7 questions to ask your vendors at ASIS 2016

Sept. 8, 2016
Asking the right questions can shift the focus of vendors back onto the needs of customers

Physical security industry companies work hard at improving their products, but commonly they do so by trying to "out-feature" their competitors by having more features, or by somehow making a feature or design more impressive than a similar feature from a leading competitor. They should be looking at the gaps their customers still have in addressing security risks.

The failure to focus on these gaps leads to industry situations like this one: being 10 years or more behind in addressing cybersecurity for electronic security systems. For example, hardening guides have been common in IT for more than two decades, but they are not common in the physical security industry. A hardening guide tells you what security measures to take when you install a product or system. However, thanks to customers, integrators and consultants asking about hardening guides, and articles calling for them, this is changing. One year ago, there were no hardening guides available online for networked security products. However, now there are at least four.

If you are a security end-user, systems integrator or consultant—you can help refocus vendor thinking by asking questions that directly relate to your needs. That’s the purpose of these questions: to shift the focus back on your needs (or the needs of your customers and clients, in the case of consultants and integrators) and off of one-upping their competitors.

Don’t limit your questions to what I have here. You can probably come up with some good questions of your own if you think about what risks you have a hard time addressing to your satisfaction.

Note to vendors: If you already have a published hardening guide or a vulnerability policy (see the End User questions below), get one of those clear plastic stands for letter-size sheets, and make a nice-looking sign for your booth that says, for example, "Ask Us About Our Hardening Guide." If you have one, that makes you one of the leading companies, so don’t be shy about it!

Note to integrators and consultants: Do read the end-user questions first, as the questions for you are mostly identical, and so I put the explanations about the questions in the end-user questions section.

Questions for End-Users to Ask

1. Do you have a system (or product) hardening guide?

A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.

Don’t ask this question of Axis Communications, Bosch Security Systems, Genetec, or Tyco because they already have downloadable hardening guides (Axis hardening guide, Bosch IP Video and Data Security Guidebook, Genetec hardening guide, Tyco Cyber Protection Program). You should download at least one hardening guide to see what one looks like. Eagle Eye Networks has published a video system security guideline titled, 12 Security System Best Practices – Cyber Safe. Viakoo has published a guideline paper titled, Securing Your Video Security Network, which is a 12-point checklist of critical security flaws typically found in video security networks, and what to do about them. Tyco also published on YouTube a recording of its informative 30-minute webinar, "Cybersecurity Readiness of IP based Systems." This is worth watching.

A related key question to ask your systems integrator is: What hardening measures have you put in place for our system and device security? (Integrators and consultants take note: you should be proactive and review the system hardening opportunities with your existing customers.)

Parallel Technologies published a two-page paper in 2014 titled: 5 Reasons for IT to Own Access Control. "Security" was their second reason. At the start of the paper, they say, ". . . physical access control systems (AC) have traditionally been designed without IT professionals in mind." For each of the five reasons, they explain what IT’s product considerations are. It is a good piece to download and read; it will enlighten you on some of the perspectives from which your IT folks look at your security technology.

2. Do you have a Vulnerability Policy?

A vulnerability policy explains how a vendor will manage and respond to reported security vulnerabilities with their products to minimize their customers’ exposure to cyber risks. That’s where you find out how to report a vulnerability to them, and where to find the list of vulnerabilities that have already been reported, along with their status. Axis Communications provides information on product security, and you can download the Axis Vulnerability Policy here.

3. Do you have case studies for my business sector, [insert sector name here], that show how our business-sector-specific risks can be addressed using your product?

I am not a big fan of the kind of case study articles that I typically see, which usually contain little information about the real value to customers of the products involved. What risks were addressed that couldn’t be addressed well enough before? What significant cost or efficiency savings were accomplished? Don’t be surprised if the vendor answers you with another question, "What kind of risks do you mean?" That’s a great opportunity to put forth one of the risk challenges that you would like help with, and see what the vendor says.

4. What features in your product offer significantly more value in some way than the same features in competing products?

I have only had a little luck with this question in the past. Most of the vendors didn’t really have that much insight into the differences between their competitors’ products and their own—in terms of the value to the customer. Those that did, like RedCloud’s access control system (now Avigilon’s Access Control Manager), promptly demonstrated them for me. In the case of RedCloud, I was happily surprised to see how their integration to Microsoft’s Active Directory could be set up in under three minutes. So even though the answers have been few, they have been valuable.

5. Can you give me a specific example of how that would work for an organization like mine?

You can only ask this question if the vendor’s representative makes a statement expecting your agreement or buy-in, yet you don’t see how the dots connect for your situation. I remember one case in which the sales person said, ". . . which in turn strengthens security, which ultimately has a positive impact on your company’s bottom line." So I asked, "Please explain to me exactly where the bottom line impact comes from? What specific aspect of the product deployment contributes to the bottom line impact?" He had no real answer, which is what sometimes happens when sales people repeat the phrases they are taught. But it is important not to assume that something sounding like "fluff" has no basis. I am sometimes pleasantly surprised when someone provides me with a specific business case that realistically does match their assertion. You won’t know if you don’t ask.

Here are two questions to ask vendors with cloud-based offerings:

6. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?

The Cloud Security Alliance (CSA) has developed the CSA Security, Trust & Assurance Registry (STAR) program. CSA STAR is the industry’s most powerful program for security assurance in the cloud.

Do not ask this question of Brivo Systems, as they have already performed their self-assessment.

7. Where can I find a security architecture diagram for your offering?

The vendor has full responsibility for the security of its cloud-based application (SaaS – Software as a Service). That responsibility does not fall on the cloud infrastructure provider (such as Amazon’s AWS or Microsoft’s Azure), which is why the vendor should be able to show you how its application is secured. Read about this online in my article about addressing cloud risk.

Questions for Integrators and Consultants to Ask

  1. Do you have a system (or product) hardening guide?
  2. Do you have case studies for these specific business sectors [insert your list here], that show how the business-sector-specific risks can be addressed using your product?
  3. Do you have case studies for these business sectors, [insert list here], that show how some of the business-sector-specific risks can be addressed using your product?
  4. What features in your product offer significantly more value in some way than the same features in competing products?
  5. Can you give me a specific example of how that would work for an organization that is in the [insert industry name] industry?

Questions for vendors of cloud-based services:

  1. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?
  2. Where can I find an application security architecture diagram for your offering?

If you have other questions that you think are important, please send them to me ([email protected]) and I’ll include them in the list for next year’s ISC West and ASIS events.

About the Author

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security field for more than 29 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.