With so many security solutions on the market today, it can be tempting to chase the brightest new technologies to improve security operations in your enterprise. However, it’s important to take a long, hard look before you leap: cobbling together a security system out of myriad standalone solutions, even stunning, state-of-the-art ones, could produce a system that isn’t interoperable, sustainable or even functional.
Enterprise security leaders can work with their integrators and risk management consultants, as well as other partners and stakeholders within the business, to test new security solutions before purchasing or installing them to ensure they are the right fit, both for what’s already in place and for the enterprise’s future security and facility needs.
According to Jim Destefano, National Sales Manager – Security Products for Siemens’ Building Technologies Division: “Choosing the best technology has evolved into a team event. Many end users have realized that in order to get the best technology, they need to have the right people on their team so all concerns are covered. Today, there are many variables that can impact the technology choices. Besides having the Facilities and IT groups involved on the team, Purchasing, Risk Management, Disaster Recovery, Business Continuity and others can all be vital participants in a team approach when looking at the best technology that not only solves the business issue at hand today, but is robust enough to be sustainable for the future. … The integrator needs to be a partner in the process and not merely an outside bidder with limited information from an RFP to provide lowest pricing.” He adds that integrators should make recommendations that can drive more value and produce greater results for the enterprise.
Before making a technology purchase or beginning to test possible solutions, enterprise security leaders should conduct a security risk assessment, says William Plante, Principal with the Enterprise Security Risk Group at Aronson Security Group. This can include the enterprise’s current security technology architecture and performance metrics, an assessment of current IT standards and capabilities, and the goals of the program. The results can then inform the Security Master Plan, which can help align the organizational goals with the security program and the enterprise’s technology roadmap.
Enterprise security executives should be ready to provide their strategic security partner with information about the number of users, any in-house expertise, required integration with any other systems or platforms, budget, existing systems and components, and short-term and long-term goals. Having this information ready to share with consultant or integrator partners puts the project on the right track right off the bat, and having the right stakeholders at the table makes a difference, too, especially IT.
“Working with IT can be a game-changer,” says Scott Schmidt, VP of Technology for Aronson Security Group. “IT is key in the strategy towards selecting and deploying an enterprise technology solution. It is important to work within the IT governance program to establish a strong working relationship and support for the enterprise platform. Working with finance is a game-changer; working with the risk manager is a game-changer. The new security executive and their strategic advisor must know how to talk to all of these owners of risk and technology within their organization.”
Especially for security systems and technology relying on the network, such as IP cameras or access control systems, working with IT helps determine the limitations of the current network, cybersecurity risks or support capabilities, according to Brad McMullen, VP of Sales – National Accounts for STANLEY Convergent Security Solutions. For video, especially, McMullen recommends CSOs work with their integrators to test the network capabilities, the quality levels cameras can produce on the network, the amounts of data or bandwidth required and any potential costs of needing to upgrade the network or establish a separate network just for security.
With regards to retrofits or acquired properties, McMullen says that well-prepared CSOs should have inventories of what’s already installed, whether they want to keep it as a standalone system or migrate it to a uniform system, and what the intended budget is. “The scope of a job can change because the organization might not be well-informed of the existing components,” he says. “Security is usually one of the last things they look at in an acquisition, which makes it a back-end challenge for end users and integrators.” That makes a cohesive inventory all the more valuable for communicating the scope of a project.
When it comes to new technology, however, security leaders are typically slow to adopt. McMullen recommends either using a pilot program (small space with a small number of users, typically in a lab environment), discussing the technology with a peer using it (integrators can try to connect CSOs with other users), or ideally performing a small sample test in the enterprise. The latter option would give CSOs the opportunity to test how their users would actually work with the system and to address any possible concerns.
A prime example of this was in a biometrics test performed by Convergint Technologies for one of their customers, says Darren Wieder, Business Development Manager for Convergint. “Most organizations want a good user experience. We don’t want to roll out something that confuses or concerns users, as employee adoption is needed for the system to work.” During an on-site test of a fingerprint biometric reader and automatic door for access management, one employee chose to skip the system and use the old method of card-based access and opening the door manually. When asked why she preferred that to the biometrics, she cited concerns about hygiene from using the same biometric scanner as everyone else. This became a good educational opportunity for both parties, as the enterprise found a new cultural concern to address and the employee could be shown the hygienic difference between scanning one finger and using her whole hand to open the door.
What are the risks of not testing technology, though? It does cost more time and money to test and develop a more customized security system; however, if the installed technology fails or causes challenges in other parts of the enterprise, that could be much more costly, says Wieder. Video could be lost, the enterprise’s infrastructure (such as power management or network switches) might not support the purchase, or non-vetted turnstiles could cause backlog and delays to get into the building. All of these challenges could be avoided or addressed by performing your due diligence, he adds.
However, this due diligence needs to extend further than just the initial purchase, especially regarding cybersecurity. According to Destefano, “Regular testing and updating of security patches/passwords for devices is a must to not only protect the network but also the data and information of these systems. … A system being ‘totally secure’ is one of the common misconceptions that can be limited and addressed through testing. Trying ‘manufacturer’ passwords on IP devices is a common test that results in systems failing because the installer (either an end user or an integrator) left standard passwords (that can be pulled off the Internet) on their devices. Other tests are regular checks to ensure that firmware is up to date to prevent configuration issues and/or cyberattacks.”
“The good news is that the technology vendors now realize it starts with them: designing quality products that are hardened and quality documentation for deployment and maintenance,” says Schmidt. “However, (CSOs) need to demand a different level of service agreement and not treat this as a ‘break and fix’ problem. This is serious. The CSO should consider performing a holistic risk assessment that includes both physical and cyber security and then deploy solutions that can be sustained and maintained over time under the construct of a Service Level Agreement (SLA).”
Top Do’s and Don’ts of Security Technology Testing
Do:
Get outside input from your integrator, security risk management services provider or consultant.
Get inside input and buy-in from internal stakeholders like IT, facilities management, loss prevention, finance and marketing.
Get input from users – whether these are day-to-day employees who would be utilizing an access reader or the GSOC operators using advanced analytics.
Test the proposed technology on-site and on your network to determine how it will (or won’t) fit in with existing infrastructure.
Discuss cybersecurity needs and best practices with IT, integrators and manufacturers and codify your enterprise’s standards in a service level agreement.
Don’t:
Rush the purchase.
Buy products or services solely off of manufacturers’ spec sheets.
Ignore your enterprise’s culture or the user experience when considering new security tools and services.
Ignore cybersecurity functions and maintenance requirements.
Consider only current security challenges and solutions. Security systems are a long-term investment, so ensure they can meet your long-term goals.