High Potential: The Marijuana Market Embraces Technology
It’s not often that you get a chance to build a security technology department from scratch in a rapidly evolving business vertical. But that’s exactly the opportunity that Brandon Smith jumped at in 2018 as Canada was moving forward on fully legalizing cannabis for recreational and medicinal use.
Three years after Canada legalized cannabis, research and market analysis valued the global marijuana marketplace at $13.5 billion in 2021 and forecasted revenue of $70.6 billion in revenue by 2028, according to market analysis from Grand View Research. One of the biggest companies in this marketplace is Smith’s employer—Canopy Growth Corporation.
As the director of security technology, Smith oversees a team that has done work in Australia, Canada, Colombia, and Germany, helping set up the infrastructure to maintain and secure Canopy’s assets and family of brands.
“In security, we’ve never had an industry open up that required so much security technology,” Smith says. “It was an industry that was mandated to spend a lot of money on physical security. That’s not always the case—unless you’re a prison or other high-security user. For the cannabis industry to require this is something we’d only dream of.”
Getting Started
Uruguay was the first country to legalize marijuana in 2013. Five years later, Canada followed suit when it enacted the Cannabis Act to make recreational marijuana use legal for adults 18 and older. The Canadian parliament passed the legislation in the second quarter of 2018 and gave provincial governments until 17 October 2018 to implement the details of legalization—including preparing retail stores for sale.
“One of the things that we heard very clearly from the provinces is that they need a certain amount of time to get their brick and mortar stores—their online sales—ready,” said Canadian Prime Minister Justin Trudeau in June 2018. “Producers need time to be able to actually prepare for a regimented and successful implementation of the regime… This is something we want to get right.”
$13.5B
Forecasted value of the global marijuana marketplace by 2028.
One of the individuals working overtime to prepare for the October 2018 deadline was Smith. His background is in IT, to which he then added physical security knowledge to focus on system integration, system software in GSOCs, and more—ultimately co-founding a security integration company.
But Smith was also interested in the cannabis marketplace, and when the movement began in 2015 to legalize recreational use and sale of the drug—Smith decided to be strategic about seizing the moment.
“In 2015, that started the spark—that this new industry was opening that everyone was hyping up,” Smith says. “I had to think about what the best approach was… and being the business owner that I was, I came to my senses and realized I have zero skills running a dispensary shop. So, I waited for the industry to mature to when they were looking for positions that fit my background.”
He set up alerts for job postings, and in 2018 as Canada moved to finalize legalization, he got one for a job at Canopy Growth Corporation. Smith applied, sold his share of the integration company to his partner, and became the first security professional to join Canopy Growth.
Canopy Growth is headquartered in Canada but is a global cannabis and cannabinoid-based consumer product company. In addition to offering products in the recreational cannabis market, Canopy also has a global medical brand—Spectrum Therapeutics—that is available in Canada and Germany; is active in the health and wellness consumer space in Canada, the United States, and Europe; and has introduced hemp-derived CBD products to the United States through its First & Free and Martha Stewart CBD brands, as well as formed a partnership with Fortune 500 alcohol leader Constellation Brands.
When Smith joined as the manager of security infrastructure in 2018, the company was building six different facilities while planning for nine different retail stores to open on 17 October 2018.
“My first week on the ground was catching up, then going to Colombia and then Australia,” Smith says. “We were working 18- to 20-hour days. The first year it was myself, managing to do everything. Then in November, I hired a coordinator who is with me today and that’s how we built our team.”
Building the Team
Smith’s team, now called the Security Technology Department, consists of a tech support manager, three technicians, two coordinators, and Smith, who are responsible for keeping everything up and running every day, all day. It was built out of the necessity to have security technology operational at all times both to secure assets and to ensure that Canopy Growth was compliant with a variety of regulations in different jurisdictions.
“Every [Canadian] province has its own rules,” Smith says. “We had to open eight different stores in different provinces in 2018, and a lot were slow to roll out their regulations, so we chose the most strict province—Alberta—as our benchmark. We were dealing with a lot of unknowns, so we took that template from them.”
In addition to Canada, the team has also designed security solutions and helped build facilities in Australia, Colombia, Germany, Jamaica, South Africa, the United Kingdom, and the United States. Smith says at certain times Canopy has been responsible for more than 5 million square feet of grow space and 34 retail storefronts, in addition to office space associated with its respective brands.
The team handles about 85 percent of all of Canopy’s security technology systematic issues, with the remaining 15 percent sent to regional system integrators. The team’s coordinators manage scheduling at different sites, as well as sending paperwork to document control because all security changes need to be logged to comply with regulations.
“We also have a coordinator who specializes in design,” Smith says. “In Canada, we’re hovering around 4,800 cameras alone. Whenever you make a change, you move a camera, you have to adjust your security blueprint and drawings and submit them to a government regulator. So, there is a lot of design work involved.”
Because of this vast technology infrastructure, the team has also built a lifecycle material management program for the company. Each endpoint—such as a camera or access control reader—is logged with the date it was installed, whether it is battery-operated, and when those batteries need to be replaced as part of overall five- to seven-year lifecycle management.
“We take the most problematic devices, and we account for future money to be spent on them,” Smith says, which creates a reserve fund for when replacements are needed. “The idea of this program is that at the end of my seven-year lifecycle, I should have enough in reserve where I can replace that system.”
Additionally, most of this infrastructure is connected to networks that allow it to be monitored. While this meets operational and security needs, this connectivity also poses risks should the networks be compromised through a cyber intrusion or subject to a cyberattack.
“It’s a topic that keeps me up nightly,” Smith says. “When you have thousands of endpoints on a network, it’s inevitable—it’s all about exposure.”
To help limit exposure, the team uses air gaps where possible and works with its information security partners to segment networks. Smith’s team also has a logging system to keep track of devices and what firmware is on those devices, with a template that includes camera, access control, and reader card models that are used in Canopy’s facilities.
“It creates my overall parts list, and we keep our reader part number, camera part number, and we keep track of online chatter so if it’s exposed, we push down what needs to be upgraded,” Smith adds.
While all of this logging and tracking helps the team manage its infrastructure, it has also been beneficial during the supply chain shortages of the past few years. Through the lifecycle management program, Smith says the team creates a spare part inventory to have access to devices in storage that can be pulled from when things need to be replaced.
"That's advantageous because it's allowed us to keep control of the cost," he adds. "If you order 200 card readers, you get some strategic pricing. That lets us keep inventory on hand, too."
Unique Threats and Requirements
The cannabis industry is subject to the same threats that most verticals are—supply chain shortages, COVID-19 restrictions, ransomware attacks. But there are some unique regional ones that Smith says must be taken into account depending on where an organization operates.
In Canada, for instance, one of the major security concerns for cannabis is threats to outdoor growth facilities that are uncovered. Regulations require organizations have equipment monitoring that growth area at all times, but Smith says monitoring does not prevent someone from gaining access to the outdoor grow area.
“You’re monitoring but not preventing entry,” he says. “Anyone and their dog can get a ladder and just climb over.”
To address this threat, Smith’s team has used a variety of approaches, including cameras enabled with analytics that alert security personnel to an intruder. Based on the type of an intruder—a bird flying over a fence line or a person climbing over—the security team can respond appropriately.
In the United States, on the other hand, a major security concern is cash on site. The U.S. federal government has not legalized marijuana use or sale, so many cannabis businesses operating in U.S. states where it is legal deal primarily in cash.
“With a cash business, you have to move cash,” Smith adds. “There are major risks, and staff are holding on to a large amount of cash, the facility might have an ATM.”
And then in Germany, cultural expectations for privacy mean that cameras in internal spaces—such as inside an office facility—are less common and often not tolerated.
“Having cameras in every location and corridor will not fly—you’ll get combatted by the national union that protects employees’ rights,” Smith says. “It’s challenging to work in Germany when you’re accustomed to working in other high security places…because there’s a lot of trust within staff, access control isn’t as important. Intrusion monitoring isn’t as important. So security focuses on reporting, and what to do if the report doesn’t go through.”
Other factors that have to be considered are the different requirements that jurisdictions mandate for operating a legal cannabis business and how those play into overall security. In Colombia, the ministry providing oversight for cannabis required a dual fence line and a third perimeter defense that was a natural defense.
“We opted to go with a thick, native bush to Colombia—it’s thorny and grows three to four feet a year,” Smith says. “Our facility perimeter was more than 9 kilometers, and it was very useful. I take that into consideration now when planning other facilities. It’s not just about technology—you can lean heavily on CPTED.”
Across the Pacific Ocean in Australia, a unique requirement for cannabis businesses is electrical fencing around growth operations. As part of a what-if scenario planning exercise, however, the team discussed what would happen if the growth operation was in a flat area and unruly teenagers drove through the electric fence, disconnecting it?
“We built an inverted mound into the landscape, which wouldn’t allow a car to drive through,” Smith says. “We built a ditch.”
These experiences have helped build upon Smith’s background in IT and as an integrator, and the opportunity to build a security team from the ground up has proven beneficial.
“There is a huge benefit in getting in on the ground. I’m the longest tenured person in my department, and I know how things ended up the way they are. That’s a huge advantage on my behalf,” he says. “Also, I rely on my security integration background. Not only is it easy to install new parts, but I spent a lot of my life servicing things that break. I know what the pain is there, and pitting my past experience in being on the ground floor, it has allowed us to create these programs.”
With four years of experience in the industry under his belt, Smith says that he still thinks cannabis is in the beginning of its current business journey.
“It’s been a wild ride, the last four years, and every single year has been different from the year before,” Smith says. “We’re still on the beginning end of the industry. And being in on the ground floor allowed me to learn mistakes early. We’re excited to see what the future is for the global cannabis industry.”
Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected]. Follow her on Twitter: @mgngates.
