Hiring a Consultant
Hiring an independent security consultant has many advantages: an objective perspective; a new outlook on old problems; and new ideas and solutions resulting from a diverse set of experiences. As with any major security decision, however, it pays to do research and ask questions in advance. On the surface, hiring a security consultant to improve security policies and procedures while mitigating security risks and vulnerabilities may seem like a relatively easy decision, but it can be a complicated process.
Here are 10 basic questions the Anti-Terrorist Operations Group (ATOG) suggests asking about an organization and the security consultant to be hired:
- Is my organization willing to make changes?
Your security consultant may ultimately recommend some significant changes in equipment, personnel or procedures. Do you have commitment from your executive leadership to spend the time and money needed to make those changes? Will they support the projects for the long term — especially when difficulties arise, such as employee resistance to change or challenges from stakeholders?
- Does this consultant know my industry?
Analyzing threats to water treatment plants is very different from evaluating dangers at schools, which is different from the hazards at airports. While there may be some common issues, there are enough significant differences to require specialized experience and knowledge.
- Are there competing or conflicting interests at work?
Some consultants are truly independent, representing neither a particular company nor a particular technology solution. Others, however, may be using their consulting services as a “door opener” to sell particular products and services you may or may not need, but for which a consultant may collect commissions or other fees.
- Will you be independent or dependent when the project ends?
The ideal consultant will not only help you solve the current problem but also equip you with skills and knowledge to tackle the next one.
- Will the consultant’s services include training seminars or other materials to use with the staff?
No doubt you’ll need to educate others within the company about your new security procedures and changes. The consultant should have the skills and abilities to conduct implementation and follow-up training as required.
- How comprehensive is the consultant’s knowledge and approach?
In some cases, you’re hiring a consultant to solve a specific problem. Using a consultant with a broader perspective, however, means possibly identifying and solving problems you may not have previously considered.
- Who’s on the case?
You might have a highly experienced, senior consultant make the “pitch” to get your business. But will you ever see that expert again after you’ve signed on the dotted line? Make sure you get the experience you pay for.
- What are the steps in the evaluation, planning and implementation process the consultant will use?
Is it a cookie-cutter approach or are the consultant’s methodologies customized to your specific needs? For example, some security consultants use a “cookbook” checklist originally designed for another application, such as checking manufacturing warehouses, which is now relegated to being a catchall assessment used for every facility.
- How does the security consultant meet reporting requirements?
Make sure you discuss exactly what is required from the consultant as a report for the security assessment. For example, do you want the consultant to deliver the final report in a written form that will be discoverable through the Freedom of Information Act? Or would your requirements be better served having the consultant give you a presentation of your vulnerabilities? Make sure these requirements are settled at the start of the project.
- Can the security consultant advise on implementation and training?
To keep the transition from remediation recommendations to security systems implementation consistent, it is best to confirm that your security consultant will be able to provide technical training for new security policies, procedures and systems implemented as a result of facility risk and vulnerability assessment.
Don Buzzelli is CEO of the Anti-Terrorist Operations Group (ATOG), an Atlanta-based company that specializes in developing strategies for protecting and ensuring the continued operation of critical infrastructure.