps working when your organization grows or regulations shift. At Security Technology Forum 2025 I joined Jeff Drews from Southwest Microwave, Tino Urbina from Commend, and Jeff Fields from Gallagher Security to unpack what modernization really looks like. Below the panel discussion recording is how I translate those insights into concrete next steps for the clients I serve as a consultant and engineer.
For years, physical systems could sit untouched if they were still “working.” That mindset no longer holds. Cybersecurity expectations, policy changes, and the pace of analytics require a living program. When I assess a site, I typically find a mix of end of life devices, unpatched firmware, and siloed platforms. These are not minor housekeeping items. They are risk multipliers that slow operators when seconds matter.
Client benefit: treating modernization as a program instead of a project gives you predictable upgrades, cleaner audits, and less firefighting. It also lowers total cost of ownership by reducing expensive emergency replacements.
My design work starts from a simple reality. Your SOC, your cyber team, and your physical security team are already connected whether you plan for it or not. Identity data, network health, edge device integrity, logging, and response workflows cross that boundary every day.
I align clients around three practical moves:
Shared policy and vocabulary. We write access, video, and alert handling policies that use the same terms and escalation paths as IT and cyber.
Data integrity as a requirement. If a device produces an alert, we treat the transport and storage of that data as part of the control itself.
Cloud reality check. If you are using or exploring cloud or hybrid architectures, we define governance and controls before the first workload moves.
Client benefit: fewer blind spots at handoff points, faster investigations, and cleaner compliance evidence because cyber and physical controls reference each other by design.
AI is no longer a lab topic. Operators can now ask questions in plain language and pivot across video, access, and alarms. My approach is to pilot one high value use case instead of boiling the ocean. Examples that work:
Find a person of interest as they traverse multiple cameras and doors
Summarize last night’s alarms and flag anomalies that break policy
Detect tailgating patterns or off hours door activity and create a case automatically
We pair the pilot with training and policy updates so the workflow sticks.
Client benefit: faster time to evidence, fewer manual searches, less operator fatigue, and a clear ROI narrative you can show to leadership.
Many clients ask if they should choose an open or proprietary system. The better question is how the platform integrates and how long it stays compatible. I look for:
Documented REST APIs and actively maintained integrations
An “evergreen” roadmap that preserves compatibility across releases
Proven bridges for common third party devices and credential ecosystems
Some vendors will always protect their core software. That is fine if they are serious about ingesting and sharing data. I design for that reality with interoperability at the architecture layer and pragmatic vendor selection at the product layer.
Client benefit: freedom to phase upgrades, connect best of breed subsystems, and avoid forklift replacements that drain budgets.
Regulatory mandates like FIPS, NIST 800 series, SOC 2, CMMC, and FAR or DFARS rules are evolving and they are influencing commercial standards. I treat them as guardrails. Even when a client is not in a regulated sector, we borrow from recognized frameworks to justify choices and set baselines.
A common pattern in my engagements:
Map current controls to a lightweight control catalog
Identify end of life and unsupported items as security findings
Tie gaps to concrete incidents and known risks
Use that map to phase upgrades by impact and urgency
Client benefit: modernization budgets tied to risk and compliance outcomes instead of wish lists, with third party evidence to support funding.
You do not get budget because a feature is interesting. You get budget because the upgrade reduces risk and increases resilience. Here is how I build that case with clients:
Client benefit: faster approvals, less pushback, and partners across the organization who own a share of the outcome.
Zero trust at the edge. Device identity, certificates, encrypted transport, and credential hygiene are non negotiable.
Lifecycle discipline. Track end of life and schedule firmware updates two to four times per year based on vendor cadence and risk.
Telemetry first. Design for searchable metadata across video, access, and alarms. If you cannot query it, you cannot improve it.
Operator centered workflows. Technology should shorten steps for the people who use it. We test in the SOC before we scale.
Evergreen architecture. Choose components that survive multiple cycles so you can phase without ripping and replacing.
Client benefit: fewer surprises, simpler audits, and a platform that gets smarter with each improvement.
If you need to move quickly, I run this as a standard playbook:
Commission a third party assessment or engage me to lead one with your team. The goal is a prioritized risk and lifecycle view.
Build an interoperability map. List how systems talk today, where APIs exist, and which bridges are proven.
Publish a phased roadmap. Identify quick wins in quarter one and sequence the rest by risk and disruption.
Institute update hygiene. Create a firmware and certificate schedule and assign owners.
Pilot one AI use case. Pick a high value workflow and document operator time saved.
Stand up a cross functional council. Security, IT, Facilities, and Compliance meet regularly with clear roles and metrics.
Client benefit: visible momentum in weeks, not months, without betting the farm on a single big bang project.
When modernization lands correctly, operators get to decisions faster, audits get cleaner, and leadership sees a clear return on investment. Perhaps more important than any metric, people feel safer. Tino said it well during the panel. Unified communications, access, and video save minutes more than meetings. That is the north star I keep in every design and every plan.
If you want help turning these ideas into a concrete roadmap for your environment, I can start with a focused assessment and deliver a phased plan that aligns to your mission, your budget, and your risk profile. Modernization is not a one time sprint. It is a steady discipline. With the right architecture and the right partners, it becomes a path you can trust.
Watch our free on-demand webinar featuring insights that transcend healthcare and apply to any facility security program. Whether you're managing a hospital or a corporate campus, the strategies discussed can help improve your environment’s safety and operational readiness.
This webinar is available on-demand, allowing you to watch at your convenience. Don’t miss this opportunity to learn from one of the industry's leading experts and take your facility’s safety and security to the next level.
To register and access the on-demand webinar, click here >>
Security professionals are constantly looking for innovative ways to secure their facility and provide a safe environment within their budget. And, they are also constantly looking for resources to help them achieve that mission while expert advice is hard to come by.
Fortunately, we have released a considerations guide that will help security professionals perform their own in-house security risk assessment.
What's Inside?
This guide is intended to assist you with performing an in-house physical security risk assessment. In many cases, assistance from a third-party expert, like Theseus Professional Services, is required.
Identification of missing or inadequate physical security measures that safeguard assets (people, property, and information) and critical business functions is of paramount importance. The findings of a security risk assessment are used to measure and communicate the level of risk to the organization.