Getting the Most from a Security Consultant

Jan. 27, 2009
Five tips to ensure the best possible results

Hiring a security consultant must involve a specific action plan to ensure the best possible results. The following five fundamental tips from an insider can help.

Tip 1: Confirm what you need a consultant to do. Some clients believe they need a consultant, but some stakeholders may not be clear about why a consultant is needed and what the consultant is expected to do.

Before you hire a consultant, develop consensus within your organization about why you need a consultant, what the end result (often called deliverables) will be and what the path to completion (schedule) looks like.

It is true that many specifics about what a report should contain or the level of detail an engineering package might provide will be developed as a project moves forward. From the outset, however, it is important for every stakeholder to be clear on what the expectations of the consultant will be in order to create a success pathway before work commences.

One successful method used by clients involves creating a detailed scope of work. If you are not clear on what your security consultant might do for you, compare the scope of work others have developed for similar projects. Open source, readily available information about past and current projects like yours should be consulted. Do not reinvent the wheel if you do not have to.

In today’s more security-conscious landscape, almost every security project has been done before by a similarly situated entity. Previously used proposals, requests for quotes and project scopes of work serve as a great starting template ready to be customized for your project. Ultimately, a thorough and clear scope of work along with consensus among project stakeholders are critical first steps toward ensuring the successful use of a security consultant.

Tip 2: Use peer review to enhance your consultant’s work. One reason to hire a consultant might have been their expert security knowledge; however, project stakeholders often do not have the ability to thoroughly review specialty security consultants’ work.

Set aside a portion of your budget for peer review by another similarly qualified consultant. Inform prospective consultants from the outset that their work products will be subject to peer review, which should be performed at every practical stage of your consultant engagement.

Assessment reports, master plans, engineering studies and construction documents (plans and specifications) are excellent candidates for this process. Include the peer review firm in your process from the outset and have them participate throughout for maximum benefit. Peer review consultants will bring another critical eye with their comments and suggestions leading to better overall project results.

Some firms may argue that they do not want a competitor to have access to their professional work products. This is a selfish argument that puts the consultants’ interests above their client’s, hurts the individual project and casts the industry in a poor light. In reality, more experienced consultants have already seen each other’s work many times over the years. Professional consultants should not oppose this process, and in fact should welcome the resulting benefits to their clients.

The International Association of Professional Security Consultants (IAPSC) code of conduct includes rules that consultants must follow when performing peer review services. A legitimate consultant objecting to this process raises a red flag about their real dedication to their client.

One approach I have seen used effectively during competitive solicitations is to announce that the highest scoring firm will receive the primary contract with the next highest scoring firm engaged for peer review services.

Ultimately, peer review can make a significant difference in the success or failure of the primary consultant’s work. Of course, not every review comment or suggestion should be taken as gospel, and there may very well be different opinions about any given issue that clients may need to participate in resolving. The net result of expert review and responses to those reviews will provide critical insight into your project and result directly in a better end result.

Tip 3: Require frequent deliverables. Allowing a good deal of time and/or associated consultant effort to pass between work product deliveries can contribute to wasted effort and lead to a lesser end result.

Most projects have deliverables that mimic the conventional engineering or construction processes, with sometimes months in between deliveries. It is common, for example, to have reports or engineering documents only at 50-percent and 100-percent completion. The main problem with this approach is that many of the critical decisions that guide security consultant work products are made at the early stages of the project, and a great deal of work in a given project flows directly from these initial decisions. Changes in direction identified after much time and effort have been expended can defeat project success.

Moreover, when extended time passes or significant work is performed between deliveries, the odds of material correction becoming necessary increase accordingly. Extensive reworking of major issues can cause projects to extend beyond schedule or budget.

One option to consider is to add one or more formal deliveries, including one as soon after project kickoff as practical. If your project includes a report, for example, ask for an outline or table of contents right away to confirm the project is starting in the correct direction.

Early deliverables for consultants help ensure the path taken meets with owner approval before too much effort is expended.

Tip 4: Use clear project milestones. Too much time and effort passing between work product deliveries combined with unclear expectations can lead to wasted effort and contribute to a poor end result.

Most projects have subjective milestones that mimic the conventional engineering or construction processes with no clear understanding of what should be provided with each. Report or engineering document deliverables at unclear and subjective milestones like 30, 60 or 80 percent are in and of themselves too vague to warrant thorough or appropriate comments. Many clients find processes like this so confusing that they do not even bother to review the early-stage deliverables and wait until the final draft or 100-percent documents to start looking closely at documents — which defeats the purpose of having staged deliverables in the first place.

Clearly defining what specifics each report or design delivery should contain will help reduce the likelihood of omissions, confusion and missed expectations. Be sure to include specifics about each and every project milestone, with increasingly detailed and verifiable requirements as the project progresses. For example, in an assessment report, you might require site survey findings without any specific recommendations.

If your project involves engineering, ask for an early delivery of proposed device locations and/or color-coded security zones so that overall security concepts can be intelligently reviewed and discussed.

Tip 5: Create a safety valve and use it if necessary. Clients should give themselves contractual options in the unlikely event their consultant’s project manager leaves the firm or does not live up to their responsibilities. Avoid getting trapped by contract terms that prohibit a consultant change for cause.

In healthcare, if you have an issue with a doctor or dentist, you can usually just pick another provider from a pre-screened list, have your records transferred without penalty and you can pick up where you left off. You should always be prepared for the possibility that a security consultant’s key person(s) might leave the project, or that the company generally fails to meet expectations. Unfortunately, in today’s cost-conscious environment, problems with low-bid consultants are more frequent than any of us in the industry would like to admit. Consultant personnel turnover does occur and can materially hurt your project if you are not prepared. Underperforming consultants can remain retained simply because another option is not readily available.

Do not lament your situation — take action. Some of the solutions discussed in this article combined with good project leadership can make the difference between project success and failure. Specifically, creating more frequent and clear deliverables along with engaging a competent peer review consultant from the start gives clients the ability to change course with minimal impact during a project.
This approach usually requires that contracts be set up differently or modified to allow for such a transition. Break a project into smaller segments (task assignments or work orders) and authorize work and fees as each milestone is successfully met. Additional administrative requirements of this approach will be more than offset by the flexibility you gain by not being married to a substandard consultant. Here again, most professional consultants should not object to stricter contract provisions, and one should take a closer look at any consultant who does.

In summary, getting the most out of your security consultant requires effort well beyond the selection process and good luck. Luck, in this case, is a result of the diligence and effort applied toward creating and following a blueprint for project success.

James R. Black, CPP, PSP, CSC, CET serves as senior security consultant and operations manager for TRC Companies Inc. Over the past 13 years, Mr. Black has assessed threats and designed security systems for critical infrastructures including airports, water systems, municipalities, energy providers, healthcare facilities, colleges and historical landmarks. Mr. Black is a member of ATAP, ASIS and IAPSC.