Sage Conversations: What is the scorecard for security devices and software?

Technology integrations should support an organization's security and business needs


Recently I was asked to weigh in on the evaluation of a camera. I was one voice among many. Each of us came from a different background, such as:

• Camera and network engineer
• Security engineering manager
• Business process engineering
• Professional services consultant
• Security PACS architect
• Strategic business development
• Executive management

The camera/network and security engineer had become the lead for the technical evaluation. They were the first to weigh in. What was interesting in their technical evaluation was that it made no mention of a scorecard for information integration. Much of their evaluation focused on the following:

1. Form factors
2. Installation
3. Resolution
4. VMS Integration
5. Multi-streaming
6. Price/performance
7. Power consumption
8. Frame rate
9. Encoding technology
10. Image quality
11. Low-light performance
12. Dynamic range
13. Technical support

It was a solid evaluation. But it was missing something critical to the next generation of security.

I have found this over and over again in the security industry. There is much focus on a device's functional abilities and its ability to integrate with a specific application, in this case a VMS, but this integration is held hostage by the proprietary architectures of many of the vendors as well as their highly protective business practices. Getting caught up in the device interoperability game keeps the focus on a limited scope of application integration.

Shouldn't there be a higher-level demand for integration that supports the information needs of a security organization? By asking this question, we begin to cross over the line into a balanced scorecard for an information technology architecture. Information architecture, meaning the discipline of designing how information is consumed and integrated, is not a comfortable area of competency for security professionals. And yet, more than ever, they are being asked to optimize their budgets, measure their value, and intersect their people, process and tools into the organization's mission and goals. Moore's law is testing their ability to keep up with new and emerging technology that will change how they deliver services to their organization. Security is no longer a lock on a door that can be expected to stay on that door for 20 years. IP devices and software will be expected to be upgradeable, scalable, and available, and budgets and resources must be aligned to adjust to that concept.

There are a few models for approaching this information architecture scorecard. The Sherwood Applied Business Security Architecture (SABSA), which provides a membership, training and certification body for enterprise security architects, is one example. The Security Executive Council is another. They provide a model for board-level risk which would help determine the requirements of an information management architecture. A few integrators are beginning to implement professional services that purport to provide a methodology for assisting clients in the construction of an architecture that will deliver the strategic and tactical information required.

These integrators attempt to define the scorecard and understand the following before recommending a technology of any kind. They do this by starting from a value premise that answers the 'why?': the organizational drivers of value that put into context all decisions related to information management and the use of technology, such as:

  • Business strategy, business environment, business goals and objectives.
  • Information activities: Internal and external ecosystems that require information and the identity policies needed to make that happen.
  • Information architecture: The policies that dictate the level of interoperability needed to enable and align the people, processes and tools and how to assess, design and deploy such solutions over time. It takes into consideration business and security urgency, risk and value.
  • Technology architecture: Specific technology is measured against the information architecture and the business enablement it represents. The key is the set of principles and the scorecard by which this technology will be measured.