Embrace a Security Culture
This column first appeared in Sound & Communications.
In the Washington, D.C., area where InfoComm is located, we have an unreliable, accident-prone light rail system. Trains regularly break down and equipment malfunctions or even catches fire. It’s gotten to the point where now, for stretches at a time, parts of the system must be shut down to perform sorely needed maintenance and upgrades. Authorities have investigated the system to help figure out the problem, and one thing the National Transportation Safety Board identified as a key failing is the lack of a “safety culture.” In other words, for whatever reason, safety has not been regarded as important enough by operators to take the steps necessary to ensure a proper, safe experience for riders. Or if safety has been regarded as important, it hasn’t been the organizing principle for everything the system does.
We are at the point in AV and IT integration where AV companies should (if they haven’t already) embrace a “security culture.” It is practically an existential issue.
On many levels, AV/IT convergence is complete. If there’s an elephant in the room — a last stumbling block to complete convergence — it is AV/IT security. AV pros know the advantages created by running audiovisual solutions over networks, and IT pros recognize the important role of AV and collaborative solutions in an enterprise technology strategy. The two need each other. But “not on my network” will be a common refrain until a security culture permeates the AV industry, from product development to design and integration, to service and support. Those who understand (and many do) are already reaping the benefits.
“If, as an AV integrator, you are not security-conscious, then do not come to me,” an AV customer at a U.S. government agency recently told InfoComm researchers. “Don’t say, ‘Aren’t you being overly cautious?’ because there is no such thing.”
“Security issues and concerns have taken a heightened role in the selection of products and the development of policies, including which technologies can be used, should be prohibited or can be put on the network,” said a technology manager at a private U.S. university.
My friend David Danto of Dimension Data was once asked by a client to do a security analysis of the company’s integrated AV systems. Most failed basic security measures, and bringing the systems up to a more secure state was not easy.
Security (device, network, cyber security) is a big, thorny, constantly moving issue. It’s also closely intertwined with networking competency. At InfoComm, when we teach about networked AV systems, we include a discussion of security principles. If you visited us at the June show in Las Vegas, you had a chance to dive deeper into AV/IT security topics, thanks to industry professionals such as Paul Zielie, CTS-D, CTS-I, of Harman. And we’ll continue to identify appropriate security training for AV professionals, but it behooves everyone involved in AV design, integration and operation to seek out expertise and to establish that security culture in their organizations.
For some AV companies, embracing a security culture may require hiring skilled IT security staff or training the staff they have. This is not unlike the requirement for skilled networking staff back at the dawn of AV/IT convergence. But building networking skills is not enough to create a security culture. If the Internet of Things is teaching us anything, it’s that putting devices on a network is one thing, but securing them is another.
Security is a specialty. AV companies may consider adding positions such as chief security officer, chief information security officer, software security engineer, security consultant/designer or application security manager. These are established job functions in IT, and they communicate an organization’s commitment to a security culture. And there are highly regarded IT security certifications that AV firms might invest in, such as CompTIA Security+ and the International Information Systems Security Certification Consortium’s advanced Certified Information Systems Security Professional (CISSP) credential.
Beyond staffing, AV companies should approach systems with security in mind. That sounds obvious, but making it second nature requires a cultural shift. Among the many concepts that should inform their work are:
- AV/IT systems need to be integrated. The days of separate networks for AV systems are numbered, mostly from the standpoint of manageability. So, either the AV systems have to be secure, or they don’t get installed.
- AV security has to be baked into the process. It’s the age-old problem: AV designers have to be involved early. Too often, security issues get addressed during installation or later. You need to discover security requirements during design, if not earlier, such as during the needs analysis.
- Security will have to influence integration. To put it simply, the way AV firms have always done things may not jibe with a security culture. For example, if you’ve always specified a product that requires telnet for control, and telnet violates a customer’s security policy, you probably need to use a different device. Similarly, although integrating many disparate devices has long been the AV industry’s bread and butter, it may mean many disparate security vulnerabilities. Highly integrated, out-of-the-box devices — if they are, indeed, more secure — may be preferable.
- Security should be ongoing. We talk about AV companies offering managed services. Securing AV systems should be one of those services. With a security culture in place, and a trusted relationship with the customer, AV companies are in the best position to monitor AV systems and offer regular security patches and updates.
And this is the tip of the iceberg. With more and more AV deployments falling under IT, security has to permeate everything the AV industry does. That laptop your technician uses to troubleshoot a client’s AV system? How do you ensure that it’s not a vulnerability?
“We are not the guinea pigs for new technology,” said the government agency customer. “It has to be tested and the security and privacy protocols have to be worked out.”
AV security can’t be an afterthought. For the AV industry’s growing legion of customers (enterprise IT), it is one of their top concerns. When you’re staging an AV system, for example, you may have to introduce a level of vulnerability testing to the process. It takes a different mindset to attack your own systems to see if they’re secure, but it’s part of the culture in which IT departments operate.
There are signs, based on research InfoComm has done into various market segments, that things are getting better, but we’re just getting started. Cultural shifts don’t happen overnight.