What Good Looks Like: Governance and Shared Access
Modern physical security succeeds when governance comes first. That means defining owners, roles and workflows early — ideally before the RFP — so design choices align with policy, not the other way around. We see more jurisdictions prioritizing secure, role-based sharing from day one: Real-time crime centers and emergency operations teams need live video; facilities need health and status views; investigators need time-bound historical access.
IT governance ensures the right people get the right data at the right time — and only for as long as they need it. It also clarifies adjoining requirements such as retention policies, identity management, audit trails and change control. When those decisions are made up front, projects deploy faster and avoid post-installation rework. To ensure that IT shares in the upkeep and security of this new class of devices on the network, document responsibilities and processes within a standard operating procedure.
Build It Right: Segmenting, Hardening and Sharing
State and local government IT teams should take measures to build a separate video surveillance LAN. Here are some measures to consider.
Start with segmentation: Treat cameras, access control panels, intercoms and sensors as a distinct, tiered environment — often on separate virtual LANs or even physically separate hardware — so their security and latency priorities don’t compete with general business traffic. Pair network segmentation with identity segmentation by enforcing least-privilege, role-based access across video management and access control platforms. This reduces the blast radius if something is compromised and streamlines legitimate access for partners.
Harden the edge: Many attacks begin with default credentials, unpatched firmware or unmanaged “one-off” devices. Establish a repeatable baseline that includes device discovery, secure configuration, certificate use, credential rotation, patch cadence and health monitoring. Shadow IT is real in sprawling jurisdictions; automated discovery and policy enforcement keep surprises off the network.
Plan for sharing: Map use cases (such as live versus historical, location scope or incident access) and size storage accordingly. Some feeds demand low latency and high resilience; others need cost-efficient, long-term retention. Document it all so operations, audits and handoffs don’t depend on institutional knowledge.
Sustainable Programs: Frame, Rightsize, Measure and Partner
State and local government IT teams should set the program up for success by following a framework and scaling appropriately with partners. Here are some measures to consider.
Anchor the program to a framework: A program should be designed so that it survives staff changes and scales as needed. Agencies succeed when they map physical security into the Center for Internet Security’s Critical Security Controls or the National Institute of Standards and Technology’s Cybersecurity Framework. These models turn ad-hoc tasks into steady practice: identify assets (every camera and controller), protect (segmentation and hardening), detect (logging and monitoring), respond and recover. Some states are formalizing this approach; requirements to adopt a framework are prompting many agencies to group cyber and physical security together.
Rightsize for your team: A big city might have dedicated units for networking, cybersecurity and physical security. A small county might have three people covering it all while facilities run day-to-day operations. The goals are the same, but the paths differ: automate discovery and patching where possible; standardize configurations; and use managed or co-managed services to cover gaps, especially for monitoring, firmware maintenance and incident response.
Measure what matters: Track uptime of critical devices, time-to-patch for firmware, percentage of assets discovered and onboarded to your standard, mean time to provision access for authorized users, and the dwell time of unauthorized devices on the network (aim for zero). These metrics show leaders that physical security isn’t just installed, it’s governed.
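As an added illustration (not part of the original article), the sketch below computes four of the metrics named above from a device inventory and an access-request log: share of assets onboarded, time-to-patch, dwell time of unauthorized devices, and mean time to provision access. All records, field names and the reporting date are constructed for this example.

```python
from datetime import datetime
from statistics import mean

AS_OF = datetime(2024, 6, 1)  # constructed reporting date

# Constructed sample inventory; the field names are assumptions for this example.
DEVICES = [
    {"id": "cam-01", "authorized": True, "onboarded": True,
     "fw_released": datetime(2024, 5, 1), "fw_applied": datetime(2024, 5, 8)},
    {"id": "cam-02", "authorized": True, "onboarded": True,
     "fw_released": datetime(2024, 5, 1), "fw_applied": None},
    {"id": "door-01", "authorized": True, "onboarded": False,
     "fw_released": datetime(2024, 5, 10), "fw_applied": datetime(2024, 5, 14)},
    {"id": "unknown-7f", "authorized": False, "onboarded": False,
     "first_seen": datetime(2024, 5, 30, 9), "removed": datetime(2024, 5, 30, 15)},
    {"id": "unknown-a2", "authorized": False, "onboarded": False,
     "first_seen": datetime(2024, 5, 31, 12), "removed": None},
]
# Constructed access requests as (requested, provisioned) pairs.
ACCESS = [(datetime(2024, 5, 2, 9), datetime(2024, 5, 2, 13)),
          (datetime(2024, 5, 9, 9), datetime(2024, 5, 9, 17))]

def pct_onboarded(devices):
    owned = [d for d in devices if d["authorized"]]
    return 100.0 * sum(d["onboarded"] for d in owned) / len(owned) if owned else 0.0

def mean_days_to_patch(devices, as_of):
    # A device that is still unpatched keeps accruing exposure, so it is aged
    # to the reporting date rather than dropped from the average.
    days = [((d["fw_applied"] or as_of) - d["fw_released"]).days
            for d in devices if d["authorized"] and d.get("fw_released")]
    return mean(days) if days else 0.0

def unauthorized_dwell_hours(devices, as_of):
    # Devices not yet removed are counted up to the reporting date.
    return {d["id"]: ((d["removed"] or as_of) - d["first_seen"]).total_seconds() / 3600
            for d in devices if not d["authorized"]}

def mean_hours_to_provision(requests):
    hours = [(done - asked).total_seconds() / 3600 for asked, done in requests]
    return mean(hours) if hours else 0.0
```

Counting the open cases (the unpatched camera, the rogue device still on the network) is what keeps these numbers honest: averaging only closed items would make time-to-patch look like 5.5 days here instead of 14.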
Choose partners that can work end to end: You don’t need five vendors pulling you in different directions. Look for a single integrator (or a primary vendor with accountable subcontractors) that can handle network design, cybersecurity controls, storage and retention planning, and the physical devices themselves — plus the documentation and training your auditors will eventually ask to see.
Done well, the IT takeover of physical security isn’t a turf war, it’s a maturity curve. Segmentation, shared access with least privilege, disciplined lifecycle management and framework-driven governance turn a patchwork of cameras and doors into a resilient, auditable, mission-ready system.
This article is part of StateTech’s CITizen blog series.

