Hiring a Security Consultant – Part 2


This article is presented in two parts. Part 1 included the types of security consultants, the meaning and value of independence, determining qualifications and the benefits of retaining a security consultant. This segment addresses determining the knowledge requirements of a consultant, and how to define scope, retain a consultant and manage the fees associated with the service.

Industry Specific Knowledge – How Much is Enough?

How much does the consultant need to know about any specific environment? There are two schools of thought, and each has some merit. One perspective is that to be effective, the consultant must know your business; the other states that critical diagnostic processes, such as risk assessment methodologies, can effectively be applied uniformly across multiple organizational types.

Those who believe the security consultant needs to have significant depth in a vertical market may assert that the number of consulting engagements the consultant has performed in the relevant area of service/expertise is critical. For example, analyzing threats to water treatment plants is different from evaluating dangers at universities, which is different from the hazards at chemical plants. While there may be some common issues, there are enough significant differences to make specialized experience and knowledge important to consider.

The counter position might hold that there are key fundamental processes (e.g., facility characterization, threat assessment, risk analysis) that can be applied to different markets with effective results for the client. In the case of a risk assessment for an unfamiliar business, it may simply take the consultant longer to complete the facility characterization portion of the risk assessment, creating a little inefficiency, but not necessarily impacting the quality of the finished product.

In some cases, there may be merit in introducing a consultant from outside the vertical market as he or she can recommend appropriate security solutions that are used in other vertical markets not previously known or deployed in yours.

Scope Definition

The key to any successful security consulting engagement is a proper scoping of the work to be performed. Do you know what problem it is you are trying to solve? Do you know what work methodology makes the most sense to address your needs? Have you had a significant security incident and just want someone to come in and provide an overall analysis? Some advance planning and evaluation may be needed to determine specifically what to ask for from your prospective security consultants. Do not be afraid to engage some security consultants in discussion during the scope definition phase. You will learn a lot and may even get support in forming a scope of work that you can use to solicit formal proposals. Additionally, we have seen clients engage a consultant for a few hours on the front end of a more complex project to set scope in collaboration with the client and to help them make good decisions and keep a project within a reasonable fee range.

Another situation involves technical security design projects. There are variables that must be managed in terms of the work scope to ensure the consultant can provide a cost and the client understands what they are buying and why. Typically, a technical security design consultant will provide a certain number of submissions of drawings and specifications throughout the course of a design until the documents are ready to issue to security integrators for bidding. The client may wish to adjust the number of submissions up or down depending on the complexity of the project.

While the consultant may not be required to report findings or share information until the final report is made, you may wish to request interim briefings to ensure that the work is on target and the final timeline will be met.

In short, your scope needs to clearly define what you want and when you want it. If you want a written report, ask for a written report. If you want an oral report, specify an oral report. Your consultant may advise you on the type of report he or she feels you should receive. If you want the consultant to visit your site and make a formal presentation of his or her report, spell this out. If you want the consultant to do the work and not delegate it to an employee or associate, or if you have a time limitation on delivery of the report, specify these things. You also have a right to know if the consultant has other major projects in progress that detract from his or her ability to meet your needs.

Finding a Consultant

There are several methods for identifying a qualified consultant. In the U.S., one of the primary sources of independent professional security consultants is the International Association of Professional Security Consultants (www.iapsc.org). The IAPSC also operates a free referral service for consumers.

Another excellent source of qualified consultants is colleagues in your industry who have used a consultant and are pleased with the relationship. Additionally, you may find resources through industry trade groups.

A consultant’s publications and professional papers also can be valuable to provide insight into their knowledge of your issues or industry. Consultants who write for professional publications have to keep abreast of the myriad changes in technology, techniques and trends.

Soliciting Proposals

Once you have a good scope defined for your project, you may wish to consider documenting the most important parameters of the project in a formal request for proposal (RFP). The RFP is a good tactic for leveling the playing field when selecting a security consultant, as it ensures that the proposals you receive will be against equivalent work scope criteria. IAPSC has an RFP portal through which you can both acquire RFP models and submit completed RFPs to receive bids from multiple independent consultants (https://www.iapsc.org/rfp-portal/). If you are going to use an IAPSC consultant, check the website to ensure that the consultant is a member in good standing.

Analyzing Proposals

When evaluating proposal responses, it is important to realize that purchasing professional services on a low-cost basis is a recipe for disaster. There is an elevated risk of getting a substandard consultant or having a work scope that will result in requests for change orders throughout the course of the project. Fee management is an important part of retaining a consultant, especially since budget, billing and fee processes are unique to each individual project.

Additionally, when the decision is made to retain a security consultant in response to a specific need, it is important not to rush the selection process. Doing so only to pacify critics that second-guess the timeliness of your actions is likely not the best decision. Timely, informed and well-thought-out decision-making should be your guide. In the higher education safety and security profession, being fiscally responsible includes being safety conscious and must entail looking at the service being provided and how that service will fulfill the desired outcome. Open communication with university leadership is very important in demonstrating the current needs and how they impact today, tomorrow and beyond.

It is essential to discuss project fees and expenses with consultants in advance. As a consumer, you are entitled to know how the consultant’s work is billed. Is there an hourly, daily or weekly rate? The more details you iron out in advance, the fewer surprises there will be later. If you have a budget and need to work within it, a good consultant can provide you with options for getting some benefit for the available funds by using different methodologies.

An ethical and experienced consultant should be able and willing to point out the types of problems that might arise and expand the scope of the project and the project budget. Ideally, some contingency should be built into every agreement, particularly when uncertainties are anticipated at the onset of the project. You should also require that the consultant keep you informed of additional costs as they arise so there are no surprises when the bill comes.

Short Listing and Selection Criteria to Consider

If after reviewing proposals from multiple consultants, you have no clear-cut choice, create a short list from the perceived highest-ranking consultants. You should develop a score card to help you compare consultants and to guide your decision. Consider the following example:

Navigating Fees

Most established, reliable consultants have a fee structure and are willing to negotiate a fixed fee providing there is a defined scope of work. A seasoned consultant will know how much time and effort a project will take and the associated fee. There will always be some negotiation, but the basic pricing should remain constant, which is to your advantage as much as to the consultant’s. There are three models for fees:

• Time and materials (favors the consultant).
• Fixed fee not to exceed (balanced).
• Fixed fee (favors the client).

In terms of financial risk management, fixed fee is always in the best interest of the client. Time and materials not to exceed a fixed fee is balanced to meet the interests of both the consultant and the owner. Time and materials is clearly weighted in favor of the consultant, and some engagements (e.g., forensic consulting where the scope may not be crystal clear) may necessitate such an arrangement. The better the work scope and more experienced the consultant, the easier it will be to secure a fixed fee or time and materials not to exceed fee structure. If the scope of the project changes, you should expect a request for a fee adjustment.

Fee Management Issues

• Expenses. Who pays and whether there is a markup.
• The class of airfare the consultant typically uses.
• Are there limitations placed on expenses on a daily basis (e.g., per diem, GSA)?
• Travel time. Determine the consultant’s policy for how it is billed. There are basically several options:
  • None of it
  • All of it
  • Half of it
  • Travel time billed at a reduced rate
• Who pays expenses if meetings are changed, flights cancelled or the consultant is stranded in a hotel due to flight delays? This now happens all of the time.
• What receipts or proof of expenses are required?

Frank Pisciotta, CSC, is president of Business Protection Specialists, an international security consulting firm that has helped clients prevent criminal and terrorist incidents since 1990. Pisciotta is a Certified Security Consultant (CSC) and achieved his Certified Protection Professional designation in 1994.

Frank gratefully acknowledges other authors who have written about hiring a security consultant; namely Steven R. Keller, CPP, Stephen R. Zimmerman, James R. Kus, CP and John A. Nolan III, CPP.