There are several educational sessions at this year’s ISC West conference that focus on or include discussion on TCO – Total Cost of Ownership, something I get specific about in my educational session at 12:30 PM on Thursday, April 6th. TCO factors are evolving as product and system capabilities advance, and there is a growing realization that the cybersecurity profile of deployed systems is an increasingly important TCO factor.
Hot ISC West Sessions
I had to take a different approach this year to make a list of Hot ISC West Sessions. This year’s array of topics and speakers are so fantastic that it’s impossible not to be frustrated about the fact that you can only be in one place (one session) at one time. So I made a list of tough choices so that you can take a divide-and-conquer approach to make sure that between yourself and your colleagues and friends, you can cover the "don’t miss" sessions.
This Year’s Vendor Questions
If you are a security end-user, systems integrator or consultant—you can help refocus vendor thinking by asking questions that directly relate to your needs and concerns. Don’t limit your questions to what I have here. You can and should come up with some good questions of your own if you think about what risks and deployment challenges you have a hard time addressing to your satisfaction.
Note to integrators and consultants: Do read the end-user questions first as the questions for you are mostly identical to those, and so I put explanations for the questions in the end-user questions section.
Questions for End-Users to Ask
1. Do you have a system (or product) hardening guide?
A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.
Here are companies that I know have published system hardening material, and if you can make the time for it, I recommend checking out those guides ahead of time as they are likely to prompt some questions on your part. I suspect that I am missing a few companies from this list, and I hope they email me ([email protected]) so that I can add them to this online article before the show.
Check out this list of system and product hardening advice:
- Axis security policy and product security information
- Bosch IP Video and Data Security Guidebook
- Brivo review of secure system architecture and background on system information security considerations (24 pages)
- Eagle Eye Networks Cyber Safe Best Practices, cyber security blog, and Cyber Lockdown feature
- Genetec hardening guide
- Milestone hardening guide
- Tyco Security Cyber Protection Program
- Viakoo InfoSec white paper and 12-point video network security checklist
2. Do you have a Vulnerability Policy?
A vulnerability policy explains how a vendor will manage and respond to reported security vulnerabilities with their products to minimize their customers’ exposure to cyber risks. That’s where you find out how to report a vulnerability to them, and where to find the list of vulnerabilities that have already been reported, along with their status. This is still an area where many vendors haven’t understood the issues.
3. Do you have case studies for my business sector, [insert sector name here], that show how our business-sector-specific risks can be addressed using your product?
I am not a big fan of the kind of case study articles that I typically see, which usually contain little information about the real value to customers of the products involved. What risks were addressed that couldn’t be address well enough before? What significant cost or efficiency savings were accomplished? Don’t be surprised if the vendor answers you with another question, “What kind of risks do you mean?” That’s a great opportunity to put forth one of the risk challenges that you would like help with and see what the vendor says. Last year I saw material of this kind being produced, so there is hope that you may find some at this year’s ISC West conference.
4. What features in your product offer significantly more value in some way than the same features in competing products?
I have only had a little luck with this question in the past. Most of the vendors didn’t really have that much insight into the differences between their competitors’ products and their own in terms of the value to the customer. Those that did, like RedCloud’s access control system (now Avigilon’s Access Control Manager), promptly demonstrated them for me. In the case of RedCloud, I was happily surprised to see how their integration to Microsoft’s Active Directory could be set up in under three minutes. So even though the answers have been few, they have been valuable.
5. Can you give me a specific example of how that would work for an organization like mine?
You can only ask this question if the vendor’s representative makes a statement expecting your agreement or buy-in, yet you don’t see how the dots connect for your situation. I remember one case in which the sales person said, “. . . which in turn strengthens security, which ultimately has a positive impact on your company’s bottom line.” So I asked: “Please explain to me exactly where the bottom line impact comes from? What specific aspect of the product deployment contributes to the bottom line impact?” He had no real answer, which is what sometimes happens when sales people repeat the phrases they are taught. But it is important not to assume that something sounding like “fluff” has no basis. I am sometimes pleasantly surprised when someone provides me with a specific business case that realistically does match their assertion. You won’t know if you don’t ask.
6. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?
The Cloud Security Alliance (CSA) has developed the CSA Security, Trust & Assurance Registry (STAR) program. CSA STAR is the industry’s most powerful program for security assurance in the cloud.
Do not ask this question of Brivo as they have already performed their self-assessment.
Questions for Integrators and Consultants to Ask
1. Do you have a system (or product) hardening guide?
In particular, you should look for information about what steps to take for validating cybersecurity in product and system commissioning. If you ask this question of their A&E representative, you’ll get them thinking along this line.
2. Do you have a Vulnerability Policy?
How would you report a vulnerability you found while commissioning a system? As I mentioned above, this is an area that for most companies still isn’t being addressed.
3. Do you have case studies for these business sectors, [insert list here], that show how some of the business-sector-specific risks can be addressed using your product?
You can get specific about this question based upon your client knowledge. Sometimes you find that the vendor does have people with subject matter expertise in particular sectors. It can be helpful to get their take on what risks they see are and aren’t being addressed.
4. What features in your product offer significantly more value in some way than the same features in competing products?
In this day of information overload, it’s hard to stay up to date on product and system advances. I have found that this question can lead to answers containing high-value information.
5. Can you give me a specific example of how that would work for an organization that is in the [insert industry name] industry?
6. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?
Please do ask this question! Check out the Cloud Security Alliance website if you are not already familiar with it, and you’ll see why security industry folks need to be giving this serious attention.
About the Author:
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS International member councils for Physical Security and IT Security.