Pract 7(20)

profileSam@98&
PAGE-303.docx

PAGE-303

Is Your Camera System a Soft Target?

In the Federal Trade Commission’s (FTC) first action against a company selling a product with interconnectivity to the Internet and mobile devices (i.e., IoT), a settlement was reached with TRENDnet for falsely claiming its cameras for home security, baby monitoring, and other purposes were “secure.” The charges included lax security and faulty software that exposed the private lives of consumers to public viewing, and sometimes listening, via the Internet by anyone with the cameras’ Internet address. The FTC complaint pointed to failure of TRENDnet to test its software, such as a setting for the cameras’ password requirement. A hacker exploited the lax security, publicized it, and posted the links to the live feeds of almost 700 cameras, exposing babies, children, and adults in their homes. Under the terms of the FTC settlement, TRENDnet must stop misrepresenting its products, improve cybersecurity and privacy of customers, and maintain an external evaluation of its security programs every 2 years for 20 years (Federal Trade Commission, 2014).

Matwyshyn (2017) recommends that before purchasing technology, customers should check the security history of the product or service. Request information on the vendor’s security testing from the vendor. What does an Internet search of the vendor show? Is there a history of breaches? Does the vendor work quickly to fix vulnerabilities and patch flaws? Vendor promises should be written into the purchase contract.

System Acquisition

Many organizations require a formal competitive bidding process to acquire a new se- curity system (or service). Competitive bidding offers benefits such as obtaining alter- nate prices from vendors, learning new ideas from experts, and gaining improved value for the budget. Organizations seeking to improve efficiency with numerous projects are increasingly using online procurement and placing contract, design requirements, and questionnaires online for vendors (Aggleton, 2012).

Khairallah (2006) explains the competitive bidding process. Once a security need is established, a preliminary design is prepared, and when management approves the plan and funding, the next step is to prepare a solicitation for the market to obtain pricing and availability of the product or service. Three types of bids are explained below.

A request for information (RFI) serves to gather information. It is especially helpful when the security practitioner is searching for guidance. Essentially, the market helps with problem solving.

A request for quotation (RFQ) seeks costs. It provides an opportunity to compare bidders.

A request for proposal (RFP) contains the elements of an RFQ plus performance criteria. The National Contract Management Association offers a listing of contract types

and conditions. Khairallah notes that even for a trained professional it is nearly impossible to know all the features of all security products from the numerous manu- facturers. He recommends that the RFP be well organized and indexed. Khairallah suggests using a technique from federal government contracting called work breakdown structure (WBS) that separates parts of a project into clearly definable tasks. It is used to check each bid to ensure that all components of the project are included, and it helps with the ranking of bids.

Jensen (2010) notes that when a customer has a very specific challenge and need, the RFP should be detailed so vendors can offer precise solutions. He also recommends including existing standards applied by the customer.

Following the evaluation of the written proposals, the next step is to request a product demonstration from the most likely vendors that can meet the requirements of the RFP. As the evaluation of vendor proposals ends, the security practitioner prepares a written report for management to pinpoint the most favorable bidder. Once the contract is awarded, there are specific stages of installation and implementation such as in- spections, testing, and training.

You Be the Judge1 Carl Simpson, the security director at Southeast Tool Company, was fighting mad. The plant had been burglarized again, but that was nothing new. What had him angry was that the alarm system the company had recently leased had failed to detect the intrusion.

“Get Security Systems International on the phone,” snapped Simpson at his secretary.

Once SSI came on the line, Simpson began his attack: “We had $135,000 worth of precision machine tools stolen last night, and your people are responsible. According to our contract, you are supposed to make sure this alarm system works. It doesn’t, so your company had better come up with $135,000.”

The manager of SSI just laughed. “Calm down and reread your contract,” he said. “It has what’s called an exculpatory clause, which says that SSI is not responsible for any loss caused by burglary.” “But this was your fault!” Simpson cried. “It doesn’t matter,” replied the man- ager. “The clause covers us even if we’re negligent.” He chuckled, “I can tell you’ve never dealt with a burglar alarm company before. Almost all alarm contracts have an exculpatory clause in them.”

Southeast sued SSI for breach of contract, breach of warranty, and negligence. Simpson argued, “they shouldn’t be able to use a catch-all clause to escape liability for their negligence.”

Did the court agree? Make your decision; then turn to the end of the chapter for the court’s decision.

1Reprinted with permission from Security ManagementdPlant and Property Protection, a publication of Bureau of Business Practice, Inc., 24 Rope Ferry Road, Waterford, CT 06386.

Outsourcing

Outsourcing is purchasing, from outside companies, services that were previously performed in-house. In Business at the Speed of Thought, Bill Gates writes: “An important reengineering principle is that companies should focus on their core business and outsource everything else.”

Internet connectivity has produced a global economy with intense competition requiring management to concentrate on new challenges and opportunities or be left behind. Outsourcing improves a company’s focus, frees internal resources for other purposes, reduces costs, and shares risks. Consequently, activities that do not contribute directly to the bottom line and are part of “the cost of doing business” are ripe targets for outsourcing. Examples are human resources, risk management, environmental man- agement, safety, and security (Caldwell, 2001).

Here, we consider two outsourcing decisions. A frequent outsourcing decision concerns choosing between in-house and contract security officer services. With in-house, the ad- vantages are lower turnover and increased control over hiring, training, and quality. In addition, officers often have greater loyalty and are familiar with unique needs. The disad- vantages are higher costs and total responsibility for security. With contract services, the advantages are lower costs, fewer human resources duties, and shared responsibilities. The disadvantages are less direct control (e.g., hiring), loyalty may be more of an issue, and higher turnover (Maurer, 2000). All these factors are generalizations and there are exceptions.

In the IT sphere, “managed security” is a growing trend involving outsourcing of security technologies, infrastructure, and services. Many companies with in-house staff simply cannot keep up with all the pressing IT security issues (DeJesus, 2001).

Career: Security Sales, Equipment, and Services

This security specialty can be stimulating, challenging, and financially rewarding. New security systems and services have resulted from emerging threats and evolving technology, and the number of companies offering various security services has grown as a result. Sales positions can range from products such as barriers, alarm systems, biometrics, video, and risk man- agement software to uniformed security services. Sales and service personnel may be employed by a product manufacturer or by an independent dealer who represents a variety of products.

Entry-level positions may entail making sales calls, handling advertising queries, organizing sales booths, demonstrating products, and providing input on proposal requests. Entry-level management positions may call for a college degree, depending on the size and nature of the employer. It is recommended that broad-based education and experience be achieved in areas such as accounting, engineering, management, marketing, human resources, communications, and statistics. Certifications can enhance professionalism and advancement opportunities.

In addition to typical management functions, midlevel management responsibilities may include directing and motivating sales personnel, organizing sales and marketing campaigns, and preparing and presenting proposals.

Search the Internet

Use search engines to view what is online for “security services” and “security systems.” Also, check out the following sites:

American Purchasing Society: www.american-purchasing.com ASIS International: www.asisonline.org Electronic Security Association: www.esaweb.org International Association of Professional Security Consultants: www.iapsc.org International Association of Security and Investigative Regulators: www.iasir.org National Association of Security Companies: www.iasir.org

page306image18720320

Security Industry Association: www.securityindustry.org

Case Problem

page306image18720896

A. Select a specific security service or system. Study the state of the art. Then list, in order of priority, 10 questions you would ask vendors. Explain why the first three questions are placed at the top of the list.

The Decision for “You Be the Judge”

The court did not agree with Simpson’s reasoning and dismissed Southeast’s lawsuit against SSI because the clause was valid and clear in absolving SSI from liability for the burglary. Consumers should check such contracts for an exculpatory clause. Not all courts have upheld the validity of such clauses in all circumstances. Check with your company’s lawyer to find out where your state courts stand on this issue.

This case is based on L. Luria & Son v. Alarmtech International, 384 So2d 947. The names in this case have been changed to protect the privacy of those involved.