Sage Conversations: What is the scorecard for security devices and software?

Jan. 14, 2013
Technology integrations should support an organization's security and business needs

Recently I was asked to weigh in on the evaluation of a camera. I was one voice among many. Each of us came from different backgrounds such as:

• Camera and network engineer
• Security engineering manager
• Business process engineering
• Professional services consultant
• Security PACS architect
• Strategic business development
• Executive management

The camera/network and security engineer had become the lead for the technical evaluation. They were the first to weigh in. What was interesting in their technical evaluation was no mention of a scorecard for information integration. Much of their evaluation focused on the following:

1. Form factors
2. Installation
3. Resolution
4. VMS Integration
5. Multi-streaming
6. Price/performance
7. Power consumption
8. Frame rate
9. Encoding technology
10. Image quality
11. Low-light performance
12. Dynamic range
13. Technical support

It was a solid evaluation. But it was missing something critical to the next generation of security.

I have found this over and over again in the security industry. There is much focus on a device's functional abilities and its ability to integrate with a specific application, in this case a VMS, but this integration is held hostage by the proprietary architectures of many of the vendors as well as their highly protective business practices. Getting caught up in the device interoperability game keeps the focus on a limited scope of application integration.

Shouldn't there be a higher level demand for integration that supports the information needs of a security organization? By asking this question, we begin to cross over the line into a balanced scorecard for an information technology architecture. Information architects and the notion of an architecture for how information is consumed and integrated is not a comfortable area of competency for security professionals. And yet, more than ever, they are being asked to optimize their budgets, measure their value, and intersect their people, process and tools into the organization's mission and goals. Moore's law is testing their ability to keep up with new and emerging technology that will change how they deliver services to their organization. Security is no longer a lock on a door that can be expected to stay on that door for 20 years. IP devices and software will be expected to be upgradeable, scalable, and available and budgets and resources must be aligned to adjust to that concept.

There are a few models for approaching this information architecture scorecard. Organizations like the Sherwood Applied Business Security Architecture (SABSA), which provides a membership, training and certification body for enterprise security architects is one example. The Security Executive Council is another. They provide a model for board-level risk which would help determine the requirements of an information management architecture. A few integrators are beginning to implement professional services that purport to provide a methodology for assisting clients in the construction of an architecture that will deliver the strategic and tactical information required.

These integrators attempt to define the scorecard and understand the following before recommending a technology of any kind. They do this by starting at a value premise that answers the 'why?' But what are the organizational drivers of value that will put into context all decisions related to information management and the use of technology such as:

  • Business strategy, business environment, business goals and objectives.
  • Information activities: Internal and external ecosystems that require information and the identity polices needed to make that happen.
  • Information architecture: The policies that dictate the level of interoperability needed to enable and align the people, processes and tools and how to assess, design and deploy such solutions over time. It takes into considerations business and security urgency, risk and value.
  • Technology architecture: Specific technology is measured against the information architecture and the business enablement it represents. The key are the principles and scorecard by which this technology will be measured.

From the answers to these questions, a data process diagram begins to evolve to answer questions of collaboration (who), roadmap (what will be developed and deployed and when?), how it will be developed and resourced during and after deployment, and finally a solution orientation that can answer the attributes of a specific set of technologies that will be deployed to drive value. If done this way, ongoing metrics can be established that help measure the anticipated value from the original assessment, define the scorecard for future technology, as well as be used to create a continuous improvement program.

This takes a little more time, but, let us attempt to undergird the reasoning for this approach with a simple but critical logic statement. Security executives aim for a common operating picture, provisioned by the collection of data from multiple inputs including devices and software applications, that are effectively measured to ensure continuous improvement toward actionable business value and all-hazards risk mitigation while achieving continuous compliance. If that truly is the case, then every device and application must be measured against this over-arching goal.

What many CSOs tell me is they face an inherited culture that does not understand business objectives that align with risk and security nor how to measure it in a way that would be meaningful to business executives. They also complain of a dearth of standards that prevent them from integrating in a meaningful way. Finally, they complain about the lack of IT and business insights and advice they need to have from their existing consultants and integrators.

But the industry is changing. Technology is advancing much faster than the security market can absorb or understand it, and it is pushing the end user model for security as well as the channel for products and services.

Just look at Microsoft Global Security and their implementation of a commercial off-the-shelf (COTS)-based stack that inherits full integration of all its software applications if the device or software application conforms to its 'standard'. They are actively pushing the envelope for this level of business practice and information architecture approach and security technology companies are taking note. I predict a number of devices, solutions and professional service organizations will take advantage of this in a big way in 2013.