Seems like everyone has a horror story about a bad hire. Usually, those are the kinds of stories everyone loves to share because they make for great entertainment. But if your bad-hire story is about a security consultant, you could also be telling a tale about a lawsuit, an attacker, or a natural hazard that put your company in a dangerous position. That’s not so much fun to tell.
If you’re looking to hire a security consultant for your business, make sure you know what NOT to look for. Here are 11 red flags to avoid.
Avoid These Security Consulting Hiring Mistakes
- Law enforcement officers with no security background
There are a lot of retired police officers who start their own consultancies. Some of them are very good, but others don’t have a strong background in security, and that can be a problem.
A police officer’s job is inherently to be reactive, and a security consultant’s job is to be proactive. It’s a different line of thinking, and not understanding the difference can get you into trouble. A security consultant needs to look at liability from the perspective of what could happen and how it could affect an organization. But if you come at it from a reactive perspective, you’re just thinking about how to delay and respond. Often you need to mitigate and prevent.
When people retire from a job, their heart and soul usually aren’t in it anymore. If they’re doing consulting, it’s often because they’re looking for an added source of income. When I’ve seen those scenarios, the reports have been the worst reports I’ve ever read. Many retirees just don’t have the same level of dedication as someone whose career is based on security.
Know if the consultant has a career background in security before you hire.
Having a security person for prevention and a law enforcement officer for response is a great combination if you have a team you can work with.
- Someone who doesn’t takes your culture seriously
A culture mismatch between you and your consultant might seem like a small issue, but it can be a huge problem. If you’re a startup and you hire a security consultant who is dismissive of a tech-style workplace culture, their reaction to your culture will undermine your relationship, and their risk assessment may be (at best) too harsh and (at worst) completely useless to your organization.
Culture mismatches go beyond someone who might turn up their nose at the open-plan seating, creative problem-solving, and beanbag chairs of start-up culture. If a security culture is racist, homophobic, or misogynist, that’s also a cultural difference that can be devastating if you don’t do your research before making a hire.
- Tech-timid professionals
You simply can’t provide an adequate assessment using a paper-based model. It’s inherently a subjective process that won’t give you a reliable assessment of your risk, or detailed corrective actions.
Consultants that rely on paper-based methods typically write their reports with unsecured computers. And when they deliver your unsecured PDF report, they’ll send it via unsecured email.
On the other hand, digital technology keeps your data secure, it provides more in-depth analysis, it’s more efficient, and it allows you to aggregate your data across all of your facilities.
Can you do 100 risk assessments in 30 days? Find out how.
- Uninsured consultants
Make sure the consultant is fully insured and carries professional liability insurance. Anyone who isn’t insured is most likely doing security consulting as a hobby and not as a profession.
There’s nothing wrong with a certification. But many companies look exclusively for security professionals with a CPP, PSP or PCI certification. When they were created four decades ago, they designated people who had an advanced knowledge of security. Now, you can get a bachelors, masters, or doctorate degree in areas such as security management, critical infrastructure protection, or homeland security. It is important to not only look for the certifications but their whole education and expertise. A great consultant has a strong understanding of the industry you are in, the training and education in security, and the experience performing analyzing risk.
The certifications provide a level of credibility, but never eliminate a qualified security professional from consideration simply because they don’t carry one of these designations. Some of the most important people in security have PhDs, but no certifications.
- Little time on campus
Some security professionals do a quick survey of a site then spend many hours at their own office writing up a report. Honestly, they should spend a significant amount of time on your campus—and ideally, they should write the report on-site as well.
Expect your consultant to do multiple assessments, at different times of day—otherwise, you won’t get a complete picture of your risks. Each building’s risk changes throughout the day. Differences in lighting, the busyness of the facility, work/non-work hours, special events—all of these factors (and more) affect risk. If I’m doing consulting, I request office space at that location. If your consultant isn’t there, they’re not getting a full picture of the risk.
Who is in your building? 3 Best Practices for Visitor Management
- Opaque pricing
I know of a security consulting company that was contracted with a state to do assessments of all their public schools. They sent inspectors out to the field, and the inspectors sent their notes to an administrator. The administrator wrote the reports, not the security professionals who had done the assessments. But the consulting company charged the state the same amount of money for the inspectors’ and the administrator’s time.
There are all kinds of pricing structures that consultants use—and that’s fine. But always be sure that you know what you’re paying for.
Also be wary of very cheap or very expensive services. Cheap consultants are probably just hobbyists that are looking for some extra money. You ultimately will not get the best results. Expensive companies may be charging you the same rate for each person on the project, whether they are a junior, administrator, or senior.
- A fuzzy process
If your consultant isn’t telling you how they’re going to get the job done, that’s a red flag. A good security consultant should offer up an outline of their process, their objectives, their deliverables, and their expectations of you as a client.
Knowing a consultant’s process is important because it helps you plan ahead. You should know if you’ll be sitting in two hours of interviews with them, or if the site managers need to schedule an hour with the consultant each. If the consultant simply says “I’ll perform an assessment,” that’s not good enough — you won’t know how long the assessment will take, what meetings you need to schedule, or what they’ll be doing on your sites.
- An unrealistic time schedule
Watch out for consultants that promise quick turnarounds in a tight timeframe. Quality risk assessments simply take time. If anyone suggests that they can complete an assessment in a day, walk away.
Several factors affect the amount of time an assessment should take, including:
- The complexity of the organization. Churches don’t vary much from one to another, but chemical facilities or hospitals have a lot of complexity to consider.
- Size of the facility. A single small business will be much different from an organization with multiple buildings on its campus.
- Regulatory issues. Does your company need to meet specific regulations or compliance standards?
Using digital technology will cut these times down (and boost assessment quality), but even then you should expect the inspection itself to take some time—anything from a couple days for a small building to a couple weeks for a large campus.
- Loose lips
I’ve seen some consultants talk about their past clients’ security problems. I was at a DHS-sponsored training class, and the presenter was talking about a specific bank in an East Coast city’s vulnerabilities. During the discussion, we realized that it was a real facility, not a mock scenario. They gave us the name of the company, its location, and specific real-life vulnerabilities the client had. I was shocked—but this presenter isn’t the only consultant out there who isn’t careful enough with his clients’ information.
Also be careful of consultants who list their clients on their website — they might be breaking an NDA to do so. You do not want to become a target because a company wants to market your brand.
- Consultants who live in a vacuum
Beware of consultants who are not active in professional and industry organizations, like ASIS or the CSO Risk Council. Consultants who aren’t networking with their peers in the industry tend to have a narrow view of reality — they aren’t educating themselves, they aren’t learning more about the rapidly changing security industry, and may be set in their ways. If they haven’t been learning about how the industry has been changing, they may not be able to give you the best advice possible.
How can you hire the right consultant?
A risk assessment is an investment in the safety of your employees, your facilities, and your company’s future. The right consultant is an invaluable asset, but if you hire the wrong one, that can give you a false sense of security.
Fortunately, if you know what to look out for, you’ll be able to hire someone you can trust to keep your company safe. Click here for our must-ask list of questions that will help you choose the best security consultant to protect your business