The right security consultant can offer invaluable service and guidance to help make a protected environment safer and more secure. But not all consultants are created equally. What’s more, the conventional playbook is definitely not the most effective one. To our mind, thinking outside the box is mandatory. Here’s what to look for:
1 Holistic Knowledge. There are many practitioners who know executive protection, physical security, loss prevention, security technology. You need a security consultant who has knowledge and experience in many different facets. Vulnerabilities are never limited to specific areas. Knowing what to look for and which procedures work best in a mail room can be just as important as knowing about access control.
2 Ability to Study. The consultant must be open to and able to learn. It’s nowhere near enough to come in with a know-it-all attitude like “this is how we handled things when I was with the FBI…” A security system is based on four pillars: marketability, liability, budget and the adversary. The consultant has to closely study the client and their environment and understand both the physical elements and the culture. If users don’t buy in to the need for and approach to security, even the very best recommendations will not be implemented and therefore not be applied.
3 Knowledge of the Adversary. It is not enough to have knowledge of various security solutions. The consultant has to also be an expert in how the adversary operates. And even with adversarial knowledge, there are multiple levels of expertise. An ex- seal team member may know how to attack an adversary using military techniques, but they don’t necessarily have skills for intelligence gathering. Consultants who come from a single discipline may only have expertise in one or two facets of adversarial operations. Yet adversaries use multiple paths – they recruit, have tactical skills, use social engineering and more. Only a consultant with a well-rounded understanding of the adversary will be able to create a proactive security system.
4 Ability to ‘Sell’ Security. For a security system to work well, everyone has to be on the same page. A consultant therefore has to be able to communicate information to every stakeholder on the client’s management team in order to get that vital buy in. Convincing everyone how security should work and why it is important requires solid communication skills, a clear notion as to who the decision makers and leaders are, mixed with a touch of political acumen.
5 Reporting. Boilerplate doesn’t cut it. Neither does a recitation of facts. A consultant’s findings need to be put in a clear, logical, detailed working document that the client can then use to establish a budget and priorities. The report needs to be written with both Board members, Operations and Security Managers in mind. It is a tool, not an afterthought.
6 Human Element. The security consultant must have deep understanding of the human element side of security, not just of cameras, alarms and locks. The best security system in the world can be brought down in a second by human error (or deceit). What are the skill and knowledge gaps at every level of the security team? Does the admin assistant know how to deal with a threatening call? Does the Security Officer understand his primary and secondary security objectives for the given environment? Does he know the next step to take once a threat is detected?
7 The SOP. The Security Operating Procedures may seem a dry document to some, but it should be the core of a security system, not just an administrative feature but a proactive tool. The consultant needs to have the skills to assess procedures and then write them out clearly and efficiently. The SOP dictates training. It supports a threat-oriented stance. For example, a deficient SOP would say ‘check door number 3 every night at 9:00PM’. Checking a door is fine, but if the objective is securing access, then the SOP also needs to cover indicators related to using a false ID to access a building. Because whether or not a door is locked, an adversary may have stolen a pass card.
8 Reputation. Like hiring for any position, talk directly to a consultant’s references and ask a lot of questions. No one knows better than an existing or previous customer how a given security consultant performs, despite their claims and salesmanship.
9 Independent. A security consultant should not have direct ties to security vendors, integrators or physical security service providers. The sole agenda needs to be the security interests of the client, without other influencers.
10 Methodology. You don’t hear this every day, but security solutions must be based on a methodology. A security consultant needs to recommend a methodology that will provide clients principles on which to base decisions going forward in the long term. This is opposed to telling a client, here is a hole that needs to be fixed. And then what? An old but apt analogy would be the value in teaching a client to fish versus giving them a fish. Based on an proactive threat methodology like the establishment of security rings, the client will know where and how to post officers. They will know not only how to hire guards in the future but also to post them facing outwards, not inside.
11 Force Multiplier. An astute security consultant will talk to everyone involved in an operation, from the gardener to the CEO, from the Human Resource Director to the receptionist. Everyone has information to offer that might be useful, making each individual a potential force multiplier. Involving them makes them a part of the security system.
12 Quality Assurance. Car manufacturers do it. Makers of video games do it. Bankers do it. We are talking about Quality Assurance. Once the security assessment is done, keeping the security system as a whole effective is critical, otherwise a client will lapse back to, god forbid, the status quo. A good security consultant understands the importance of quality assurance and that threats change and so too should a client’s security. Testing the security system to make sure it’s working is part of forward maintenance. Are the officers doing a good job? Are protocols being followed? The only way to know is via quality assurance testing.