By Ray Bernard, PSP, CHS-III
What impact will the arrival of cloud computing have on your security technology roadmap?
Join us for the 21st Century Technology Leadership Best Practices Group
Ray Bernard and the Security Executive Council have developed a Best Practices Group focused on how to cost-effectively benefit from new technology advances.
Participants have a say in setting the scope and focus of each topic addressed, to ensure a good match to their security program needs and objectives.
Evolving Roadmap Context
Although cloud computing is not new, it is still evolving. Cloud computing—along with across-the-board information technology advances—is driving massive change in the ways that people, businesses and governments interact, and the way that organizations operate. Cloud-based systems are changing the expectations that people and organizations have for technology, including security technology. When asked, at the 2014 Gartner Data Center Conference of December 2014, about the effects of digital disruption on General Electric, Chris Drumgoole, chief operating officer of GE’s cloud division, said, “There is really not a single thing that we do in IT, today, that we’ll do the same way two years from now. I struggle to name a single process within our organization that isn’t going to change dramatically over the next two years or three years.”
Drumgoole also said, in a 2014 InfoWorld interview, “We really believe that world is changing from an engineered-systems to an integrated-systems world, where the component is no longer the most important piece. It’s around systemic behavior, where systems exist to serve apps.”
Given the continuing advances in analytics and risk data services, application integration is likely to be the level of design that will bring maximum value—in terms of risk mitigation capabilities—to an organization’s electronic physical security systems.
All of this means that a traditional 3- or 5-year technology roadmap plan based upon installed hardware system products won’t work.
20th Century Technology Planning
A traditional but now-outdated approach to security technology roadmap development is shown in the steps below, which presume knowledge of the organization’s risk picture and security’s objectives relating to it:
- Evaluate the state of your current technology.
- Identify candidate new products.
- Qualify the integration requirements.
- Collaborate with IT on the computing and networking requirements.
- Determine the ballpark cost for deployment.
- Create a deployment plan with a project timeline.
- Obtain management business and financial approval.
This approach was acceptable when security product life cycles were 5 to 10 years or more, when technology didn’t change that much from year to year, and when the rate of business change was much less than it is now. Going forward, there are a lot more factors to take into consideration that this traditional product-based approach does not account for.
21st Century Technology Planning
Technology planning in the 21st century has distinct differences from planning for the previous century’s technology, some of which are shown in Table 1 below.
Table 1. Some roadmap planning differences between technology eras.
| Planning Item | 20th Century | 21st Century |
|---|---|---|
| Basis of Evaluation | Security products and their integration capabilities | Security products and technology trends, information technology trends, integration capabilities of non-security sensors, devices and systems |
| Focus of Evaluation | Systems and controlled devices, and their integration | Applications, intelligent devices and their integration |
| Architecture | Server and workstation computers with client/server software, locally connected devices | Web-based with local or cloud-based servers, and smart devices, securely accessible anywhere |
| Integrations | System to system (one main system to a few other systems) | Many-to-many connections (local, remote and cloud-based applications, smart devices, and smart sensors) |
| Standards | Few; some IT industry and some security industry | Hundreds to thousands of emerging standards, both security industry standards and IT industry standards |
| End Users | A few in fixed locations | Many users located anywhere, such as a university’s faculty and staff, students and their parents, connected via smart mobile devices |
| Operational Value | Based upon system and controlled device capabilities, and local integrations for central data collection, providing situational awareness to a few local users | Based upon the capabilities of many applications and systems, and smart device capabilities, with two-way human interaction, achieving distributed situational awareness to a large number of users |
| Operations Mode | Central command and control; human interactions with first responders | Centrally-coordinated or monitored actions by situationally-aware individuals and teams; automated interactions with first responders |
| Non-Radio Communications Capabilities | Text messages, email, and one-to-many message broadcasting | Multiple, parallel, automated messaging based upon real-time unfolding situation status, with role-based distribution of live data to specific individuals and teams |
| Situational Awareness | Central awareness used for command and control purposes | Awareness shared with any or all users local and remote, with two-way communication, and with well-coordinated adaptive response capabilities |
| Analytics Capabilities | Simple analytics used for individual event alarming and object/person recognition | Advanced analytics with multiple sensor fusion, metadata generation and collection, adaptive and predictive algorithms, self-learning capabilities, including data-sharing, enabling autonomous operation of GPS-aware, task-performing robots, and self-piloting land, water and air vehicles |
| System Constraints | Defined by technology limitations (such as network throughput and data storage capacities) | Rarely (and only temporarily) constrained by technology limitations; primarily constrained by the insightfulness of the design and configuration of the security systems infrastructure |
| Legacy Technology | Usually replaced by the new technology | Can often be enhanced or have its life extended by integration with new technology |
| Affordability | Most projects highly constrained by budgetary limitations | Falling technology prices and rising technology capabilities continually increase affordability and security value |
| Tech Infrastructure Management | 20th century manual processes, like officers monitoring cameras on the midnight shift | 21st century automated monitoring, analytics and diagnostics, and automated workflow processes, including products purpose-built for physical security systems; akin to IT Infrastructure Analytics and IT Service Management workflow automation |
| People, Process and Technology Approach | Find the best technology you can afford, then make up for its shortcomings with people and process measures. | Get deep insight into the organization’s risk scenarios. Dream up ideal ways of addressing the risks. Find technology to provide the operational capabilities that fit your intended people and process measures. If it doesn’t exist now, it probably will in the very near future. |
Scenarios and Roadmap Planning
Security risk scenarios are an effective way to characterize the risk picture for security stakeholders. They are also a quick and effective way to communicate the value of any particular technology.
For example, here is a retail store gunpoint hold-up scenario, inspired by several new technology offerings. Typical risk scenario: A robber in a hoody, wearing gloves, orders the cashier to open the cash drawer and step away. The cashier cannot press the silent alarm button. The robber bypasses the duress device in the cash drawer, takes the cash, and safely exits the store. Typically, at that point, the employee would call the police, but the police would arrive several minutes after the robber’s departure. There would be no clear video of the robber’s face in the store cameras. The typical outcome: the robber gets away with the crime.
New Technology risk scenario: Instead, with new tablet-based Point-of-Sale (POS) system technology, the cashier presses an unmarked holdup button on the checkout screen, then the button to open the cash register. The camera built into the POS screen tablet gets a close-up facial picture of the robber taking the cash. The police car was rolling before the cashier stepped away from the cash drawer. The POS system sent an email to the police containing a picture of the robber, a picture of the store floor showing where the customers and employees are, plus a link to a web page with live video from all store cameras and a map of the store location. The new outcome: Police arrive as the robber exits, follow him to his vehicle, arrest the robber and recover the money.
In a slightly futuristic version of this scenario (next year?), all of the store owners on the block have subscribed to a drone service, which provides a drone that is parked in readiness on top of one of the buildings. Had the police not arrived in time, the drone would have tracked the robber from the air, sending live video streams and location data, for the map on the same web page the police are looking at. The new outcome is still the same: the police arrest the robber and recover the money.
Holograms Solve Parking Problem
For a real-life look at the value of advanced technologies, watch this 1-1/2 minute video to the right, to see how public safety leaders are using holograms in Russia and Europe to solve the challenge of keeping non-permitted people out of spaces reserved for the disabled.
Clearly defined risk scenarios provided a sound basis for risk-mitigation designs that include intended outcomes and success criteria.
The hologram project's initial installations in Russia achieved very good results, and so the project was expanded into European malls.
Risk Scenarios Show the Value of Advanced Communications Technology
For several other good risk scenarios (school violence, hospital workplace violence, and retail store crowd control) that demonstrate how new cloud-based technology can make a vast improvement in incident outcomes, download this white paper: Future Threat Readiness.
New Technologies Require New Technology Strategies
Successfully implementing such advanced technology means doing so in a way that significantly improves the organization’s risk picture, by improving the security-effectiveness and cost-effectiveness of the organization’s security program. This means that your security technology strategy, to be effective, must include an updated risk assessment process whose results will provide scenarios of how advanced technology will be used to improve the risk picture. These are essential for educating the senior security stakeholders.
Financial stakeholders also require educating, because security technology funding will now contain an OpEx element for cloud-based services. OpEx funding is not new to security for many organizations, since that’s the source of facility security force budgets. However, details will still have to be worked out. Fortunately, the utilization of cloud-based services is not new for organizations today.
Another part of the security technology strategy is the role that IT will play. For most organizations, IT is undergoing significant change, as mentioned earlier, and the security technology strategy will be complementary to IT’s technology strategy. IT can easily play a valuable advisory role with regard to the adoption of IT practices. Additionally, it can provide quality assurance for system design and integration documentation provided by security integrators. This type of documentation is typically a weak spot for most security integrators.
There are likely to be opportunities for advanced security technology to be of operational value to other business functions, especially for video and analytics applications.
IT may also have a strategy for identity and credential management, another potentially valuable point of integration for security systems.
Technology Planning Ingredients
Going forward, product selection will just be one part of the overall process for technology planning, which must include:
- Updated Assessment Process. A risk assessment process is required that takes a close look at the operational scenarios for risk mitigation across the full spectrum of the organization’s security risks.
- Technology Strategy. A security technology strategy that is aligned with and complementary to IT’s corporate technology strategy, and leverages IT knowledge, infrastructure, and processes; informs all of the stakeholders and enables them to make sound decisions regarding the role of security technology going forward, as well as for approving specific initiatives; and sets the objectives that the security technology roadmap must meet.
- Technology Roadmap. A 21st century security technology roadmap for physical and corporate security that is a living document, updated annually, and reviewed any time the organization undergoes significant business or risk changes, or whenever breakthrough technologies offer new and highly beneficial risk mitigation capabilities.
- What security technology leadership means at your level of leadership
- What levels of management and ownership buy-in are important
- How to address the funding challenge of adding technology subscriptions (an Operating Expense) to the traditional approach of technology purchases (a Capital Expenditure)
- How to approach the important aspects of strategic collaboration with IT
- What should you include in your security technology strategic plan
- How to assess the value of stakeholder involvement in developing a technology strategic plan
- How to define a 21st century technology roadmap project