The criteria presented here are in no particular order, and it is really up to the person working their way through them to determine how much weight they should attach to each one. The results of a threat and risk assessment should help you decide.

The first on the list is “operational” consideration. Regardless of the system or product you are purchasing, serious consideration needs to be given to its daily usage. What is the system’s compatibility with industry standards? Is it a unique product where the most basic parts have to be ordered in special, take six months to manufacture, are unusually expensive, hard to get, difficult to make? Does it come with options, add-ons, special programming, or any extra requirements? Does it have architectural flexibility, meaning can it interface with other products? Are you getting a product that is an operational nightmare that will have your staff pulling their hair out or quitting in frustration? Do you know the answers to these questions or are you just crossing your fingers and hoping for the best?

The second item on the list is “functional” consideration. Does the system do what the company literature says it does? Have you sat through a demonstration or did you get an opportunity to test it out in real-world conditions? Did your staff get a chance to try it? Does it meet the needs of the site, complex, or the people who require it? Does it work? Is dealer training available? Are you going to have to fly in a specialist if you run into problems, with six months advance notice, working on the vendor’s time frame and not yours? Will they train your staff, locally, or will you have to fly them somewhere? Will they need a PhD in electrical engineering and computer science to understand the training? How much will the training cost?

Next, does the system or product actually provide security solutions? For example, if you are considering purchasing a lock and key system, are the keys difficult to copy and if so, how difficult? How much effort would it require to get past the lock? Does it actually work to the level promised? A couple of years ago, my department was looking at a number of laptop theft prevention devices. One product in particular was promised to provide a particular level of security. One of my staff tested it out, and using a couple of screwdrivers and some twisting and leverage, he bypassed the security mechanism in about 10 seconds. Needless to say, we sent it back and got a refund. My advice is to test the stuff out. Wreck something if you have to. This is all part of the due diligence process.