Compliant… but Not Secure? Rethinking Cyber Risk in Modern Security Systems
- SEME Editor
- Apr 17

SEME Insight
Following a recent ISC2 session in the Middle East, Steve Kenny, senior technology leader at Axis Communications, shares key perspectives from discussions with end users, consultants and system integrators on one of the industry’s biggest emerging challenges.
As security systems become increasingly connected, this insight explores why compliance alone is no longer enough, and why cybersecurity must be considered across the entire lifecycle of a system.
Security systems have never been more capable, more connected, or more widely deployed.
Across regions like the Middle East, frameworks such as SIRA, ADMCC and others have set a high bar for how systems should be designed, installed and operated. They are, in many ways, a gold standard for operational security.
But there is a growing challenge that the industry is only just starting to confront. Systems are being designed as physical infrastructure… but deployed as connected, digital technology. And that changes everything.
Operationally Strong… but Cyber Isn’t Keeping Pace
If you look at most modern security deployments, they are well thought through from an operational perspective.
· Camera coverage is defined
· Retention periods are specified
· Monitoring and control requirements are clear
· System resilience is considered
In regulated environments like the Middle East, these requirements are often mandatory and enforced.
But when it comes to cybersecurity, the picture is very different.
Cyber is typically addressed indirectly:
· network requirements
· user access controls
· audit trails
All important… but not sufficient. And well behind many other regions around the world.
What’s often missing is a structured approach to:
· device security
· vulnerability management
· lifecycle support
· ownership of cyber risk
Which leads to an uncomfortable reality: A system can be fully compliant… and still be vulnerable.
The Design Gap No One Owns
In many projects, the responsibilities are clear on paper:
· Consultants design the system
· System integrators deploy and configure it
· Vendors supply the technology
· IT manages the network
But cybersecurity sits somewhere in between.
And too often, the assumption is: “That sits with IT.”
From a consultant’s perspective, that’s understandable. Their scope is coverage, performance and compliance.
From a system integrator’s perspective, the focus is delivery, integration and functionality, ensuring the system works as specified.
From IT’s perspective, security systems are just another connected device on the network.
So what happens?
Responsibility is split… but the risk is not.
Cybersecurity is rarely considered at the point where systems are actually designed, and often not fully addressed during deployment either. And if it’s not designed in, it doesn’t appear later.
A Lack of Convergence
This challenge is not new, and it’s not unique to one region.
Research from ASIS International highlights that full convergence between physical security, cybersecurity and business functions is still far from the norm.
Only around a fifth of organisations have fully integrated these functions, while nearly half have no convergence at all, and many have no plans to change.
In practice, this means:
· Physical security is managed in one silo
· Cybersecurity in another
· Operations somewhere else
With limited coordination between them, which reinforces the problem: cyber risk is shared across the system… but rarely managed that way.
The Evidence Is Clear
This isn’t just anecdotal. Industry observations of system specifications and tender documentation consistently show that cybersecurity is rarely defined at the design stage, with only a small proportion of projects explicitly including cyber requirements. And at an organisational level, the same pattern exists.
PwC’s Global Digital Trust Insights highlights that only 2% of organisations have implemented cyber resilience across all areas, with cybersecurity still not fully integrated across functions and ownership often unclear.
So, while cyber is widely recognised as a priority, it is not consistently embedded into how systems are designed and delivered. And that gap is where the risk lives.
The Skyscraper Problem
In reality, cybersecurity does get considered… eventually. But often too late. It’s like constructing a skyscraper: the foundations are laid, the structure is built, the building is almost complete… and then someone asks: “Do you think we should put a lift in the building?”
At that point, it’s not a design decision. It’s a retrofit. More complex. More expensive. Less effective. And that is exactly how cybersecurity is still being treated in many projects today.
Are We Addressing the Right Risk?
If we acknowledge that we work in security, there is a fundamental question we should be asking ourselves: Are we addressing the organisation’s biggest risk?
For several years now, global risk assessments and surveys, including the likes of the Allianz Risk Barometer 2026, have consistently ranked cyber incidents as the number one threat to business, ahead of business interruption, natural catastrophes and regulatory change.
And yet, in many environments, cybersecurity is still treated as secondary when designing physical security systems.
To suggest that security systems themselves are not a target is, at best, optimistic.
Recent research from Check Point Research highlights how connected surveillance technologies are actively being probed and exploited as part of broader cyber and geopolitical activity… not in isolation, but as part of a wider attack surface.
The detail of the platforms is less important than the pattern:
· connected devices are being scanned
· vulnerabilities are being identified
· and systems are being assessed for exposure
This is not theoretical. It is happening… video surveillance systems are under attack.
The Role of Optimism Bias
Part of the challenge is human. There is a natural tendency to believe: “It won’t happen to us.”
It’s a form of optimism bias, a normal, self-preserving mindset. But the evidence increasingly suggests otherwise. Cyber risk is not selective. It does not respect sector, geography or intent. And as systems become more connected, the likelihood of exposure only increases.
Security Technology Is Now Part of the Attack Surface
This is the shift the industry needs to fully recognise. Security systems are no longer isolated.
They are:
· IP-based
· cloud-connected
· integrated with wider platforms
· feeding data into operational systems
In other words, they are part of the organisation’s digital infrastructure.
Which means: Security technology is no longer just protecting the organisation… it is part of the attack surface. And if those systems are not designed with cybersecurity in mind, they introduce risk into the very environments they are meant to protect.
Regulation Is Starting to Catch Up
This is where we are starting to see a shift.
Frameworks like NIS2 and the Cyber Resilience Act (CRA) are changing expectations.
NIS2 focuses on organisations:
· risk management
· accountability
· supply chain assurance
CRA focuses on products:
· secure by design
· vulnerability management
· lifecycle support
Together, they raise the bar significantly. And importantly, they don’t stop at the EU border.
Organisations in the Middle East may not be directly regulated, but if they:
· operate in the EU
· support EU customers
· or sit within EU supply chains
they will be expected to align.
You don’t need to be based in the EU to be affected… you just need to be connected to it.
What This Means for Consultants, Integrators and End Users
This is where the industry needs to evolve.
For consultants, cybersecurity must become part of system design and specification.
For system integrators, it must be considered during deployment, configuration and handover, not just functionality. And, for end users, it must be part of how systems are evaluated, procured and managed over time.
It’s no longer just:
· does the system meet the operational requirement?
It becomes:
· is it secure by design?
· can it be maintained securely over its lifecycle?
· who owns the cyber risk within the system?
What Good Looks Like
This doesn’t require a complete reinvention of the industry.
But it does require a shift in mindset.
· Cybersecurity is considered alongside physical security at design stage
· Vendors are evaluated not just on features, but on security capability
· Systems are designed with lifecycle management in mind
· Responsibility for cyber risk is clearly defined across all stakeholders
In short: Security needs to be thought of as a connected system, not separate domains.
A Final Thought
The industry has done a strong job of defining how security systems should be deployed and operated. But the environment those systems sit within has changed. They are no longer just cameras, sensors and control rooms. They are connected, intelligent and integrated technologies.
And that means the question is no longer: Is the system compliant?
It’s: Can the system be trusted?
Regardless of your role in the process, cybersecurity is a shared responsibility. It doesn’t sit with one function, one team or one stakeholder. It sits across the entire system.
And that means it sits with all of us. Yes… even you.
It’s no longer enough to assume someone else is taking care of it. The reality is simple: if you’re involved in designing, deploying or operating connected systems, you are part of the cyber risk.
So take ownership. Take accountability. Because if we don’t address it together, we leave the system exposed and the organisation at risk.