Conducting a security risk analysis with an experienced security consultant can prove invaluable for your organization. However, regardless of whether you use a paid consultant or locate one willing to help you at no cost, you will want to do your due diligence. The following are a few suggestions when selecting a security expert.
Suggestions when selecting a security consultant:
1) Review overall security experience. How long has the expert worked in security management?
2) Is specific experience required? A security consultant meeting the two key requirements (experience and certification) is qualified to act as a security consultant in the vast majority of security assignments.
3) Industry certification. The author recommends at minimum that a security consultant who is claiming broad-based credentials possess the designation of Certified Protection Professional (CPP). This certification is the highest designation that can be bestowed upon a security practitioner.
4) Formal Education. While I hold a graduate degree and believe that education is important, I place experience and certification much higher in the selection process.
5) General liability insurance. A Professional E&O Liability Policy should be in place to protect the consultant and consumer.
6) Professional memberships. While professional memberships may be helpful to the consultant, their primary purpose is to provide educational programs to keep the security consultant current. One of the most highly recognized organizations for security professionals is ASIS International.
7) Publications. While this credential is not crucial in the selection process, publications by the consultant may reflect his or her viewpoints and thought process relative to a particular consulting project.
8) References. Request recent references to determine if the consultant was able to enhance their existing security program via cost-effective strategies. Peer references are also important.
9) Profit and Loss experience. P&L experience is invaluable. Too many times security managers and experts see things from a one-sided perspective and are not able to properly balance risk and profit.
10) Interpersonal skill. Does the consultant possess the skill level needed to interact with employees and senior management and orchestrate the security risk assessment process?