By Steven R. Keller

Security managers with an unusually heavy workload or highly specialized problem may sometimes find themselves in need of help from a consultant. Too often, though, the consultant is hired by the security manager's boss because the manager failed to ask for help until conditions attracted the attention of someone outside the security operation.

Although the grapevine says that a consultant is called in
to an organization to solve a problem after it has gotten out of hand, professional security consultants often engage in preventive consulting. They provide a valuable second opinion to clients long before a crisis strikes. Security managers for most major corporations recognize that a consultant is one of many tools they can use without fear of criticism for not being able to handle the job themselves. In fact, the use of management, technical, marketing, and financial consultants in industry and business in general has become so common as to be unremarkable. When you hire a full-time employee, you are locked into the skills of that employee unless you slowly, and sometimes at great expense, develop additional skills. The advantage of hiring a security consultant is that you can hire as many as you need in order to buy the skills your special project requires.

The concept of preventive consulting doesn't mean, of course, that a consultant should not be called in during a crisis. Consultants can often provide a fresh, objective opinion as well as valuable problem-solving expertise when it is most needed. However, too many security managers call in outside advice when they are doing something right rather than after something has gone wrong. Either way, it is important to find the right consultant to manage your project properly and to ensure you receive the quality of service you expect. After all, anyone can call himself a professional security consultant, and hiring a security consultant who is not qualified to do the job can be a costly mistake.

What is a Security Consultant?

The International Association of Professional Security Consultants currently defines a professional security consultant who is a member of the association as an independent, non product-affiliated consultant who engages in security management consultation and preventive, training, technical, or forensic consultation on matters involving security. It is widely felt that, to be as effective as possible, a security consultant should work in more than one of these areas. A management consultant who fails to keep up with security technology or a forensic consultant who spends all of his time testifying in court may lose touch with the industry and its trends.

I recall meeting with a very high-priced consultant from a prestigious firm-- a firm of about 3,000 employees who provided consultation in many disciplines to governments and businesses. We began talking about electronic security, and the subject came up of an electronic access control keypad with numbers that scramble after each use. To my surprise, this consultant had never heard of the product. He asked me how to get information on the device, and I told him it is usually advertised in "Security Management" and "Security" magazines. His reply was, "What magazines? How do I get a copy of them?" Obviously this security consultant was not in touch with the security industry and was not a member of the leading professional association in the field.

Can a security consultant be a generalist? Clearly, the answer is no. While there are many similarities among the needs of certain businesses and industries, each type of company does have its own specialized needs and requires a consultant who understands them. Knowledge of a particular industry's infrastructure and how companies in that industry function is important. Many consultants declare a specialization in one or more types of security such as museum or university security, access system design and specification, or expert testimony. Some specialize in security training and manual or policy preparation for all industries.

I once read an article in which a consultant specializing in counterintelligence work stated that specialization is not as important as it might seem. When asked if he felt he was qualified to be a museum security consultant, he said the thought process needed to solve problems in a museum is the same as the thought process needed to solve counterintelligence problems. Therefore, he felt he was qualified.

This view is obviously based on an incorrect assumption.
While it may be true that the thought process is the same, there are major differences between the detection of spies and the protection of art. Consider the trouble we would be in if the CIA was run by a committee of museum security consultants. On the other hand, the special knowledge in the museum security field is considerable. Few industries hang their assets on the wall with no barrier between them and the visitor. And the unique conservation requirements and aesthetic considerations in a museum setting prohibit the use of "normal" alarm devices and installation methods. Without knowing the ways museums record and document their collections, a consultant wouldn't stand a chance of preventing internal theft by manipulation of these records.

To some degree, a person who has been in security long enough is exposed to many fields. A museum consultant who has served as security director of a major museum knows something about food service operations, retail operations, cash security, accounting procedures, access control, parcel control, physical security, and electronic security because a large modern museum, like a hospital or hotel, has all of these elements. This knowledge may enable such a consultant to work in many environments, but it cannot qualify him to work in all.

Many security practitioners cut their teeth on several different industries. They may start in banking, move to manufacturing, then on to make a name for themselves in still another field. Likewise, consultants can have several specialties. No person, however, is qualified to consult in every aspect of security. For a consultant to accept a project in a field for which he or she is not qualified would be not only an ethical breach but might constitute malpractice. Unfortunately for the consumer of consulting services, many security consultants do not feel this way. Their "know-it-all" attitude has led to catastrophes, such as improper design of major alarm systems by electrical engineers or architects who consider themselves proficient in security.

To expand their capabilities, security consultants may have specialists on staff or available as subcontractors. Very large projects, such as a comprehensive survey for a Fortune 500 firm, often require a security consultant to bring in associates. An auditor may contribute to one phase of the project, an alarm system designer to another phase, and a locksmith to still another. Larger firms might have staff members with these skills, but normally security consultants have a contingent of experts they can call on as needed. While it might not be as impressive to use an associate as it is to have a large staff of experts, it is usually just as effective and is generally more economical.

Which Consultant Should You Hire?

What questions should you ask a potential consultant? First, find out if he or she is selling anything other than his or her own time and advice. You want your consultant to be independent and not affiliated with a product or service. If your consultant is not independent, you should know about his relationship and understand that it may result in a conflict of interest. The IAPSC will not admit for membership any person affiliated with a product or service. The exception to this is that members may sell books they have published or engage in training or academic activities..

Why is this distinction so important? Besides the obvious financial conflict of interest that might occur when a consultant represents a product, you run the risk of limiting the solutions to your problem. An independent security consultant should approach every assignment objectively. More important, he should take a holistic approach to solving problems. For example, a consultant may survey your facility and find you need to bolster access control. Since this can be accomplished by several methods, he might recommend adding some new alarms, placing additional security officers at strategic locations, and improving hardware. But if the "consultant" is also a salesman for the local contract guard agency, he may attempt to solve the problem using only security officers. While this may or may not be a good solution, it certainly appears to be a conflict of interest.

In another example, your consultant is a dealer for a local alarm company. She fails to recognize the importance of additional security officer and recommends only additional electronics. An employee is assaulted on her way to the parking lot at night and the electronics detect the attack, but the staffing level does not permit prompt response. The employee sues, stating that had you taken a more holistic approach to security, she might have been safer. The court weighs the expertise of the "expert consultant" you brought in to define your needs, sees the apparent conflict-- which may or may not be real- and rules against you because you failed to evaluate the entire problem objectively. While I know of no case of this type going before the courts, it certainly is possible.

Ask whether your consultant has a specialty. Are you trying to catch spies with a museum consultant or survey a hospital with a consultant whose primary expertise is in investigating or auditing? Many private investigators and polygraph examiners call themselves security consultants, but their specialty is in investigation and detection of deception when you may need a specialist in surveying or auditing.

Ask if your consultant is full-time. Too often, investigators and polygraph examiners call themselves security consultants to supplement their incomes. While these are important and noble professions, you may want to know if your consultant is a full-time consultant and, if so, whether he or she is engaged in any other activities. Having served for nearly eight years as a part-time consultant while holding a responsible job as a security manager, I must defend the competence of part-timers. But your job may require the status of a full-time consultant or time commitments, staff, and associates that a part-timer can't provide.

What are the qualifications of your consultant? Who ordained him or her an expert? How many years has the consultant been in the business? How many successful projects of this type has he or she concluded?  Will the consultant provide references or are previous clients all confidential? What practical experience does the consultant have? Has he or she ever been a security manager? What is your consultant's educational background? Experience, they say, is the best teacher, and so it goes for consulting. But academic credentials say something about a person's ability to communicate and evaluate. While a lack of formal education is no more a mark of failure than a Ph.D. is an indication of success, you should make sure the consultant's background qualifies him for your project.  Is he or she a member of the American Society for Industrial Security? Of the IAPSC? While lack of membership in either of these organizations does not signal a lack of credentials, participation indicates that the prospective consultant at least professes to observe the code of ethics and to meet the minimum standards for affiliation with the groups. The IAPSC subjects its applicants to a background check that, while not infallible, is some assurance that the applicant is not a felon and that he or she otherwise meets the requirements for membership, including the requirements for specified levels of education and experience.

As industry trends change, codes of ethics must change as well. For instance, the IAPSC has implemented a code of ethics for forensic consultants (expert witnesses) because some unethical consultants have become little more than "gunslingers," testifying in civil cases for whatever side pays the highest fee. As a member of both the ASIS Ethical Practices Committee and the IAPSC, I can assure you that both groups enforce their codes of ethics and invite consumers of security consulting services to report unethical behavior.

When selecting a security consultant, it is essential that you fully understand the project you want completed. Does it involve physical security work, management consulting, training, electronic system design, litigation avoidance, evaluation of depositions? It is only after you have thoroughly defined the requirements of the job that you can select the consulting firm to complete the work. If the project is not confidential and you can freely discuss it with other managers in your organization, you can call upon them to help you define the scope of the problem. For example, if the project involves detailed auditing and accounting problems, the comptroller can advise you on the skills and requirements your consultant should have-- or have within his or her circle of associates-- in order to complete the job successfully.

Consultants generally do not advertise extensively, but most are listed in industry directories such as the *Security Industry Buyers Guide*, *Security Letter Sourcebook*, "Security" magazine annual buyers' guide, and others. Some directories list all consultants in one category, while others list independent, non product-affiliated consultants separately. The IAPSC publishes a free annual directory of members with a complete biography and listing of specialties for each member. The IAPSC also operates a free referral service for consumers of consulting services. Another excellent source of qualified consultants is colleagues in your industry who have used a consultant and are pleased with the relationship.

The IAPSC estimates there are approximately 250 independent, non product-affiliated consulting firms in North America, whose consultants meet or exceed its membership standards, and approximately 500 other independent security consultants. The number of product-affiliated consultants is in the thousands.

To date, there is no valid certification program for security consultants, and a CPP or degree in a specialized field such as law or electrical engineering is the best measure of proficiency. The diverse nature of security consulting makes it unlikely that any valid certification program will be developed in the near future, so the consumer should be wary of anyone claiming to be a certified security consultant.

What if your boss selects a consultant without your involvement? Obviously, this is not a desirable situation. The security manager should be consulted during the selection process. To avoid being excluded from that process, select a consultant as you select your doctor-- before you need one. Establish a relationship before you have a problem, and you will probably never find yourself in the position where your boss has selected a consultant for you.

Working with Your Consultant

After you have identified a consultant you want to work with, what do you do?  Start with a thorough background check or at least check his or her references to assure yourself the individual is both competent and trustworthy. After all, you are about to convey the deepest secrets of your organization to this person and his or her associates.

Interview the consultant as you would an assistant. For major projects, it is common to invite the consultant==at your expense-- to your office to introduce him or her to the project. This interview allows you to evaluate the consultant more closely and allows the consultant to assess the scope of your problem. If the consultant is a member of the IAPSC, he or she will be compelled by the codes of conduct and ethics to tell you if his or her firm or circle of associates is not able to perform the work in a capable and professional manner. If that is the case, the consultant may refer you to another consultant, and if the consultant abides by the IAPSC's code of ethics, he or she will not accept a referral fee.

Discuss the project, fees, and expenses with the consultant in advance. Get the full details. How much does the consultant charge? How is work billed? Is there an hourly, daily, or weekly rate? Will the consultant quote a "not-to-exceed" figure?  Who pays expenses? Will the consultant travel first class, stay in a five-star hotel, and eat only the best milk-fed veal, or are there limitations placed on expenses?  How is travel time billed? Are you billed portal to portal? Who buys airline tickets? Who pays expenses if meetings are changed, airports are snowed in, or the consultant is stranded in a hotel due to flight delays? What receipts or proof of expenses are required? The more details you iron out in advance, the fewer surprises there will be later.

Expect to treat a consultant, for purposes of travel expenses and comforts, at a level equal to your own or that of the chief administrative or financial officer of your company. After all, the consultant is an expert in his or her field-- probably the president of his or her own company-- who is being called in because of special knowledge and skill. If the vice president flies first class, your consultant should be expected to fly first class. If the vice president flies coach, you may be reasonable in expecting the consultant to fly coach. But remember, when you insist on travel arrangements that take the consultant into a suburban airport rather than a major airport or that result in connecting rather than direct flights, you may be achieving false economy. You will probably be billed for travel time, including time the consultant spends in a taxi or an airport lounge.

Look at the question of expense and fees sensibly. If the consultant flies from Chicago to Boston in the morning to attend a 1:00 p.m. meeting, then flies back to Chicago on a 6:30 p.m. flight, arriving home at midnight, he or she may be entitled to fly first class. After all, the consultant is saving you hotel and breakfast expenses and is enduring a physically difficult schedule to accommodate your needs.

Fees vary from consultant to consultant and project to project. While some industry directories include sample hourly fees, these may vary drastically. When seeking a comparison of fees and expenses, the best approach is to prepare a bid proposal outline, stating exactly what you want a consultant to do for you, and ask interested consultants to provide a proposal that addresses your concerns. In this way, all consultants you approach will be quoting a fee on the same project scope.

When evaluating proposals, it is important to know a low hourly fee may not necessarily be an advantage, unless the consultant assures you the project will not exceed a given number of hours. Some consultants cost less but take more time. Some cost more but, due to their experience, can resolve problems more quickly.

If you want to eliminate any possibility of misunderstanding between you and your consultant, regarding the scope of services or fees, spell out your expectations in a contract. Some consultants prefer to prepare a proposal for your review and signature. If this document is not clear, leaves questions unanswered, or fails to tell you what you will get for your money, request that it be modified.

What should you get for your money? That, of course, depends on the project. A preliminary evaluation might be required before a consultant can give you a formal proposal. Too many clients want a price quotation, but don't want to pay for the consultant to visit their facilities. You can't get an estimate on the repair of your toaster without paying for it, so you can't expect a consultant to fly across the country to visit your site without compensation. Some consultants will perform a preliminary visit at a reduced rate, but they will, justifiably, not solve your problems during that visit. Others expect a higher fee, and will freely discuss apparent solutions.

Some reputable consultants include in the consulting contract what you will not get as well as what you will receive. Be sure you are in full agreement about expectations. If you want a written report, ask for a written report. If you want an oral report, specify an oral report. Your consultant may advise you on the type of report he or she feels you should receive. For example, if the consultant is performing a litigation avoidance survey, he or she may suggest that you not request a written report, which might be subpoenaed at a later date and used against you. Whatever you decide, be sure you and the consultant agree. Perhaps the greatest area of disagreement between consultant and client is the  quality of product to be delivered, and the product is usually the report.

If your problem requires specialized equipment such as an improved alarm system, agree in advance whether the consultant should recommend specific products. Some consultants won't-- or can't-- make recommendations. Decide whether you want a basic concept report, a conceptual layout, or specifications and bid documents. Some consultants consider it unethical to specify products or equipment by name, but there is nothing in the code of ethics of any security, fire protection, electrical engineering, or architectural association to prevent this. In fact, it is difficult to serve a client without providing occasional product cut sheets recommending specific products. An ethical consultant will do so without a conflict of interest and, while he or she might have a product preference, can generally recommend "equals."

If you want the consultant to visit your site and make a formal presentation of his or her report, spell this out. If you want the consultant to do the work and not delegate it to an employee or associate, or if you have a time limitation on delivery of the report, specify these things. You have a right to know if the consultant has other major projects in progress that detract from his or her ability to meet your needs. And, if you pay your consultant a regular retainer, you have a right to expect priority service.

Since the consultant will be gathering considerable information about your organization, including its vulnerabilities, you should consider limiting the amount or type of material he or she is allowed to retain. That material should remain confidential, and the consultant should be restrained by contract from making his or her findings or any details of your project public. If the consultant is permitted to retain notes and copies of your report, blueprints, or other materials, specify that they be maintained in a secure manner. There are serious legal issues regarding whether you can compel a consultant to turn over to you all notes and materials stemming from your project. If you contractually obligate your consultant to do so, you deny him the opportunity to defend himself in a future error and omission lawsuit and, therefore, you may lose your right to bring such a suit.

When a consultant embarks on a complex assignment, he or she may encounter problems that must be resolved but were not anticipated. You have a right to expect the consultant to provide you with answers to your questions or solutions to your problems, but you must understand that these unforeseen problems will require a flexibility of contract and budget. Agree in advance on a means of approving additional work that might result from the project. An ethical and experienced consultant should be able and willing to point out the types of problems that might arise and expand the scope of the project and the project budget. You should require, however, that the consultant keep you informed of additional costs as they arise so there are no surprises when the bill comes.

When your consultant arrives for work, make every effort to make his or her time productive. If possible, provide an office with a phone and necessary supplies. Introduce the consultant to the staff and clerical support persons who can facilitate his or her efforts. Time is money, and you are the one picking up the tab.

If your consultant needs access to information before conclusions can be drawn, ascertain whether you can provide that information in a concise format. For example, if you are asking your consultant to audit your manpower and determine whether you need additional security personnel, provide all necessary information regarding the number of current personnel, sick days used, vacation days used, length of vacation provided for each position, and vacation accrued by staff. Your secretary can assemble that data much less expensively than a consultant can. Don't give the easy work to your consultant!

During and after your project, you are entitled to access to your consultant. While the consultant is not required to report findings or share information until the final report is made, you can expect interim reports to ensure that the work is on target. Agree in advance how much the consultant will charge for follow-up phone consultations after the project is concluded. Many consultants include a reasonable amount of follow-up consultation in the project, while others bill for each phone call. In any case, you cannot expect your consultant to incur phone expenses or to spend any great amount of time on your behalf without compensation. This is why you may wish to consider a retainer.

The most successful relationships with consultants
exist in organizations where the consultant is invited in to reassess or reevaluate conditions periodically. When a problem occurs, a new consultant will not be able to come in and react immediately to your needs. He or she must be familiar with your facility and its unique situation. Interim and follow-up visits need not be costly, and they should be seen as an investment in the future. In return, you will receive an investment in commitment from your consultant.

Your security consultant should be viewed as an objective member of your team who, by virtue of his distance from your day-to-day situation, can provide you with valuable input and support in your efforts. He is a highly qualified specialist who, contrary to popular belief, works very hard for his money. While your hourly wage may be lower than his, your insurance, hospitalization, and other valuable benefits-- including an office telephone, copier, and other necessities-- are paid for. A good consultant has nothing to sell but time and experience. The consultant earns his or her wage through hard work and spends many hours in airport waiting rooms. Good consultants have paid their dues with years of hard work. If properly utilized, they can be of great value and can possibly save you far more than the cost of their fees.  The burden is on you to seek out  professional practices and a member of the qualified professional who can meet your needs. Just Remember, in services, as in products, you get what you pay for.

 
Clearing Up Cloudy Skies: 
How To Hire A Security Consultant

The author is a Principal of Architect’s Security Group, formerly Steve Keller & Associates, Inc. Protected by Copyright All Rights Are Reserved.