8 questions to ask your vendors at ISC West 2019

April 2, 2019
Asking the right questions can help you cut through marketing jargon to address real security needs, vulnerabilities

Security industry technologies are rapidly advancing in the areas listed below. As I have mentioned before, collaboration among technology partners is at an all-time high as there are more reasons and opportunities for collaboration.

Note that the numbers in parentheses like (#12345) are the vendor show floor booth numbers. Linked booth numbers take you to a page to request a demo or time to meet at the show booth.

  • AI and Deep Learning. Not all AI is for robotics, but all robotics use AI and machine learning. Check out the robots from Turing Video (#6044). Agent Vi is hosting a panel: Safe, Secure & Smart: Case Study of the City of Vicente López, Argentina (April 10, 1:45–2:45 pm), and presenting an educational session: Deep Learning Demystified: Next-Generation Artificial Intelligence Applied to Video (April 11, 9:45–10:45 am). There are many vendors and education sessions that will also touch on this topic.

  • Infrastructure Management. Today’s technology is interconnected and evolves significantly through software and firmware updates. The larger your tech deployments are, the more critical tech infrastructure becomes. In a recent SIA Cyber Office Hours webinar, Rodney Thayer asked: What would you do if the FBI called and said, “We have evidence of a credible threat to your electronic physical security system infrastructure. Update the firmware and change the passwords on your networked security devices and IT equipment.” You could do both instantly for your IoT devices with a Viakoo (#33087) subscription, or not so instantly, but still in a short period of calendar time, using brand-specific solutions for each particular brand of device. Manageability at scale is an important issue, so at the Milestone booth (#18053) ask about The Boring Toolbox from The Boring Lab (Milestone Solution Partner of the Year for 2019). The Toolbox is a series of functional tools that help end users and integrators more efficiently manage medium-to-large distributed video surveillance networks using Milestone’s XProtect video management software.

  • Facility Physical Access Management. Access management is an area of physical security management that lags way behind the modern tools and approaches of IT. This is one reason why Lenel Systems (#1801) has introduced real-time Policy controls for access management into its flagship product OnGuard, as well as many other improvements well worth looking at. Other companies who have already stepped up to that plate are AlertEnterprise (#3077) and RightCrowd (#34079), who is the leader in Presence Control.

  • Open Platforms. Much of the integration and system design action these days centers around functionality made possible via a published open API (Application Programming Interface – the way two applications talk to each other). See my recent article on The API Economy and the security industry. There are now too many API providers to list in this article.

This year “artificial intelligence” (AI), “deep learning” (DL), and API-based “open platform” are among the hot buzzwords. While not as hot, “cloud” and “mobile” are two aspects of modern technology that are unavoidable. As always, when you hear those terms, it becomes important to differentiate between yesterday’s technology “re-described” for marketing purposes, and advanced next-generation technology that brings valuable new capabilities. The questions below should help.

This Year’s Vendor Questions

To keep this article simpler than my previous show “questions” articles, I’m no longer making separate questions for end users, integrators and consultants. End-users are now more tech-savvy, and integrators and consultants are increasing their understanding of end-user needs. One set of questions will work fine now, where a few years ago, that wasn’t the case.

1.  Cybersecurity. Do you have a system (or product) hardening guide?

A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.

This remains the top question as cybersecurity is a top concern for end-users, integrators, security designers and specifiers, especially with the growing threat from Deepfake video. The following companies, listed with their document links here, have published hardening guides or cybersecurity guidance: Avigilon, Axis, Bosch, Brivo, Cisco, Dahua, Eagle Eye, Genetec, Hanwha Techwin, Hikvision, Honeywell, IndigoVision, Lenel Systems, March Networks, Mercury Security, Milestone, Mobotix, OnSSI, Pelco, Razberi, Salient, Sony, Tyco, Viakoo, and Vivotek. If a vendor has products or systems that connect to the network, hardening guidance is appropriate.

2.  Cloud Security. For cloud companies: Do you have a published vulnerability handling policy and documentation describing your company’s product (or cloud service) security program?

Cybersecurity professionals look for the three indicators of a cloud vendor’s cybersecurity maturity, two of which (italicized) are not understood well enough in the physical security industry:

  • Product hardening guide.
  • Security vulnerability handling policy.
  • Descriptive documentation of the company’s product security program.

You don’t need to ask this question of the companies who have hardening guides. Most of the security industry companies with hardening guides also have published vulnerability handling policies, and many have descriptive documentation about the product security program or internal cybersecurity team. Yet many security industry companies still don’t have a clear idea of what a product security program is. Listen closely to how vendors answer this question, as the differences between answers can give you insights into the relative ranking of vendors.

3.  Infrastructure Management. What new features do you have that improve management and administration for large-scale deployments?

Today’s technologies are more feature-rich and more complex than ever before and are broadly networked to a much greater scale than a decade ago. If you have a regionally, nationally or globally networked security system, ask about features that facilitate the management of large-scale deployments. Also see this article’s introductory item on Infrastructure Management.

4.  Cloud Characteristics. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

There are several companies who have products that are supported or augmented by cloud-based services, as opposed to companies with fully cloud-based offerings. When you hear the word “cloud,” be sure to understand what functionality resides in the cloud and why it is in the cloud. Sometimes the product is cloud-hosted but was not built as a cloud-native application. This question will tell you how well cloud engineering has been applied to the system or application. It is surprising to me how many cloud services salespeople can’t answer this question in 2019!

5.  Risk Scenarios. What types of risk scenarios do your new features address?

Vendors should be able to describe the risk situations that the new features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature? When it comes to video analytics and AI/deep learning-based features, BOTH false positive and false negative rates must be considered. Hopefully, this year vendors have more to say on this topic than last year.

6.  Open Platform. Does the platform have an Open API, meaning that it’s published online and freely available? What type of API is it (such as REST, SOAP, RPC)? What are some examples of its use?

Integration is emerging as a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration. Some are mostly used by technology partners, and others are very useful for IT department integrations with customer applications, such as with an identity management system for physical/logical access control system integration.

7.  Artificial Intelligence (AI) and Deep Learning (DL).

AI and Deep Learning functionality can exist in multiple places within a system. For example, there can be camera-based software that extracts an AI data model and streams video metadata for both cloud and on-premises video and data processing. See my article on Fog Computing (which I call “cloud on the ground” because it puts cloud-computing technology on-premises in your security system). This article has an excellent diagram of device, on-premises and cloud computing security system elements. There are seven questions that relate to AI and Deep Learning.

Where does the AI software reside? Who develops and improves the AI? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How is it backed up? Who owns the data model that is built with your company’s or your facility’s data? I expect that more vendors will be able to answer these questions than last year.

8.  Standards. What encryption standard is used or what version of network protocol is used?

The use of outdated encryption and network protocols introduces cybersecurity vulnerabilities. This was a sore point in the industry just a few years ago and is getting better now – but still needs checking on for products you own or are considering for purchase.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.