This is an interesting topic. As someone has already said, I think the security industry is a long way behind pure software companies.
It's only in the last few years that a serious number of CCTV devices have been connected to the internet (at least in the UK), and up until quite recently they were from a large number of different manufacturers. As the quantity of units connected increases and the number of manufacturers is reduced, they become targets just like companies in the software industry. To this end I have some sympathy with the manufacturers of all shapes and sizes.
However, I think the response from the whole industry in general has been rather poor. I include manufacturers, distributors and installers in this statement. We could and should have done more, from making sure vulnerabilities are not there in the first place, to informing installers about updates available for known issues, to installers taking basic precautions like changing default passwords.
It would seem we (the industry) have found it difficult to respond, and in some cases even to do basic things when notified of a problem. That's not to say we have been deliberately secretive, but rather that we have not known how to respond; it's like the cat caught in the headlights of a car at night.
The software industry has had decades to formulate policies to deal with cyber security. For most security manufacturers, distributors and installers this is the first time we have had to think about it seriously, and I think it's fair to say it's taken some of us by surprise.
Now I am not making excuses, but there are many lessons we must all learn from the recent cyber security issues, and some of these will take time to implement; we have a lot of catching up to do.
But we must also be under no illusion that these cyber attacks will continue and, if anything, get worse. As more equipment is fitted and connected to the internet, the target becomes bigger.
There are a lot of questions we need to ask as an industry and then consider the answers carefully before we can truly be in a position to say we are doing all we can.
Question. Once a vulnerability is identified, who is notified, installer or end user?
Question. If the end user is notified, are they given access to update without an installer?
Question. If an installer is to take responsibility for maintaining the software, who will pay for the additional cost, end user or installer?
Question. Is adding an auto-update function (like your phone) a good idea, and who gets to make the update decision, or is it updated automatically?
Question. If the update is automatic, what happens if the unit won't reboot or is slow to reboot and an incident is missed?
These questions raise many more questions, and there is no simple answer. Don't forget we are not talking about DIY systems here; some of these are security systems fitted in highly sensitive areas.
But I think over the coming months we will see some big changes in the way the industry looks at cyber security, and we will all have to take it a lot more seriously.