Going to ISC West? Here’s How to Analyze the Cybersecurity Posture of Vendors and Solutions
With ISC West 2024 quickly approaching (April 9-12, 2024 in Vegas!), you’re probably already thinking about which booths you’ll visit and what new security solutions you’ll be seeking in the miles of aisles. Of course, anytime you work with a new vendor, partner or solution provider, you have to be ready to evaluate the company and the product’s cybersecurity posture.
To help you out, the team at the Security Industry Association (SIA) spoke with two of the instructors of our Security Industry Cybersecurity Certification (SICC) program. Jim Cooper, chief technology officer at Integrated Security & Communications, and Josh Cummings, executive vice president, technology, at Paladin Technologies, have both contributed to the SICC program, teach SIA’s SICC Review Course and hold the SICC credential themselves. (That review course is being offered as part of SIA Education at ISC West 2024.)
We asked these experts – integrators themselves – how to stay cybersecurity aware when evaluating new solutions, and where to go for training so that you have the core cybersecurity knowledge needed to be conversant and prepared on this important topic.
Question: In April, tens of thousands of people will gather at ISC West to explore the latest security technologies. How can someone evaluate the cybersecurity of these systems?
Josh Cummings: I'm excited to see the event this year. It was great to see such a strong turnout last year. There is so much technology being demonstrated at the exhibit, and it can be a bit overwhelming for those looking at new products to evaluate the way these products are manufactured and secured. I would say to start with some of the basics. Where is this product being manufactured? How do they handle software and firmware updates? How do they secure the product? Do they support TLS 1.2 or better, encryption of the data, certificates and other methods for cybersecurity? Do they disclose cybersecurity vulnerabilities, and what does that program look like? There are so many good questions you can ask – the key is to start asking them. You can gain a lot of insight from the responses you get.
Jim Cooper: When looking at a new product or manufacturer, there should be a standardized set of questions to ask when vetting a product. For an overall idea on the security posture of a manufacturer, you can ask if they have had a SOC audit performed and if they follow any of the ISO standards, which can help highlight how important cybersecurity is to the company. When reviewing an individual product, ask if there has been an external vulnerability assessment performed on it and, if so, how they responded to the findings. We’ve worked with companies with very niche products and small staffs who weren’t following ISO standards and hadn’t had SOC audits performed, but they shared their most recent vulnerability assessments, addressed all the findings and had follow-up assessments scheduled. It demonstrated how seriously they took cybersecurity on their products, which made us as the integrator more comfortable with presenting them to our customer base.
Question: What do you recommend integrators do in terms of training on cybersecurity?
Jim Cooper: Integrators need to change the training model from mostly product-specific training, which may only occur once, to include external training on networking and cybersecurity. Certifications like CISSP, Security+ or CCNA/CCNA Security are fairly broad and may not be the best use of your training budget, as they cover topics that are not completely relevant to physical security. Industry-specific certifications, like the SICC, offer an alternative to the broader IT certifications and focus on the cybersecurity components that are important to the industry. The SICC preparation is based on elements from CCNA, Security+, A+ and several other broader certifications but eliminates components that are not relevant.
The SICC verifies that the individual has a deep understanding of cybersecurity and how to apply those concepts to the physical security industry and systems. As the leader of a technology group for an integrator, I put more weight in an individual who has the SICC certification over somebody who may have a cybersecurity background but has no knowledge of the industry and how it applies to the systems we work on every day. Cybersecurity training and education are constantly ongoing and evolving – integrators need to ensure their technical staff have time to stay informed on emerging technology and threats. The attackers never stop evolving and learning – as defenders we need to ensure that we don’t either!
Josh Cummings: I think there are several good paths for training. SIA has the SICC, which is a great option. Some manufacturers offer courses specific to cybersecurity. CompTIA has the Security+ course, which is a great program and certification. There are also lots of great options for higher education through a university. You can also look at pursuing something like the CISSP. Develop a program and a rhythm around investing in cybersecurity training for your people.
We are making great progress, but we still have a long way to go. I would encourage folks to engage with organizations in the industry that help to drive education, awareness, training and opportunities in our industry. Be a part of the community. Learn, contribute and help make our industry even better.