Like all professional services, security consultants are a diverse group.  Many have years of experience while others have just entered the field.  Some are specialized in specific industries or type of facilities while others are generalists.  Many consultants rely on their prior experience in law enforcement, the military, or as security managers and directors until they have developed the acumen for specific facilities and industries through their work in those areas.  Unfortunately, a lack of experience may or may not be beneficial to a client’s current project.

The following questions should be answered prior to hiring a consultant:

  1. Is the consultant independent?
  2. Does the consultant have requisite experience in my industry?
  3. Is the consultant licensed?
  4. Does the consultant have any relevant certifications or credentials?
  5. Does the consultant have a track record of research and publication?
  6. Does the consultant have the business acumen to provide solid, defensible recommendations?

Independence is the single most important characteristic that a consultant must have.  Consultants that are not independent are usually affiliated with other products or services that they may recommend.  This may compromise their objectivity.  Many independent security consultants are members of the International Association of Professional Security Consultants (www.IAPSC.org).  “The primary purpose of the IAPSC is to establish and maintain the highest set of standards for professionalism and ethical conduct in the industry. Its members are independent of affiliation with any product or service they may recommend in the course of an engagement, thus ensuring that the services they render are in the best interests of the client.”  As a prominent physical security consultant succinctly puts it, an independent security consultant “matches product to need, not need to product.”

Industry specific knowledge is not needed on all projects; however, some industries are regulated or must meet other compliance standards.  Hospitals, chemical plants, and maritime ports are examples of regulated facilities.  If the scope of the project for which you are hiring a security consultant must meet those requirements, the consultant should have the requisite knowledge of such guidelines and standards.  Given the situational nature of security, a baseline level of industry specific knowledge should be a requirement.

In most states, security consultants need not be licensed.  Some states, such as Texas and Nevada, do require that security consultants be licensed.  Licensing, in and of itself, does not mean that the consultant possesses the other characteristics discussed in this article.  Check with your state’s security bureau to determine if consultants in your state must be licensed.

There are many certifications available within the security industry.  Among the most prominent are the CPP (Certified Protection Professional), and PSP (Physical Security Professional), and the CISSP (Certified Information Systems Security Professional).  The CSC (Certified Security Consultant) is the only certification for independent security consultants.  Where the CPP, PSP, and CISSP demonstrate knowledge of security management, physical security, and information security, the CSC demonstrates consulting competence and independence.

Beyond certification, other credentials may be relevant to your project including membership in industry associations.  Most security consultants are members ASIS-International, the largest security industry association in the world.  As stated above, many independent security consultants are members of the IAPSC.  Information security consultants are often members of (ISC)2.  Security consultants that specialize in specific industries may be members of industry specific organizations, for example IAHSS for consultants who specialize in healthcare and hospitals.  Though security association membership is beneficial, many associations are simply “pay to play” in that they do not require active participation in the association.  Consultants who attend the association’s conferences and training seminars are typically more knowledgeable than those that do not.  Also, consultants who actively volunteer for association projects or serve in leadership roles may bring value to your project.

Security consultants who have a background in research are often adept at finding solutions to complex security problems and are often on the cutting edge in management techniques and security system design.  Consultants who have researched security solutions extensively will usually bring a broad perspective to your project which affords them the ability to accurately identify the root problem, understand your needs, and develop multiple solutions to resolve the issue.  When reviewing a consultants resume or curriculum vitae, research experience is often reflected as publications and speaking engagements.

After independence, the last question is probably the most important from your (the client’s) perspective.  Ultimately, it’s the recommendations made by the consultant that you’ll be responsible for seeking approval and implementing those that are approved.  A consultant that identifies roadblocks to implementing recommendation provides great value to the client.  A consultant that identifies alternative solutions and the costs and benefits of each alternative provides even greater value.

Finally, while there are many quantitative factors (cost, experience, education, etc) that you should look for in a consultant, there are also qualitative traits that enhance the project and the relationship.  These traits include good project management and communication skills.  This trait means that the consultant has the ability to talk to different people at various levels within your organization and has the ability to successfully manage the project to its end.  Good project management skills will ensure that the project comes in on time, on budget, and with a high degree of quality.  The consultant should also be collaborative and willing to work as part of your team and other project stakeholders.  The consultant should be adaptive, willing to adjust the project objectives as needs are refined.  The consultant should have an open mind about the project goals and should avoid pre-conceived notions.  To do this, the consultant must ask the right questions and avoid cookie-cutter solutions.

For assistance or more information on Threat Analysis Group, LLC, please contact us.