The title of this column arises from a question that I have heard from integrators, end-user customers, and consultants (including me) who have been called in to troubleshoot a problem situation with a particular system or piece of technology.
Q: Who specified this?
A: No one did.
System Design vs. Product Selection
The question and answer above identify the root cause of a great many problems with facility physical security system deployments - the system or product was not actually specified. It was selected, recommended, bid, quoted, copied or searched for on the Internet. Products are selected at trade shows, recommended by systems integrators, or bid or quoted in response to a request from a customer. They are copied from what was seen at other facilities. Sometimes they are selected simply from information found on vendor websites. When that happens outside the context of a sound security design effort, trouble follows.
Brian Gouin, a Physical Security Professional (PSP) and Certified Security Consultant (CSC), says in his book, "Security Design Consulting: The Business of Security System Design" - "With the growing complexity of technology in the security industry and the relatively poor-quality system design work within that industry, there is a growing need for design professionals specifically trained and working in the security field."
Only after a security designer has obtained a thorough understanding of a facility's security needs can a specific product be matched to those needs. And even then, it has to be done according to the concept of security operations in which specific product and system functions will be utilized.
Role of Security System Design
The folks at the International Association of Professional Security Consultants (IAPSC) know that periodically, I would send a security manager client to their two-day program titled, "The Successful Security Consultant," held as a pre-seminar program of the ASIS International annual seminars.
Occasionally, other consultants would question my sanity for doing so, asserting that I could be "doing myself out of a job" by having my clients learn how to perform the work of a security consultant. Quite to the contrary, this kind of comment shows a real lack of insight into the life of a security operations manager.
No security operations managers have the time to actually perform the work of a security design consultant. But they do have a need to understand it - in fact, some of the most effective security managers I have known are those who were security consultants prior to hiring on as a security manager. With regard to my own consulting projects, I definitely want to have a client who understands and appreciates the work that I do, and who also knows what is expected and needed from a client who embarks on a significant security technology deployment.
Explaining my preference for educated clients to one consultant a few years ago, I was surprised to see the horrified look on his face as he said, "You had better watch out. Knowledge is power." Of course it is! I want empowered clients who know how to represent their security agendas to management and to budget decision-makers, who can tell the difference between a good and a bad RFP response, and who know how to insist on and get a quality technology deployment. This works even from a self-serving perspective - it is the easiest way to achieve a string of highly successful consulting projects!
Certified Security Consultant
Recently, I was very happy to see an RFP for security consulting services that stated: "Preference - the consultant has the CSC (Certified Security Consultant) designation" (for more information on this certification, visit the IAPSC at www.iapsc.org). The CSC certification is available not only to independent consultants, but also to security managers (i.e. the company's internal security consultants) who meet the qualifications.