Why Hire a Security Consultant

Transcription

1 Why Hire a Security Consultant Everyone is familiar with the statement Consultants are people with briefcases who do not know our business and who, for a fee, will tell us what we already know. That statement, which dismisses the value of consultants across the board, may engender some smiles, but it certainly is not a philosophy by which to manage an organization. Consultants can make important contributions to the success of an organization. This paper will discuss those contributions based on the organization s functional sophistication. As a security professional and consultant in the area of protecting people, property and information, the examples will relate to the security function. The information presented, however, will also be valid for other functional disciplines (e.g., aviation, safety, public relations, etc). The information will cover four stages of sophistication of the security function: No Function, New Function, Established Function and Sophisticated Function. No Function The vast majority of organizations do not have a formal security function 1. Generally, this is due to the size of the organization. A small organization, for example, will likely never have one. On an informal basis, management simply does what needs to be done vis-à-vis security. They can contract with an alarm company for a security system; have a locksmith install the proper locks; etc. This concept is employed because the security risk exposure for the organization is extremely low and/or the revenue stream cannot support a formal security function. The downside to this approach is: Management in small organizations wear many hats and likely does not have the time to deal with security unless it is creating significant pain; Management generally has no securityrelated knowledge or skills, so security efforts may not be as effective or efficient as desired; and There may be holes in the organization s security program that are not obvious, but which have the potential to result in risks/losses. A consultant can provide value to this type organization by conducting assessments of the existing security program and of the risks/vulnerabilities faced by the organization. These activities can identify ongoing losses, the potential for loss and liability exposure, and gaps in the program. A consultant can also be a valuable resource for the occasional security question. It can prove to be extremely useful for an organization to have a subject-matter-expert on-call when the occasional security question/issue arises, especially when there is no cost for such an arrangement unless the service is used. As an example, if a small business owner decides an alarm system is necessary, a security consultant can provide the owner with an opinion as to whether the system, as proposed, will meet the owner s objectives and do it at a reasonable cost. New Function As organizations grow in size and complexity, there comes a point where the management handles security concept becomes unworkable and the need for a security function becomes apparent. When this organizational inflection point is reached, the most frequent approach is to formally assign security responsibilities to someone who is managing another functional area (e.g., Human Resources, Facilities, etc.). When security functions are first established, it is typically in response to a specific problem, and it is common to see the security efforts address that 1

2 one need. As other security problems arise, they too will be addressed in the same manner. The tendency to reactively address each new problem as it comes along can result in an inefficient hodgepodge of security processes and procedures. Exacerbating that problem will be the fact that the manager in charge of security will likely have no security expertise. The solutions and processes they develop will sometimes be by trial and error. Other times they will reach out to a security equipment or services provider for guidance. That approach has the potential to be more effective than a trial and error approach, but it is useful to remember the saying To a hammer everything looks like a nail. With that in mind, it is not difficult to imagine what might be a key part of a solution envisioned by a company that sells security cameras, or by a company that is in the guard business. It is not that equipment/services vendors cannot provide value, but rather that they have a perspective that may be influenced by the products or services they offer. This is where a consultant can make a contribution. An independent consultant (i.e., one that is not affiliated with companies providing products or services) will not have a bias in their approach to developing solutions. They will also be familiar with the tendency to approach security in a reactive manner and the inefficiencies of that approach, and will be able to provide guidance that will permit the organization to develop their program in a proactive manner. A consultant can inject the wisdom gained from years of experience with a variety of organizations. As a result, they can envision where the function will likely need to be in the future and can recommend a course of action and program components that will meet the organization s current needs and also be scalable and positioned to meet future needs. Simply stated, a consultant will be able to get the organization on the road to success without having to experience a steep learning curve littered with the cost and pain of a trial and error approach. It is a matter of the organization availing itself of the consultant s skills, knowledge and experience to be as efficient and effective as possible right out of the gate. Established Function The established function 2 stage is where many formal security functions reside, and where they can become stuck. In this stage, the organization is comfortable with the services provided by the function and the manner in which they are provided. Security staff has processes and a routine in place and is comfortable in what they are doing and how they are doing it. Unlike most other business functions, senior management likely knows little or nothing about what the security function should be doing and how it should be doing it. That results in a lack of critical oversight that other functions enjoy. It boils down to this: The security function has been around a number of years, they generally seem to have things under control, and management is content if there are no major incidents. In this organizational environment, because there are no security events of a magnitude that warrant senior management involvement, there are important questions relating to security that may not be asked, such as: Does the security function have a good handle on the business of the organization and the most critical security risks it faces? What does security see as the most critical security risks, why has it classified them as the most critical, and does senior management concur with their assessment? Is security focusing on the most critical risks and mitigating them in an effective and efficient manner? Does the security staff have the necessary knowledge and skill sets, and is there an effective process in place to ensure they continue to upgrade their knowledge and skills? Does the security function have the correct touch points in the organization to keep 2

3 abreast of changes in the business, the business environment and the risk picture? Are the security processes accurate, reliable, repeatable, scalable, documented, and followed? Are metrics in place to allow management to measure the effectiveness of the function and to identify anomalies that need to be addressed? This is where a consultant can make important contributions through an assessment of the risks faced by the organization and an assessment of the security function itself. The value of using a consultant for such a review falls into a few broad areas: 1. An important part of the assessment process is the gathering and analysis of information regarding management s views of the organization s security risks, and of the effectiveness, support and services provided by the security function. It is generally easier and more effective for management to have that discussion with a consultant rather than with members of the security function. 2. The security function, having been in place for a number of years, may have a parochial view of their world, whereas a consultant would view the organization, their risks and the function with a fresh set of eyes. 3. A consultant will likely have a broader range of experience (e.g., experience with more organizations, more industries, more security situations and solutions, etc.) then the members of the security function, and may visualize risks and opportunities not apparent to management of the function. 4. Because a consultant does not have a stake in the outcome of the assessment, their findings and recommendations will focus on what is in the best interests of the organization, not the best interests of specific individuals or functions. Sophisticated Function The sophisticated function 3 stage is generally found in very large and complex organizations. In this type of organization, senior management likely has an understanding of the key services provided by the security function and will consider the function to be a contributor to the success of the organization. Security functions operating at this level will be in a constant state of refinement and will engage in activities such as: Maintaining vigilance for new and/or evolving risks; Thinking proactively about, and assessing the potential for, risks that have not yet manifested themselves; Revising processes and methods to ensure they are effective and efficient; Providing recurring training to staff to upgrade knowledge and skills; Reallocating staff to meet new challenges; and Upgrading/replacing technology as needed. A security function operating at this stage will typically use a consultant for such things as: Providing services that are infrequently needed and that require highly specialized knowledge, skills and/or equipment; Supplementing security staff during peak periods; Providing assessments the security function cannot provide themselves (e.g., the IRS requires that, under certain circumstances, an independent consultant conduct an assessment of an executive s security risks if the security costs for the executive are 3

4 not to be classified as taxable fringe benefits); or Providing independent evaluations of specific elements of the security function to validate processes. How to Select a Consultant Selecting the right consultant is an important element of success for any consulting engagement. The following points should help to find the right consultant with whom to partner. The points are intended as a guide and are not intended to limit the organization in the processes they normally employ in the evaluation and selection of vendors. An independent consultant (i.e., one that is not part of, or affiliated with, organizations that sells services and/or products) will help to avoid a concern that they may have a divided interest or bias. Professional certifications, the authoring of books or published articles, and/or continuing education will all be indicators they are improving their knowledge/skills on a continuing basis. A broad background (e.g., years in the profession, range of topical experience, experience in a range of industries, etc.) is an indication they have seen and solved a large number of diverse problems. If the issues to be addressed are very specialized in nature, it will be important to find a consultant with experience in that specific area. Sometimes the consulting firm employee with whom the organization is negotiating will not be the individual doing the actual work. As such, it is important to know who will be doing the work, because it is their credentials, experience, demeanor and communication skills that matter. Asking the consultant how they will go about performing their work (i.e., their process) can be useful in developing a level of comfort that the consultant has done similar work before and does follow a defined process. No consultant can do everything. Be suspicious if they say they can. Ask for, and expect to receive, a few examples of assignments they do not have the required knowledge or skills to undertake. Checking references can be valuable. Useful areas of inquiry would be: the value of the services provided by the consultant, the overall quality of the products that were delivered, whether deadlines were met and the consultant was appropriately responsive to the clients needs, how well the consultant interfaced with the clients and others in the clients organizations, etc. Pay attention to the fine points of the initial contacts with the candidate consultants. If s and other written materials are not professional in nature and/or if the consultant s responses to phone calls and s are not prompt, it is reasonable to assume they will not improve if the consultant is retained. A good starting point when searching for a consultant is the International Association of Professional Security Consultants. The bottom line is that the broad range of experience and wealth of specialized knowledge a consultant brings to the table can help organizations improve their effectiveness and efficiency by helping to see the forest for the trees and consider approaches or solutions that had not been previously contemplated. 4

5 End Notes: 1 For the purposes of this paper, the term formal security function is defined as a distinct organizational unit populated by one or more individuals with training/skills specifically relating to the protection of people, property and information and who dedicate the majority of their time to that responsibility. 2 Defined as a function with dedicated staff and defined processes that have been in place for a number of years. A number of processes will be documented, repeatable and providing value-added services. The function may or may not have identified the most critical risks to the organization and may or may not be mitigating them in the most effective and efficient manner. 3 Defined as a function led by a security professional at the executive level in the organization that typically is no more than one reporting level removed from the CEO. Staff is composed of individuals who have robust experience in the security profession, with many holding professional certifications. Processes are well defined, documented and repeatable. The organization s risks are understood and classified as to criticality, there are reliable processes in place to identify and adapt to changes in the risk environment, and metrics are in place to measure performance and highlight anomalies and/or opportunities for improvement. About the Author John Cholewa, CPP, is the owner & principal consultant of Mentor Associates LLC, a Colorado based security management consulting firm. His 35+ years of experience includes servicing as security director for four Fortune 500 companies. He is the recipient of a Bachelor of Science in Law Enforcement from the University of Maryland, a Master of Arts in Business Management from Central Michigan University, and is Board Certified in Security Management. His book, Developing and Managing Physical Security Programs: A Guide for Facilities and Human Resources Managers, is designed to guide non-security professionals charged with implementing and managing physical security programs. 5