The Five Biggest Security Technology Mistakes and How to Avoid Them
By James R. Black
Security managers throughout the country are rightfully considering and deploying more advanced security technology as important components of their security program. It makes perfect sense that planning and implementing modern security systems requires special attention be paid to every detail ensuring that the totality of equipment and systems function as intended, does not over burden administration, operations or maintenance staff and maximizes their intended benefits. Individual technologies must also integrate to provide greater situational awareness, thereby amplifying any “force multiplier” potentials to quicken return on investment.
The old axiom of “Good news travels fast and bad news is waiting when it gets there” does not seem to apply as much to security technology mistakes made by critical infrastructures. Many users are uncomfortable sharing details from their technology implementation failures and political pressure is sometimes applied to lower the profile and embarrassment of dollars wasted on technology missteps. The benefits of sharing these lessons learned however far outweigh any short term perceptions. To help you get maximum benefit from your security technology systems let’s review five of the most common security technology deployment mistakes made by critical infrastructure protectors accompanied by tips for how to avoid them.
Mistake #1: Believing what you read and hear. The security industry in the United States does not oversee or regulate what manufacturer’s print or say about their products. In today’s market, finding unbiased information about products is annoyingly difficult. Trying to learn a company’s strategic vision for their products and a particular product line is harder. Forecasting which companies may purchase, absorb and otherwise eliminate products is impossible. The flood of proprietary specialty products amplifies the problems faced by decision makers. Users are generally challenged for time and resources and usually need to make effective decisions, quickly. For critical infrastructures especially, there can be pressure applied to hurry along technology deployments and expedite implementations. How do you address these challenges? First, be skeptical of everything you read and hear. Focus less on technical data like pixel counts and laboratory controlled error rates and more on head to head evaluations in real-world conditions like yours. Seek unbiased and experienced evaluations and advice. If you belong to an industry group or other peer network, use its membership to solicit feedback on what works and what doesn’t. If you’re relying on a peer with an identical system, visit them directly rather than take anyone’s word for the effectiveness of their systems as they may not be using the products full functionality or features you intend to. Before you commit to implementing any particular technology conduct “proof of concept” testing at your facility to replicate how proposed technologies will perform and more importantly whether the technology meets your real needs. This is different from “Beta” testing that let’s others use you as a guinea pig for their product development while learning how their products perform at your expense. Too many users accept these test systems to cheaply augment their existing security to the detriment of the overall program.
Mistake #2: Thinking technology will solve all your security problems. Every security technology is only as good as the complete security program that supports them. History has demonstrated time and again that the simplest breakdowns can render the most sophisticated security systems useless. This is especially true with critical infrastructures where an abundance of territorial stakeholders increases the odds of operational and procedural breakdowns. Protectors of our nations’ assets should remain constantly mindful that security technology is only one aspect of your security program and in fact, depends on the success of the other parts in order to be effective. For example, some technology proponents automatically believe that video surveillance cameras outfitted with analytics can replace the need for roving guards. In reality however, depending on the particulars of the situation, more monitoring staff might be needed to receive, assess and respond to increased alerts that might be generated by today’s advanced video systems offsetting the fewer field personnel. It is important to keep expectations reasonable about technologies role in your overall security program and thoroughly understand exactly what the impacts will be from implementing each proposed system. Ultimately, your security programs success may hinge on the perception of how effectively and appropriately security technologies are understood and have been deployed at your facility. In addition, technology’s role in the overall program should be well thought out and clearly communicated to everyone involved.
Mistake #3: Insufficient planning. Security breaches can be a stressful time for everyone. Natural instinct dictates that the sooner something is done to address an incident the less likely something like it will occur again. Security technology such as cameras, access control, and intrusion detection can seem like obviously good tools to deploy or upgrade. However, rushed incident response driven deployments without appropriate planning are not always best for the overall security program and in some cases can create unnecessary liability. A thorough understanding of the real vs. perceived needs for security technology is necessary prior to deploying any equipment. Planning for any critical infrastructure enhancement involves knowing the real security needs and which technologies are most appropriate to deploy where. This process must also addresses “low tech” and “no tech” supporting features essential to program success. For example, wherever cameras are deployed, a lighting plan should support their use. When IP based security systems are considered, the IT infrastructure plans should be updated to account for current and future bandwidth and resources demands. When facilities are designed or renovated minimum security technology standards should be in place before hand. Before product standards decisions are made, a thorough competitive evaluation should be performed including identifying a pool of competent, factory certified installing companies to provide options and ongoing support. When security systems costs are estimated, understand product lifespan and 5 year service needs are anticipated in addition to the ongoing personnel and operational costs of maintaining these systems.
Mistake #4: Leaving out lynchpin stakeholders. Critical infrastructures, like many organizations can be politically charged environments with competing interests, agendas and legacy attitudes. We have seen a trend among some organizations that in order to obtain consensus on issues and complete the project, the pool of stakeholders must be as small as possible. Security projects that kick-off without involvement from important stakeholders invites second-guessing, criticism and can create hurdles and project road blocks that could be avoided. Ultimately, the security program may suffer from less credibility and support due to what’s viewed by some as a program forced upon them by an elite group out of touch with the real needs of the organization. Commonly overlooked stakeholders include service staff who will be charged with maintaining systems, field personnel who respond to system alarms, operators who will be manning the equipment on a regular basis and information technology personnel whose network may be supporting the systems. Other departments appropriate for process inclusion are legal, local law enforcement, human resources and procurement. Not every stakeholder needs to be integral to every security technology discussion however, inviting these stakeholders to the table from the outset and keeping them informed in some manner throughout the process can smooth the implementation and acceptance path down the road and remove much of the potential resistance to your security technology program.
Mistake #5: Deploying more technology than you need. Just because it can be done, doesn’t mean it should be done. In recent years, security mandates and grant funding opportunities have driven facilities to acquire significant amounts of security equipment. I’ve had critical infrastructure clients call me and say they need to come up with some proposed security projects quickly so they can stake their claim to funds and get “their share” of a grant award. Unfortunately, we have repeatedly seen that funding processes and rushes to deploy technology at critical infrastructures sometimes do not consider the real vs. perceived needs for this equipment nor the impacts these deployments will have on the overall security program. Whether incident driven or not, many well meaning facilities have deployed more technology than they need. Ultimately, shortsighted technology deployments often become expensive boat anchors dragging down the security program without adequate operating or maintenance funding. How much of which technology is enough then? Try to match every technology deployment to a specific documented priority need. Make sure that these needs cannot be addressed by simpler and easier to implement and manage “low tech” or “no tech” solutions. One test to evaluate whether you’ve deployed too much technology is to find the person within your organization who is most familiar with the proposed work. Ask that person to explain to a small group of non-security employees (representing various skill and authority levels), what need the proposed equipment will address, how it will accomplish this and how using this technology is appropriate when compared to other alternatives. Then interview these employees and ask them these simple questions. Did the technology advocate’s explanations make sense? Is it clear from the session that we need this equipment? Do you think our security program will be better with this equipment? You might be surprised what insights into your security program outsiders can provide. If the explanations are not clear, concise and incorporate more than one narrow aspect of your security program, other improvements might serve you better.
Advanced security technologies and the great potential they bring to solving today’s most difficult security challenges can be intoxicating . Experience shows us however, that security technology planning and deployment mistakes can not only be costly in the short term to your organization but they also can adversely affect the perception and effectiveness your security program long after problems have been corrected or the offending equipment has been removed. Proactively avoiding repeats of these common pitfalls will benefit everyone in critical infrastructure protection.
James R. Black, CPP, PSP, CSC, CET serves as senior security consultant and operations manager for TRC out of their Irvine, CA office. Over the past 13 years, Mr. Black has assessed threats and designed security systems for many of the nation’s critical infrastructures including municipalities, transportation centers, and utilities. Mr. Black is a member of ASIS and is a member of their architecture and engineering committee. He holds numerous security licenses and regularly writes and lectures about current and emerging security technologies. James can be reached at firstname.lastname@example.org