Seems like everyone has a horror story about a bad hire. Usually, those are the kinds of stories everyone loves to share because they make for great entertainment. But if your bad-hire story is about a security consultant, you could also be telling a tale about a lawsuit, an attacker, or a natural hazard that put your company in a dangerous position. That’s not so much fun to tell.
If you’re looking to hire a security consultant for your business, make sure you know what NOT to look for. Here are some red flags to avoid.
Avoid These Security Consulting Hiring Mistakes
Law enforcement officers with no security background
There are a lot of retired police officers who start their own consultancies. Some of them are very good, but others don’t have a strong background in security. Security consulting is a different school of thought from law enforcement.
A police officer’s job is inherently to be reactive, and a security consultant’s job is to be proactive. It’s a different line of thinking, and not understanding the difference can get you into trouble. A security consultant needs to look at liability from the perspective of what could happen and how it could affect an organization. But if you come at it from a reactive perspective, you’re just thinking about how to delay and respond. Often you need to mitigate and prevent.
When people retire from a job, their heart and soul usually aren’t in it anymore. If they’re doing consulting, it’s often because they’re looking for an added source of income. When I’ve seen those scenarios, the reports have been the worst reports I’ve ever read. Many retirees just don’t have the same level of dedication as someone whose career is based on security.
Know if the consultant has a career background in security before you hire.
You simply can’t provide an adequate assessment using a paper-based model. It’s inherently a subjective process that won’t give you a reliable assessment of your risk, or detailed corrective actions.
Consultants that rely on paper-based methods typically write their reports with unsecured computers. And when they deliver your unsecured PDF report, they’ll send it via unsecured email.
On the other hand, digital technology keeps your data secure, it provides more in-depth analysis, it’s more efficient, and it allows you to aggregate your data across all of your facilities.
Make sure the consultant is fully insured and carries professional liability insurance. Anyone who isn’t insured is most likely doing security consulting as a hobby and not as a profession.
Okay, there’s nothing wrong with a certification. But many companies look exclusively for security professionals with a CPP, PSP or PCI certification. When they were created four decades ago, they designated people who had an advanced knowledge of security. Now, you can get a bachelors, masters, or doctorate degree in areas such as security management, critical infrastructure protection, or homeland security. It is important to not only look for the certifications but their whole education and expertise. A great consultant has a strong understanding of the industry you are in, the training and education in security, and the experience performing analyzing risk.
The certifications provide a level of credibility, but never eliminate a qualified security professional from consideration simply because they don’t carry one of these designations. Some of the most important people in security have PhDs, but no certifications.
Little time on campus
Some security professionals do a quick survey of a site then spend many hours at their own office writing up a report. Honestly, they should spend a significant amount of time on your campus—and ideally, they should write the report on-site as well.
Expect your consultant to do multiple assessments, at different times of day—otherwise, you won’t get a complete picture of your risks. Each building’s risk changes throughout the day. Differences in lighting, the busyness of the facility, work/non-work hours, special events—all of these factors (and more) affect risk.
I know of a security consulting company that was contracted with a state to do assessments of all their public schools. They sent inspectors out to the field, and the inspectors sent their notes to an administrator. The administrator wrote the reports, not the security professionals who had done the assessments. But the consulting company charged the state the same amount of money for the inspectors’ and the administrator’s time.
There are all kinds of pricing structures that consultants use—and that’s fine. But always be sure that you know what you’re paying for.
Also be wary of very cheap or very expensive services. Cheap consultants are probably just hobbyists that are looking for some extra money. You ultimately will not get the best results. Expensive companies may be charging you the same rate for each person on the project, whether they are a junior, administrator, or senior.
Unrealistic time schedule
Watch out for consultants that promise quick turnarounds in a tight timeframe. Quality risk assessments simply take time. If anyone suggests that they can complete an assessment in a day, walk away.
Several factors affect the amount of time an assessment should take, including:
- The complexity of the organization. Churches don’t vary much from one to another, but chemical facilities or hospitals have a lot of complexity to consider.
- Size of the facility. A single small business will be much different from an organization with multiple buildings on its campus.
- Regulatory issues. Does your company need to meet specific regulations or compliance standards?
Using digital technology will cut these times down (and boost assessment quality), but even then you should expect the inspection itself to take some time—anything from a couple days for a small building to a couple weeks for a large campus.
I’ve seen some consultants talk about their past clients’ security problems. I was at a DHS-sponsored training class, and the presenter was talking about a facility’s vulnerabilities. During the discussion, we realized that it was a real facility, not a mock scenario. They gave us the name of the company, its location, and specific real-life vulnerabilities the client had. I was shocked—but this presenter isn’t the only consultant out there who isn’t careful enough with his clients’ information.
Must-Ask Questions Before You Hire
Here’s a quick sample set of questions to keep on hand while you’re vetting prospective security consultants.
1. Who are your past clients? If the consultant divulges specific names, they’d better have permission! Ask to see it in writing. A lot of clients don’t want people to know that they work with a security consultant, and a company that freely lists its clients without permission isn’t trustworthy.
2. Are you familiar with our standard?
3. What is your background? For example, if they’re a police officer, find out what other types of security assessments they’ve done.
4. How many people will work on this contract? I always recommend using multiple people.
5. When will you do the assessments? Look for multiple times of day and multiple days.
6. What technology will you use? If possible, avoid professionals who don’t use digital technology to do their assessments.
7. What’s the end deliverable? Some consultants will give a report with their findings, but no recommendations. Some will give recommendations, but not detailed corrective actions.
8. Do you have any relationships with first responders? Consultants should be talking with local law enforcement and other first responders, who can provide input on their own concerns about your facilities.
9. Do you have partnerships with other integrators? Think of your security consultant as a general practitioner. If they’re connected to specialists in the field, they can get access to a deeper wealth of expertise if the need arises on your site.
Invest Wisely in Your Company’s Future
A risk assessment isn’t just a cost to your company—you’re investing into the safety of your employees, your facilities, and your company’s future. The wrong consultant can give you a false sense of security. But if you know what to look out for, you’ll be more certain to hire someone you can trust to keep your company safe.