5 questions to ask your vendors at ISC West 2016

April 1, 2016
Refocus vendor thinking by asking questions that relate directly to your needs

Physical security industry companies work hard at improving their products, but commonly they do so by trying to “out-feature” their competitors (having more features), or by somehow making a feature or design more impressive than a similar feature from a leading competitor.

There is an old Korean saying: carve the peg by looking at the hole. That is why I say that many industry companies carve their peg by looking at their competitor’s peg, when they should be looking at the hole: the gaps their customers still have in addressing security risks.

This failure to “focus on the hole” leads to industry situations like this one: being 10 years behind in addressing network security for electronic security systems. For example, less than six months ago, there were no hardening guides for networked security products. A hardening guide tells you what security measures to take when you install a product or system. Hardening guides have been common in IT for more than two decades.

If you are a security end user, systems integrator or consultant, you can help refocus vendor thinking by asking questions that directly relate to your needs. That’s the purpose of these questions: to shift the focus back onto your needs (or the needs of your customers and clients, in the case of consultants and integrators) and off of one-upping their competitors.

Don’t limit your questions to what I have here. You can probably come up with some good questions of your own if you think about what risks you have a hard time addressing to your satisfaction.

Note to Vendors: If you already have a published hardening guide or a vulnerability policy (see the End User questions below), get one of those clear plastic stands for letter-size sheets, and make a nice-looking sign for your booth that says, for example, “Ask Us About Our Hardening Guide.” If you have one, that makes you one of the leading companies, so don’t be shy about it!

Note to Integrators and Consultants: Do read the End User questions first, as the questions for you are mostly identical, and so I put the explanations about the questions in the End User questions section.

Questions for End Users to Ask

1. Do you have a system (or product) hardening guide?

A hardening guide recommends cyber security measures to apply to the vendor’s product or system.

Don’t ask this question of Axis Communications or Genetec because they already have downloadable hardening guides (Axis hardening guide and Genetec hardening guide). The Axis guide is openly available; the Genetec guide requires registering for a Technical Assistance Portal log-in. You should download the Axis guide to see what a good hardening guide would look like. And if you stop by the Firetide booth, ask them why their design and installation guides no longer have a section on hardening an installation.

Parallel Technologies published a two-page paper in 2014 titled: 5 Reasons for IT to Own Access Control. “Security” was their second reason. At the start of the paper, they say, “. . . physical access control systems (AC) have traditionally been designed without IT professionals in mind.” For each of the five reasons, they explain what IT’s product considerations are. It is a good piece to download and read; it will enlighten you about some of the perspectives from which your IT folks look at your security technology.

2. Do you have a Vulnerability Policy?

A vulnerability policy explains how a vendor will manage and respond to reported security vulnerabilities with their products, to minimize their customers’ exposure to cyber risks. That’s where you find out how to report a vulnerability to them, and where to find the list of vulnerabilities that have already been reported, along with their status.

3. Do you have case studies for my business sector, [insert sector name here], that show how our business-sector-specific risks can be addressed using your product?

I am not a big fan of the kind of case study articles that I typically see, which usually contain little information about the real value to customers of the products involved. What risks were addressed that couldn’t be addressed well enough before? What significant cost or efficiency savings were accomplished? Don’t be surprised if the vendor answers you with another question, “What kind of risks do you mean?” That’s a great opportunity to put forth one of the risk challenges that you would like help with, and see what the vendor says.

4. What features in your product offer significantly more value in some way than the same features in competing products?

I have only had a little luck with this question in the past. Most of the vendors didn’t really have that much insight into the differences between their competitors’ products and their own—in terms of the value to the customer. Those that did, like RedCloud’s access control system (now Avigilon’s Access Control Manager), promptly demonstrated them for me. In the case of RedCloud, I was happily surprised to see how their integration to Microsoft’s Active Directory could be set up in under three minutes. So even though the answers have been few, they have been valuable.

5. Can you give me a specific example of how that would work for an organization like mine?

You can only ask this question if the vendor’s representative makes a statement expecting your agreement or buy-in, yet you don’t see how the dots connect for your situation. I remember one case in which the sales person said, “. . . which in turn strengthens security, which ultimately has a positive impact on your company’s bottom line.” So I asked, “Please explain to me exactly where the bottom line impact comes from? What specific aspect of the product deployment contributes to the bottom line impact?” He had no real answer, which is what sometimes happens when sales people repeat the phrases they are taught. But it is important not to assume that something sounding like “fluff” has no basis. I am sometimes pleasantly surprised when someone provides me with a specific business case that realistically does match their assertion. You won’t know if you don’t ask.

Here is a bonus question to ask vendors with cloud-based offerings:

6. Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?

The Cloud Security Alliance (CSA) has developed the CSA Security, Trust & Assurance Registry (STAR) program. CSA STAR is the industry’s most powerful program for security assurance in the cloud. Do not ask this question of Brivo Systems, as they have already performed their self-assessment.

Questions for Integrators and Consultants to Ask

  1. Do you have a system (or product) hardening guide?
  2. Do you have a Vulnerability Policy?
  3. Do you have case studies for these business sectors, [insert list here], that show how some of the business-sector-specific risks can be addressed using your product?
  4. What features in your product offer significantly more value in some way than the same features in competing products?
  5. Can you give me a specific example of how that would work for an organization that is in the [insert industry name] industry?
  6. Bonus question for vendors of cloud-based services: Is there a reason that you haven’t self-certified your service in the Cloud Security Alliance’s STAR program?

If you have other questions that you think are important, please send them to me and I’ll include them in the list for ISC East ([email protected]).

About the Author

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 28 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.
