In the past 15 years video security camera and system capabilities have advanced more than in the previous 50 years, primarily due to video’s adoption of digital information technologies and the resultant consumerization of video technology. Today, the value provided to organizations by video data far surpasses that of any other physical security technology category. Nearly all existing video security deployments require close evaluation to ensure that going forward, the organization receives the valuable benefits available from this exponentially advancing technology category.
Q: Before management will approve upgrades to our security video system, we’ve been asked to document the existing system’s effectiveness and shortcomings. How do we do that?
A: A video systems value is established by its usefulness to a facility’s video stakeholders, which today typically includes business operations stakeholders as well as security stakeholders. A thorough and comprehensive assessment is required.
Rating any aspect of a security program – people, process or technology – requires baseline criteria against which to measure the results being achieved. By baseline is meant, “a clearly defined starting point from which a comparison is made.” See the guidance in the previous issue’s column, “Determining the Effectiveness of Physical Security Systems.” That column focused on physical access control to illustrate its points. In contrast, security video systems have many more stakeholders and a much greater breadth of technology. Determining the current requirements for an effective video security system involves considering the type of facility, the nature and scale of the facility’s critical assets and operations processes, and its people component.
Security Video System Value
Like the saying, “Beauty is in the eye of the beholder,” video system value is in the eye of the video stakeholder. For a small or medium sized retail business, security, management and financial stakeholders may desire a security effectiveness baseline that examines loss prevention and evidentiary video value, while management and marketing may have a strong desire for a baseline related to in-store people traffic and customer behavior information, with information in a format that allows them to make correlations between store activity levels, marketing campaigns, local weather and other conditions. Warehouse supervisors may want the video system to provide alerts when a shipment staging area is empty (meaning that the shipment is now being delivered) and when a staging area is not cleared per schedule. Supervisors may need the ability to define alerts themselves throughout the day and week. Each type of stakeholder has specific requirements relating to video quality, video retention, and video metadata provided by analytics. Some information must be provided in real time, other information must be retained for specific use by authorized personnel.
As the business grows and as personnel change, stakeholders change and so do their requirements.
Thus, evaluating a video system’s value often requires significant preparation work, which is likely to include a stakeholder educational component. What are other similar businesses doing with video? This is one type of baseline for evaluation.
Evaluation Baselines
It easy to see that there are many potential baselines for evaluating security video systems. Thus, it is very important at the start of any evaluation to be crystal-clear about what the evaluation criteria are. They may involve more than one baseline. Below is a list of potential overall video evaluation baselines.
· How well is the existing system delivering on the purposes for which it was deployed?
· If the system has been expanded, how is it delivering on those anticipated results.
· Has the system been updated based on changes to the facility or business operations?
· Has the risk picture changed in ways that require new system capabilities (such as more camera, better night vision, or video analytics)?
· How well is each camera achieving its purpose?
· How does our use of security video and video analytics compare to what are common practices and best practices in our industry and for our type of facility?
As part of any evaluation, the following key elements of a security video system deployment must be rated to determine the system’s effectiveness and what must be done to correct any deficiencies found. These should relate not to the general technical capabilities, but to how well these capabilities perform for the activities and circumstances where it is important. A camera that captures an identifiable image only 50% of the time overall, but does so 100% when investigations have needed it, has an acceptable level of performance. Determining appropriate ratings often involves stakeholder feedback. Below are some example camera rating criteria.
· Sufficiency of video coverage. This should include people, critical material assets and critical activities for both security and business operations purposes. It can be expressed as a percentage for each critical asset area and summarized in an overall percentage figure. For example, 80% of warehouse critical areas are covered, 100% of perimeter entryways, and so on.
· Camera effectiveness according to purpose. This can also be a percentage rating based on success or failure. License plate images are readable 50% of the time. Personnel identification is doable in 90% of the situations that need it. In such a case is 100% performance cost-feasible? If not, then the technology is performing as well as can be expected.
· Sufficiency of recorded video quality and length of retention. There are many factors involved in determining appropriate quality and retention, including regulatory requirements, privacy concerns, length of time before incident reporting or discovery, sufficiency of quality to prompt a confession as opposed to going to an offender taking chances in court. (One airport that has multiple video security systems, when last consulted, had a multi-year record of 100% convictions based on offender confessions after viewing the video of their actions, even though the quality of video was not as good as the airport wanted.)
· Video analytics accuracy and data value. For marketing purposes, a 95% accuracy rate on daily customer traffic may be quite good enough for marketing campaign success evaluation or for determining service staffing levels. However, a single misinterpretation of a crawling intruder as a dog would not be acceptable. The degree of analytics accuracy required is very dependent on the purpose of the analytic.
· System Cybersecurity. Rarely is this critically important factor evaluated sufficiently. Most security functions don’t know how the cybersecurity status of their physical security systems compares to the security requirements adopted by the company’s IT function. Most security departments don’t realize that they can use the cybersecurity framework that their IT function uses to rate their security system deployments. The two most popular are the NIST Cybersecurity Framework and the CIS Controls.
Cybersecurity Remediation
From the NIST and CIS controls ASIS International’s IT Security Council (http://bit.ly/ASIS-ITSC) has prepared a one-page guidance document that references the NIST and CIS controls most appropriate for electronic physical security systems. This document provides excellent guidance that someone responsible for electronic physical security systems can use to implement cybersecurity controls and/or collaborate with their internal IT function or security system services provider to provide strong network and computer security for security systems.
Recently, two U.S. companies found that 30% of their more than 3,000 video cameras had critical vulnerabilities and were also past the end of their support lives. The camera vulnerabilities couldn’t be fixed, and their IT group said they had to be replaced or taken off the company network. One company’s commitments to their cybersecurity insurance carrier required such action.
Dealing with Video System Shortcomings
Whether you report your evaluation results using a formal assessment document presenting findings and recommendations, or use a PowerPoint presentation style briefing, or generate a detailed spreadsheet documenting specific technical improvements and their rationale, be sure to present what is successful about the existing deployment and the value of the security video investment to date.
About the author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.