The Cloud and Your Security Technology Roadmap

Aug. 3, 2016
Adopting advanced technologies requires using up-to-date strategies

Evolving Roadmap Context

Although cloud computing is not new, it is still evolving. Cloud computing—along with across-the-board information technology advances—is driving massive change in the ways that people, businesses, and governments interact, and the way that organizations operate. Cloud-based systems are changing the expectations that people and organizations have for technology, including security technology. When asked, at the 2014 Gartner Data Center Conference in December 2014, about the effects of digital disruption on General Electric, Chris Drumgoole, chief operating officer of GE’s cloud division, said, “There is really not a single thing that we do in IT, today, that we'll do the same way two years from now. I struggle to name a single process within our organization that isn't going to change dramatically over the next two years or three years.”

Drumgoole also said, in a 2014 InfoWorld interview, “We really believe that the world is changing from engineered-systems to an integrated-systems world, where the component is no longer the most important piece. It’s around systemic behavior, where systems exist to serve apps.”

Given the continuing advances in analytics and risk data services, application integration is likely to be the level of design that will bring maximum value—in terms of risk mitigation capabilities — to an organization’s electronic physical security systems.  All of this means that a traditional three-or five-year technology roadmap plan based upon installed hardware system products won’t work.

20th Century Technology Planning

A traditional but now-outdated approach to security technology roadmap development is shown in the steps below, which presume knowledge of the organization’s risk picture and security’s objectives relating to it:

  • Evaluate the state of your current technology.
  • Identify candidate new products.
  • Qualify the integration requirements.
  • Collaborate with IT on the computing and networking requirements.
  • Determine the ballpark cost for deployment.
  • Create a deployment plan with a project timeline.
  • Obtain management business and financial approval.

This approach was acceptable when security product life cycles were 5 to 10 years or more when technology didn’t change that much from year to year, and when the rate of business change was much less than it is now. Going forward, there are a lot more factors to take into consideration that this traditional product-based approach does not account for.

21st Century Technology Planning

Technology planning in the 21st century has distinct differences from planning for the previous century’s technology, some of which are shown in Table 1 below.

Scenarios and Roadmap Planning

Security risk scenarios are an effective way to characterize the risk picture for security stakeholders. They are also a quick and effective way to communicate the value of any particular technology.

For example, here is a retail store gunpoint hold-up scenario, inspired by www.AlertPOS.com.  A robber in a hoody, wearing gloves, and orders the cashier to open the cash drawer and step away. The cashier cannot press the silent alarm button. The robber bypasses the duress device in the cash drawer, takes the cash, and safely exits the store. Typically, at that point, the employee would call the police, but the police would arrive several minutes after robber’s departure. There would be no clear video of robber’s face in the store cameras. The typical outcome: the robber gets away with the crime.

Instead, with new tablet-based Point-of-Sale (POS) system technology, the cashier presses an unmarked holdup button on checkout screen plus the button to open the cash register. The camera built into POS screen tablet gets facial a close-up facial picture of robber taking the cash. The police car was rolling before the cashier stepped away from the cash drawer. The POS system sends an email to police containing a picture of the robber, the picture of store floor showing where the customers and employees are, plus a link to a web page with live video from all store cameras and a map of the store location.

The new outcome: Police arrives as the robber exits, follow him to his vehicle, arrest the robber and recover the money.

In a slightly futuristic scenario (next year?), all of the store owners on the block have subscribed to a drone service, which provides the drone that is parked in readiness on top of one of the buildings. Had the police not arrived in time, the drone would have tracked the robber from the air, sending live video streams and location data for the map on the same web page the police are looking at.

The new outcome is still the same: the police arrest the robber and recover the money.

New Technologies Require New Technology Strategies

Successfully implementing such advanced technology means doing so in a way that significantly improves the organization’s risk picture, by improving the security-effectiveness and cost-effectiveness of the organization’s security program. This means that your security technology strategy, to be effective, must include an updated risk assessment process whose results will provide scenarios of how advanced technology will be used to improve the risk picture. These are essential for educating the senior security stakeholders.

Financial stakeholders also require educating, because security technology funding will now contain an OpEx element for cloud-based services. OpEx funding is not new to security for many organizations since that’s the source of facility security force budgets. However, details will still have to be worked out. Fortunately, the utilization of cloud-based services is not new for organizations today.

Another part of the security technology strategy is the role that IT will play. For most organization’s IT is undergoing significant change, as mentioned earlier, and the security technology strategy will be complementary to IT’s technology strategy. IT can easily play a valuable advisory role with regard to the adoption of IT practices. Additionally, it can provide quality assurance for system design and integration documentation provided by security integrators.

This type of documentation is typically a weak spot for most security integrators.

There are likely to be opportunities for advanced security technology to be of operational value to other business functions, especially for video and analytics applications.  IT may also have a strategy for identity and credential management, another potentially valuable point of integration for security systems.

Technology Planning Ingredients

Going forward, product selection will just be one part of the overall process for technology planning, which must include:

  • Updated Assessment Process. A risk assessment process is required that takes a close look at the operational scenarios for risk mitigation across the full spectrum of the organization’s security risks.
  • Technology Strategy. A security technology strategy that is aligned with and complementary to IT’s corporate technology strategy, and leverages IT knowledge, infrastructure, and processes; informs all of the stakeholders and enables them to make sound decisions regarding the role of security technology going forward, as well as for approving specific initiatives; and sets the objectives that the security technology roadmap must meet.
  • Technology Roadmap. A 21st-century security technology roadmap for physical and corporate security that is a living document, updated annually, and reviewed any time the organization undergoes significant business or risk changes, or whenever breakthrough technologies offer new and highly beneficial risk mitigation capabilities.

About the AuthorRay Bernard, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 28 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.