10 questions to ask your vendors at ISC West 2023

March 21, 2023
Some tips for getting the most out of your interactions with vendors as security industry technologies continue their rapidly accelerating advancement.

Security industry technologies continue their rapidly accelerating advancement. Most of us expected an increase in AI-enabled features, and that’s happening. Historically, new products have not fared well when it came to cybersecurity capabilities. That situation is improving, but the first question on our list is still about cybersecurity.

The number of emerging cloud-based offerings continues to grow. Only three physical security companies so far have placed themselves in the STAR Registry (Security Trust Assurance and Risk) of the Cloud Security Alliance: Alcatraz AI (booth #30075), Brivo Systems and Eagle Eye Networks (see both at booth #20035). The registry reached over 1,000 entries by 2021, and it is a sad commentary on the Physical Security Industry that it has only three companies participating in the program.

What’s more, all three companies came from the IT sector into physical security. Alcatraz AI represents a new breed of companies coming out of Silicon Valley who take interoperability, cybersecurity and data privacy – as well as product user experience (known as UX in the IT world) – very seriously, in contrast to the incumbent physical security manufacturers.

It’s hard to believe we still have so few companies are taking cloud security seriously enough. Running on Amazon’s AWS, Google Cloud, Microsoft’s Azure and other infrastructure-as-a-service providers is not a guarantee of cloud application security.

The avalanche of AI-enabled products continues unabated, and there are two entries on the questions list regarding AI. I haven’t included questions for drones and robots, as they would make this list too long, and most of the people I’ve talked to who have a strong interest in drones are already prepared with questions.

Questions to Ask

This numbered list is actually a list of question topics, as half of the numbered entries have more than one question.

1.      CYBERSECURITY. Is cybersecurity baked into new on-premises products and new product capabilities? Or do design consultants, integrators and end-users have to plan it out based on good written guidance, or work it out without guidance? For cloud offerings, how do you document your cloud application security?

Vendors should be able to point you specifically to such guidance, not just answer, “We have it.”

2.       PRIVACY AND DATA GOVERNANCE. What support do your products provide for GDPR compliance?

The toughest privacy and security law in the world is the European Union’s General Data Protection Regulation. For certain types of data, this includes the ability to automatically anonymize the data before sharing or exporting it.

Privacy and data governance are business issues whose importance to security system deployments is increasing significantly, because of the rise in non-security business operations data generated by security system analytics and AI-enabled computer vision. Some leading manufacturers have begun providing features that facilitate the proper handling of system data that has privacy considerations.

The only product that I’m aware of that has enough privacy features built-in is the Rock (booth #30075) from Alcatraz AI, which is the only facial authentication device (note that it’s “authentication” and not “recognition” or “identification”) that can be used in the U.S. states where facial recognition products have been banned.

3.       SECURITY OPERATIONS IMPROVEMENT. What product capabilities will help vastly improve one or more key aspects of security operations?

Once again, you probably already had this question in mind, but for vendors the talk is usually about features and new things. Product improvements are only relevant if they help you significantly improve your security administration or security operations picture, and the improvement is worth more than the time, effort and cost to obtain it.

As I have said before, by “vastly improve security operations” I mean orders of magnitude of improvement. But doesn’t mean a massive change to the whole security program. It does mean that certain parts of it will be much more effective or efficient.

The story of AI-based analytics includes more than just improvement of previous capabilities, but also the addition of new kinds of data providing enhanced security intelligence and business intelligence. Thus, business operations value is a key factor in evaluating technology.

4.       CLOUD CHARACTERISTICS. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

It is still surprising to me how many cloud services sales people can’t answer that question! This can also have some application to on-premises equipment that is cloud-managed.

Many of the emerging cloud offerings are applications hosted on a cloud server, and don’t give users the flexibility and capabilities provided by cloud computing capabilities. Not surprisingly, both Brivo Systems and Eagle Eye Networks provide papers that document how they leverage cloud computing capabilities. Why do you think more cloud solution providers don’t do that?

5.       RISK SCENARIOS. What types of end-user risk scenarios do your new or improved features address?

Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature?

Ambient.ai (booth #21125) has taken the lead in this regard, as their AI computer vision capabilities are threat-signature based, and the number of threat signatures is now more than double the number announced by the 2022 press release linked to here.  

6.       OPEN PLATFORM. Does the platform have an Open API, meaning that it’s published online and freely available? What are some examples of its use?

Integration is emerging as a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration.

7.       ARTIFICIAL INTELLIGENCE (AI) and DEEP LEARNING (DL). Where does the AI software reside? What are the cloud computing and edge computing components? Who develops and improves the AI? Are patents involved, and if so, who owns them? Where does the AI data model reside – on-premises or in the cloud? Under what conditions could an on-premises data model be lost, resulting in AI learning having to start all over again.

AI is a rapidly advancing technology field, with very wide differences in the AI elements of AI-enabled physical security products.

8.       AI TIME-TO-VALUE. At what point in the deployment timeline does an AI-enabled product achieve its full value? What are the time frames for AI training and initial learning that enable it to be fully functional?

Over the past three years the time-to-value for a few of the leading AI offerings has dropped dramatically from months to weeks, and weeks to days. Ask about this at the Ambient AI booth.

9.       DIGITAL CERTIFICATES. Do your products support customer-provided digital certificates?  How close to instantaneous is the certificate replacement process? How do you facilitate certificate management for large numbers of devices?

An increasing number of end-user organizations are requiring that encryption and system device authentication utilize customer-provided digital certificates. Because these organizations typically act as their own Certificate Authority (CA), they can perform near-instant certificate replacement for their systems. End-user customers don’t have such control over vendor-provided certificates.

10.   BODY-WORN TECHNOLOGY. How can we pilot the technology to understand the impacts of any system complexities, manual process or procedure requirements and the do’s and don’ts for individuals wearing the technology? How is data privacy accounted for? What are the care and maintenance requirements? Are live video streams available for sharing, or is video only recorded? If sharable, exactly how does the sharing work?

Recently body-worn technology has advanced to the point where video can be shared live – a critical improvement in situational awareness for addressing active assailant incidents and monitoring early stage risk situations.

One pizza franchise implemented body cameras because of an increase in negative customer reports about the pizza delivery experience. One surprising result shortly thereafter was a 20%+ increase in sales, due to delivery personnel being on their “best behavior” -- in some cases going beyond their training requirements to provide high quality of service. 

Body-worn technologies of all types can have beneficial impacts above and beyond the initial security or oversight driver for adoption.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Follow Ray on Twitter: @RayBernardRBCS.


Courtesy of BigStock.com -- Copyright: Photonphoto
The core of the Internet was expanded to keep up with demand, with high-speed networking and computer virtualization facilitating and accelerating its growth.