If You Don’t Like What a Security Consultant Tells You, What Can You Do?
When you ask a security expert to perform a security assessment and risk analysis, you’re bringing in a consultant, and paying them to give you their professional opinion and recommendations for making your site more secure.
But what if, after the assessment and analysis, you don’t agree with the results? What if the security recommendations are at odds with your organization’s brand, site, or culture?
It can be jarring when a security expert makes recommendations you don’t want to implement, but it’s important to understand that you do have options when you don’t agree with the results of a security assessment and risk analysis.
What happens when a business doesn’t agree with security recommendations?
I once performed a risk assessment of a utility company’s payment center. The organization was renovating their lobby. They wanted to be stronger and safer, but also wanted to keep an open, friendly, and welcoming feeling at their site.
During the assessment, I discovered that there had recently been several armed robberies in the neighborhood, so I asked the payment center’s tellers how they felt. They were worried about their safety. They often saw angry customers, people who were upset about high utility bills, and they had already received threats. The tellers felt it was only a matter of time before a disgruntled customer came in with a gun.
Based on these concerns, I recommended a much more protective environment in the payment center lobby to make sure the tellers were well-protected. My recommendations included bulletproof glass and other obvious security measures, but the leadership of the utility company didn’t like it; they wanted a friendly environment.
So what are their options in this scenario? Must they do everything I suggested or do they just ignore my report?
What to do when you don’t agree with the results of a security assessment
The first thing to understand is that it’s not a black and white choice: you don’t have to follow the recommendations to the letter, but you shouldn’t simply ignore a report you don’t like either. There are a few best practices that can help you challenge recommendations that don’t meet your needs.
Speak up
The first thing you should do when faced with security recommendations you don’t want to implement is simple: say something. A consultant is paid for their expertise; take advantage of their knowledge and ask about their recommendations. Discuss your concerns. A good consultant will be open to your feedback and be able to answer any questions or concerns you have.
Ask for options
Remember, an assessment should be about the objective (keeping your people from being shot), not the specific countermeasures (bulletproof glass). If a security assessment suggests a countermeasure that’s at odds with your culture, ask if there’s another way to achieve the same objective. A good consultant will offer a variety of suggestions. If you don’t want bulletproof glass, for example, the consultant might suggest having a security officer at the door, or an unobtrusive weapons detection system hidden in the wall. There may also be ways to arrange your lobby that will make it safer for employees and visitors.
Get a second opinion
If your consultant is married to only the countermeasures they’ve suggested, it may be time for a second opinion. Remember: security consultants are not always right. You wouldn’t keep seeing a doctor if you didn’t agree with their diagnosis, so find another professional and see what they say.
Be intentional about choosing a second expert
It’s important to be careful when you choose a second security expert, however. Some experts are more interested in keeping you happy than safe, and will ask up front what you want or need in your security recommendations before writing a report to suit. That’s ethically wrong, and will create a false sense of security for you and your employees. You may not have liked the first set of recommendations, but if a security expert seems to be pandering to you, be aware that’s a red flag. (If the second opinion is the same as the first, however, it may be time to realize you’re wrong, and need to implement some protective measures, even if you don’t like them.)
Invest in security risk assessment software
Digital tools, like security assessment platforms, can help provide a more granular view of your security gaps and offer recommendations for a range of countermeasures. Digital assessment tools can also give your business the ability to perform assessments yourselves. A site manager or other employee can use software to take a first pass at an assessment and track remediations. A security consultant can then review the results of those site assessments and offer their recommendations based on those findings. This is a smarter use of their time, and gives you a more detailed and updated view of your security posture at all your sites.
It’s your security; be proactive about it
Sometimes security experts treat their recommendations as gospel: absolute requirements that must be enforced to the letter. That’s not the case, and it’s a failing in the physical security industry, which needs to improve its reporting process.
As the customer, you should of course always follow a recommendation to protect your people, but when it comes to how you do that, the choice should be yours.
Circadian Risk’s comprehensive security risk platform can help you do that. Our tools transform complex data from multiple sites and systems into visual, actionable insights, helping you quickly identify vulnerabilities, quantify risk, and make confident, informed decisions. Whether you’re assessing physical security, cybersecurity, or organizational culture, Circadian Risk’s risk analysis platform helps ensure your new acquisition strengthens your portfolio, not your exposure.
Schedule your risk-free demo of Circadian Risk’s risk assessment platform today.