Cybersecurity is more than just a headline about attacks on critical infrastructure, such as utility companies or the federal repository of personnel records for employees holding the highest security clearances. Cybersecurity touches every component of the business community, from the largest corporation to the smallest “Mom and Pop” shop. The word “critical” is a relative term. Yes, the nation would be devastated by an attack on its telecoms or power systems. However, any small or medium-sized business could be just as critically impacted if an attack disrupted or disabled its ability to conduct business, regardless of whether it contributes to national security or produces bubble gum.
Most companies have no security leaders or professionals on staff and must rely on the expertise and guidance of the vendors that provide those services to them. Companies large enough to have a professional security staff are frequently challenged to know what the right level of security is and how to implement it. Most security leaders choose their systems integrator (video, access, alarms and cyber) on two main criteria: competitive prices and customer service. Of course, the personal relationship with your account executive also plays a major part in your comfort level. This is an incomplete way to make such decisions.
There are two desperately needed skills that are rarely evaluated: Your integrator’s understanding of cyber threats, and their ability to work within your company’s ever-changing IT environment.
Every integrator in your region, and especially the powerful-looking national integrators, touts high-level IT skills. But who ever really checks their depth and breadth of knowledge? No integrator says, “Yup, we can pull wire, but we just connect the boxes.” Everyone claims to have experienced IT professionals on staff and available. The reality is quite different.
First, in a regional integrator, IT skills vary and often reside in one “whiz kid,” who may leave at any time. Is there a backup? A national integrator can afford more in-depth IT experience, but those specialists are usually located near its major offices. Is your site close to their headquarters? Are they willing to come onsite when there is a major conflict between your security system and your IT department? Most likely those IT experts are in high demand and far from your office.
Develop a checklist when interviewing current and prospective security integrators.
- How many IT staff are in the company? Names and certifications please.
- How many of the staff are certified on your specific system?
- Is the IT staff on call or only available Monday through Friday during working hours? How available is the IT backup staff in an emergency?
- Ask for the contingency plan should the IT staff depart. Is there a contracted backup or sufficient depth in staff to handle any one person leaving?
- Have your IT department leader interview the integrator’s best IT staff, preferably more than one person. Your colleague can quickly advise you whether the integrator has the necessary skills and an understanding of your IT department’s operating systems.
- Your IT leader can also probe into cybersecurity issues. How much training does your integrator have in understanding and responding to cyber threats?
- Ask your integrator for their in-house cybersecurity protocols. Do they perceive their own systems as vulnerable, and what have they done to mitigate that? Have them show you a written cybersecurity plan. If they don’t have one, they are working a decade behind the times.
- Does your integrator know the potential vulnerabilities of your existing access control system? If they answer “There are none,” you have a problem.
- Find out what kind of insurance coverage your technology provider has if they are found responsible for introducing a vulnerability or performing poor work.
- Assess what kind of insurance you have against cyber attacks. Do a thorough review of your policy to understand what is covered, and what is not covered. You’ll be surprised to learn that there are typically more exclusions than inclusions, and your cyber insurance may be limited to loss of privacy-related data and not an operational interruption or damage to your systems resulting from an attack.
Do not take security IT skills at face value. Use your internal support teams to probe and complete due diligence; where you don’t have a “support team,” take the time to ask the tough questions and make sure you get answers you can understand. Uncover weaknesses and push for upgrades in staff. If end-users don’t demand better skills, integrators will not always add that overhead until there is a crisis.