Hiring a Security Consultant – Part 1

This article is presented in two parts. Part 1 will include the types of security consultants, the meaning and value of independence, determining qualifications, and the benefits of retaining a security consultant. Part 2 will address determining the knowledge requirements of a consultant, and how to define scope, retain a consultant and manage the fees associated with the service.

Introduction

The challenge: How to buy a professional service when consumers are inexperienced in the service they are purchasing. Security consultants generally work for non-security experts to provide supplemental knowledge, experience and services. It is not uncommon for consultants to be retained by seasoned security professionals for a variety of reasons, such as getting an extra pair of hands, for specialized projects or to help pick up the slack in a heavy workload.

How often a security consultant is used will vary based on the individual organizational needs and circumstances. The first step in hiring a reliable consultant is to define the requirements of the job. Does it involve the analysis of risk, implementation of security systems, regulatory compliance, management consulting, training, or defense of an inadequate security claim? Only after you define the requirements of the job can you select the right type of consultant to complete the work.

Types of Consultants

There are typically three types of consultants available in the physical security space [1]:

  1. Security Management Consultant – This type of consultant is typically considered a generalist and might engage in such services as security risk assessments, policy and procedure analysis or development, guard service assessments, crisis management planning and other non-technical work products.
  2. Technical Security Consultant – The technical security consultant is likely to be focused more on the low voltage security systems such as access control, video surveillance, intrusion detection and similar systems. Technical consultants would assist in technology assessments, security design and working alongside architects to address the security portion of a large project, typically covered under MasterFormat Division 28. While it is the risk analysis that defines the design basis for a security program, it is the technical security consultant that implements conceptual through actual system design, construction and operation, much the same way an architect moves through a process to build a building. The scope of the designed systems can vary widely as necessary to deter, detect, delay and deny an adversary access to a client’s critical assets.
  3. Forensic Consultant – The forensic consultant will be found working in court litigation cases, either for the plaintiff or the defense, trying to resolve allegations of inadequate security under the tort law of premises liability, among other case types.

One fundamental skill set all security consultants must have is the ability to perform a proper security risk assessment. If, for instance, a technical security consultant is not well versed in risk assessment, how effective might you expect his or her advice to be regarding the placement and interaction of complex security devices? One technical consultant was heard saying, “I just throw a bunch of devices into a project and see what sticks to the wall.” Technology is too expensive to take a spitball approach, so every enhancement to security should be founded on risk or regulatory compliance at a minimum. For more information on security risk assessment, view Security Program Assessment & Development or The Three Components of a Security Risk Assessment.

Independent Security Consultant Benefits

Hiring the right consultant can result in significant benefits to an organization. For example:

  • Outside expert advice with real-world experience for organizations that may not need a full-time security professional
  • Managed security spending, using talent only when needed versus retaining it in-house, or reducing the cost of security operations
  • Objective viewpoint
  • Independent, non-product-affiliated advice that avoids product conflicts of interest or limited solution set offerings
  • Options for protecting critical assets
  • Liability reduction or defense
  • New outlook and experience from someone who has worked in other organizations with similar problems
  • Delivering knowledge on rapidly evolving security technology
  • Faster completion of complex projects
  • Identification of unknown problems and security vulnerabilities
  • Risk transference – Utilizing an outside security consultant in the assessment of criminal risk can serve an important purpose in defining criminal foreseeability and help an organization that may be accused of having inadequate security.
  • Flexibility – When you hire a full-time employee, you are locked into the skills of that employee unless you slowly, and sometimes at great expense, develop additional skills. The advantage of hiring a security consultant is that you can hire as many as you need in order to buy the skills your special project requires.
  • Networking – Well-respected consultants know how to connect clients with hard-to-find technical resources.
  • Unique or niche expertise available.

Why Independence is Important

The next concern is independence. Some consultants are truly independent, representing neither a particular company nor a particular technology solution. Others, however, may be using their consulting services as a door opener to sell products and services you may or may not need but for which a consultant may collect commissions or other fees. When a “consultant” also represents a product, there is a natural financial conflict of interest. Further, when “consultants” (who really should be called salespeople) and vendors represent a product, you run the risk of seeing limited solution sets, as these “advisors” will typically only present the products they represent.

If a consultant is going to sell you what he or she recommends, how can you be sure the recommendation is based on your needs and not the salesperson’s need to sell the product? The answer is you cannot. In fact, far too many salespeople and vendors try to disguise themselves as consultants. This is not to take anything away from those persons and their subject matter knowledge of the products that are being sold, but it is misleading to the end user to call oneself a consultant without the independence that frees a person from limited solution sets and the conflict of interest.

Next, when you are not dealing with an independent security consultant capable of taking a holistic approach to solving problems, you run the risk of being offered limited and inadequate solutions. For example, if you are getting advice from a security systems vendor, expect to get recommendations along the lines of security systems as the best way to solve your problems. If you are getting advice from a security guard vendor, expect security guards to be the answer to your problems.

The International Association of Professional Security Consultants (www.iapsc.org) defines independence as being non-product affiliated among other criteria. This rules out all the product sales personnel. The IAPSC goes on to limit membership by stating in their bylaws, “Members shall not be an employee of, be employed by a subsidiary of, hold a direct financial or controlling interest in, or participate in the management of a business entity that manufactures, distributes, sells, installs, maintains or in any way provides services or products whose activities are prohibited by IAPSC by-laws. Members are required to advise the IAPSC Board of Directors of any activity that may contravene, or appear to contravene, these by-laws.” So, the IAPSC standard of independence is a high one requiring disclosure of anything that may even appear to call into question one’s independence.

Qualifications

Qualifications are defined by, and correlate to, competency in the various analytical protocols the consultant may employ. Too often consumers and hiring agents look no further than the last title an individual had, whether it be federal or local law enforcement. These may be highly skilled people in policing and investigation, but that is not a guarantee that those former skill sets will immediately translate to effective security consulting skills. Remember that one can go to the police or other agency academy to qualify for law enforcement while others can earn security certifications and degrees; you are comparing an apple and an orange. They are simply different but complementary disciplines, not to be utilized interchangeably.

Typically, an independent professional security consultant is going to be a member of ASIS International or the International Association of Professional Security Consultants (IAPSC). These are the top two security consultant affiliations. While lack of membership in either of these organizations does not equate to a lack of qualifications, participation indicates that the prospective consultant at least professes to observe the code of ethics and to meet the minimum standards for affiliation with the groups. The IAPSC subjects its applicants to a background check to verify candidates have not been convicted of any felony or any crime involving moral turpitude or engaged in any act which constitutes moral turpitude. This also includes a verification of claimed levels of education and experience.

There are also several industry certifications that serve as benchmarks for the professional security consultant including the Certified Security Consultant (CSC), Certified Protection Professional (CPP) or the Physical Security Professional (PSP).

Obviously and lastly, your consultant should have consulting experience to properly navigate and produce a satisfactory work product at the conclusion of an engagement. This experience can come from working in a consulting firm or, in some cases, is developed by being an internal security advisor in a corporate security or crime prevention role.

Subject Matter Expertise

The consultant must be able to demonstrate prior experience and knowledge as well as provide references. While safeguarding confidentiality is an essential part of a consultant’s business, most clients when asked will agree to serve as a reference. Be wary of the consultant who claims that all clients are confidential and refuses to provide references.

[1] This document is not intended to address cyber security and cyber security consulting.

Attributions

Frank Pisciotta, CSC, is president of Business Protection Specialists, an international security consulting firm that has helped clients prevent criminal and terrorist incidents since 1990. Pisciotta is a Certified Security Consultant (CSC) and achieved his Certified Protection Professional designation in 1994.

Frank gratefully acknowledges other authors who have written about hiring a security consultant, namely Steven R. Keller, CPP, Stephen R. Zimmerman, James R. Kus, CP and John A. Nolan III, CPP.