By Stephen R. Zimmerman
June 26, 2002 -- Hiring an independent security consultant has many advantages: an objective perspective; a new outlook on old problems; and new ideas and solutions resulting from a diverse set of experiences.
As with any major security decision, however, it pays to do research and to ask questions in advance. On the surface, hiring a security consultant to improve your security policies and procedures while mitigating your security risks and vulnerabilities may seem like a relatively easy decision process for a company. But as Arnold Palmer said about the game of golf, "It's deceptively simple, yet endlessly complicated."
Here are 10 basic questions businesses and utilities may want to ask about their organizations and about the security consultants they intend to hire:
1) Is my organization really willing to make changes? Your security consultant may ultimately recommend some significant changes in equipment, personnel or procedures. Do you have commitment from your executive leadership to spend the time and money needed to make changes? Will they back you up long term, especially when difficulties arise, such as employee resistance to change or challenges from shareholders? Will they follow through?
2) Does this consultant know my industry? Analyzing threats to water treatment plants is very different from evaluating dangers at schools, which is different from the hazards at airports. While there may be some common issues, there are enough significant differences that specialized experience and knowledge are crucial.
3) Are there competing or conflicting interests at work? Some consultants are truly independent, representing neither a particular company nor particular technology solution. Others, however, may be using their consulting services as a "door opener" to sell particular products and services you may or may not need but for which a consultant may collect commissions or other fees.
4) Will you be independent or dependent when the project ends? The ideal consultant will not only help you solve the current problem but also equip you with skills and knowledge to begin to tackle the next one. You may not be able to solve all future problems on your own, but you should know enough to begin preparing ideas.
5) Will the consultant's services include training seminars, materials or other extras to use with the staff? No doubt you'll need to educate others within the company about your new security procedures and changes. The consultant should have the skills and abilities to conduct implementation and follow-on training as required.
6) How comprehensive is the consultant's knowledge and approach? In some cases, you're hiring a consultant to solve a specific problem (for example, finding and installing biometric devices for access control). Using a consultant that has a broader perspective, however, means possibly identifying and solving problems you may not have considered before (for example, do the new access controls have any legal implications requiring new human resource policies?).
7) Who's on the case? You might have a highly experienced, senior consultant make the "pitch" to get your business. But will you ever see that expert again after you've signed on the dotted line or will your job be relegated to junior staff? Make sure you get the experience you pay for.
8) What are the steps in the evaluation, planning and implementation process the consultant will use? Is it a cookie-cutter approach or are the consultant's methodologies customized to your specific needs? For example, some security consultants use a "cookbook" checklist originally designed for another application - checking manufacturing warehouses, for example - but which is now relegated to being a catchall assessment used for every facility. Remember: when all you sell are hammers, every problem looks like a nail. Don't get nailed.
9) How does the security consultant meet reporting requirements? Make sure that you discuss exactly what it is you require from the consultant as a reporting deliverable (or series of deliverables) for your security assessment. For example, do you want the consultant to deliver the final report in a written form that will be discoverable through the Freedom of Information Act? Or would your requirements be better served by having the consultant give you an oral presentation of your vulnerabilities? Make sure these requirements are settled at the start of the project.
10) Can the security consultant advise on implementation and training? To ensure consistency in the transition from remediation recommendations to security systems implementation, it is best to ensure that your security consultant will be able to provide technical training for new security policies, procedures, and systems implemented as a result of your facility risk and vulnerability assessment.
After you've gone through this "deceptively simple, yet endlessly complicated" process - from hiring a competent security contractor to implementing the contractor's recommendations - the most important question remaining is "When do I start this process all over again?"
As your security consultant can tell you, the answer to that question is "right away." As in the game of golf, your handicap is directly related to your follow-through and regular practice.
About the Author: Stephen Zimmerman, Vice President of Security Services for ATOG, has more than 30 years of security, law enforcement, engineering, and academic experience with professional expertise in conducting military, government, and commercial security risk and vulnerability assessments, including: international airport passenger and employee operational facilities; U.S. Army Corps of Engineers physical security survey and force protection operations; and commercial business physical protection surveys and loss prevention assessments.
ATOG (the Anti-Terrorist Operations Group) is an Atlanta, Georgia-based company that specializes in developing strategies for protecting and assuring the continued operation of critical infrastructures. ATOG is currently working with the Transportation Security Administration (TSA) at Baltimore-Washington International Airport on a prototype security surveillance systems project that could impact surveillance standards at airports throughout the United States.