“My question set is my secret sauce.”
We often hear this from security consultants and practitioners when they’re talking about the questions they use to perform risk analyses. Many consultants believe their security questions differentiate them from the competition. They believe they have the best assessments for their industries.
This usually comes up when we’re about to input their questions into the Circadian Risk platform; consultants worry that their proprietary question set will be shared with everyone who uses our software, and that the competition will get access to their “secret sauce.”
There are a few misconceptions here. First, we never share question sets without explicit permission from a client. Second, most question sets are the same. I have never seen a question set so unique that it’s better than anybody else’s. Third, your question set isn’t what sets you above the competition at all; it’s something else entirely.
What is a question set?
A question set is the list of questions or checklists a security consultant uses to perform a risk analysis at a site. These can vary a little, depending on the way the risk analysis is being conducted. There are three ways of doing this.
Many industries comply with specific security standards and regulations. For example, importers and freight companies comply with Customs Trade Partnership Against Terrorism (CTPAT). When a site is being assessed using a standard like CTPAT, assessors use a standard question set, or a question set based on the standard’s requirements.
Some industries aren’t governed by standards. In this case, companies or assessors often come up with their own questions, based on voluntary standards, best practices or guides. This often takes the form of a checklist.
Ad hoc assessment
Ad hoc assessments are assessor-based rather than question-based. While there might be some guiding questions during an ad hoc assessment, typically there is no question set at all. Instead, an individual assessor writes their observations about your site’s security. True risk analysis can’t be done during an ad hoc assessment, because it’s so subjective.
In all these cases, most assessors are asking the same questions about a site’s risk. Circadian Risk has a slightly different approach. We’ve created scenario-based risk assessments.
Question sets for scenario-based risk assessments
A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, compliance standard, or hazard. Rather than using a general question set to assess the vulnerability of an entire site, a scenario-based assessment evaluates the risk of one specific scenario happening at each site. Your question set to evaluate the risk of theft, for example, would be much different than the one you’d use to assess the risk posed by a tornado.
Assessing risk by scenario allows you to normalize data, so we can do comparison and trend analysis, recommend countermeasures that apply to the scenario, and track remediation in our platform.
Your question set doesn’t differentiate you; you do that yourself
In the end, it’s not the question set you use. It’s the end deliverable and the service you provide to your clients that sets you apart.
As a consultant, it’s important to ask yourself what you are going to provide to your client that differentiates you. Don’t be afraid to let your expertise show. Many consultants don’t recommend products, for example. Clients, however, need your expertise when choosing cameras or other technology. Help them by explaining which products work best.
Many consultants provide a narrative report. Differentiate yourself by offering a digital report that clearly shows data about their risk and allows your client to remediate that risk based on the best countermeasures on the market.
Your clients rely on you, not your question set. By providing excellent service, you can stand out from the competition and keep your clients safe.