9 questions to ask your vendors at ASIS 2017

Sept. 20, 2017
Asking the right questions can shift the focus of vendors back onto the needs of customers

The world of technology keeps advancing faster and many advancements are making their way into security industry offerings. There is a new generation of advanced video analytics technology that is very different from previous generations of analytics. These analytics products are self-configuring and automatically learn the difference between activity of interest (people, objects, vehicles, crowd behavior, etc.) and what is normal background motion (tree branches waving, rain, snow, birds, clouds and their ground shadows, etc.). You’ll see impressive examples by visiting Agent Vi in the Axis Communications booth (#4032) or Milestone booth (#3945), and Bosch Security in their booth (#3333).

Embedded product audio analytics are also advancing, with gunshot detection being the most notable. Check out AmberBox ahead of time and then visit their booth (#725).

In general, ask vendors about the cybersecurity profile of their products. Many companies have added or improved product cybersecurity features. Find out how they secure data in transit on local networks and back-and-forth to the cloud, and how they protect data at rest (in storage).

Smart home automation now goes well beyond security, and there will be plenty to see at the show.

This Year’s Vendor Questions

This year, there are three new questions relating to cloud and IoT. Most residential system vendors can explain the specifics of their IoT related features. Make sure to drill down on commercial business security system claims of IoT support. Simply triggering an alarm input is nothing new.

If you are a security end-user, systems integrator or consultant—you can help refocus vendor thinking by asking questions that directly relate to your needs and concerns. However, don’t limit your questions to what I have here. You can and should come up with some good questions of your own if you think about what risks and deployment challenges you have a hard time addressing to your satisfaction.

Note to integrators and consultants: Do read the end-user questions first, as the questions for you are mostly identical to those, and so I put explanations for the questions in the end-user questions section.

Questions for End Users to Ask

1. Do you have a system (or product) hardening guide?

A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.

There are now 12 companies that I know have published system hardening material, and if you can make the time for it, I recommend checking out those guides ahead of time, as they are likely to prompt some questions on your part. I suspect that I am missing a few companies from this list, and I hope they email me ([email protected]) so that I can add them to this online article before the show.

Check out this list of manufacturers providing system and product hardening advice:

2. Do you have a vulnerability policy?

A vulnerability policy explains how a vendor will manage and respond to reported security vulnerabilities with their products, to minimize their customers’ exposure to cyber risks. That’s where you find out how to report a vulnerability to them, and where to find the list of vulnerabilities that have already been reported, along with their status. This is still an area where many vendors haven’t understood the issues.

3. Do you have case studies for my business sector, [insert sector name here], that show how our business-sector-specific risks can be addressed using your product?

I am not a big fan of the kind of case study articles that I typically see, which usually contain little information about the real value to customers of the products involved. What risks were addressed that couldn’t be addressed well enough before? What significant cost or efficiency savings were accomplished? Don’t be surprised if the vendor answers you with another question, “What kind of risks do you mean?” That’s a great opportunity to put forth one of the risk challenges that you would like help with, and see what the vendor says. Last year I saw material of this kind being produced, so there is hope that you may find some at this year’s ASIS conference.

4. What features in your product offer significantly more value in some way than the same features in competing products?

I have only had a little luck with this question in the past. Most of the vendors didn’t really have that much insight into the differences between their competitors’ products and their own—in terms of the value to the customer. Integration to Microsoft’s Active Directory, for example, has always been challenging for most access control systems—but such integrations have gotten easier to configure, so be sure to ask about improvements to integration capabilities.

5. Can you give me a specific example of how that would work for an organization like mine?

You can only ask this question if the vendor’s representative makes a statement expecting your agreement or buy-in, yet you don’t see how the dots connect for your situation. I remember one case in which the sales person said, “. . . which in turn strengthens security, which ultimately has a positive impact on your company’s bottom line.” So I asked, “Please explain to me exactly where the bottom line impact comes from? What specific aspect of the product deployment contributes to the bottom line impact?” He had no real answer, which is what sometimes happens when sales people repeat the phrases they are taught. But it is important not to assume that something sounding like “fluff” has no basis. I am sometimes pleasantly surprised when someone provides me with a specific business case that realistically does match their assertion. You won’t know if you don’t ask.

For Cloud and IoT Offerings

These questions are for vendors with cloud-based offerings or who say they are an “IoT Company” or support IoT sensors for situation awareness. Questions 6 and 7 are for cloud-based offerings. Question 8 is for vendors presenting or providing IoT sensor or integration platform capabilities.

6. Is there a reason that you haven’t self-certified your cloud service in the Cloud Security Alliance’s STAR program?

The Cloud Security Alliance (CSA) has developed the CSA Security, Trust & Assurance Registry (STAR) program. CSA STAR is the industry’s most powerful program for security assurance in the cloud.

Do not ask this question of Brivo systems, as they have already performed and published their self-assessment.

7. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

8. For IoT sensors: what cybersecurity protections are built into your IoT sensors or devices?

9. For IoT platforms: what out of the box integrations do you have for facility security or building automation systems?

Questions for Integrators and Consultants to Ask

1. Do you have a system (or product) hardening guide?

In particular, you should look for information about what steps to take for validating cybersecurity in product and system commissioning. If you ask this question of their A&E representative, you’ll get them thinking along this line.

2. Do you have a vulnerability policy?

How would you report a vulnerability you found while commissioning a system? As I mentioned above, this is an area that for most companies still isn’t being addressed.

3. Do you have case studies for these business sectors, [insert list here], that show how some of the business-sector-specific risks can be addressed using your product?

You can get specific about this question based upon your client knowledge. Sometimes you find that the vendor does have people with subject matter expertise in particular sectors. It can be helpful to get their take on what risks they see are and aren’t being addressed.

4. What features in your product offer significantly more value in some way than the same features in competing products?

In this day of information overload, it’s hard to stay up to date on product and system advances. I have found that this question can lead to answers containing high-value information.

5. Can you give me a specific example of how that would work for an organization that is in the [insert industry name] industry?

6. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?  

Please do ask this question! Check out the Cloud Security Alliance website if you are not already familiar with it, and you’ll see why security industry folks need to be giving this serious attention.

7. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

8. For IoT sensors: what cybersecurity protections are built into your IoT sensors or devices?

9. For IoT integration platforms: what out of the box integrations do you have for facility security or building automation systems?

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS International member councils for Physical Security and IT Security.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.