11 questions to ask vendors at GSX 2022

Sept. 12, 2022
The key is to address how to ward off cyberattacks

Security industry technologies continue their rapidly accelerating advancement. This is not new news. Neither is the fact that cyberattackers increasingly target the expanding attack surfaces of networked physical security systems. Most of us expected an increase in AI-enabled features, but in addition to that, many manufacturers significantly expanded their product lines and their “out-of-the-box” integrations and technology partnerships.

I have not included questions about robots and drones, as they are many, and if you have a possible use case for either technology, you probably already have a list of questions ready.

1. PRODUCT SECURITY. Where can I find your company’s specific guidance on secure product configuration and deployment?

Vendors should be able to point you specifically to such guidance, which hopefully has been released or updated within the past few years. I updated my own list of companies that provide guidance on security product deployments, Physical Security Hardening Guides, in 2022. At the end of last year, I had to remove several vendors, because they took down their online guidance. I’m hoping that this year we can expand the list. Many new industry entrants that have cloud-based offerings come from the IT domain and understand the necessity for product security. However, only two physical-security industry companies that I know of (Brivo Systems and Eagle Eye Networks) have joined the STAR Registry (Security, Trust, Assurance and Risk) of the Cloud Security Alliance.

2. PRIVACY AND DATA GOVERNANCE. What support do your products provide for GDPR compliance?

The toughest privacy and security law in the world is the European Union’s General Data Protection Regulation. For certain types of data, product support for it includes the capability to automatically anonymize the data before sharing or exporting it. Privacy and data governance are business issues whose importance to security system deployments is increasing significantly because of the rise in nonsecurity business operations data generated by security system analytics. Some leading manufacturers have begun to provide features that facilitate the proper handling of system data that has privacy considerations. Requirements vary depending on the type of product. Axis Communications provides versatile dynamic privacy masking for late-model cameras through its deep-learning enabled AXIS Live Privacy Shield software that runs on the camera. Cameras that have that feature provide a privacy-masked stream and a nonmasked stream, which supports a variety of activity surveillance and evidentiary privacy requirements, such as the ones that medical facilities and educational institutions have. This capability helps to simplify conformance to security video PII handling requirements.

3. SECURITY OPERATIONS IMPROVEMENT. What product capabilities will help to vastly improve a key aspect of security operations?

Once again, you probably already had this question in mind, but for vendors the talk is usually about features and new things. They are relevant only if they help you to improve the security picture, and the improvement is worth more than the time, effort and cost to do it. As I have said, by “vastly improve security operations,” I mean orders of magnitude of improvement. But that doesn’t mean a massive change to the whole security program. It means that certain parts of it will be much more effective or efficient. The story of AI-based analytics includes improvement of previous capabilities and the addition of new types of data that provide enhanced security intelligence and business intelligence. Thus, business operations value is a key factor in evaluating technology.

4. INFRASTRUCTURE MANAGEMENT. What new features do you have that improve management and administration for large-scale deployments?

Today’s technologies are broadly networked to a much larger scale than a decade ago. If you have a regionally, nationally or globally networked security system, ask about features that facilitate the management of large-scale deployments.

5. CLOUD CHARACTERISTICS. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

In 2022, it still surprises me how many cloud services salespeople can’t answer that question! This also has application to on-premises equipment that is cloud-managed.

6. RISK SCENARIOS. What types of end user risk scenarios do your new or improved features address?

Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now, how will they work using the new feature?

7. OPEN PLATFORM. Does the platform have an Open API, meaning that it’s published online and freely available? What are some examples of its use?

Integration is emerging as a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration.

8. ARTIFICIAL INTELLIGENCE (AI) and DEEP LEARNING (DL). For AI-based systems, is the AI pretrained by the vendor, or is there an on-site training element? Where does the AI software reside? Who develops and improves the AI? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How is it backed up? Who owns the data model that is built with your company’s or your facility’s data? Under what conditions could an on-premises data model be lost, resulting in AI learning having to start all over again?

AI is a rapidly advancing technology field. What plans does the vendor have to keep its AI implementation current with the trends for AI improvement and advancement?

9. DIGITAL CERTIFICATES. What use do you make of digital certificates, for encryption or device identity?

An increasing number of IT departments require that encryption and system device authentication use digital certificates. Few noncloud security system software applications use certificate-based encryption. When it comes to device authentication, few vendors make on-premises devices that use digital certificates to authenticate themselves to their cloud data center. The first cloud-based physical security systems to do so are the Eagle Eye Cloud VMS and the Brivo cloud access control system. This level of system security should be an industry standard.

10. SENSOR OR OTHER DEVICE PROTOCOLS. Do you support MQTT or other publish-subscribe event message protocols?

We’re seeing an increase in the number of products that support 2D and 3D people counting, queue monitoring and human-presence detection. New to the physical-security industry is the adoption of the publish-subscribe protocol MQTT, which is an IoT protocol for lightweight, publish-subscribe, machine-to-machine network communications. It is designed for connections with remote locations that include devices that have resource constraints or limited network bandwidth. The use of MQTT, widely supported in the IoT world, in physical-security devices enables their participation in smart-building and smart-city systems. The relatively new AXIS D4100-E Network Strobe Siren also supports the MQTT protocol (as well as other protocols) for activation.

11. BODY WORN TECHNOLOGY. How can we pilot the technology to understand the effects of any system complexities, manual process or procedure requirements and the do’s and don’ts for individuals who wear the technology? How is data privacy accounted for? What are the care and maintenance requirements?

One pizza franchise implemented body cameras because of an increase in negative customer reports about the pizza-delivery experience. One surprising result shortly thereafter was a more than 20% increase in sales because of delivery personnel being on their “best behavior” and, in some cases, going beyond their training requirements to provide high-quality service. Body-worn technologies of all types can have beneficial effects above and beyond the initial security or oversight driver for adoption.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as No. 12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Follow Ray on Twitter: @RayBernardRBCS.