10 questions to ask your vendors at GSX 2021

Sept. 10, 2021
Asking how technologies address real world security challenges can help you cut through marketing hype

Security industry technologies continue their rapidly accelerating advancement, with four areas capturing attention for at least the past three years: AI/Deep Learning, cloud, mobile device and sensor-based products and features – with LiDAR and radar-based technologies in the forefront of new sensors. There are pros and cons to the use of various LiDAR and radar technologies, based on where, how and why you want to use them, if integration with other devices or systems are involved and what type of user interaction is required.

The electronic circuit trends of low power and miniaturization have enabled the design and production of radar chips which can be smaller than a quarter and, unlike traditional radars, have no moving parts. Thus, many radar sensors are provided as aesthetically packaged small devices that can sit on a countertop or desktop, or be mounted high on walls or ceilings.

Several companies produce various radar-based perimeter detection products, including Axis Communications (#1341) and SpotterRF (#1663).  Orion Entrance Control (#855) provides radar-based presence detection, zone occupancy and in/out counting, and vital sign monitoring (detects breathing, coughing and heart rates – with applications including lone worker situations, fitness centers, etc.). Quanergy (#1756) offers a Flow Management Platform, which utilizes 3D AI-powered LiDAR-based sensors, useful for tailgate prevention at critical area entry points, queue management and automation of key business processes.

The most important questions of all to ask are:

  1. End Users: What technologies will help me vastly improve a key aspect of my security operations? You probably already had this question in mind, but for vendors the talk is usually about features and new things. They are only relevant if they help you improve the security picture, and the improvement is worth more than the time, effort and cost to do it.
  2. Security Integrators: What high-performing technologies will my customers value because they significantly improve their security capabilities? What are the actual end user stories that I can bring to them? It still amazes me when vendor sales folks laud their new and improved products yet can’t explain in detail the specific end-customer security improvements that resulted from how the product was applied.
  3. Security Consultants and Integrators: What documentation can you provide to me about the product security aspects of your offerings? For years we have been asking for this kind of information. It is ridiculous to expect consultants to specify a product or system that doesn’t have documentation to enable secure deployment. Here is a page with links to such information that lists 28 vendors who do provide such information: Physical Security Hardening Guides in 2021. This is a key issue at the upcoming CONSULT 2021 event produced by SecuritySpecifiers.com.

Based on discussions I’ve had with vendors over the past year, many will be much more ready for such discussions than in the past. There has been a very strong manufacturer focus on use cases in product development and on user stories in marketing.

Vast Improvement

As I have said before, by “vastly improve security operations” I mean orders of magnitude of improvement. But doesn’t mean a massive change to the whole security program. It does mean that certain parts of it will be much more effective or efficient. The story of AI-based analytics includes more than just improvement of previous capabilities, but also the addition of new kinds of data providing enhanced security intelligence and business intelligence.

Vendor Partnerships

Collaboration among technology partners continues at an all-time high. For instance, through an integration between Eagle Eye Networks and Swift Sensors, in addition to its cloud VMS application, Eagle Eye provided Papa Murphy’s pizza with constant monitoring of the temperature of the walk-in coolers and prep lines, using wireless temperature sensors that securely transmit their data to the cloud. This is an example of providing business intelligence data in addition to security data. It’s notable that both Eagle Eye Networks and Swift Sensors have an Open API (see question #8 below).

What’s Arriving

New capabilities keep arriving in across the spectrum of security technologies, made possible by the use of AI and scalable on-demand cloud computing power. Whether or not you are looking at advanced next generation technology or existing technology being augmented using AI and/or the cloud, it is their security operations and, in some cases, also their business intelligence value that makes them worth deploying – not just being “cloud” or “AI”. They must be cyber-secure, deployable and manageable at scale,  standards-based and easily integrated with other systems. The additional questions below are aimed at those aspects.   

Additional Vendor Questions

4. Product Security. For cloud companies: Do you have a published vulnerability handling policy and documentation describing your company’s product (or cloud service) security program?

Cybersecurity professionals look for the three indicators of a cloud vendor’s cybersecurity maturity, two of which (italicized) are not understood well enough in the physical security industry:

  • Product hardening guide.
  • Security vulnerability handling policy.
  • Descriptive documentation of the company’s product security program.

You don’t need to ask this question of the companies who have hardening guides. Most of the security industry companies with hardening guides also have published vulnerability handling policies, and many have descriptive documentation about the product security program or internal cybersecurity team. Yet many security industry companies still don’t have a clear idea of what a product security program is. Listen closely to how vendors answer this question, as the differences between answers can give you insights into the relative security posture of vendor offerings.

5. Infrastructure Management. What new features to you have that improve management and administration for large-scale deployments?

Today’s technologies are more feature-rich and more complex than ever before and are broadly networked to a much greater scale than a decade ago. If you have a regionally, nationally or globally network security system, ask about features that facilitate the management of large-scale deployments.

6. Cloud Characteristics. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

There are several companies who have products that are supported or augmented by cloud-based services, as opposed to companies with fully-cloud based offerings. When you hear the word “cloud” be sure to understand what functionality resides in the cloud and why it is in the cloud. Sometimes the product is cloud-hosted but was not built as a cloud-native application. This question will tell you how well cloud engineering has been applied to the system or application. It is surprising to me how many cloud services sales people can’t answer this question in 2021!

7. Risk Scenarios. What types of end user risk scenarios do your new or improved features address?

Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature?

8. Open Platform. Does the platform have an Open API, meaning that it’s published online and freely available? What type of API is it (such as REST, SOAP, RPC)? What are some examples of its use?

Integration is emerging as a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration.

9. Artificial Intelligence (AI) and Deep Learning (DL).

AI and Deep Learning functionality can exist in multiple places within a system. For example, there can be camera-based software that extracts an AI data model and streams video metadata for both cloud and on-premises video and data processing. There are seven questions that relate to AI and Deep Learning.

Where does the AI software reside? Who develops and improves the AI? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How it is backed up? Who owns the data model that is built with your company’s or your facility’s data? I hope that more vendors will be able to answer these questions than in the past.

10.   Digital Certificates. What use do you make of digital certificates, for encryption and/or device identity?

An increasing number of IT departments are requiring that encryption and system device authentication utilize digital certificates. Few non-cloud security system software applications use certificate-based encryption. When it comes to device authentication, I know of only two systems who’s on-premises hardware devices use digital certificates to authenticate themselves to their cloud data center: the Eagle Eye Cloud VMS and the Brivo cloud access control system. This level of system security should be industry standard.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Follow Ray on Twitter: @RayBernardRBCS.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.