11 questions to ask your vendors at GSX 2019

Sept. 5, 2019
Asking how technologies address real security challenges can help you see through marketing hype

Security industry technologies continue their rapid advancement, with two areas getting lots of attention as you already know: AI and Cloud. The most important questions of all to ask are:

  • End Users: What technologies will help me vastly improve my security operations? You probably already had this question in mind, but for vendors the talk is usually about features and new things. They are only relevant if they help you improve the security picture, and the improvement is worth more than the time, effort and cost to do it.
  • Security Integrators: What high-performing technologies will my customers value because they significantly improve their security capabilities? What are the actual end user stories that I can bring to them? It still amazes me when vendor sales folks laud their new and improved products yet can’t explain in detail the specific end-customer security improvements that resulted from how the product was applied.
  • Security Design Consultants: What documentation can you provide to me about the cybersecurity aspects of your products? For years we have been asking for this kind of information. It is ridiculous to expect consultants to specify a product or system that doesn’t have documentation to enable secure deployment. Here is a page with links to such information that lists the 24 vendors who do provide such information: Physical Security Hardening Guides in 2019. This is a key issue at the upcoming CONSULT 2019 event produced by SecuritySpecifiers.com.
  • I’m expecting that this year vendors will be noticeably more ready for such discussions than in the past.

    Vast Improvement

    By “vastly improve security operations” I mean orders of magnitude of improvement. But that doesn’t mean a massive change to the whole security program. It does mean that certain parts of it will be much more effective or efficient. I think that’s the main story about AI. Will AI revolutionize security operations? It definitely will. But not overnight and not universally.

    It’s like the self-driving car. That’s a “system of systems” – such as the braking system, steering system, tire management system, driver information system and dozens more – that all work together to make autonomous vehicle operation possible. But that didn’t result in all cars changing into autonomous vehicles overnight. That would have been a nightmare.

    Instead, we have a 25% reduction in vehicle-related fatalities. We have self-parking cars. We have lane departure avoidance. The young automotive engineers entering the field have embraced a future where we have all kinds of new vehicles, partly and fully autonomous. Their key engineering end goals are zero fatalities and zero-pollution transportation systems. This will take much more than a decade to unfold, but the technology improvements are arriving a few at a time into the cars we can buy and drive now.

    What’s Arriving

    In the same fashion, we’ll be seeing new capabilities arriving in across the spectrum of security technologies, made possible by the use of AI and cloud computing power. Many new industry entrants are bringing AI-enabled hybrid cloud solutions – for reasons they’ll be happy to explain.

    Whether or not you are looking at advanced next generation technology or existing technology being augmented using AI and/or the cloud, it is their security operations value that makes them worth deploying – not just being “cloud” or “AI.” They must be cyber-secure, deployable and manageable at scale,  standards-based and easily integrated with other systems. The additional questions below are aimed at those aspects.   

    Additional Vendor Questions

    4. Cybersecurity. Do you have a system (or product) hardening guide?

    A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system. If a vendor has products or systems that connect to the network, hardening guidance is appropriate.

    5. Cloud Security. For cloud companies: Do you have a published vulnerability handling policy and documentation describing your company’s product (or cloud service) security program?

    Cybersecurity professionals look for the three indicators of a cloud vendor’s cybersecurity maturity, two of which (italicized) are not understood well enough in the physical security industry:

  • Product hardening guide.
  • Security vulnerability handling policy.Descriptive documentation of the company’s product security program.

    You don’t need to ask this question of the companies who have hardening guides. Most of the security industry companies with hardening guides also have published vulnerability handling policies, and many have descriptive documentation about the product security program or internal cybersecurity team. Yet many security industry companies still don’t have a clear idea of what a product security program is. Listen closely to how vendors answer this question, as the differences between answers can give you insights into the relative ranking of vendors.

    6. Infrastructure Management. What new features do you have that improve management and administration for large-scale deployments?

    Today’s technologies are more feature-rich and more complex than ever before and are broadly networked to a much greater scale than a decade ago. If you have a regionally, nationally or globally network security system, ask about features that facilitate the management of large-scale deployments. Also see this article’s introductory on Infrastructure Management.

    7. Cloud Characteristics. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

    There are several companies who have products that are supported or augmented by cloud-based services, as opposed to companies with fully-cloud based offerings. When you hear the word “cloud” be sure to understand what functionality resides in the cloud and why it is in the cloud. Sometimes the product is cloud-hosted but was not built as a cloud-native application. This question will tell you how well cloud engineering has been applied to the system or application. It is surprising to me how many cloud services sales people can’t answer this question in 2019!

    8. Risk Scenarios. What types of risk scenarios do your new features address?

    Vendors should be able to describe the risk situations that the new features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature? When it comes to video analytics and AI/deep Learning based features, BOTH false positive and false negative rates must be considered. Hopefully, this year vendors have more to say on this topic than last year.

    9. Open Platform. Does the platform have an Open API, meaning that it’s published online and freely available? What type of API is it (such as REST, SOAP, RPC)? What are some examples of its use?

    Integration is emerging as a strong source of security systems value. Some platforms are more “open” others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration. Some are mostly used by technology partners, and others are very useful for IT department integrations with customer applications, such as with an Identity Management System for physical/logical access control system integration.

    10. Artificial Intelligence (AI) and Deep Learning (DL).

    AI and Deep Learning functionality can exist in multiple places within a system. For example, there can be camera-based software that extracts an AI data model and streams video metadata for both cloud and on-premises video and data processing. See my article on Fog Computing (which I call “cloud on the ground” because it puts cloud-computing technology on-premises in your security system). This article has an excellent diagram of device, on-premises and cloud computing security system elements. There are seven questions that relate to AI and Deep Learning.

    Where does the AI software reside? Who develops and improves the AI? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How it is backed up? Who owns the data model that is built with your company’s or your facility’s data? I expect that more vendors will be able to answer these questions than last year.

    11. Standards. What encryption standard is used or what version of network protocol is used?

    The use of outdated encryption and network protocols introduces cybersecurity vulnerabilities. This was a sore point in the industry just a few years ago and is getting better now – but still needs checking on for products you own or are considering for purchase.

    About the Author:

    Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

    About the Author

    Ray Bernard, PSP, CHS-III

    Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

    Follow him on LinkedIn: www.linkedin.com/in/raybernard

    Follow him on Twitter: @RayBernardRBCS.