Many people view engaging an expert as a costly proposition and misunderstand the role of a security consultant
If you are one, or have ever used a security consultant, you probably already understand the basic point of this article. In fact, if that describes you, this article may not be for you. You will likely end up rolling your eyes with an audible “duh!” before you finish it. I only believe this topic to be worthy of writing about because, invariably, when I have this conversation with those that really need a security consultant I can tell by the proverbial light bulb illuminating over their heads, about halfway into my spiel, that they have never actually considered that hiring a security consultant is a cost savings measure.
In the name of transparency, let it be known that I am a security consultant. I am not writing this article in my role as a consultant but rather in my “other” role as the editor of a security magazine. If I were not a security consultant it is doubtful that I could claim the authority to write on this topic.
Hiring a security consultant, or engaging any subject matter expert, is most often seen as a necessary evil; an additional expense that must be endured to meet some compliance or regulatory requirement. It is not usually viewed as a cost-cutting measure. I’m here to tell you why it should be.
Be it physical or cyber, the consultant’s role is the same. The purpose of hiring a security consultant should be two-fold: to help you be more secure and to save you money. Please note that this is an “and,” not an “or,” conjunction. If your security consultant cannot meet both of these objectives then, I dare say, they have no right to accept your assignment.
Simply stated: when you hire a security consultant they should be able to provide a service that lowers your overall cost to the point that you pay less than if you had not hired them. Many consultants aim for an overall savings to their clients that is twice the amount of their fee and in some circumstances the savings can be a multiplier of many times their fee.
Two Types of Relationships
If your organization already has a security director and security staff, you will likely need to hire a security consultant to perform a specific task or project, at one time or another. Maybe it will be a technology refresh or an independent review of your security plan, but your need will end after the project is complete. This is the classic “project based” relationship and your costs are usually proposed in such a way that you know exactly (or at least closely) what it will cost you to get the contracted services performed.
If your organization’s size or risk profile does not warrant a full-time security executive or security staff, you should have an ongoing relationship with a security consultant. Just about every organization needs someone at an executive level with specific expertise in security, either physical, cyber, or both, on their team. You may not need a full-time director of security, so an “as needed” consultant is a great fit. This can be viewed as “outsourcing” a security director, and your total costs are usually not as clearly defined up front but rather billed on an hourly basis.
How Your Consultant Should Save You Money
Regardless of the type of relationship (described above) you have with your consultant, there are two ways they should be saving you money: first, by analyzing your needs accurately, and second, by lowering your risk. These two concepts are more than just hand-in-hand. They are more like conjoined twins. They always go together. If your consultant does not accurately assess your threats and vulnerabilities, she simply cannot make the correct countermeasure recommendations to lower your risk.
As an aside, let me point out that the reason you always want an independent consultant, and not someone who also sells a product or service, is that the pressure to produce a needs analysis that closely fits the products or services offered can be too great.
Risk is expensive. There are risks associated with your business that cannot be avoided. You can assume these risks yourself, transfer them to an insurance carrier, mitigate them, or use some combination of these options.
If you simply assume your risks yourself, then you are essentially playing the odds. Eventually this is likely to catch up with you, and you will bear the full brunt of whatever loss is incurred. For some risks this is a reasonable solution, but for many it is not.
Don’t be fooled into thinking that you don’t have security risks: an unanalyzed risk is one that you are assuming yourself, even if you don’t know it.
If you transfer all or part of the risk, you have an ongoing cost of insurance, but you will never have to pay the full cost of the loss.
Finally, if you mitigate or reduce the risk, you can then assume the risk or insure against it, but at a much lower probability and/or criticality and therefore a lower cost. A consultant is most useful when deploying this strategy.
If you want to avoid the high cost of insurance but feel the risks (or combined probability and criticality) are too high, a consultant can show you how to reduce them to an acceptable level. There will be a cost involved in hiring the consultant, but she will show you how to save more than her fee in reduced insurance costs.
If the relationship type you need is of the “ongoing” variety described above, then you can easily calculate additional savings. If your organization does not have a security executive, you can begin to realize the benefits and lower costs associated with lower risk by hiring a qualified consultant only when you need them. In this type of relationship, it is best if you think of this consultant as an extension of your executive team, but with the added benefit of only having to pay them for their time spent working directly on your behalf. A similar relationship is sometimes constructed for legal representation.
Consider that you would need to pay a qualified security director somewhere between $150K and $250K per year. The same qualified individual, working as a consultant, may charge you in the neighborhood of $150 to $200 per hour. If you only need a part-time security executive, then depending on how often you use them, you can have your security needs met and yet save a significant amount. It often works out that if you need more than ½ to ⅔ of full-time service, you should probably just hire your consultant, or some other qualified individual, full time.
When You Don’t Need A Consultant
If your threats are small, your vulnerabilities few, and your needs simple, a consultant will likely not save you money. They may be able to meet the first objective of helping you be more secure, but if they cannot also help you save money, you are better off analyzing your own needs and then assuming the remainder of the risk yourself. By way of example, let’s assume you run a small office-based business located in a secure office building. There is nothing about the products or services you produce that would make you a target for any kind of attack, physical or cyber. You probably only need off-the-shelf cyber protection, a burglar alarm, and maybe access control, mostly for convenience. You could easily shop around, get quotes from a few installing vendors, and make the best decision. It is not probable that a consultant could add enough value in the analysis or design process to save you more than he would charge you.
But if your situation is not this benign, then you can likely save money by hiring a security consultant.
The Bottom Line
It’s all about your bottom line. A security consultant is a resource to be sought after when you want to save money on your security costs. Don’t be afraid to engage a qualified independent security consultant, with the understanding, before you hire them, that you want to be shown how they can save you money rather than make your next security project more expensive. Experienced consultants are happy to have this conversation with you.
Steven Bowcut, CPP, PSP is the Security Consultant for Brilliance Security Consulting and Editor-in-Chief of Brilliance Security Magazine. He is Board Certified in Security Management as well as a Physical Security Professional.