Commentary: The Collapsing Line Between Physical and Digital Security in Gaming

For decades, the security organization at a typical casino has been structured around a clean separation. Surveillance reported through one chain of command. IT and cybersecurity reported through another. The two functions interacted at the edges, usually around system uptime or incident response coordination, but they operated on different budgets, different tooling, different talent pools, and largely different mental models of what "security" meant.

That structure no longer matches the threat surface the industry actually faces.

Why the Separation Persisted

The historical case for separation was real. Surveillance grew out of the regulatory requirement to monitor floor and table activity, anchored in analog video systems and staffed by personnel with backgrounds in gaming operations and law enforcement. Cybersecurity, where it existed as a distinct function at all, was an IT responsibility focused on workstation health, payment systems, and email-borne threats. The two disciplines used different vocabularies, different evidentiary standards, and different definitions of what counted as an incident.

For most of the industry's modern history, that separation was operationally workable. Surveillance recorded what happened on the floor. IT kept the systems running. The points where the two had to coordinate were narrow and well understood.

What Changed

Three shifts, each individually significant, have together made the old division untenable.

First, surveillance itself became a network. The transition from analog to IP video moved every camera, encoder, and recorder onto the same infrastructure layer that the rest of the casino's systems depend on. A vulnerability in a camera firmware build, a misconfigured switch port, or a flat VLAN no longer affects only the surveillance department. It affects the entire environment.

Second, gaming systems became high-value targets in their own right. The Casino Management System, the EGM network, ticketing systems, and player tracking platforms now hold sensitive financial data, transmit regulated transactions, and offer paths into adjacent systems. The same techniques used against banks and retailers, including credential theft, lateral movement, and ransomware staging, are now used against gaming operators, and the consequences are not limited to data loss. They reach the floor itself.

Third, the threat actors targeting casinos have stopped distinguishing between physical and digital paths. The same operation may begin with a phishing email, pivot through an unhardened diagnostic interface, and end with a coordinated physical event on the gaming floor. Treating the two halves of that operation as separate problems for separate teams is exactly the gap that sophisticated actors are looking for.

What the Integrated Model Looks Like

Closing the gap does not mean dissolving surveillance and cybersecurity into a single function. The disciplines remain distinct and the people doing them require different training, different tooling, and different professional backgrounds. What it does mean is that the two functions need shared visibility, coordinated detection, and a unified operational picture.

In practice, that looks like a few specific things.

  1. A single source of truth for network topology that includes every camera, encoder, gaming system, and workstation, maintained as the network actually changes rather than as a static document that ages out the day it is signed.
  1. Detection telemetry that crosses the boundary. Anomalies in surveillance network traffic should be visible to the cybersecurity function. Anomalies in workstation behavior inside surveillance offices should be visible to the surveillance director.
  1. Incident response procedures that assume coordination from the first minute, rather than escalating between teams only after each has independently concluded the event is the other group's problem.
  1. Shared accountability for the systems that span both worlds. Video analytics platforms, integrated access control, and the network infrastructure underneath all of it sit in a gray zone that historically no single function fully owned. Modern operations require explicit ownership and joint review.

Where This Goes Next

The properties moving fastest on this convergence are not waiting for an incident to force the issue. They are using the integration to move from reactive monitoring to predictive awareness, applying analytics to surveillance feeds, correlating network telemetry with floor activity, and building an operational picture that anticipates risk rather than reconstructing it after the fact.

That direction is consistent with where the wider security industry is heading, but the gaming sector has a structural advantage. The density of sensors on a casino floor, the regulatory requirement for continuous monitoring, and the operational discipline already embedded in surveillance culture make gaming one of the most natural environments in which to develop integrated, predictive security in practice.

Doradus Labs was founded on that premise. The work we do across managed IT, cybersecurity, and video analytics is not three separate practices that share a brand. It is a single practice organized around the way the threat surface actually behaves. The operators who structure their own security organizations the same way will be the ones best positioned for what comes next.