Seventeen questions to ask your vendors at GSX 2024

Sept. 20, 2024
AI capabilities are usually top of mind in current technology discussions. I’ve saved those for last because I don’t want them to eclipse the other important aspects of technology that warrant attention, most of which apply to AI-enabled technologies.

So much has changed about technology and security industry companies that the rationale behind this year’s questions more directly reflects two things: the changes in the security industry landscape, and the challenges facing security technology end user customers -- many of whom are property managers whose overall responsibilities include not just physical security, but the tenant and visitor experience of their various properties.

Many security industry companies have grown and evolved substantially, as happens in any industry. As the size of security technology deployments keeps increasing (number of devices, systems, integrations and end users (mobile apps and mobile credentials)), many industry companies have increased the ability for their products and systems to be managed at scale. Some companies are leading in this advancement and have been for years, and some are now catching up.

System and Device Cybersecurity

When it comes to networked physical security systems, it’s important for the sake of all other devices on the network that any networked system (video, access control, etc.) supports certificate-based highly secure connections to its managed and interfaced devices.

  1. DEVICE CYBERSECURITY. How is cybersecurity baked into on-premises devices? Has the system implemented zero-trust connectivity for its managed devices?

This involves digital certificates, strong passwords and password management, and firmware update capabilities, all of which must be manageable at scale.

System Cybersecurity

  1. SYSTEM CYBERSECURITY. What are the recent improvements you have made in cybersecurity?

If you don’t get a sensible answer, it’s likely that the individual hasn’t been paying attention to what the company has been doing or doesn’t want to talk about it. Ask for specifics about device and system cybersecurity, not just assurances like, “we have it covered.” There should also be information available online, and in downloadable format.

Get additional information and links to hardening guides here. Several hardening guides identify which hardening steps relate to the various cybersecurity frameworks, such as the NIST cybersecurity framework and the Center for Internet Security’s CIS Controls. Recent NIST guidance (explained here) includes how to apply foundational NIST cybersecurity documents to a physical access control system (PACS).

Pre-Configured Servers and Appliances

  1. Which server and workstation models have documented lab-test performance results?

On-premises server-based systems require cyber-hardened servers and workstations, but also guidance on which model to use based on the intended workload (especially important for video servers and monitoring workstations). Many manufacturers provide pre-hardened offerings, tested not only in their own labs but (for example) in Dell Technologies labs. Milestone Systems (Booth #1675) and Genetec (Booth #2612) are just two of the companies that have been making the most of their partnerships with Dell Technologies. Detailed lab reports should be provided.

Technology Advancement

  1. What is truly innovative, evolved or game-changing relating to security operations capabilities?

Practically every security industry incumbent will have “new and improved” versions of products or systems, and much of that will be around AI, integrations and mobile and cloud capabilities. While they often like to highlight the technical features, what matters most is what customers can do with them. If not volunteered, be sure to ask about customer story and case study specifics.

  1. How do you support integrator professional services and as-a-service offerings?

As-a-service offerings are much more than just rebranded leasing options. Due to varying lifecycles of the devices and components of today’s advancing security systems, and the increasing number of product and system configuration options, remote service capability is an important factor in addressing the complexities so as to maximize uptime and reduce service costs. Establishing secure remote connections to deployed systems is very feasible today.

Security integrator dashboards are improving with increased usability – saving time and money. However, there will be game-changers and the nature and scope of “as-a-service” offerings are beginning to change. Eagle Eye Networks (booth #1721) provides an excellent example with Eagle Eye Complete, which provides both CapEx and OpEx options. Eagle Eye is truly prepared for an in-depth Total Cost of Ownership discussion, and has downloadable documentation that will (in my opinion) show you how to approach accurate TCO calculation for any offering.

Privacy and Data Governance

  1. What support do your products provide for GDPR, CCPA and CPRA compliance?

The toughest privacy and data security law in the world is the European Union’s General Data Protection Regulation. In the U.S. regulations vary by state, with California leading the way with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Previously I’ve said that being GDPR compliant is a way to assure compliance that is sufficient for any U.S. state, and for business security systems that is generally true. But there may be exceptions based on the type of business operating the security system and other factors. Download a detailed report by OneTrust DataGuidance and the Newmeyer & Dillion law firm.

For certain types of data, privacy protections include the ability to automatically anonymize the data before sharing or exporting it. Some privacy features are automated, some may be AI-based or non-AI analytics based (like face-blurring), and some require manual configuration.

Privacy and data governance are business issues whose importance to security system deployments is increasing significantly, because of the rise in non-security business operations data generated by security system analytics and AI-enabled computer vision.

Because the security industry has largely ignored the privacy aspects involved in facial recognition, and the dangers inherent in mistaken identification, facial recognition technology has been banned in some states and government-regulated industries, as in the airport and city bans on its use.

This is what makes the facial authentication technology of the Alcatraz AI (Booth #3000) multi-technology facial readers so important -- because they work based on mathematical models of a face, and that facial data cannot be used to recreate the original visual image. Thus, they store no PII and so can be used even in areas and facilities in which facial recognition has been banned.

Some leading manufacturers have begun providing features that facilitate the proper handling of system data that has privacy considerations. Ask to see each privacy-compliance feature so you can determine how much configuration is required, and what data management processes you should have in place to support data privacy across all your physical security systems.

Cloud Offerings

  1. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

This is not a new question. It is still surprising to me how many cloud services salespeople can’t answer that question! This can also have some application to on-premises equipment that is cloud-managed. Many of the emerging cloud offerings are applications hosted on a cloud server, and don’t give users the flexibility and capabilities provided by cloud computing.

Not surprisingly, both Brivo Systems and Eagle Eye Networks (both are in booth #1721) provide papers that document how they leverage cloud computing capabilities. Why do you think more cloud solution providers don’t do that?

  1. Is your company listed in the STAR Registry of the Cloud Security Alliance?

It never ceases to amaze me that only three physical security industry companies (Brivo, Eagle Eye and Alcatraz AI) have filled out the free STAR Level 1 self-assessment spreadsheet and submitted it to the STAR Registry. What’s more, you’d think they would be interested in seeing what kinds of information other companies are providing!

The more people keep asking this question, the more physical security industry companies will sense the need to pay attention to the Cloud Security Alliance. When companies brag to me about how secure their cloud solution is, this question is my first response. It should be yours, too.

Addressing Risk Scenarios

  1. What types of end user risk scenarios do your new or improved features address?

Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature?

Ambient.ai (booth #280) has taken the lead in this regard, as their AI computer vision capabilities are threat-signature based, and the number of threat signatures keeps increasing. Invalid Badge with Loitering and Invalid Badge Followed By Tailgating are two examples of AI combining data from multiple systems (video and access control) to detect threat situations not detectable by either system alone.

Open Platform

  1. Does the platform have an Open API -- meaning that it’s published online and freely available? What are some examples of its use?

Integration is now becoming one of the most important physical security technology capabilities. Think “smart spaces” and “smart buildings.” See the Brivo 2024 Global Security Trends report. Some physical security system platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement).

Ask to hear about examples of how the API is used for systems integration. SoloInsight’s CloudGate platform (booth #2827) supports an amazing array of integrations across multiple brands of systems. Milestone Systems (Booth #1675) was the first to provide an open video management software platform.

Digital Certificates

  1. Do your products support customer-provided digital certificates? How close to instantaneous is the certificate replacement process? How do you facilitate certificate management for large numbers of devices?

An increasing number of end-user organizations are requiring that encryption and system device authentication utilize customer-provided digital certificates. Because these organizations typically act as their own Certificate Authority (CA), they can perform near-instant certificate replacement for their systems. End-user customers don’t have such control over vendor-provided certificates.

Body-Worn Technology

The use of body-worn cameras in the business sector keeps increasing. They have been found to be highly valuable in the retail, healthcare, transportation and education sectors. However, the wearability of products and their technical capabilities vary significantly. The following set of questions applies.

  1. How can we pilot the technology to understand the impacts of any system complexities, manual process or procedure requirements and the do’s and don’ts for individuals wearing the technology? How is data privacy accounted for? What are the care and maintenance requirements? Are live video streams available for sharing, such as via WiFi, or is video only recorded? If sharable, exactly how does the sharing work? Can the technology be used with cloud VMS systems as well as on-premises systems? What customers do you have whose use cases most closely match mine?

Due to the increasing use of body-worn cameras in the business sector, most providers can be very specific about how the technology will work in any situation and use case.

Leveraging Existing Technology Deployments

This is a critical subject because many multi-national organizations have widespread technology deployments and rightly balk at rip-and-replace scenarios, especially ones that lock them into a specific brand or line of products.

  1. What do you have that adds value to my existing physical security systems?

Check out SoloInsight’s CloudGate platform (booth #2827), mentioned above in question #6, because this platform’s purpose is to add value – especially manageability – to enterprise-scale deployments, regardless of how many types and brands of electronic physical security systems are involved.

Alcatraz AI (Booth #3000) is an excellent example of a device that can significantly improve the effectiveness of specific access control points by addressing tailgating very cost-effectively.

AI-Enabled Technologies

It would be impossible to avoid the AI-based and AI-enhanced technologies at GSX 2024. Many of the questions above apply to AI-enabled products, such as from Ambient AI and Alcatraz AI.

A plethora of network video cameras have machine learning and deep learning chips and contain manufacturer-provided video analytics software that uses them. Some support third-party AI-based analytics that utilize these chips.

It is important to note that the AI in security devices and systems is categorized as “narrow AI,” which refers to AI that has a narrow focus and whose functionality is limited to a specific purpose. It cannot go beyond the bounds set for it.

This is in contrast to “general AI” (which refers to hypothetical AI systems that would have human-like general intelligence and problem-solving abilities across diverse domains) and “generative AI” (a type of AI that can create new content such as text, images, music, audio, and videos). It is these two categories of AI around which the scary stories are centered.

A good look at the uses of AI, including the different types of facial recognition (technical but understandable), is the paper titled Artificial Intelligence in Physical Security, by Chris Navaral, Director Global Operations Center at Salesforce, written primarily for those overseeing or operating their company’s Security Operation Centers.

Reading that 10-page paper will likely prompt several questions relevant to AI and your specific security technology applications. Read the paper all the way through, as there are several very key points towards the end.

  1. At what point in the deployment timeline does an AI-enabled product achieve its full value? What are the time frames for AI training and initial learning that enable it to be fully functional?

Over the past three years the time-to-value for a few of the leading AI platforms has dropped dramatically from months to weeks, and weeks to days. Ask about this at the Ambient AI booth. For many AI-enabled devices, such as the Alcatraz AI products, the time to value is zero, based on the nature of how its AI is used.

  1. Who developed the AI software? Was it developed internally, based on open-source AI software, or specifically licensed from the developing company?
  2. If it is a hybrid system, with some elements on premises and some in the cloud, where is all the data kept? If some learned data is kept locally on the on-premises server, how do I back it up?
  3. If AI is used in rule-based decision-making relating to access control or video systems, do you have documentation sufficient to meet a privacy regulation’s requirements to document the processing of PII data?

It is often quite daunting to see the number and variety of products at GSX. It can be hard to differentiate between them. Hopefully, the answers to these questions will help with that.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Download his just-released ground-breaking eBook titled, Future-Ready Network Design for Physical Security Systems.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.