Beyond their intrinsic value as a showcase for new technology implementation, case studies provide additional value. By demonstrating the art of the possible, they enable businesses to envision how IT solutions might be applied in their own circumstances - and to what end. The consumer of case studies can consider the ‘how to’ of implementation, absorbing lessons and ROI metrics that may be used to build business justification and smooth solution deployment. In the Genetec case study presented below, readers will come to understand how IT security may serve as more than "insurance" - how, with expert help, security can help support market positioning and success.
Genetec is all about security. The Montreal-based company provides open architecture software, hardware and cloud-based services to physical security and public safety customers on a global basis. Genetec’s flagship product, Security Center, is a platform that unifies Omnicast IP-based video surveillance, Synergis access control and AutoVu license plate recognition systems, integrating physical and virtual security to offer enterprise and government clients greater efficiency through standardized workflows, faster response time and improved security overall. The Genetec platform also supports additional third-party technologies, such as intrusion panels, asset and building management systems, WiFi wireless door lock hardware, and video analytics to enable holistic security management. In June 2013, Genetec also launched Stratocast, a cloud-based video-surveillance-as-a-service offering aimed at helping smaller businesses quickly deploy and remotely manage a single video installation — or more in a federated configuration that can reduce infrastructure cost and complexity.
Genetec’s value proposition lies in its ability to deliver more efficient, more reliable solutions to meet customers’ diverse physical security needs and in its ability to integrate these through an IP-based platform that enables centralized management. To support this positioning, the company engages in continuous development of security capabilities in both its own IT operations and in the products/solutions it develops and markets. Genetec has worked hard to ensure proper security on its own internal networks - following best practice, making sure the right patch levels are set — and to perform vulnerability testing on outward-facing networks, including company web sites and portals. Through this kind of work, Genetec aims to establish its security expertise and create top-of-mind awareness for the brand in this area.
According to Christian Morin, Genetec director of the strategic product group with responsibility for infrastructure, development of security capabilities represents a work in progress — "a journey that never ends because the destination keeps moving." And because security has many components, "we don’t necessarily have the skill sets in house to deal with all these." As a result, Genetec found the need to bolster internal resources with third-party expertise. Vulnerability assessment and penetration testing are two areas where Genetec looked to an external security provider for expert opinion. "Sometimes you are so close to it, that you can’t see the obvious. You can’t see the forest for the trees," Morin added, a hurdle that the company hoped to overcome through independent, objective assessment of security risk in its IT infrastructure.
To obtain third-party validation, Genetec turned to consulting services offered by Dell managed security provider SecureWorks in the areas of vulnerability assessment, compliance and certification, cloud security and review of internal security processes. According to Morin, leveraging access to vast amounts of threat data collected in the SecureWorks intelligence practice, SecureWorks consultants were able to offer expertise that was out of scope for the company’s internal security group. "Threats are continually evolving, but we don’t have an army of people looking over this on a daily basis," Morin noted.
With responsibility for supporting Genetec’s 540 employees, maintenance of online platforms, web properties and internal network, in addition to product development, the four-person IT admin team required support that SecureWorks delivered remotely (assessment of external websites and portals) and onsite (assessment of the Genetec network). In preparation for the audit, Genetec scoped the work to be done, specified systems requiring assessment and methods/metrics that would be used in reporting. To minimize potential disruption, the company stood up external properties in a separate window with little traffic — in the case of failure, it would not be catastrophic. On the internal side, SecureWorks worked to identify vulnerabilities rather than test the limits through exploitation, an approach that also served to reduce disruption. The SecureWorks audit was conducted independently, without involvement of the company team. The bulk of Genetec's work occurred post-assessment, when it came time to address the vulnerabilities identified in a report that set out the magnitude of risk, the process for simpler fixes, as well as technologies that might address larger issues.
Since "security is a highly dynamic and evolving" field, Morin explained that Genetec has chosen to undergo this assessment on an annual basis. Each time a security assessment was conducted, issues were raised and action items identified, enabling the company to develop priorities and put in place remediation plans for addressing risks. This partnership also involved knowledge transfer. For example, during a recent software development engagement with Accuvant involving source code review and software vulnerability penetration testing for its physical security solution, Genetec was able to take advantage of SecureWorks training to also look at integrating the security development lifecycle into software development processes in order to bake in threat identification and potential mitigation factors at the outset. In addition to guidance on new threats to explore, SecureWorks has helped the company take the next step towards creation of a security strategy — a roadmap for the future that takes into account not only the threat landscape but also the market landscape — the right security technologies to address Genetec’s unique business needs.
For Genetec, SecureWorks security validation served to establish the company’s credentials in the marketplace: "the fact that it is provided by an independent third-party gives this extra level of credibility when it comes time to talk to customers. It shows that you are taking the proper steps to ensure that your system is as bulletproof as it can be," Morin explained. Additionally, the development of best practice in security processes will better position Genetec to achieve security certifications such as the SOC 2 for audit and reporting or ISO 27001 for cloud services, security standards that also resonate in customer conversations. This kind of validation is especially critical given the kinds of industries that Genetec supports: government clients, large enterprises, healthcare organizations, which handle a lot of sensitive material, or retail, which manages credit card information, are especially security conscious and typically subject to their own regulations, a fact that drives Genetec efforts in turn.
Measuring ROI on security services is a difficult proposition that Morin believes "comes down to the value you place on security in your organization. You could almost see it as an insurance policy. There are some things you just have to do." Ironically, in terms of SecureWorks services specifically, he sees value in the identification of real risks — since these have helped Genetec bring its defences to the next level. "It’s an iterative process," he stated, "and as we mature as a company, we’re putting greater emphasis on security. These exercises really help ingrain this notion that security is important to the company."
"Be paranoid," Morin urged. A lot of people are complacent when it comes to security, especially the smaller organizations that may not have in-house expertise, but the threat is evolving at a really rapid pace, he explained. By going through the assessment exercise on a regular basis, leveraging expert knowledge of the threat landscape, an organization can locate vulnerabilities in its own IT infrastructure while staying on top of the changing threat landscape.