One of the ways Aronson Security Group, a leader in Security Risk Management Services (SRMS), gives back to the industry is through our professional membership and leadership participation in PSA, the world’s largest security cooperative of security solutions providers.
TEC, presented by PSA Security Network, is the premier education and networking event for all security solutions providers. TEC features quality education and certification programs, networking, and dedicated exhibit hours designed to advance the skills and expertise of security industry professionals.
This year we sent 25 associates to the forum. One of our executive management team members, Robert Birley, SVP of Engineering and Performance Management, teamed up with noted risk consultant Jeffrey Slotnick, CPP, PSP, the CSO and founder of Setracon, and with Dan Rothrock, the VP of Global Strategic Alliances of Zenitel.
They were asked to address the persistent need for security solutions advisors to develop evaluation criteria for the technology they represent, as well as to design a methodology for evaluating the risk and operational needs of their clients.
The two go together. Otherwise, solution providers are simply resellers who are more loyal to a product manufacturer than to their clients.
One of the first topics the group addressed was the methodology and culture of Enterprise Security Risk Management (ESRM). “Before you propose a solution, you must have a clear picture of the all-hazards risk state of the organization”, said Slotnick. “If done correctly, this will also tell you how the program is organized. That is, how do their people perform roles in their core operating processes as well as who are the perceived stakeholders of risk.”
Once the overall “As-Is” state of the organization and security program is assessed, the solution provider must have the means to vet technology before they agree to resell it or support it. This means they have a methodology for creating a scorecard for technology vendors within a ‘category’ such as access control, video management, and critical communications.
Dan Rothrock provided a definition of critical communication. “Communication is a tool for reaching mutual understanding”, he said. “It infers that you understand the message and can take appropriate action. For business, it means that people rely on clear concise directions for performing their roles within a process. If the communication is ‘critical’ it means you rely on it to generate something of value. For security professionals, critical communication is understood in the context of situational awareness and actionable response where seconds matter to assets and people.”
“The emerging solution provider should have a fully developed methodology that orchestrates each step in their client’s path to value”, said Robert Birley, “including risk, technology, and corporate culture assessments all the way through implementation and performance management. This is part of the scorecard that the SRMS provider must overlay on top of the technology assessment.”
The three presenters then went on to propose a high-level scorecard for critical communications that had three pillars.
· Intelligibility. This term is called out by major standards bodies and refers to the ability to hear and understand, two things that are sometimes confused. Because of this confusion, the panelists noted, many communication devices such as intercom systems have not had appropriate benchmarking of their intelligibility. “Clients have mentioned to us that they purchased communication technology that was tinny and unintelligible”, said Slotnick.
· Interoperability. The panel noted that interoperability is not a one-time integration. The technology vendor should have a program that supports the integration as close to real time as possible. Also, the combination of technologies will become increasingly important as security managers need dashboards that provide real-time intelligence. “Our clients are advised that having a communication system that ties into access control and video suddenly optimizes their people and processes and provides them situational intelligence for every event”, said Birley. “An operator can use one interface to send and receive voice messages (live and pre-recorded) and link to other enabling technologies like video surveillance. Each of these interactions can be tracked and measured.” Rothrock noted that many times the integrator or the manufacturer can position an integration as a checklist for closing a deal. “This approach has no chance of sustainability over time and can erode the confidence in all of us.”
· 'Ilities'. The presenters asked audience members to raise their hands if they believed security is mission critical to the organization that funds the security program. “This is a central question to any solutions provider”, said Birley. “IT organizations provision mission critical systems. Our job is to qualify the solution as mission critical and treat the assessment of their infrastructure accordingly. That is why we also are getting involved in network and device hardening. At the end of the day, clients need high availability, reliability, scalability, maintainability and defensibility.”
Case studies on the scorecard, its importance to the ROI and the value, and the lessons learned from failed implementations anchored the rest of the presentation. A large hospital, a global software provider, and an education campus were profiled.
The opportunity for the integration community was summed up well by Birley. “We know that people do not do what you expect. They do what you inspect. So, it is imperative you take the scorecard and leverage it in the vendor vetting process before you represent a technology to a client. Think of this as vetting the overall problem it is trying to solve, the vendor’s ability to innovate and maintain the solution over time, and finally their ability to serve the needs of the client in the future. Then you need to have a methodology, or scorecard, for measuring the impact of the technology on the client’s program. Finally, you need an internal scorecard for how you measure and maintain your own performance throughout the lifecycle of a program and a project.”