Having 20 years of museum security experience, Ibrahim Bulut shares his knowledge on security market evolution, challenges of museum owners, PSIM softwares and many more. Ibrahim says about himself that he’s a giver, not a taker – and when you’ll be finishing reading his story, you’ll think that as well.
- Professional background
- What drives Ibrahim in his work
- How the museum security market evolved in the past 4-5 years
- How did the COVID-19 pandemic affect the museum security
- What changes we can see in the museums in the next years
- The biggest challenges for museum owners
- The future of museum security
- Predictive profiling
- About PSIM
We heard that the love of your life is museum security and that you are the go-to expert for this. What can you tell us about your background? How did you end up here?
How did I end up in museum security? That’s a great question.
I have a master’s in economics, so nothing to do with security at all. When I graduated from university, the first year I was a blue collar worker for IKEA. I prepared the pallets with all the products that were ordered by the stores. After six months of working in the distribution centre, there was an open vacancy for a safety and security manager and I filled it in. In that specific job, I was responsible for the safety of 450 people in Belgium. Later on, I became responsible for the distribution centre in Oosterhout in The Netherlands, close to Breda, where I’ve been working for seven years.
IKEA did a lot of international projects regarding investigation, but more often on safety issues. I specialised in internal tests and insurance fraud. People wanted to have more vacation and they were trying to create work accident situations, so they could abuse the insurance companies. I have also specialised in fire sprinkler systems – easy suppression fast responses sprinklers. I learned everything about the basics of security at IKEA, and also about strategic operations.
After IKEA, I joined Lubrizol. Lubrizol was or still is a company that specialises in producing specific sprinkler tubes from CPVC. I was the third party business developer and helped both the clients to solve their issues and the business itself. But that was in 2008-9 – an economically difficult period – and after six months, I had to leave that job.
I became a security consultant at one of the biggest security consultancy firms in Belgium, called Optimit, and I specialised in safety and security operations and procedures.
After a few months, I got a call from my boss: “I’m sick, you need to help me with a project for museums. You need to help these people to create a sort of emergency plan for museums”. At that time I didn’t know that there was a specific program, ACCE, whose main purpose is helping people within the museums/cultural institutions to get a better view of their safety and security risks related to the building or the environment and create a network that helps people make emergency plans.
We had templates that were distributed during a nine-month period with several different phases. During each phase, we had a presentation or conference about a specific topic where we were teaching those conservators or staff from the museums how to think about risk. The first important thing is the risk assessment – analyse your specific items that can start being a risk (or not). After each session with its specific topic, we gave them homework. “Here are some templates. Now you have to sit together with your staff in the museum and discuss, but we are here to help you when needed.” When you put all those templates together after nine months, you have a fully accessible and operational emergency plan. I did this for that consulting firm for five years.
Besides the emergency planning, I also did project management for new buildings that are supposed to open. I was helping museums with strategic choices regarding security or security products.
I was also responsible as a project manager for the whole upgrade of the security level of 88 buildings in Bruges. The 16 biggest museums in Bruges have been refurbished and the whole security system was changed. The first thing was we did a first preliminary risk assessment.
We went talking to all those people – like you’re doing now with this interview -. We wrote down all their needs and their wishes and we created a document that said, “Okay, we observed the whole situation, we went to each building, this was what we saw recorded from the interviews, and this is how we would propose to go to go for a future plan and try to get the security improvements realised”. It was quite a big book that we created.
They said, “Okay, now that we have all this information captured, we want to go for a for a tender.” And so we were also the company who created this tender for the security upgrades. We did the selection criteria, and also the follow up of who was going to be selected as an integrator. I think it took more than a year to create these documents because there were big buildings, so we had to go really in depth and see cabling and all the other existing security products.
The protocols are also very important if you’re creating a PSIM. How is every security device component talking to each other? Which language? What are they saying when they are talking to each other? What are they passing through that communication channel? And how can we see, if we have a problem, that the product is going to tell this and that to other components to do? That’s what you guys do. You’re the wizard of getting all these languages together and give a very nice dashboard that illustrates the location of the problems, if any.
Then we had the selection criteria. We always do a sort of proof of concept, to check the things that we wrote down in our tender. Then, you get to the offer part and then you have to really produce and release the project and make it work in the same way that is written down in that tender.
That was a five year very interesting project because we’ve learned a lot of new things. You have to have specific talks with specific departments that are saying “okay, you can’t do this” or “you have to do this” or “you can’t use this colour with that camera on that background because it’s heritage protected”.
In the beginning I didn’t know that there was such a big amount of details, so I’ve learned a lot. So then there are the basics of my love towards museum security.
Afterwards I also started teaching museum security. We are being asked by so many architects to help them think about security in the planning phase already (when they are creating their architectural plans). We did that for a new museum building in Bruges called BRUSK, and also for big architects in Belgium and very well known Dutch architects from Rotterdam, but also international ones.
After that period I was working as a second manager of art security, but that part has been taken over as a consulting firm by a big company that wanted to create a sort of new business. I was not really interested in it because you lose your independence if you become part of a bigger company and in Belgium, it’s very important for a security company to be truly independent, to not be connected to end products. That’s the law in Belgium: you can’t be a security consultant and an installer at the same time.
When I left Optimit, I was headhunted by a company called Meyvaert, a bespoke showcase builder. I was an international business development manager and at that time, we worked in Singapore, in Canada, Abu Dhabi and other international places. There I was specialised in following up new projects, creating documents, replying on specific tenders, talking with people about high security showcases. For two and a half years I was responsible for the House of European History in Brussels, a very nice building.
And then afterwards I came back to the security industry more in love with security consulting instead of some real product. Trying to sell the concept of security concept it’s easier for me than selling products. And so now I’m already working four years for the company as a senior security consultant at ALLESCON.
We now have a holistic view on everything that you did. What drives you behind all of this?
What drives me? To be very, very honest, the thing that gets me out of bed every day to go to work with customers is that people respect me, and that they are eager to learn about new things. What I’m trying to do every day, Cristina, is not to give people the everyday solution of security, but to sit together with them, brainstorming and doing workshops (e.g. risk workshops), thinking together to find a new kind of solution. There’s so much diversity within museum security projects.
One day, I’m working on transport for artworks and they say, “Okay, we have a new exhibition, and we need to understand how we will be getting these artworks transported from New York Metropolitan Museum to Belgium, somewhere in Brussels”, so I have to discuss with all people involved to tackle each aspect. For example, we needed a transport company that is really specialised in art transport, that’d be willing to work together with the museum that was lending the artworks – because the museum, of course, had many concerns: “What are the security measures that you’re going to take to protect this painting, because we are going to lend it out for three – four months?”, “Could vandalism and theft be a problem?”. And then we did our part in looking at the bigger picture: How are we going to work around that security concept?
Every day is a different, you’re not confronted with the same problem twice. It’s truly always something new.
I once had one exhibition where there was a lending museum from the US who was insisting on 24 Hour Body guarding, people with a weapon within the museum to protect the painting because for them it’s priceless. But these things are, by law, not allowed in Belgium – so you have to find a new solution. For that exhibition in a museum near Ghent, we had a three-month discussion with the security director and with the team of the lending museum from the US to answer the question “How are we going to solve this problem?” because we couldn’t deliver what the US museum was expecting, since the Belgian law was clear on armed body guarding.
You really need to negotiate and understand how security laws and concepts are working in different countries, so that you can find a balance between perspectives. Usually you need to make a good mix of operational organisational procedural electronic measures and deliver a security concept. Sometimes it goes quite quick and well, in the sense that people love instantly the concept we’re presenting, but that exhibition took three-four months, so we really have to write down everything – risk assessments, risk scenarios, scripts for each possible situation. This is what drives me.
As you can observe, I might talk too much sometimes – but this is only because I want to share my experiences with people. I’m also already teaching more than 12 years at specific schools and universities about the security basics, but also fire prevention, museum security, how to deal with facility management and many others. I’m a teacher, and that also drives me a lot, because all the knowledge and things that I know I can pass them to other people. I also enjoy the possibility to answer any question that they have, to give them a good solution for their specific issue. These are all things that drive me.
If you want me not to be happy in my environment, you have to create a monotone, every day the same kind of project, and then you will kill me. I can’t do it, I need to have that stress of new changes, otherwise I’m not able to perform in a good way.
You know, what is very strange is that I do not have customers – I only have friends within the museums. The relationship building that you get from every interaction is very important for me. I’m not a salesman, I can’t do it. I’m a consultant, I’m giving advice, I’m trying to help people with my knowledge.
Most of the clients that I had in the past became friends and, for me, a friend is somebody who can pick up a phone, call me, ask me specific questions without worrying that they have to pay anything – they call because they trust my knowledge, they trust my advice.
I have friends already from 12-15 years from when working in museums – they still think about me and they offer me projects. These relationships mean that they respect me and my know-how.
So this is what I get in return from my daily activity: friendship, knowledge sharing, lobbying, networking. They’ll all be very, very important for me.
What would be the greatest form of respect for you?
The thing that I would love the most is when you have a new project you think of me: “Okay, this project has something that really suits Ibrahim’s brain and he can solve that issue for you”. What creates a good consultant is thinking out of the box, but also having a huge network so that you can give people the connections and best tools to work.
I’m not a taker, I’m a giver. You can call me and ask me a question, I will not charge you. I’m not an attorney to say “Okay, I’ve been on a call with Cristina now for 45 minutes, I’m going to charge her this much”. That’s not me. What goes around comes around. The more you’re offering, the more you’ll be receiving. Word-of-mouth promotion matters more than paying for a piece of advice.
How has the market or the industry evolved or performed over the past 4-5 years?
COVID changed a lot of things, but not in a negative way for security. Everybody’s working at home, so there are more risks that are popping up (e.g. cybersecurity issues). As a business owner, you have buildings that are empty, but they still need to be protected. What’s more, now come to the surface projects that weren’t possible in the past because there wasn’t time or enough money.
People are rethinking their concepts, invest more and more in security and, as a result, the market is growing rather fast. Big firms have so many office spaces that aren’t anymore occupied, and their variable cost goes down, but the direct cost stays. Think: you have a big building, and you have to put on the heating, you have to pay your cleaning company or your garden company. You’ll try to diminish as much as you can your costs or make the workspace a little smaller. You can rent out more floors to other companies and so, you’re rethinking the security concept because now you have outsiders in your building and they can do a lot of harm. These security issues create bigger projects and they keep popping up.
Cybersecurity has never been as big as before. Neither was internal theft: people are stealing from inside the company – money, fraud insurance, PCs, laptops etc. It’s a good thing that companies start to have awareness programs about insider threats, because insider threat can be connected with terrorism. The threat is not coming from the outside anymore, but it’s really the inside people who are attacking.
To give an example: we had one case with a really high placed manager working in a company who had a very bad divorce experience. The divorce was so severe, that the ex wife was getting almost his entire financials. To be more specific: if you’re not able to pay your child’s care, then the Belgian law oblige the employer to block a part of your wage, and pay it immediately and directly to the party that’s owned that amount. He couldn’t cope anymore, as he was getting in a very nasty financial situation. This was a powerful trigger to do internal theft.
Salary blockage is an information that goes directly from the government towards the CEO / HR manager and it’s a major red flag. If this situation happens, the security director needs to be involved also, because that will have an impact on that specific person’s characteristics and the way of working.
If you can make your co-workers aware about security, that would have a huge effect. Electronics like CCTV and intrusion work at their very best when they are integrated, so make sure you combine all the layers of the security concept”.
Focus on awareness because the very first important pillar in a building is the organisational security concept. Then you add physical security, electronics security and, at the end, you have your control room. But 80% of the security issues can be solved by following the correct organisational measures and it will only cost you 20% of the security budget. You take 20% of your security investment and you get a return of 80%.
How did the COVID pandemic affect the museum security?
The big problem for the museums during COVID was that they had no visitors, but their buildings and paintings were there, so they had to protect them nonetheless. Museums can’t say “okay, because there are no visitors anymore, we don’t have to have any security guards anymore in place.” That’s not possible. There was a huge operational cost for security guards and all other components of internal and external guarding.
While in Europe that didn’t happen that much, in the UK there were many museums who went bankrupt due to debt. They had to sell their collection to keep the building open or maintained. But the big problem was, as they couldn’t have any visitors anymore, they had to change very, very fast to digital visit options.
Museums created virtual tours, but it’s not the same feeling when you go on a website and take a virtual tour, compared to going physically and admiring art. However, the up-bright is that you have the possibility of going to a museum that you would never have been able to visit without physically travelling. Now you can enjoy one museum per hour, even though the museums are thousands of km apart.
Another points is that museum buildings are not the most energy efficient buildings. Some are very old that need regular and constant relative humidity, so they really have to have the heat and ventilation system working.
Museums didn’t have any income, but they had to pay for everything. Many said “We are closing the whole museum, we are locking it down, and we are going to take out the paintings and put them in storage areas.” Which was good for private storage depots – they had a lot of work during the COVID period because if the museums didn’t have their own internal storage area, they’d need their help to keep their art safe and secure.
What changes can we see in museums during the next years?
Did you know that many museums are showing only 5-10% of the paintings they have within their collection and the rest of 95-90% of the collection never sees any daylight?
What will be affected in the future of museums are the big exhibitions (e.g. Van Gogh) and museums with huge collections (e.g. Rijksmuseum). Exhibitions are very difficult. It takes 2-3, sometimes 4 years to create an exhibition because you have to think about the storyline together with scenographers, designers, interior architects and more. They think and analyse the best feeling that you should get while walking through an exhibition and it takes time to create that “wow” effect. It has to be a memorable and pleasant experience.
I don’t think that they will create any more of these kinds of big events due to sustainability, travelling, and many paintings that need to come from different countries. There are some paintings that need to be transported with an attendant sitting in first class in a plane from New York to Brussels, from New York to Amsterdam or Singapore. Now museums give more thought to sustainability and will be more and more appreciative of their internal availability of paintings.
Museums are now rethinking the model, doing more temporary exhibitions and show more the paintings, artworks and objects that they have in their internal storage area. One popular way is via publicly open storage areas (e.g. Depot Boijmans Van Beuningen) so that people can see what is really underneath the museum’s old buildings, in their cellars. You have to rethink the security concept because it will be publicly open. In the past, you locked down the door, nobody passed and if there’s something happening, you will be informed. But now you don’t only have security, but also fire regulations and evacuation plans to think about how your customer is walking through the building itself.
What would be the biggest museum security challenge for museums’ owners?
I think the biggest challenge will be how can they get people interested in visiting the museum if they’re not going to do any international exhibitions. How to get people interested to visit museums if there are only local artworks to display?
A second big challenge is regarding the funding. There are many museums that are doing fundraising to keep the whole system running. In the United States it’s quite easy to donate to a museum because you get tax shelters and in the UK 20% of the National Lottery funding goes towards arts, but this doesn’t happen in every country. Fundraising will be a new upcoming issue for European museums because not all governments are having clear budgets for them.
Another thing that I’m seeing is about digitally tracking the paintings that museums are sending or receiving from other museums. They will be putting tracking devices and certain object detection systems on the paintings so they can track the transport from their desk and check and adjust their environment’s humidity and temperature. Once they arrive at the location, they can also follow digitally and see if everything goes well beyond unpacking. The whole thing of checking if the conditions are okay or not will have a huge impact within the museums.
What’s the future of museum security?
IB: The health aspects will be a little bit more carefully watched (e.g. washing your hands more often, maybe wearing masks), but the security issues will stay the same.
However, sensitive topics – non-vaccinated people, BLM, LGBTQ, art illustrating history – are also taking into consideration when thinking about a museum security concept. More and more visitors are reacting towards things that are on displays in the museums. People are expressing their morals and ethics, but some will attack art in doing so. It’s even more difficult when there are groups of visitors. People with hidden (bad) intentions will get mixed into groups with people with pure art interests, so vandalism is easier to get done.
The Art Deco exhibition from Hitler period created a big fuss because people came looking like Hitler, with moustaches and uniforms. They were making signs and hand gestures, and you couldn’t do anything from a security point of view because they were visitors for a specific exhibition. They were expressing themselves. But from a security point of view, it’s a huge problem because we need to understand what will these people be doing if they see something that is not correct in their eyes. How will they react? Would it be possible for somebody to take out a knife and cut a specific part out of the painting?
Are you collaborating with psychologists?
I’m collaborating with Interpol, FBI and CIA to create awareness programs that are called Predictive profiling, focused on body language. They are putting more emphasis on the thoughts of those kinds of people and what kind of barriers can we put towards those thoughts if they become actionable.
It might help if there are intelligent camera systems with video content analysis that can capture body temperature or can help on crowd control, when specific gestures or actions that are taking place (e.g. yelling, pushing, hitting). Your control room can immediately show this and maybe it’s not a security issue, but you do have to watch and pay attention to what’s happening.
There is definitely a need for a performant security operating centre and professional operators who can have access to good image quality, direct information, real time video images that can capture people’s gestures, so that the safety of the entire environment is ensured. But here enters the GDPR aspect. It makes sense to not being allowed to track each movement, yet we also have to protect the objects that are inside the museum.
I would like to see what is happening outside of the museum perimeter because people can be preparing themselves outside. Specific gestures or people loitering outside the museum can be a sign of upcoming trouble inside the museum. The sooner we have this kind of information, the better. Outside surveillance can be beneficial for creating and implementing the security concept, ’cause if we get the information too late there can be serious consequences for the security crew. It’s a fine line and a delicate issue with the level you need to have your security integrated. How intrusive is too intrusive? If it somehow happens and someone slips inside a building with a knife and attacks paintings – or, worse, another person -, wouldn’t you have preferred to prevent it?
What’s your take on PSIM?
IB: For me, it’s a layer that connects or integrates all your different security parts, and gives you a security operating centre of control, a good overview of all the things happening.
We need to be very honest – you can’t see everything on every system, that’s impossible. So what you guys are doing or what the PSIM market is doing is creating a security layer that can talk bidirectionally with all components involved and offer the correct information in very nice dashboards so that operators can take the right decision(s) in a very short time. You don’t put any stress anymore on operators for them to have to look at all the systems, but you give them one clear system that displays the relevant information.
You can’t say to an operator “you have to watch 200 camera images” – that’s insane. It’s better to create the correct security layers that can directly give the operator a warning when something important is happening instead of him watching useless material. You create the correct security layer by connecting several security systems (incl. video walls, motion detectors etc.) in a PSIM software and a vigilant operator ready to take action whenever the software detects a possible threat.
I see the PSIM market growing a lot within the last few years and it will only get more attention in the upcoming years. Why? Because you have to optimise your security needs and to be more intelligent. The technology is also rising and the video content analysis part within video management systems is getting better and better.
PSIM as a service package can help you to integrate not only security, but also other building systems (e.g. temperature, maintenance) so that you can make the best decision in each situation.
Gradually people will see the advantage of getting the correct information on time on a screen in dashboards so that they can make the right decision. Because within security, what is very important after the detection of a security issue and the alarm, is the reaction. And the reaction can be quick, but not correct, if you don’t get all the right information. Detection and alarm will almost always be correct, but not the same thing can be said about the reaction to the situation. However, if the notification that you receive is not correct, then the reaction can create even a bigger problem. That’s the main benefit of a PSIM: you can quickly make the right decision based on information that you know it’s correct.
What’s more, PSIM can even take basic security decisions. For example, in Belgium you can only call the police if there is a double detection (e.g. a combination of intrusion system and motion detection detectors) and this would be very interesting to see on a PSIM software.
Let’s think of the following situation: if someone wants to attack the museum or just do some damage, they need to trespass. There are the outer perimeter and the inside perimeter, but maybe the intrusion system is faulty. You need motion detectors in all areas so that you can know that a person is going from room A to room B, maybe they want to go in room C and identify their object of attack or stealing. A PSIM software can create a flow and initiate specific procedures depending on several different types of situations.
Artificial intelligence also helps because you can have basic decision making processes be easily done by a piece of data. A PSIM software helps people to focus on the important security operating procedures without bothering about small issues, like “oh, what do I do when only one detection sensor goes on?”.
Like with autonomous cars when they will park themselves when you’re falling asleep at the steering wheel, now in the security world you don’t talk anymore about cameras, but about components that are catching even the most sensitive data.
Data analysts will take over the security world because metadata is extremely important. You need good programs that can collect all kinds of data, then analyse it, identify the patterns and inform you. And this is easier when all the information is displayed in a user-friendly dashboard.
What I think is that, if you look specifically to Prysm and Addvals, AppVision™ is a sensational dashboard and implementing it in more organisations would make a huge difference.
AppVision™ gives you the correct information, the correct time with the correct data analysed, and it’s only on one screen that gives you all the information that you need. It’s simple, not too complex, everything important is shown in a good way. Making something difficult look easy is not an easy job. Trying to get complex information in a very normal way of reading or presenting is the future.
What solution got your attention lately that a PSIM software can learn from?
You know how there are so many things that you’re doing and so many things you have to follow up. Since I don’t want to forget about something, I use an app that informs me about everything. You put all your tasks in, it synchronises your email and other tools and then it creates a daily task list. You get a notification and reminders (push notifications) about what actions you need to do on a specific day or at a specific time. This would also be something that you can integrate in your PSIM.
If you know that you have to have a virtual guard tool that needs to be done every day at eight o’clock that you will be missing, better to have a reminder “It’s eight o’clock, now you have to do this because otherwise you will forget it”.
Or say there is somebody doing some work that increases the temperature inside the company and you have to turn off for a while your fire detection system, so this kind of tool will automatically say after two hours “Hi there, didn’t you forget to reactivate your fire control system? Better check and see that maybe the work is done.” Then you check, see it’s not done, so you push a notification and the tool will inform you again within 30-45 minutes or one hour.
These things are making my life easier. It’s very helpful to have something that gives you reminders about tasks and that takes into account information as it comes. Because if you have a huge issue that’s happening, or there is an unexpected event, then you will forget all the other things. It’s best if you have a system that will help you, maybe it can automatically do some stuff for you, so that you don’t have to think about that.
Imagine there has been an accident and two things are happening in the same time: there is a fire alarm and somebody is trying to get into the museum. You have two detections – which one should you react to first? Of course you have to call first the fire department and an ambulance, so you’re putting your emphasis on that, so, with an automatic procedure, the system can do the rest. If the system detects two or three motion detectors going off immediately, there is an automatic message going towards the police station to call and say “There is a detection going on, we need your help”. Something simple, but that helps.
What would be very interesting for me to see in the PSIM market is to have some sort of timeline for each type of accident, and to mark as check every step that you already did. It helps to visually see what steps were taken and what tasks were done and what still needs to be done. You need a full overview in real time, so that means integrated and automated timeframes, processes and procedures.
Ibrahim Bulut is an experienced safety & security consultant with a Master in Economics and Qualifications in Safety. His expertise is situated in the domain of safety (Compliance, Risk Analysis & Management and security (Total & Integrated Security Risk Management). His career started as a safety & security manager for the distribution centres of NV IKEA Distribution BENELUX SA. From 2009 till 2015 he was a security consultant at Optimit where he was responsible for providing consulting in the domains of risk analysis, strategy & planning, security design, organisational procedures and instructions, tendering process, project management, training and audit. From 2015 till 2017 he was the Business Development Manager for Meyvaert Glass Engineering worldwide securing the most valuable art works with bespoke showcases. Now he will return to the security industry as a senior security consultant.
On May 25, 2022 Ibrahim was one of the speakers at Addvals’ event Challenges of a PSIM project. Read the transcript or watch on Youtube the entire event.
And don’t forget to connect with Ibrahim on LinkedIn.
What stuck with you from this interview? Was something that you felt it needed to be said or maybe something you didn’t agree with? Leave a comment below and let’s start a conversation!
…or at least check out our Linkedin. 🧐